Post #2 in threat types
8 ways to stop toxic phishing email
Could you be the next target of a phishing scheme? Is the term even familiar? Phishing is an attempt to gather personal information, above all usernames and passwords, by means of deceptive emails and websites.
The word “phish” sounds like “fish,” and the idea is the same: bait and hook. This online criminal activity has been around for a long time, but it has grown sneakier as crooks refine their attacks.
When an entertainer on a stage makes a book or a person disappear, we enjoy that. But if the “trick” is someone who makes your entire bank account disappear, that is very different.
Being tricked could potentially also make your professional reputation disappear!
Have you ever received a message from your bank, or a note from someone in your company, and noticed that the wording was a little odd? If you noticed, you probably double-checked and discovered it was fake: a phisher had tried to trick you. If you did not notice and got burned, that was probably a difficult experience.
The person who sent the phishing email is trying to manipulate belief, taking advantage of the way people normally perceive things. He or she knows most people are busy and look only for a few basic indicators that an email is trustworthy.
Phishing tips from Kratikal:
▸ Check for SSL certificate
▸ Look out for grammatical errors
▸ Pop-ups are not always friendly
▸ Stay cautious of shortened links
▸ Update all security patches
▸ Avoid unexpected alarming emails
▸ Double-check sender’s email address
(One caveat on the first tip: the padlock and certificate only mean the connection to the site is encrypted. Phishing sites routinely have valid certificates too, so the padlock proves nothing about who is behind the site; the domain name is what you need to check.)
Let’s go down the typical checklist people use to decide an email is “trustworthy”:
- Same logo as is normal
- Same type style as normal
- Refers to ordinary procedure
- Seems to offer help
For a busy office worker, these used to be enough to accept an email as real. Those days are gone. Cyber attacks have made work more complicated, and that includes the simple act of reading email.
You need to stop the phisher. First, what is he trying to get you to do? Usually one of two things:
1) Expose private information: a username and password that can be used to break into a system or account.
2) Download malware: a malicious attachment, or a link to another location that offers a download. These often take the form of Microsoft Office documents with malicious embedded code (macros) or .zip files with toxic contents.
Phishing can start outside your email inbox, even outside your office. For example, don’t post personally important dates, addresses or phone numbers anywhere online; phishers use such details to make their messages convincing. Phishers try to get inside your head to trip you up, so try changing your mindset.
How to filter messages…
• Check the spelling of links before you click. Does the link go to bankname.com, or actually to alisayadda.net? Most email software will show you the real destination if you hover your mouse pointer over the link: MS Outlook shows it at lower left and also in a pop-up; Gmail shows it at lower left. Remember that the visible text of a link can say anything; only the destination it points to matters.
• Even better, if the email seems to be from someone you do business with, don’t touch the email at all. Open a web browser, type in the correct address yourself, and log in to check for news. Organizations you do business with will show important information on their own site.
• Is your mail protected by a good filter? A firewall by itself does not stop phishing; what keeps most phishing out of your inbox is a mail filter that scans attachments and links and checks whether the sending domain is authenticated (SPF, DKIM and DMARC). The same goes for installing the best anti-virus software you can afford and understanding what it does and does not catch.
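The hover check above can be automated. The script below is an added example for this post, not code from any vendor or product mentioned here. It pulls every link out of an HTML email body with Python’s standard library and reports the three things the text tells you to look for by hand: the real destination behind the link text, whether the host is the domain you expect or merely contains it (bankname.com.alisayadda.net belongs to alisayadda.net), and whether a shortener hides the destination. The sample email body, the shortener list and the expected domain “bankname.com” are constructed assumptions for the example.

```python
"""Flag suspicious links in an HTML email body.

Added example: not code from any vendor or product named on the page.
Sample body, shortener list and expected domain are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts treated as link shorteners (destination not visible).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def registrable_domain(host):
    """Last two labels of a host: "login.bankname.com" -> "bankname.com".

    Simplification: public suffixes such as "co.uk" are not handled; a real
    tool would consult the Public Suffix List.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(url):
    """Host the browser would connect to, or "" if the URL has none.

    urlsplit drops userinfo, so "https://bankname.com@evil.net/" -> "evil.net".
    """
    return (urlsplit(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text, expected_domain):
    """Return the reasons a link is suspicious (empty list means none found)."""
    reasons = []
    host = host_of(href)
    if not host:
        return ["link has no host (e.g. javascript: or a bare path)"]
    target = registrable_domain(host)
    if host in SHORTENERS:
        reasons.append("shortened link hides the destination")
    if target != expected_domain:
        reasons.append(f"target domain is {target}, not {expected_domain}")
        if expected_domain in host:
            # bankname.com.alisayadda.net: the real owner is alisayadda.net
            reasons.append("expected domain appears only as a subdomain of another domain")
    if text.startswith(("http://", "https://", "www.")):
        # Link text that looks like a URL but points somewhere else
        shown = host_of(text if "://" in text else "https://" + text)
        if shown and registrable_domain(shown) != target:
            reasons.append(f"link text shows {shown} but target is {host}")
    return reasons


def check_email_links(html_body, expected_domain):
    """Return {href: [reasons]} for every link in the body that raised a flag."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = {}
    for href, text in parser.links:
        reasons = check_link(href, text, expected_domain)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample: one legitimate link and three common tricks.
SAMPLE_BODY = """
<p>Your statement is ready.</p>
<a href="https://www.bankname.com/statements">View statement</a>
<a href="https://bankname.com.alisayadda.net/login">https://bankname.com/login</a>
<a href="https://bankname.com@alisayadda.net/verify">Verify your account</a>
<a href="https://bit.ly/3xAmpl3">Update your details</a>
"""

if __name__ == "__main__":
    for href, reasons in check_email_links(SAMPLE_BODY, "bankname.com").items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run it and the legitimate www.bankname.com link is the only one that passes; the other three are flagged for the reasons the text describes. The domain comparison is deliberately simple (last two labels), which is why the Public Suffix List caveat is in the code: a real mail filter needs it to avoid treating every site under co.uk as one domain.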
Other red flags …
Resembles Trusted Sources
Standard practice is to never open emails from unknown senders, so hackers mimic trusted names, especially national or international organizations. You may receive a message that appears to come from Amazon, Wal-Mart or your bank but actually contains malware or a link to a fake login page. The display name is the easiest thing to fake; look at the actual address behind it, and at where replies would go.
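Checking the real sender is also something a short script can do for you. This is an added example for this post, not code from any vendor or product mentioned on the page. It parses a raw message with Python’s standard email library and reports the signals behind the “double-check the sender’s email address” tip: a display name that borrows a trusted brand while the address sits at another domain, a Reply-To that sends your answer somewhere else, and, when your mail server adds one, the Authentication-Results header stating whether SPF, DKIM and DMARC passed for the sender’s domain. The two sample messages and the brand list are constructed assumptions for the example.

```python
"""Check who an email really came from, using only its headers.

Added example: not code from any vendor or product named on the page.
The sample messages and the brand-to-domain table are assumptions.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: brands whose appearance in a display name should trigger a
# check that the address really belongs to that brand's domain.
TRUSTED_BRANDS = {"amazon": "amazon.com", "walmart": "walmart.com", "bankname": "bankname.com"}


def domain_of(address):
    """Domain part of an address, lower-cased: "Bob <x@Y.com>" -> "y.com"."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Parse spf=..., dkim=..., dmarc=... out of Authentication-Results.

    Returns {} when the receiving server added no such header, which means
    you have no authentication signal at all; that is itself worth knowing.
    """
    header = str(msg.get("Authentication-Results", ""))
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, flags=re.I)
    return {k.lower(): v.lower() for k, v in found}


def check_sender(raw_message):
    """Return the reasons the sender looks suspicious (empty list means none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    reasons = []
    from_header = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_header)
    from_domain = domain_of(from_header)

    # 1. Display name borrows a trusted brand but the address is elsewhere.
    for brand, brand_domain in TRUSTED_BRANDS.items():
        same_org = from_domain == brand_domain or from_domain.endswith("." + brand_domain)
        if brand in display_name.lower() and not same_org:
            reasons.append(f"display name mentions {brand} but address is at {from_domain}")

    # 2. Replies would go to a different domain than the apparent sender.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To goes to {reply_domain}, not {from_domain}")

    # 3. What the receiving mail server concluded about the sending domain.
    results = auth_results(msg)
    if not results:
        reasons.append("no Authentication-Results header: sender not verified")
    for check in ("spf", "dkim", "dmarc"):
        if results.get(check, "pass") != "pass":
            reasons.append(f"{check}={results[check]}")
    return reasons


# Constructed sample: brand in the display name, address at an unrelated
# domain, Reply-To somewhere else again, DKIM missing and DMARC failed.
SAMPLE_PHISH = b"""\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=alisayadda.net; dkim=none; dmarc=fail header.from=alisayadda.net
From: Amazon Customer Service <service@alisayadda.net>
Reply-To: refunds@alisayadda-support.net
To: you@example.org
Subject: Your order could not be delivered

Please confirm your payment details.
"""

# Constructed sample of what a genuine message from the brand looks like.
SAMPLE_LEGIT = b"""\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=amazon.com; dkim=pass header.d=amazon.com; dmarc=pass header.from=amazon.com
From: Amazon <no-reply@amazon.com>
To: you@example.org
Subject: Your order has shipped

Your package is on its way.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_sender(raw) or ["no findings"])
```

Authentication-Results is written by your own receiving mail server, so a result of pass there means something; the same text appearing in a header the sender wrote does not. In practice you would read the header only when it names your server, as the constructed samples do with mx.example.org.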
Phishing Scare Tactics
Urgency and fear prompt people to act impulsively, and criminals use these levers to make innocent people click without thinking. They may claim your bank account will soon be closed, that you will be punished for not responding, or that there has been a security breach.
No matter how smart you are and how careful, something could go wrong. Reduce the damage!
In an office setting, contact your manager directly. Don’t depend on email or other wait-and-see methods. If you can’t reach management, contact your technical staff. Don’t hesitate to make it urgent.
Scan your system
Your anti-virus software can find and stop malware much faster than any person; that is what it was designed for.
Change the passwords for any account whose credentials you may have typed into the phishing page, and for any other account that shared them. Your new passwords should be in the “strong” category (link below), and turn on multi-factor authentication wherever the service offers it. Use password management software if needed.
Protect others from falling for whatever snagged you. Notify all your associates of what happened, but only use email after a successful virus scan; you don’t want to spread whatever bug you caught. Also notify the organization that the phisher imitated; companies want to know about this so they can help stop it.
The Five Most Costly Phishing Attacks to Date (from Check Point)
The five attacks described here required little sophistication on the part of the attackers but enabled them to steal tens of millions of dollars from each organization.
1. Facebook and Google
Between 2013 and 2015, Facebook and Google were tricked out of $100 million by an extended phishing campaign. The phisher took advantage of the fact that both companies used Quanta, a Taiwan-based company, as a vendor. The attacker, impersonating Quanta, sent a series of fake invoices that both Facebook and Google paid.
Eventually, the scam was discovered, and Facebook and Google took action through the US legal system. The attacker was arrested and extradited from Lithuania, and, as a result of the legal proceedings, Facebook and Google were able to recover $49.7 million of the $100 million stolen from them.
2. Crelan Bank
Crelan Bank, in Belgium, was the victim of a business email compromise (BEC) scam that cost the company approximately $75.8 million. This type of attack involves the phisher compromising the account of a high-level executive within a company and instructing their employees to transfer money to an account controlled by the attacker. The Crelan Bank phishing attack was discovered during an internal audit, and the organization was able to absorb the loss since it had sufficient internal reserves.
3. FACC
FACC, an Austrian manufacturer of aerospace parts, also lost a significant amount of money to a BEC scam. In 2016, the organization announced the attack and revealed that a phisher posing as the company’s CEO instructed an employee in the accounting department to send $61 million to an attacker-controlled bank account.
This case was unusual in that the organization chose to fire and take legal action against its CEO and CFO. The company sought $11 million in damages from the two executives due to their failure to properly implement security controls and internal supervision that could have prevented the attack. This lawsuit demonstrated the personal risk to an organization’s executives of not performing “due diligence” with regard to cybersecurity.
4. Upsher-Smith Laboratories
In 2014, a BEC attack against a Minnesotan drug company resulted in the loss of over $39 million to the attackers. The phisher impersonated the CEO of Upsher-Smith Laboratories and sent emails to the organization’s accounts payable coordinator with instructions to send certain wire transfers and to follow the instructions of a “lawyer” working with the attackers.
The attack was discovered midway through, enabling the company to recall one of the nine wire transfers sent. This decreased the cost to the company from $50 million to $39 million. The company decided to sue its bank for making the transfers despite numerous missed “red flags”.
5. Ubiquiti Networks
In 2015, Ubiquiti Networks, a computer networking company based in the US, was the victim of a BEC attack that cost the company $46.7 million (of which they expected to recover at least $15 million). The attacker impersonated the company’s CEO and lawyer and instructed the company’s Chief Accounting Officer to make a series of transfers to close a secret acquisition. Over the course of 17 days, the company made 14 wire transfers to accounts in Russia, Hungary, China, and Poland.
The incident only came to Ubiquiti’s attention when it was notified by the FBI that the company’s Hong Kong bank account may have been the victim of fraud. This enabled the company to stop any future transfers and attempt to recover as much of the $46.7 million stolen as possible (which represented roughly 10% of the company’s cash position).
Check Point original article (new tab/window)
Tripwire: Common attacks
Tripwire’s recent warning about 6 common phishing attacks, and how you can protect your company and your staff.
Phony websites go hand in hand with phishing. People who create fake sites hope you will log in and hand over private information such as your credit card details. The following post by The SSL Store is very helpful…
5 Ways to Determine if a Website is Fake Fraudulent or a Scam
Malware phishing downloads
This article by the people at Malwarebytes can help you assess the risk of downloading software or files that might be part of a phishing attempt.
Visual examples & password tool
Here is an image gallery of known phishing examples (external link / new tab):
The Federal Trade Commission offers tips, including multi-factor authentication, in “How to Recognize and Avoid Phishing Scams”.
And this tip, courtesy of blog reader Adam Roger: Safety Detectives free password tool (and more).