These Phishing Headlines End Up Fooling The Smartest IT Professionals. 

Modern Phishing Email and Article Headlines That Even Fool Savvy Tech Professionals
Learn more about the kind of email phishing headlines that end up fooling the smartest tech professionals, and how you can better protect your business.  

Any tech professional worth their salt understands the damage done when an unsuspecting user clicks a link in a phishing email. It is not surprising when less technical staff are taken in by today's social engineering attempts, but some of the subject lines attackers use fool plenty of experienced IT pros as well.
Email is not the only channel where tech professionals are vulnerable. Messaging on platforms such as Facebook and LinkedIn has become a prime target for scammers, especially as email providers have strengthened their protections. Phishing emails whose subject lines referenced those two platforms have also been reported to have the highest success rates, at 28 percent for Facebook and 55 percent for LinkedIn.
How Do Experienced Tech Professionals End Up Getting Fooled?
It is hard to imagine how the people charged with keeping company systems safe end up ensnared in these schemes. Security-minded staff become so confident in their ability to spot a suspicious email that they grow less careful: they skim and click messages without absorbing the details, and by the time they notice the error the link has already been opened.
What Makes a Phishing Headline Successful?
Subject lines that include words like "Request," "Follow-Up," and "Urgent/Important" tend to get higher click rates, especially when the message appears to come from a colleague or a senior executive. Recipients feel compelled to respond quickly for fear of failing to meet job expectations, or of costing the company money by not following through on a request related to finance or payments.
That social pressure works on tech workers too. They are just as likely to respond quickly to a request that appears to come from a company vice-president; nobody wants to be the one holding up company business.
Here are some of the subject lines that have been used to fool regular users and IT professionals alike:

Requests for password changes
Deactivation of Microsoft Office email service
Setting up employee raises for HR
Document sharing using a secure server
Lack of internet service due to scheduled server maintenance
Address needed for FedEx delivery
Locked company Twitter account
Complete steps for Google service
Error with Coinbase
Closed company bank account

How Can Businesses Upgrade Their Current Phishing Protections?
There is no single step a business can take to stop someone falling for a phishing scam. It pays to use a multi-pronged approach to blocking and handling suspicious emails and websites that target company workers.
Tools such as spam filters, simulated phishing exercises, and web filters that block known malicious sites should be a priority. It also pays to encrypt sensitive company data so that a stolen credential or a lost device exposes as little as possible. That goes double for remote workers who log into company systems from a variety of devices.
Businesses should put company-wide security policies in place and enforce them consistently, and make sure IT staff understand that their expertise does not make them immune to these attacks.

Hackers Increasingly Targeting Business Conversations

‘Conversation hijacking’ Seeks Sensitive Business Intelligence
Your employees probably know not to open unexpected attachments or click random links, but what if the attachment arrives in the middle of an email conversation with trusted colleagues?
Sophisticated attackers use a technique known as "conversation hijacking" to insert themselves into business operations, gain insight into sensitive details, and exploit that information for financial gain. Here is what you should know about this insidious form of attack on businesses.

Conversation Hijacking: Infiltrating Business Communications
New research indicates that the incidence of conversation hijacking increased by more than 400 percent in the second half of 2019 alone.
In a conversation hijacking attack, the attacker first obtains business credentials, for instance an email login, by phishing or other means. With that access, they can read an existing email conversation and join it by posing as one of the participants.
These attacks are mounted by criminals willing to invest significant time to reach sensitive information. The attacker may read through many emails and conduct research online to learn about business deals in progress or other potentially valuable details.
Having gained the trust of the other people in the thread, the attacker then uses a variety of techniques to obtain banking details or redirect payments to accounts they control.
Forms of Conversation Hijacking
Conversation hijacking can take a number of forms, with the initial foothold coming from a range of sources. Attackers may compromise email accounts through phishing or credentials exposed in data breaches, and use the stolen logins to stage account-takeover attacks.
The attacker may then spend time monitoring the account, including ongoing threads, to learn about sensitive business details or financial arrangements. Another variant uses domain impersonation: the attacker registers a domain that looks enough like a company's real one (a swapped letter, a different top-level domain, the real name embedded in a longer one) that employees reply, click, or download files without noticing the difference.
Attackers also impersonate the domain of a client, vendor or business partner to win employees' trust, with the ultimate aim of reaching financial accounts and information.
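The domain tricks described above can be checked mechanically before a human ever reads the message. The following script is an added example for this article, not code from the original page: it classifies the sender of an incoming message against a list of domains the organisation trusts, catching swapped characters, a wrong top-level domain, a real name buried inside a longer host, and a display name that claims a trusted brand while the address lives elsewhere. The trusted domain list, the sample headers, the edit-distance threshold and the naive "last two labels" registered-domain rule are constructed assumptions.

```python
"""Flag From: headers whose domain impersonates a trusted partner domain.

Added example for this article, not code from the original page. The trusted
domain list, sample headers and edit-distance threshold are constructed for
illustration; production use should resolve the registered domain with the
public suffix list and tune the threshold against real traffic.
"""
import unicodedata
from email.utils import parseaddr

# Constructed: domains this organisation legitimately exchanges mail with.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com", "northwind-bank.com"}

# Look-alike substitutions collapsed to a canonical form, so that
# "acme-supp1ies.com" and "exarnple.com" normalise to the genuine name.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l")]

MAX_EDIT_DISTANCE = 2  # assumption: tune per environment; too high = noise


def normalise(domain):
    """Lower-case, strip accents (IDN look-alikes) and collapse confusables."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text


def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Naive registrable domain: the last two labels (no public suffix list)."""
    return ".".join(host.split(".")[-2:])


def brand_token(domain):
    """'acme-supplies.com' -> 'acmesupplies', for display-name comparison."""
    return "".join(ch for ch in domain.split(".")[0] if ch.isalnum())


def classify_sender(from_header):
    """Classify the value of an RFC 5322 From: header.

    Returns (verdict, reason) with verdict one of
    'trusted', 'lookalike', 'display-name', 'unknown', 'reject'.
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "reject", "no usable address"
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    reg = registered_domain(domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted", f"subdomain of {reg}"
    # Genuine name buried in a longer host, e.g. acme-supplies.com.invoice-portal.net
    for trusted in TRUSTED_DOMAINS:
        if trusted in domain:
            return "lookalike", f"{trusted} embedded in {domain}"
    # Swapped characters or a different suffix on the registrable part
    norm = normalise(reg)
    for trusted in TRUSTED_DOMAINS:
        if norm == normalise(trusted):
            return "lookalike", f"{reg} normalises to {trusted}"
        if edit_distance(norm, normalise(trusted)) <= MAX_EDIT_DISTANCE:
            return "lookalike", f"{reg} is within {MAX_EDIT_DISTANCE} edits of {trusted}"
    # Display name claims a trusted brand while the address lives elsewhere
    shown = "".join(ch for ch in display.lower() if ch.isalnum())
    for trusted in TRUSTED_DOMAINS:
        if brand_token(trusted) in shown:
            return "display-name", f"'{display}' but sent from {domain}"
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample From: headers, one per trick.
    samples = [
        "Jane Doe <jane@acme-supplies.com>",
        "Jane Doe <jane@mail.example.com>",
        "Jane Doe <jane@acme-supp1ies.com>",
        "Jane Doe <jane@acme-supplies.co>",
        "Jane Doe <jane@acme-supplies.com.invoice-portal.net>",
        "Acme Supplies Billing <billing@freemail.example>",
        "Bob <bob@unrelated-vendor.org>",
    ]
    for header in samples:
        verdict, reason = classify_sender(header)
        print(f"{verdict:13} {reason}")
```

A verdict of "lookalike" or "display-name" is a reason to quarantine or tag the message, not proof of fraud; "unknown" simply means a first-contact sender that deserves the out-of-band verification described below. The edit-distance check is the noisiest part: on short domains two edits covers a lot of legitimate names, so tune the threshold against your own mail flow.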
Protecting Your Business
Conversation hijacking can be more difficult to detect than other types of hacking, but you can take steps to protect your business, your employees and your clients and partners.
The most important step you can take is to make sure your team understands how conversation hijacking attacks work. They should always use caution when downloading files or clicking links, and take time to check that every detail, including the sender's domain name, matches what they expect.
In addition, any request for financial information, a change of payment details, or immediate payment should raise a red flag and be reported to your accounting department. If an employee doubts the authenticity of an email, they should verify it out of band: call the sender on a number already on file, or start a new email thread to an address known to be correct, rather than replying to the suspicious message. Employees should also report to your IT team any email conversations or other incidents that seem suspicious.
Additional technical measures help as well: robust email filtering, regular review of mailbox inbox rules (attackers who take over an account often add rules that silently delete or hide replies), and restricting macros in documents, which closes off a common route to credential theft. Multi-factor authentication on email accounts adds a further layer, since a phished password alone is then not enough to take over the account.

January 28th: Data Privacy Day

Data Privacy Day commemorates the anniversary of the signing of the first international treaty focused on data protection. Here’s how you can get involved.  
January 28th, Data Privacy Day 2020, is here. First observed in January 2008, Data Privacy Day commemorates the signing of Convention 108, the first binding international treaty focused on data protection. Here is what you can do to get involved.
Ways to participate at home
Talk with your family about online privacy and safety. Discuss what counts as private information and consider together the risks of sharing it online. Review the online accounts of any children in the home for signs of compromise, risky behaviour, and connections with strangers; fix any problems you find and use the opportunity to share information and teach.
Now is also a good time to go through old papers, files, and devices, and schedule secure destruction so your information does not land in the wrong hands. Never throw away bills, bank statements, blank checks, or devices without destroying them (or wiping the devices) first.
How you can participate at work
There are a number of ways you can use this opportunity to promote data security at work:

designate this as archive week, encouraging all staff to identify electronics that are no longer in use so they can be wiped and destroyed appropriately
use games and activities to refresh staff knowledge of the risks of security breaches and internet best practices
take a moment to ensure every corporate computer runs a current, supported web browser, operating system, and security software, with updates installed and working as expected
review your policies and procedures to ensure they’re still compliant with best practice; we learn and evolve every day so a periodic review is critical to achieving the best results
share current news surrounding data breaches and lead a discussion exploring what went wrong and how similar crises can be avoided in your organization and industry

Involving your community
Data Privacy Day provides a great opportunity for community outreach. Include clients, stakeholders, and community members in your commitment to privacy. Host an open house where you share materials on safe internet practices at home and explain what your organization does to protect client information. Send clients an email marking the occasion that summarizes the steps that go into safeguarding their information (and the results of that work). You might even launch a survey to learn how satisfied stakeholders are with your privacy and data protection program.

What You Need to Know about Cyber Security

Cybersecurity education is essential in order to keep businesses one step ahead of this evolving space. Learn about types of attacks and preventative actions.
Connected technology is the future of business, with innovations such as the Internet of Things (IoT) gaining popularity. Accordingly, protecting networks, devices and programs from cyberattacks, and being able to recover from them, is no longer a luxury but a basic necessity for staying competitive. Here is a basic overview of cybersecurity:
Things to know

Data breaches aim to reach proprietary information, usually for financial gain. They can result in reputational damage, significant downtime and even the end of the business
Attackers are becoming far more sophisticated, and traditional antivirus software alone may not be enough to stop them
As more devices and gadgets are connected to networks via IoT, each poorly secured device becomes another way in for attackers seeking proprietary data
Despite the rising prevalence and notoriety of data breaches, many can be prevented. Cybersecurity often relies less on high-end technology than on common sense and solid security practices and protocols, such as:

Restricting employee access to sensitive data
Employing strong password controls
Educating employees on e-mail security
Encrypting data
Securing mobile devices (smartphones, tablets) appropriately
Investing in IT professionals with current cybersecurity knowledge and skills

Types of Attacks

Malware is any malicious software, including code that damages, disrupts, or gives an attacker unauthorized access to a computer
Ransomware is a form of malware that locks owners out of their devices or data until a ransom is paid
Spyware is a form of malware that spies on users in order to acquire sensitive information
Fileless malware runs in memory, typically by abusing legitimate programs and built-in system tools rather than writing a new executable to disk, which makes it harder for file-based antivirus to detect
Viruses are self-replicating malicious programs that attach themselves to other files or programs; they are commonly delivered as email attachments and run once the attachment is opened
Watering hole attacks compromise a website the targets are known to visit, either directly or through a third-party service loaded by the site, so that anyone who visits is infected
Phishing is the sending of emails that trick people into revealing sensitive information or running malicious code
Spear phishing is phishing aimed at specific targets, using details about the individual (usually gathered through research) to make the lure convincing enough to click
Pharming redirects users to fraudulent websites even when they type the correct address, typically by tampering with DNS or a machine's hosts file
Hacking is the act of accessing a network or device without appropriate authorization to do so

Types of Cyber Security

Network Security: defenses that keep attackers from reaching organizational networks and systems, such as firewalls, network segmentation, and access controls including multi-factor authentication
Application Security: measures that keep the software a business runs or builds from being exploited, such as timely patching, secure development practices, and protection against malicious input; endpoint protection such as antivirus complements this by blocking malicious programs on the device
Information Security: protection of the data itself through restricted access and encryption
Cloud Security: tools and practices used to monitor and protect corporate data stored in the cloud

Scammers Convinced Erie Employee to Wire Million Dollars

Small Town Reeling After BEC Scammers Get Employee to Wire $1M
Would you fall for this scam that cost a small town $1M? Find out what a BEC scam is, how it works, and what you can do to keep your company from falling victim.
What would you do if you found out an employee had just cost you a million dollars? We will guess they would not be working for you much longer.
The small town of Erie, Colorado, recently faced exactly this scenario. Criminals used a Business Email Compromise (BEC) scam to drain the town's savings.
Don't know what a BEC scam is? You should. Here is what you need to know.

What Is a BEC Scam & How Does It Work?
BEC scams are targeted and sinister. In this variant, an attacker gains access to the business email account of someone in the C-suite, or of similar authority.
Once inside, they watch the account to work out which staff member controls payments. Then they send that person an email from the compromised account with instructions to wire money somewhere.
Because a suspicious recipient might reply with questions, attackers also cover their tracks: they add inbox rules so that any incoming message containing words like "scam", "is this a joke" or "please verify" is automatically deleted before the account owner ever sees it.
They may target several people to see who takes the bait, relying on social engineering to convince people to comply.
In the Erie case, the criminals found a genuine outstanding payment and asked the employee to change where it was sent.
Because the request referred to a real invoice, it looked legitimate and raised little suspicion.
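The inbox-rule trick described above leaves evidence in the mailbox, and it can be hunted for. The script below is an added example for this article, not code from the original page: it audits an exported list of inbox rules for the patterns BEC actors create, namely rules that delete or hide messages mentioning verification or payments, rules with throwaway one-character names, and rules that forward mail outside the organisation. The record fields follow the properties of Exchange Online's Get-InboxRule cmdlet, but the export shape, the internal domain list, the keyword lists and the sample rules are constructed assumptions; adapt the field names to your own mail platform.

```python
"""Audit mailbox inbox rules for the patterns BEC actors leave behind.

Added example for this article, not code from the original page. The records
mimic the fields of Exchange Online's Get-InboxRule output (Name, Enabled,
DeleteMessage, MoveToFolder, MarkAsRead, ForwardTo, RedirectTo,
SubjectOrBodyContainsWords and friends), but the sample data is constructed
and the exact export shape is an assumption.
"""
import json
import re

INTERNAL_DOMAINS = {"example.com"}  # constructed: your own mail domains

# Words the victim uses when suspicious, or that the attacker wants to catch.
SUSPECT_WORDS = {"scam", "fraud", "phish", "verify", "joke", "hacked",
                 "suspicious", "invoice", "payment", "wire", "bank", "account"}

# Folders nobody reads, where attackers park the replies they intercept.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds",
                  "rss subscriptions", "archive", "conversation history"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def folder_name(move_to):
    """Strip the mailbox prefix: 'jane@example.com:\\RSS Feeds' -> 'rss feeds'."""
    return (move_to or "").rsplit("\\", 1)[-1].strip().lower()


def rule_findings(rule):
    """Return a list of human-readable findings for one inbox rule."""
    findings = []
    if not rule.get("Enabled", True):
        return findings                      # disabled rules do nothing
    name = (rule.get("Name") or "").strip()
    if len(name) <= 1:                       # '.' and ',' are classic attacker names
        findings.append(f"rule name is empty or a single character: {name!r}")

    words = set()
    for key in ("SubjectContainsWords", "BodyContainsWords",
                "SubjectOrBodyContainsWords"):
        words.update(w.lower() for w in rule.get(key) or [])
    hits = sorted(w for w in words if any(s in w for s in SUSPECT_WORDS))

    hides = bool(rule.get("DeleteMessage")) or \
        folder_name(rule.get("MoveToFolder")) in HIDING_FOLDERS
    if hits and hides:
        findings.append(f"deletes or hides messages matching {hits}")
    elif hits and rule.get("MarkAsRead"):
        findings.append(f"marks messages matching {hits} as read")

    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for target in rule.get(key) or []:
            for address in EMAIL_RE.findall(target):
                if address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS:
                    findings.append(f"{key} sends mail outside the organisation: {address}")
    return findings


def audit(rules_json):
    """Map (mailbox, rule name) -> findings for every rule that has any."""
    report = {}
    for rule in json.loads(rules_json):
        found = rule_findings(rule)
        if found:
            report[(rule["MailboxOwnerId"], rule.get("Name", ""))] = found
    return report


# Constructed sample export, shaped like: Get-InboxRule -Mailbox jane | ConvertTo-Json
SAMPLE_RULES_JSON = r"""[
 {"MailboxOwnerId": "jane@example.com", "Name": "Newsletters", "Enabled": true,
  "SubjectContainsWords": ["newsletter"], "MoveToFolder": "jane@example.com:\\Newsletters"},
 {"MailboxOwnerId": "jane@example.com", "Name": ".", "Enabled": true,
  "SubjectOrBodyContainsWords": ["scam", "is this a joke", "please verify", "fraud"],
  "DeleteMessage": true, "MarkAsRead": true},
 {"MailboxOwnerId": "jane@example.com", "Name": "Invoices", "Enabled": true,
  "BodyContainsWords": ["invoice", "wire transfer"],
  "MoveToFolder": "jane@example.com:\\RSS Feeds", "MarkAsRead": true},
 {"MailboxOwnerId": "jane@example.com", "Name": "Backup", "Enabled": true,
  "ForwardAsAttachmentTo": ["\"Ext Mail\" [SMTP:collector@mail-drop.example]"]},
 {"MailboxOwnerId": "jane@example.com", "Name": "Team forward", "Enabled": true,
  "ForwardTo": ["alice@example.com"]},
 {"MailboxOwnerId": "jane@example.com", "Name": "Old cleanup", "Enabled": false,
  "SubjectContainsWords": ["payment"], "DeleteMessage": true}
]"""

if __name__ == "__main__":
    for (mailbox, name), found in audit(SAMPLE_RULES_JSON).items():
        print(f"{mailbox}  rule {name!r}")
        for line in found:
            print(f"    - {line}")
```

Run this against a fresh export on a schedule and alert on any new finding; a rule that deletes messages containing "verify" has no legitimate business purpose, and an external forward created without a ticket is grounds to reset the account's credentials and sessions immediately. Disabled rules are skipped here, but a rule that an attacker disabled rather than removed is still worth a look during incident response.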
How Do Hackers Get Access to Your Email?
The most common route into your email is a phishing email. The fraudster sends a message that appears to come from your email provider and tricks you into entering your password on a spoofed login page, or into downloading malware such as a keylogger.
If your business email comes from Microsoft, Google or another provider whose many products share a single login, the attacker can get at the password in a roundabout way: a phish for any one of those products (a shared document, for example) yields the mailbox password too, and the lure looks less obviously like an email attack, which lowers your guard.
If your password is weak, they may simply guess it from the trail of personal details all of us leave online, or reuse one of yours that was exposed in an earlier breach.
How Do You Protect Against BEC Scams?
BEC scams are convincing. You are dealing with professional con artists, not hobbyist hackers. Because of that, you need a multi-layered plan that includes email security measures such as:

Employee education
Having a clear verification process including additional safeguards when changing where payment is sent or when other red flags go up
Mail server and account monitoring for suspicious activity, such as logins from unexpected locations and newly created inbox rules
A strong password policy with multi-factor authentication, enforced for every account
Spam filters, which reduce the chance that you or someone else in the C-suite sees the spoofed email in the first place
Up-to-date malware protection

And above all, stay informed about scams and schemes like these. Criminals constantly adapt their strategies. Don’t fall for it. Follow our blog to stay up-to-date.