Most people have heard of phishing and have an intuitive grasp of what it means. Images come to mind of bright shiny lures tempting hapless fish into taking a bite of something that will cause their demise. Indeed, the concept holds true whether you're a rainbow trout or a run-of-the-mill worker idly surfing the web at your desk. But unlike fishing in the traditional sense, with its watchful serenity or, to some, unrelenting tedium, what does phishing entail in the virtual world of hackers, malware and data loss?
Phishing scams usually involve fraudulent emails from cybercriminals pretending to be someone else in order to steal money, information, or a person's identity. These emails are especially harmful to businesses, where a single employee who accidentally opens the wrong email and its attachment can bring a whole company to its knees.
Phishing scams have been around for a while, but people still fall for them all the time. A recent study found that, on average, people open one in every three phishing emails, and the FBI notes that such scams have resulted in losses of $3.1 billion worldwide. With the recent rise of malicious software (aka malware) such as ransomware, phishing emails have become more harmful than ever before.
Hackers Get Creative
There’s an impressive array of phishing scams out there, angling to snag unwary users. Here are some common types to watch for:
- Spear Phishing refers to emails tailored to a specific individual, using details the attacker has gathered about that person, that trick them into performing an action (like clicking bad links or downloading infected attachments) or giving out personal information (like banking details and passwords).
Hackers will use social media posts to see where victims have been, where they're going, and what they recently bought. For example, if hackers see a tweet that you recently bought a new iPhone on Amazon, they might send you an email like the one shown here, appearing to come from Amazon and urging you to click on a link. Once you click, you're directed to a legitimate-looking webpage that requests updated credit card information, which goes straight to the hackers.
- Soft Targeting refers to emails that target large groups of people who all share an attribute, like the same job title. By using vague language, the scammers can successfully target different people using the same email.
One popular soft-targeting scam involves sending HR departments fake resumes that carry ransomware. As shown in the image below, the attachment is often a .zip file, which can hide all sorts of malicious files inside: an executable given a misleading double extension such as resume.pdf.exe, or an Office document whose macros fetch the payload. When an employee opens the "resume", the ransomware runs on their computer, putting valuable information and entire businesses at risk.
- Whaling refers to scams that target senior executives who likely have access to large amounts of money. Before attacking, hackers may comb through social media posts to learn the names of key executives, payment schedules, and anything else that will help their emails look convincing.
Last year, a Mattel finance executive was the target of a whaling scam when she received an email purporting to come from the new CEO, requesting a large transfer of money. The executive sent off $3 million, only to realize her mistake a few days later. Mattel eventually got its money back, but only because a banking holiday delayed the transfer.
An Ounce of Prevention
Although there’s no way to eliminate all threats, there are several simple techniques you can adopt to prevent a phishing attack or mitigate one after it happens.
- Educate Users: Educating users about safe browsing practices, the consequences of malware infection, and the latest threats is an important first step. It also helps to involve departments other than IT. To supplement user education, many companies run mock phishing exercises, where IT sends out emails that simulate popular phishing scams and gathers data on who clicked, who entered credentials, and who reported the email. Such testing shows whether employees are disregarding guidelines and putting the company at risk.
- Create Unique Passwords: An estimated 63% of data breaches involve overly simplistic passwords or passwords reused across different accounts. While it may be difficult for users to remember several complex passwords (a password manager solves that), a distinct password for every account limits the damage when one is phished: the attacker cannot replay it against the victim's other accounts.
- Flag Outside Emails: Scammers often send from domains that look similar to the company's own (a transposed or substituted letter, or the same name under a different top-level domain) to trick employees into thinking the sender is a coworker. For this reason, it's important to flag all emails that arrive from outside the company, for example by prepending a warning tag to the subject line, so employees think twice before clicking links or sending money.
- Limit User Privileges: Because workers with administrative privileges have access to more systems and data, they're a favorite target of hackers, and any malware that runs under their account inherits those rights. Limiting the number of people with such privileges, and having administrators use a separate, unprivileged account for email and browsing, makes it much harder for hackers to succeed.
- Disable Java and Macros: Malware is routinely delivered through booby-trapped Microsoft Office documents whose macros download and run the payload, and through script attachments such as .js files, both of which routinely slip past signature-based anti-virus. To address this, IT should disable Office macros by default (allowing only digitally signed macros where a business process genuinely needs them), uninstall Java where it is not required, and block executable and script attachments at the mail gateway.
- Back Up Data: Because prevention doesn't always work, a solid backup plan is essential. Keep several copies of your backups in different locations and formats, and make sure at least one copy is offline or otherwise unreachable from the production network: attackers now deliberately seek out and encrypt backup data, and a backup that sits on a share the infected machine can write to is no backup at all. Then, if a system becomes infected with malware, you can wipe it clean and restore from a copy you have verified is intact. Backing up to the cloud or to a dedicated colocated backup server adds built-in firewalls and other security measures on the provider's side. Signature-based anti-malware cannot keep up with ransomware's constant permutations designed to sidestep detection, so detection alone is not enough. Nor is paying the ransom a way out: payment doesn't guarantee you will get your data back, since key corruption and other failures can leave you permanently locked out and, depending on the size of the business, force it into failure. It takes a two-phase approach, leveraging detection technologies and backup together, to be better protected. The particular benefit of the cloud is that it isn't on-premises, and depending on how the vendor has designed the architecture it can be immune to infection by the same malware. This is an advantage of being cloud-native rather than retrofitted to the cloud.
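The gateway-side checks behind the Flag Outside Emails and Disable Java and Macros items, applied to the .zip resume lure described earlier, as an added example that is not part of the original article and not any vendor's product. It assumes a hypothetical organisation domain example.com, builds its own sample attachment in memory, and uses a simple edit-distance heuristic for lookalike domains; a real deployment would sit in the mail filter and would be tuned against far more sender data than this.

```python
import io
import zipfile

ORG_DOMAIN = "example.com"  # hypothetical organisation domain (assumption)

# Attachment types that should never arrive unflagged from outside the company
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "vbe",
                   "wsf", "hta", "bat", "cmd", "ps1", "jar"}
MACRO_ENABLED_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot domains one character away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """'Alice <alice@Example.com>' -> 'example.com'."""
    return address.rsplit("@", 1)[-1].strip(" >").lower()


def classify_sender(address, org_domain=ORG_DOMAIN):
    """'internal' for our domain and its subdomains; 'lookalike' for a domain that
    imitates it (same name under another TLD, or one edit away); else 'external'."""
    domain = sender_domain(address)
    if domain == org_domain or domain.endswith("." + org_domain):
        return "internal"
    label, org_label = domain.split(".")[0], org_domain.split(".")[0]
    if label == org_label or edit_distance(label, org_label) <= 1:
        return "lookalike"
    return "external"


def tag_subject(subject, verdict):
    """Prepend the warning the recipient will see in their inbox."""
    if verdict == "internal":
        return subject
    if verdict == "lookalike":
        return "[EXTERNAL - LOOKALIKE DOMAIN] " + subject
    return "[EXTERNAL] " + subject


def scan_attachment(name, data, depth=0):
    """Return findings for one attachment, recursing into .zip containers."""
    findings = []
    lowered = name.lower()
    ext = lowered.rsplit(".", 1)[-1] if "." in lowered else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"{name}: executable or script attachment")
        if lowered.count(".") >= 2:
            findings.append(f"{name}: double extension hides the real file type")
    if ext in MACRO_ENABLED_EXTS:
        findings.append(f"{name}: macro-enabled Office document")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if ext == "zip":
                if depth >= 2:
                    findings.append(f"{name}: zip nested too deep, not inspected")
                else:
                    for inner in names:
                        if not inner.endswith("/"):
                            findings.extend(scan_attachment(inner, zf.read(inner), depth + 1))
            # OOXML files (.docx/.xlsx/...) are zips; a VBA project inside one means
            # macros are present whatever the extension claims
            elif any(n.lower().endswith("vbaproject.bin") for n in names):
                findings.append(f"{name}: Office document carries VBA macros (vbaProject.bin)")
    return findings


def triage(sender, subject, attachments):
    """Combine the sender verdict with attachment findings for one message."""
    verdict = classify_sender(sender)
    findings = [f for name, data in attachments for f in scan_attachment(name, data)]
    return {"sender": verdict, "subject": tag_subject(subject, verdict), "findings": findings}


def build_sample_resume_zip():
    """Constructed sample, not a real lure: a resume.zip holding a double-extension
    executable, a .docx that secretly contains a VBA project, and a harmless text file."""
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        d.writestr("word/vbaProject.bin", b"\x00fake vba project\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("resume.pdf.exe", b"MZ\x90\x00fake executable")
        z.writestr("resume.docx", docx.getvalue())
        z.writestr("cover_letter.txt", "Dear hiring manager ...")
    return outer.getvalue()


if __name__ == "__main__":
    result = triage("jobs@examp1e.com", "Application for Analyst role",
                    [("resume.zip", build_sample_resume_zip())])
    print(result["subject"])
    for finding in result["findings"]:
        print(" -", finding)
```

The sender check deliberately treats a subdomain of the company domain as internal, which is only safe if the gateway also enforces SPF/DKIM/DMARC so that an outsider cannot simply forge a From header; the tag is a prompt for the reader, not a substitute for those checks.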
When someone falls victim to a phishing scam, immediately disconnect any infected computers from the network, not just the Internet, since ransomware spreads to file shares and other machines over the LAN, to prevent further infection or data loss. Report the incident to your local FBI field office and file a complaint with the IC3 at www.IC3.gov. True, you may not be able to undo a phishing scam. But if you've backed up everything across your enterprise, you can survive the ordeal with your assets intact and nothing more than a few scrapes and bruises to show for it.
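Before reconnecting to a backup after an incident, you need evidence that the copy itself was not reached by the ransomware. The following is an added example (not from the article or any backup product) of the simplest such check: a SHA-256 manifest taken while the backup was known-good, stored alongside the offline copy, and compared against the copy before it is trusted. The sample backup set and the "ransomware" that tampers with it are constructed in a temporary directory; the file names and contents are invented for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256.
    Generate this while the backup is known-good and keep it with the offline copy,
    where the machine being backed up cannot overwrite it."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare a backup copy against its manifest. Files encrypted in place show up
    as 'modified', deleted ones as 'missing', dropped ransom notes as 'unexpected'."""
    current = build_manifest(root)
    report = {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }
    report["ok"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo():
    """Constructed scenario: snapshot a small backup set, confirm it verifies, then
    simulate ransomware reaching the copy (one file encrypted in place, one deleted,
    a ransom note added) and verify again."""
    with tempfile.TemporaryDirectory() as root:
        files = {"docs/report.txt": b"Q3 numbers",
                 "db/customers.csv": b"id,name\n1,Ann\n",
                 "notes.txt": b"todo"}
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)  # untouched copy passes

        with open(os.path.join(root, "docs", "report.txt"), "wb") as f:
            f.write(os.urandom(32))  # stands in for ciphertext written over the file
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "README_DECRYPT.txt"), "wb") as f:
            f.write(b"pay us")
        tampered = verify_backup(root, manifest)
        return clean, tampered, manifest


if __name__ == "__main__":
    clean, tampered, _ = demo()
    print("clean copy ok:", clean["ok"])
    print("tampered copy:", tampered)
```

A manifest is only as trustworthy as its storage: if it lives on the same share as the backup, the attacker can simply regenerate it after encrypting the files, so keep it on the offline media or sign it with a key the backup host never holds.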
To learn more about how to minimize the impact of malware with backup, download our Insider’s Guide.