Phishing is a method of using misleading e-mails and sites to obtain personal details. What is scary is that the hackers have turned it into art: focusing on emotion, allowing victims to let their guards down, for one click. Learn more about how hackers are phishing during this Pandemic.
Would you hand over the keys to your car to a stranger? Sounds kind of silly right? What about the keys to your house? “Can this get any sillier,” you might ask?
Unfortunately, handing over passwords and personal details of our digital accounts is tantamount to handing over the keys to both our cars and houses to hackers.
And it’s not just regular folks too.
In 2016, hackers managed to get Hillary Clinton campaign chair John Podesta to cough up his Gmail password. This was considered one of the most consequential phishing attacks in history.
Remember that year when several celebrity personal photos and videos were leaked to the public? Initially, it was thought of as a weakness in Apple’s iCloud data management system. It turns out it was primarily due to phishing. If it can happen to them, what more to us?
Here at ITS, we protect businesses from these unwanted attacks. We have done thousands of network assessments and can quickly identify gaps in company technologies that we report to client ownership and management.
We’d like to help you with this article on how to best look out for yourself and your company, during these times of pandemic. Because not only is there a sense of urgency within your company and staff, but from hackers as well.
What is Phishing?
Phishing is a method of using misleading e-mails and websites to try to obtain personal details.
What is scary is that the hackers have turned it into art: focusing on emotion, allowing victims (A.K.A you and me) to let their guards down, for one click.
And just like door-to-door food deliveries during these times of pandemic, hackers are coming right into peoples’ homes.
One piece of spotted malware alerted victims: "Just because you're home, doesn't mean you're safe," according to Cyber Security Firm Nocturnus.
They are brazen enough indeed to actually send this message right before demanding payment to unlock data.
Phishing Examples: Top 10 Social Media Email Subjects
Check out the subjects that hackers have chosen, and try to see if you can resist opening messages with subjects such as these:
- “Join My Network!” (LinkedIn)
- “Profile Views.." (LinkedIn)
- “Add Me” (LinkedIn)
- “New Message” (LinkedIn)
- “Password Change.." (Facebook)
- “Primary Email Changed" (Facebook)
- “Your Friend Tagged a Photo of You (Facebook, Instagram)
- “New Voice Message At…”
- “Your password was successfully reset)”
- “Login alert for Chrome on your mobile phone”
We can see from the top four headlines that LinkedIn is now a favorite among hackers.
From a hacker’s point of view, LinkedIn is the new candy store: victims are immediately identified, what companies they work for, their current position, and possible contact information.
It’s almost like LinkedIn did the job for them in terms of targeting their next victims.
Second to LinkedIn are popular social media pages such as Facebook and Instagram with alert messages that tug at the heart – “Your Friend Tagged a Photo of You.”
We would never associate your friend and that photo with hacking, right?
This is exactly what hackers pounce on: letting our guards down into thinking that LinkedIn and Facebook (companies with strong brands) are actually the ones messaging us.
Phishing Examples: Top 10 General Email Subjects
On a personal level, these are the subject headers that hackers use to get you to open their messages:
- “De-activation of Your Email in Process”
- “A Delivery Attempt Was Made”
- “You Have a New Voicemail”
- “Failed Delivery for Package #5357343”
- Staff Review 2018
- Revised Vacation & Sick Time Policy
- APD Notification
- “Your Order with Amazon.com”
- “Re: W-2”
- “Scanned image from MX23IOU@[domain]”
Can you imagine Amazon sending you an update on deliveries for your purchases from Thanksgiving and Christmas? Wouldn't you want to open that email and track that package quickly?
How to stop phishing attacks?
You should introduce proactive steps to protect your business, including:
- Inbound email "Sandboxing" -- testing the safety of each connection a user clicks on.
- Inspecting and evaluating web traffic
- Rewarding good conduct, if anyone spots a phishing text, maybe by displaying a "catch of the day"
- Create off-site backups of your data in case of a breach
- Limit employee access to sensitive data
When it comes to personnel training, take these additional steps to protect yourself and your business from spam and other cyber attacks:
- Warn employees about malicious websites
- Train employees to spot phishing emails
- Never send private information over email
- Don’t open attachments
- Ask employees to update their passwords to protect their home WiFi network, especially if they connect to your systems from home.
On a personal security level, you can do the following:
- Before you click or enter sensitive information, always check the spelling of URLs in the email links.
- Watch for URL redirects to subtly take you to another website with the same design.
- If you receive an email from a source you know, but it seems suspicious, instead of just hitting reply, contact the source with a new email.
An Ounce of Managed-IT Services...
Doubling up on defense is the safest way to prevent phishing assaults. Anti-malware programs and powerful firewalls prevent, track, and delete malicious files on your computers and systems. Invest in good security software.
It is also well worth urging workers to log in only to HTTPS-protected websites. In addition, search for open ports on a regular basis that could expose your networks to cyberattacks.
Doing all of these by yourself is definitely possible. Partnering with Intelligent Technological Solutions to protect your organization from these hazardous and devastating kinds of phishing attacks would be more efficient, effective, and ultimately, cost-friendly.
At ITS, we can help you build and execute a robust cybersecurity plan and a security awareness training program that lets you focus on your core business.