Something Phishy in Cyber Security
Phishing scams have become more prevalent than ever, and many businesses continue to fall victim to them. It happens to the best of us, and it’s a serious problem; one that compromises any business that falls prey to it. The company may lose data, become a victim of intellectual property or identity theft, or even defamation.
Phishing scams disrupt operations which may lead to losing money and clients. Their impact on businesses’ reputations can be devastating and difficult to recover from.
From 2013 to 2015 alone, Facebook and Google were scammed of $100 million through a prolonged phishing campaign. As both companies used the Taiwan-based vendor, Quanta, the phisher was able to hit two birds with one scam. The phisher fabricated invoices that it sent to the media giants under the guise of Quanta. Not doubting that it is their vendor, Facebook and Google paid for them.
Facebook and Google uncovered the phishing campaign and took the case to court. The authorities caught the attacker in Lithuania and the companies got back $49.7 million of the $100 million stolen.
With Facebook and Google’s level of reputation, influence, and net worth, springing back from this financial blow may prove easier. The same cannot be said of relatively smaller or medium sized companies (SMB).
If you own an SMB or startup and want security tips to strengthen your defense against phishing scams, we are here to help!
Here are 10 security measures to protect your business from phishing scams, as well as how to identify them in order to prevent disaster before it even has a chance.
How to Safeguard from Phishing Campaigns
1. Know the Enemy
The first thing you have to do is recognize when a phishing attempt appears. Cybercriminals pretend to be legitimate entities. They trick unsuspecting individuals into giving them otherwise sensitive information. These data may include bank account details, credit cards, and passcodes.
Their aim for procuring these data is simple: to access your accounts and steal valuable data from them. It is a form of corporate espionage that often results in a company’s compromised reputation.
Emails are the channels by which phishing campaigns are executed. Fraudulent email accounts may direct to fake websites that only harvest corporate or even banking data. However, if you have the right cybersecurity provider, any accidental clicks might not spell complete disaster.
There are four types of phishing attacks:
Clone Phishing
This phishing campaign type sees hackers create copies of real emails that appear almost identical, hence the name. The hackers pretend to be well-known institutions and organizations to get confidential information from companies and their employees.
Spear Phishing
Spear phishing target specific individuals or companies. These fraudsters do their due diligence to know everything about the individual they want to scam. They will exert every effort to gather the information that would make them look credible to their target.
Tech Support Phishing
This phishing scam convinces the victim that their computer units have been infected by malware. Pretending to solve the problem, the hacker will propose to install software that gives them remote access. But of course, this software is the malware that will harvest your valued data.
Whale Phishing
As the name suggests, this type of phishing scam goes after high-profile professionals and those with notable positions.
Learning about these phishing techniques makes you conscious of the possible linguistic measures hackers will take to make you believe them.
2. Use Security Software
Installing security software should be one of your priorities in setting up your employees’ online accounts. This software does not have to be sophisticated.
These may include automatically updating antivirus programs, firewalls, and spam filters. Web filters are also a potential defense against malicious websites.
It’s also important to update your software regularly. When you ensure security patches and updates, you will keep phishing campaigns at bay.
As a business owner, you have to secure the necessary updates for your security software, operating system, browsers, and other pertinent applications.
One such way to ensure reliable updates is through partnering with a Managed IT security services provider (MSSP).
3. Partner with an MSSP
Business owners should be vigilant. If they are not, they at least have to enlist the help of tools and cyber security experts that could protect their digital valuables.
An MSSP allows businesses to focus on their growth and general operations, while they take care of cyber security and managing their IT. And if a phishing scam ever pops up, they’ll know and be able to act defensively before it has a chance to cause any real harm.
Of course, this does also rely on how knowledgeable and capable the MSSP is. A way to know for sure is if they are certified in any data compliance standards, such as FINRA, HIPAA, or SOC regulations. This ensures the IT provider has been audited by a third party, and they have the processes in place to deal with cyber threats.
4. Fortify Accounts Through Multi-Factor Authentication
Apart from implementing stringent password protocols, business owners should also use multi-factor authentication across all their company accounts. This stumps hackers and potentially leaves them unable to access the second step to open these accounts.
5. Backup Your Data
Apart from storing your files and data in your computer, you may put them in other safe storage like external hard drives. The only drawback being is that this is susceptible to physical damage and worse, may even be stolen.
You may also save your data in the cloud. Just make sure to regularly test your data backups so you don’t accidentally create a different, potential worst-case-scenario disaster like the one in this video.
How Can I Tell the Difference?
It can be exhausting to constantly have your guard up when sifting through potentially dangerous emails. But there are several ways to immediately point them out, sometimes even before you open the email. Here are 5 ways to help identify phishing emails!
1. The Sender Email and Subject Line
One of the simplest ways of identifying a phishing email before you even open it is by looking at the subject line and sender’s email address. Does the subject line have poor grammar or misspellings? Is the email address a bunch of numbers and letters with an email domain that’s slightly modified? Especially be on the lookout for when a recognizable email domain has a lowercase L or uppercase i, as they can be substituted to create a fake email.
2. Poor Grammar or Misspellings
As previously mentioned, an email having poor grammar or misspellings is the age-old way of identifying suspicious emails. This is because many cyber-criminals are just rushing through developing scams that they don’t have time to use grammar checks. So are you being addressed with your name spelled correctly? Is the punctuation all over the place? These are the most basic points to keep in mind.
3. Asking for Sensitive Information
Once you’ve used the previous points to observe an email before opening it, now it’s time to check what’s inside. If the sender is asking for any personal or sensitive account login or client information, that should be an immediate red flag. And when in cases where the email is coming from someone you know, on your team or an email you were expecting, just make sure to have verification measures in place. Call the individual or message them on any collaboration applications (or both, when applicable) to verify it was them who sent the email before sending any important data.
In some cases, you don’t even have to share login information over email or instant messaging. Cloud platforms such as Workplace allow you to securely share application logins or files, so such things don’t have to be constantly copied and pasted among members of your team.
4. Email Mimicry
Another simple, but sometimes effective way scammers try to deceive people is by using Email Mimicry, where they try their best to recreate a companies’ look in their emails and then proceed to ask for information.
Recently, there have been an increased abundance of reports of people receiving emails from services they either don’t use or just don’t regularly receive email updates from, a common example being fake email addresses from McAfee. Many people use their services, and these potential targets might receive emails saying either their accounts were disabled or payments were rejected, and then are offered a link to log-in or send payment information.
On the other hand, people who don’t use their services might receive an email saying they were charged for service, or possibly will be held liable if they don’t complete some kind of task. This can create confusion or panic in some people and rush to contact the “service” (aka the hackers) using contact information within the email. From there, the hacker who contacts them can proceed to lead them to providing device login or payment information in their process to “check if everything is alright”. Make sure to always double check online for what the verified contact information is for a company or service, because mistakes do happen, and people get mischarged for services all the time. This is what hackers rely on to make people second-guess and cause panic.
5. Never Immediately Click on Links
Last but certainly not least, never immediately click on links in potentially dangerous emails. While there are plenty of harmful link checking integrations in services such as Barracuda, you can always do a bit of due diligence beforehand. Always hover over links before clicking them, this will show you where a hyperlink will lead to. If the email for example has a link “youtube.com”, but when you hover over the link it goes to a different website, immediately flag the email. If your email application is doesn’t have this feature, you can always right-click and then copy the hyperlink from the text and paste it into a text editor to check (never paste it into a search engine URL bar, just to be safe).
And finally, if you’ve tried all these checks and still aren’t 100% sure, you can always forward the email to your IT department or provider to check for you by using their cyber security tools. Many, if not all MSSP’s should allow their clients to do this regularly for their own safety!
Do Not Be Deceived
Awareness and an efficient data loss prevention (DLP) strategy secures your business’ earnings and reputation. In a world operated by clicks and disinformation, business owners need to sharpen the data presented to them. The gap between reading and submitting a request is crucial to keeping bad online actors out of your company server.
If your business is interested in fortifying your cyber security, maybe want to have your current IT audited, or possibly have recently fallen victim to a phishing attack, contact Nerds Support today! We’ll show how we can help strengthen and educate your business to make sure the next time hackers put out their phishing bait, it falls into dead waters.