If you and your employees have noticed an increase in phishing attempts at work and at home since the beginning of the COVID-19 pandemic, you’re not alone. Phishing perpetrators and hacking experts have taken advantage of the widening of company infrastructure – via working from home and other remote access points – and are now more successful than ever in their attempts to siphon data from unsuspecting employees. According to the second Abnormal Security Quarterly BEC Report, phishing incidents involving payment and invoice fraud increased by 112% between Q1 2020 and Q2 2020 when the novel Coronavirus was first making landfall in the United States.
Payloads
There are two very different kinds of phishing attacks, but they both can carry one of four payloads: ransomware, spyware, “dummy site” links, or direct money transfer requests.
Ransomware will, upon downloading an infected file, lock down all of the user’s data files and change the file extension. This will render the files inaccessible to the user; generally, a message requesting payment will appear if the user wants their files back. It should be noted that users should never follow through with the payment, often requested in cyber currency.
Spyware downloads through an attachment or background application on a website; these tiny programs essentially log inputs that you enter into the computer: bank logins, social media credentials, etc. This information is highly valuable and will either be sold or used by the spyware coder in a variety of ways.
Phishing can also occur through the use of “dummy sites”. These are websites made to look similar to the real website, asking you to input your username, password, or reset your credentials. Sometimes “dummy sites” will also ask you to update or verify your billing information. It is very important to examine the hyperlinks within emails prior to clicking on them.
The final payload relates to direct requests for money. Often posing as a family member, friend, or well-loved organization, these phishing emails will ask for donations or sums of money to be sent via cyber currency or wired transfers. Some perpetrators will also request money orders and cash sums. Always connect with family and friends to verify that they did not send these requests.
General Phishing
The first type of phishing attempt is known as general phishing; this attack is generally target-less, often being sent from a number of source emails to a massive email list garnished from any number of sources. These phishing emails usually seem unsophisticated and contain a fair number of errors and spelling mistakes; this is intentional and will often hook even the smartest of us.
What to look out for:
- Typos and spelling errors – The spelling errors are often intentional because they are trying to hook less wary users (these attacks rarely hook prepared users). They are typically designed to filter out the prepared and target the gullible.
- Sender address makes little sense in relation to who it should be from
- Embedded links (on hover) forward to unexpected or odd domains
An example of a general phishing attempt might be an email claiming to be from Paypal that says your account has been compromised. The email might look similar to a valid email from Paypal, except all of the images are low quality and the sender address is something like “noreeply@upaypall.com” when you expand the Paypal name in the “from” field.
General phishing emails will often claim to be a site or service and request that you reset your password, update your billing information, or renew a subscription. It’s important to look very carefully at these emails because they will often route through the correct domain in an effort to appear more legitimate.
Spear Phishing
This is simply a fancy name for targeted phishing attempts. These usually occur within organizations, using public-facing information (names, resources, PR) to make the emails appear legitimate. While spear phishing emails are most common within the setting of a business, they are never internally sent; this means that warnings about externally sent emails can be an effective way to avoid spear phishing.
There are two types of spear phishing that companies should be on high alert for: money order phishing and ransom or spyware phishing. If someone within the company is requesting money via a strange channel – i.e. iTunes gift cards, prepaid visas, or money orders – you should have your employees report the email right away.
In addition, emails that request that a file be downloaded through a suspicious website should be cleared with IT. Ransomware (CryptoLocker virus) is a devastating infection for businesses as it locks everyone out of the data files necessary for normal operation. Ransoms are usually large sums of cryptocurrency and are the only way out of a CryptoLocker infection – unless there is a good, recent data backup on the cloud or on-site. Occasionally, a dedicated security firm has to be called in to work with investigators from the FBI – especially for larger companies. The business then has to coordinate with the security firm, their insurance provider, their insurance providers’ security firm (if they choose to bring one), and law enforcement. Often, they also have to coordinate with dedicated “hostage” negotiators if they are unable to restore their data in order to secure a more reasonable ransom payment. Unfortunately, even paying this ransom does not always work, as these malicious actors will often request a second ransom after the first is paid. Businesses that have been hit by a crypto infection can be down for many months, with many more months before they return to full production. It’s obviously better to do as much to avoid this situation in the first place as possible via the right products, policies, and training.
The “Tells”
It can be extremely difficult to distinguish a phishing email from the real deal sometimes. Here are some questions to keep in mind when you train your employees to avoid phishing scams:
- Were you expecting this email?
- Are there many spelling mistakes and typos?
- Does the domain (@companyname.com) match what you are expecting?
- Do the hyperlinks (https://….com) make sense? You can hover your cursor over these links to check where it routes.
- If the email comes from an internal user, are they requesting money in an odd way or asking for payment on invoices they don’t usually send?
- Does the email pertain to an application or service you don’t actually use?
Be Wary
Again, train employees to be on the lookout for the same indicators above, but also be mindful of the information that is within the email. Just because the “from” field claims to be a person you know or work with, doesn’t mean that person is responsible for the email. Accounts can be hacked, and spoofs can be fabricated. When in doubt, email users shouldn’t click any hyperlinks within the email or open any attachments; instead, they should reach out to that person via a different platform and attempt to confirm the identity of the sender.
Within a corporate or business setting, the IT department should be available for clarification; tell employees to use extreme caution when dealing with potential phishing emails. The implications for a successful phishing attempt on the company are so massive that monthly training with a company like KnowBe4 should be considered – you may also want to have IT send out periodic test phishing emails to see who might need more training. KnowBe4 also does the phish testing/ongoing testing as well as training, so it is an all in one solution for companies.
There are also free/open source tools that IT departments can use that typically do not include training, such as Go Phish, and spam filtering apps (the first line of defense) such as Mimecast, Barracuda, and Spam Titan.
Above all, try to prevent phishing attempts from having an impact. Update malware scanners and firewalls often, train your employees well and apply an external email disclaimer to your email server. If you can stop phishing before it occurs, you can prevent untold amounts of damage being done to the company’s name, data, and finances. If you wish to work with a knowledgeable partner in your defense against phishing attacks, Source1 Solutions is here to help; schedule a consultation with us today to discuss your business and its readiness to resist phishing.