Protect Yourself from Phishing Scams

Data breaches generated through emails are the primary channel for hackers to access your company’s data. Phishing attacks are so frequent and successful that the Health and Human Services Office for Civil Rights devoted an entire newsletter about basic phishing information in February 2018. OCR is not the only government agency that’s concerned about email breaches. The IRS and the FBI recently sent out an alert to businesses warning payroll and human resources professionals of a dangerous Form W-2 phishing scam that victimized hundreds of organizations and thousands of employees during the last two tax seasons – and is affecting the uninformed again this year.1 Phishing continues to plague many industries, and it is increasingly sophisticated, making it easy for your company to become a victim.

A Phishing Primer

Phishing is when a target(s) is contacted by email, telephone, or text message by someone masquerading as a trusted entity to lure individuals into providing sensitive data like personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss. Phishing can take different forms with each type getting trickier to detect.

Spear Phishing

Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization, or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer. Spear phishers often use sites like LinkedIn to target their victims and gather specific information on them, then send emails that could plausibly look like they’re coming from co-workers. Attackers will also use social media pages like Facebook to determine their targets’ specific interests and close friends and family names (including children). While you may not fall for all phishing emails, one that includes your child’s name, for example, would likely warrant immediate attention. A human resources employee of Lincare Holdings fell prey to a phishing attack sending unencrypted personally identifiable information to a third party purporting to be from a senior-level executive. The employee ended up sending the names, addresses, social security numbers, earnings information, and more, of current and former Lincare employees to the third party.2

Whale Phishing

Whale phishing, sometimes called just whaling, is a form of spear phishing aimed at the big fish in a company, including— CEOs or other high-value targets. Many times, whale phishing scams target company board members. Since some board members aren’t full-time employees, they often use personal email addresses, which doesn’t often have the protections offered by corporate email. Whaling emails are designed to seem like a critical business problem and may even be from a legitimate authority, either externally or even internally from the company itself. Do higher-ups really fall for such scams? The 2008 FBI subpoena whaling scam is a prime example. When 20,000 corporate CEOs were attacked, about 2,000 of them clicked a link that they thought would download a special browser add-on to view the entire subpoena.3

Instead, the link was a keylogger that secretly recorded their passwords. Each of the 2,000 compromised companies were hacked even further after the attackers accessed their systems.

Smishing

Smishing is “the act of using mobile phone text messages (SMS) to lure victims into immediate action such as downloading mobile malware, visiting a malicious website or calling a fraudulent phone number.” Like phishing, hackers using smishing typically try to trick you into giving them your private information through texts, and the type of attack is becoming an emerging and growing threat in the world of online security. Learn more about smishing here.

What Can You Do To Stave Off Phishing Scams?

According to a 2016 report from PhishMe, 91% of cyberattacks start with a phish. With phishing in the news so much, why are so many people still falling for these types of cyber attacks?

The top reasons people are duped by phishing emails? Curiosity (13.7%), fear (13.4%), and urgency (13.2%), followed by reward/recognition, social, entertainment, and opportunity.4 Scammers know that playing off emotions works. How can you avoid falling victim to a phishing scam?5

  • Know how to identify suspect emails.
    • Study the actual images of the “company.” Many phishers can almost duplicate well-known companies’ images.
    • Don’t be fooled if an email contains just the name of a company or an actual employee of the company. This information isn’t proprietary.
    • Be wary of any email promoting gifts or prompting for any form of sensitive information
  • Stay abreast of the latest phishing schemes in the news. Scammers prey on victims during opportune times of the year, including tax season and big holidays like Christmas.
  • Consider an email asking for sensitive information or containing a link a scam until you can prove it otherwise. If in doubt, directly call the company to ask if they sent the email.
  • Any website requesting financial information should begin with “https” and there should be a closed lock icon near the address bar. Check for the site’s security certificate as well.
  • Use smart security protocols, including multi-factor authentication and firewalls; update anti-virus software and any available patches quickly.
  • Make employees aware of the following report from KnowBe4, a provider of security awareness training and simulated phishing platform:

10 Global Most-Clicked Global Phishing Email Subject Lines for Q3 2017 include:

  1. Official Data Breach Notification – 14%
  2. UPS Label Delivery 1ZBE312TNY00015011 – 12%
  3. IT Reminder: Your Password Expires in Less Than 24 Hours – 12%
  4. Change of Password Required Immediately – 10%
  5. Please Read Important from Human Resources – 10%
  6. All Employees: Update your Healthcare Info – 10%
  7. Revised Vacation & Sick Time Policy – 8%
  8. Quick company survey – 8%
  9. A Delivery Attempt was made – 8%
  10. Email Account Updates – 8%

*Capitalization is as it was in the phishing test subject line6

 

Staying aware of cyber attack tactics like phishing and doing what you can to help mitigate an assault on you and your company’s data are essential in helping protect your clients’ sensitive information. Knowledge is power; understanding the different types of phishing scams and knowing how to spot them can help prevent you from disaster.

 

  1. https://www.irs.gov/newsroom/irs-alerts-payroll-and-hr-professionals-to-phishing-scheme-involving-w2s
  2. https://healthitsecurity.com/news/employees-file-lawsuit-following-lincare-holdings-data-breach
  3. https://www.lifewire.com/what-is-whaling-2483605
  4. https://www.darkreading.com/endpoint/91–of-cyberattacks-start-with-a-phishing-email/d/d-id/1327704
  5.  http://www.phishing.org/10-ways-to-avoid-phishing-scams
  6.  https://www.knowbe4.com/press/knowbe4-releases-q3-2017-top-clicked-phishing-report