Tag Archives: Phishing

Pop up stating Your Files Are Encrypted. Hackers will encrypt your files with Ransomware and charge you to buy an encryption key to restore access to your data.

3 Ways to Avoid Phishing Attacks

by

By all accounts, phishing attacks are the favorite tool of hackers. Phishing is the internet equivalent of throwing bait out and waiting for someone to bite. Phishing attacks can be utilized to gather protected information like bank accounts, dates of birth, passwords and social security numbers, or to deliver malware and viruses to your device. Learning how to identify and respond to phishing attacks will help you and your employees protect your data, your profits and your productivity.

Here are 3 ways to avoid phishing attacks to yourself and your business.

1. Knowledge is Power

Educate your employees and yourself.

Trained employees can identify threats and avoid clicking on dangerous links. Employees must know why and how hackers access their data. Training on the latest hacker techniques arms your employees with the tools to defend your data.

Phishing emails are often topical. At the time of this blog, COVID-19 dominates the headlines worldwide. Hackers have responded with phishing emails about stimulus checks, how to prevent or cure the virus, offers for relevant items and charities requesting donations on behalf of victims. Additionally, they have sent emails spoofing the World Health Organization (WHO) and Centers for Disease Control (CDC).

Phishing scams also rely on hot-button issues like political trigger points. They might provide topics such as “Trump Locks Up Hillary” or “Trump’s Tax Returns Released.” They could promise sensational riches such as “Click here to learn how we made millions while working from home.” They could entice using the sex sells method: “Taylor Swift laptop hacked. Click here to see her sex tape.” Additionally, hackers often impersonate well known and trusted entities such as Amazon (like the pictured example below), Microsoft, UPS, FedEx and common banking institutions.

In addition to training, you should test your employees with phishing simulators. All it takes is one employee. You should know who in your organization is the weakest link, and help strengthen them.

The right cyber-security training can benefit anyone in both their personal and professional lives.

An example of a phishing email designed to look like it came from Amazon with markings to indicate the identifiers that differentiate it from a regular email.
An example of a phishing email with notations

2. No Target Too Small

Don’t assume you’re a small target. Unlike actual fishing, hackers don’t care how small their catch is. Your data has a value. Small businesses and individuals that believe they are too small are playing right into the hands of the hackers.

For a moment, imagine that you logged into your computer this morning and found all your sensitive data encrypted. A few minutes later, you receive an email demanding money for the encryption key to get your data back. How much is that worth to you? How much will you pay? Normally, hackers will only give you a limited amount of time to respond before the price rises or other consequences occur.

In addition to the threat of losing your data, ransomware hackers in recent weeks have started threatening to release stolen data to friends of the victim or the public. Consequently, this has added an additional urgency to the decision to pay a ransom.

Ask yourself what data do you have in your computer that you are willing to lose?

  • Wedding photos? Photos of the birth of your baby?
  • Private selfies?
  • A medical history form you completed for your doctor?
  • Drug use?
  • Sexual history, or orientation?
  • Prior criminal record?
  • Your viewing history?
  • Pictures of family members that have died?

Hackers don’t care how small your business is. They know the value of your data. Therefore, you should too.

3. Don’t click or forward

If you or an employee suspects an email or message is “phishy,” don’t click any links (including the unsubscribe button) or open any attachments. If necessary, look up the phone number of the sender and contact them to verify that the email is valid. Also, don’t forward the email to a co-worker to ask for their opinion. Finally, don’t reply to hackers. Hackers will attempt to convince you that their email is valid.

Conversely, when notified after an employee has already clicked on a link or opened an attachment, contact your IT provider and notify them immediately. In many cases, malware hides to spread to other devices in the network. The faster an IT person can investigate and abate the threat, the more likely they can prevent further damage.

As a side note, C-Level Administrators, please be patient with employees that report clicks. Phishing attacks are getting much more difficult to spot since the days of the “Nigerian Prince” emails. Making timely notifications to supervisors and IT personnel should be considered a positive response.

Conclusion

In conclusion, Phishing emails are the most common forms of attack. Approximately 90% of phishing attacks arrive via email. Having a spam filter can reduce the amount of emails that have to be evaluated by employees and subsequently reduce risk.

Finally, backup your data. Employees make mistakes every day. Having the ability to recover quickly from an attack is invaluable. If your cyber-security budget is limited, start with backup.

Data Breach Malware Cyber-security

PowerPoint Malware Phishing Hack

by

The threats in cyber-security are constantly changing. Cyber-criminals are finding new delivery methods to defeat your cyber-security methods. Now, hovering over the power-point attachment in a phishing email can infect your computer with malware.

Power-point attack changes the game.

Here is a reminder that you need to be on alert for phishing emails that contain malicious attachments.

Currently there are emails going around with a malicious PowerPoint file attached. If you simply open this attached file, your computer can become infiltrated with Ransomware, and your computer and even your organization’s network can be taken hostage.

Here is the worst part: if you move or hover your mouse over a link in the attachment without even clicking on it, your computer can instantly be compromised. The subject lines of these emails can vary greatly, but some of the reported emails have had subject lines similar to ‘Purchase Order #130527’ and ‘Confirmation’.

These short tips will help you prevent infection:

  • Were you expecting the email? If not, don’t open it.  If you do open it, never hover over or click the attachments!
  • Does the subject line of the email seem like something you weren’t expecting, out of the ordinary, or irrelevant to the message content?
  • Have you ever talked to the sender of the email? If you weren’t expecting an attachment, call them to determine if they intended to send you this attachment. The email could be from a hacker spoofing their email address or sending malicious attachments from their email account.

Currently, this is only relevant to power-point attachments.  It would not be surprising to see it evolve to all Office apps in the future.  Stay safe by staying aware!

Our partner, KnowBe4, must be acknowledged for contributing to this blog.

Be sure to follow us on Facebook, Twitter, Google+, and LinkedIn for updates on cybersecurity and technology. Contact us with any questions or concerns you have about your technology! 

scam of the week: google docs phishing scam

KnowBe4 Scam Of The Week: Massive Google Doc Phishing Attack

by

Think Before You Click On Random Google Doc Invitation Links!

A very convincing Google Docs phishing scam raced through the internet last week. The scam spread almost as fast as a real computer worm, but it was driven by social engineering instead. It appears that a million people fell for it in less than an hour. It was so effective that even if you didn’t receive this email, you probably know someone who did.

The email appeared to be someone you know sharing a Google Doc with you. If you clicked the link in the message, it would have asked you for access permissions to your Gmail account, which the actual Google Docs links would not need.

If you had agreed to give permissions, it would have allowed a malicious third-party web app named “Google Docs” to access your email and address book. It would have spammed everyone in your contacts with the same link to that bogus Google Docs file. Your contacts, in turn, would email everyone in their contacts, and so on, like a human-powered computer worm. All of the emails included the same recipient email address of @mailinator.com. The actual recipient was blind carbon copied (BCC’ed) on it.

Below is an example of what the email looked like:

phishing attack example
A person who is watching out for red flags in emails would have decided that this email was unexpected and suspicious. Were you expecting a Google Doc invitation from this person? Provided you were expecting something, is the name of the shared file relevant to what you were expecting? If not, hit that delete button, or report the message to your IT team.

If you’re unsure about whether it is safe or not, contact the person who sent it through a different method (other than email) to ensure it is legitimate. Be vigilant and keep yourself and your organization safe. Always Think Before You Click!

 

Be sure to follow us on Facebook, Twitter, and LinkedIn for updates and news on cyber-security and technology.