ISP Canada

Phishing Scams

We wrote recently about the threat of Ransomware. But there are other threats to be aware of, and one of the most prevalent is Phishing. Unlike Ransomware, Phishing is not a virus; it is a scam that tricks people rather than a piece of malicious software, and it can affect individuals, small and large businesses, and governments alike. Read on to find out what Phishing is, the risk it poses to your personal and financial information, and what you can do to identify and avoid it.


What is a Phishing Scam?

The Canadian Centre for Cyber Security defines Phishing as “an attack where a scammer calls you, texts or emails you, or uses social media links to trick you into clicking a malicious link, downloading malware, or sharing sensitive information. Phishing attempts are often generic mass messages, but the message appears to be legitimate and from a trusted source (e.g. from a bank or courier company).” So, like the word it sounds like, Phishing is a technique for luring you in like a fish to bite the bait on a hook. Once hooked, the scammer will try to reel you in to share identity information, passwords or financial information such as a credit card number.

There are several variations of Phishing. Again, using definitions from the Canadian Centre for Cyber Security…

  1. Spear phishing

    A personalized attack that targets you specifically. The message may include personal details about you, such as your interests, recent online activities, or purchases.

  2. Whaling

    A personalized attack that targets a big “phish” (e.g. CEO, executive). A scammer chooses these targets because of their level of authority and possible access to more sensitive information.

  3. SMiShing

    A phishing attack using SMS (texts). A scammer may impersonate someone you know or pose as a service you use (e.g. Internet or mobile provider) to request or offer an update or payment.

  4. Quishing

    A phishing attack using “quick response” (QR) codes, which a scammer usually sends via email. The victim scans the QR code, which redirects them to a malicious website. Quishing can bypass email security protections that scan for malicious links and attachments.

  5. Vishing

    Vishing is short for "voice phishing," which involves defrauding people over the phone, enticing them to divulge sensitive information. A scammer can use a voice over internet protocol (VoIP) system which allows caller ID to be spoofed to trick you into believing they are legitimate.

What happens during a common Phishing attack? First, the scammer creates a message that looks like a legitimate message you might have seen before from your bank, or from any other company you correspond or do business with. The scammer spoofs the sender address so the fake email appears to come from that company, then sends it to a list of recipients in the hope that someone will take the bait. Second, the victim receives the false email, which urges them to click a link and take urgent action to resolve some problem. If the victim clicks the link, they could be directed to a website that looks like the real one but is fake. If the victim then enters the login credentials for their email account, the scammer can access the victim’s email and send more phishing emails to the victim’s contact list, widening the attack. It may end there, or the scammer may use malicious software (malware) to take control of the victim’s computer to steal data, obtain credit card information, or infect the computer with Ransomware that locks all of their files so the scammer can hold them hostage and demand money to unlock them.
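The spoofing step described above leaves traces in the message headers that a receiving mail server records: the envelope sender (Return-Path) and Reply-To rarely match the displayed From domain, and the server’s DMARC verdict fails because the From domain is not aligned with anything that was actually authenticated. The following is an added example, not code from the original page or from the Canadian Centre for Cyber Security. It is a small Python triage script that applies those checks, plus a subject-line urgency check, to two constructed messages: one spoofed, one legitimate. Every domain, address, header value and the URGENCY_WORDS list are assumptions made up for the example.

```python
"""Triage the headers of a raw email for the sender-spoofing signs the
paragraph above describes.

Added example, not code from the original page. Both messages below are
constructed for illustration; every domain and header value is made up.
"""
import email
from email.utils import parseaddr

# Constructed: the From header claims the bank, but the envelope sender,
# Reply-To and the receiving server's DMARC verdict all say otherwise.
SPOOFED_RAW = """\
Return-Path: <bounce@mail-examplebank-alerts.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail-examplebank-alerts.net; dkim=none; dmarc=fail header.from=examplebank.ca
From: "ExampleBank Security" <alerts@examplebank.ca>
Reply-To: support@examplebank-verify.net
To: victim@example.org
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/plain

Your account has been locked. Log in within 24 hours to avoid suspension.
"""

# Constructed: the same bank, sent through its own infrastructure.
LEGIT_RAW = """\
Return-Path: <bounce@examplebank.ca>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.ca; dkim=pass header.d=examplebank.ca; dmarc=pass header.from=examplebank.ca
From: "ExampleBank" <statements@examplebank.ca>
To: customer@example.org
Subject: Your March statement is available
Content-Type: text/plain

Your statement is ready in online banking.
"""

# Assumption: a short list of pressure words; tune it for your own mail.
URGENCY_WORDS = ("urgent", "suspend", "immediately", "within 24 hours", "verify your account")


def domain_of(header_value):
    """Lowercase domain of an address header ('' if the header is missing)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts from the Authentication-Results header(s).

    Only the header added by your own mail server (the topmost one) should be
    trusted; anything below it could have been written by the sender, so the
    first verdict seen for each method wins.
    """
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:        # [0] is the authserv-id
            method, _, rest = clause.strip().partition("=")
            method = method.strip().lower()
            if method in ("spf", "dkim", "dmarc") and method not in verdicts:
                verdicts[method] = rest.split()[0].lower() if rest.strip() else ""
    return verdicts


def triage(raw):
    """Return a list of 'CODE: detail' findings; an empty list means nothing stood out."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    envelope_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"])
    verdicts = auth_results(msg)

    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"RETURN_PATH_MISMATCH: envelope sender {envelope_dom} vs From {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"REPLY_TO_MISMATCH: replies go to {reply_dom}, not {from_dom}")
    # DMARC ties SPF/DKIM to the visible From domain. In the spoofed sample SPF
    # passed, but only for the attacker's own domain, which DMARC alignment catches.
    if verdicts.get("dmarc") != "pass":
        findings.append(f"DMARC_NOT_PASS: dmarc={verdicts.get('dmarc', 'missing')} for {from_dom}")
    subject = (msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"URGENCY: subject contains {', '.join(hits)}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(name, triage(raw) or "no findings")
```

The spoofed message yields four findings (mismatched Return-Path, mismatched Reply-To, a failed DMARC verdict and urgency wording); the legitimate one yields none. Note that a user’s mail client only sees Authentication-Results headers because the receiving server added them; a script like this belongs on the mail gateway or in a help-desk triage tool, not in the inbox, and it should read only the header its own server wrote.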

The Canadian Centre for Cyber Security states that “phishing is the number one technique cyber criminals use to infiltrate your network to install malware/ransomware or steal your data.”

So what can you do about it?

Awareness is your number one defense. Here are some ways to tell if you are being phished…

  1. You don’t recognize the sender’s name, email address, or phone number (e.g. very common for spear phishing)

  2. You notice a lot of spelling and grammar errors

  3. The sender requests your personal or confidential information, or asks you to log in via a provided link

  4. The sender makes an urgent request with a deadline

  5. The offer sounds too good to be true

  6. The caller’s voice has a robotic tone or unnatural rhythm to their speech

  7. The call is of poor audio quality

Also, watch out for unsolicited communications with attachments, hidden links, spoofed websites, malicious QR codes, log-in pages, urgent requests, or prompts for personal information, and for callers who claim to be a government official or bank representative.

So how can you protect yourself? Again, being aware is the best defense.

  1. Verify links before you click them. Hover your mouse over the link to see the address it really points to, and check that the domain matches the sender and the site you expect

  2. Avoid sending sensitive information over email or texts

  3. Back up information so that you have another copy

  4. Keep your operating system (e.g. Windows) and your web browser up to date

  5. Use your e-mail program’s Junk filters to block unsolicited junk emails sent in bulk, and block IP addresses, domain names, and file types that you know to be bad

  6. Verify legitimacy with the sender through a channel you already trust, never through contact details supplied in the message (e.g. if you receive a strange call allegedly from your bank, hang up and call the number on the back of your card)

  7. Publish a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy for your own domain so others can reject mail that spoofs it, and use email filtering that enforces the DMARC policies of the domains sending to you

  8. Reduce the amount of personal information you post online (e.g. phone numbers and extensions for employees)

  9. Establish protocols and procedures for your employees to internally verify suspicious communications. This should include an easy way for staff to report phishing attacks

  10. Update your organization’s incident response plan to include how to react if you’re hit with a phishing attack

  11. Use multi-factor authentication on all systems, especially on shared corporate accounts such as social media accounts
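Item 1 above (hover over a link to see where it really goes) can be mechanised, and doing so shows what a hover is meant to reveal. The following is an added example, not code from the original page: a Python script that extracts the links from a constructed HTML email body and flags the tricks a careful hover would expose: link text that shows one address while the href goes to another, a brand name embedded in a domain the brand does not own, a username@host prefix that browsers ignore, an IP address in place of a hostname, and a punycode (xn--) hostname that may render as a lookalike. The brand list, the HTML body and every domain in it are assumptions made up for the example.

```python
"""Inspect the links in an HTML email the way a cautious reader does when
hovering over them: does the destination match what the link claims to be?

Added example, not code from the original page. The HTML body, the brand
list and all domains are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains you legitimately deal with (bank, courier, ...).
KNOWN_BRANDS = {"examplebank.ca", "examplecourier.ca"}

# Constructed body: one honest link and three that a hover would expose.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p><a href="https://www.examplebank.ca/statements">View statement</a></p>
<p><a href="http://examplebank.ca.secure-login-portal.net/verify">https://www.examplebank.ca/secure</a></p>
<p><a href="https://examplebank.ca@198.51.100.7/login">Log in now</a></p>
<p><a href="https://xn--exmplebank-9ub.ca/">examplebank.ca</a></p>
"""

# Visible text that looks like a URL or bare domain name.
_DOMAINISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive registrable domain (last two labels). Assumption for the example;
    real code should use the Public Suffix List so example.co.uk works."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Return the list of warning codes for one link; empty means nothing odd."""
    findings = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""

    if parts.scheme not in ("http", "https"):
        findings.append("NON_HTTP_SCHEME")
    # https://bank.example@attacker.example/: the browser ignores everything
    # before '@', but it is what a hurried reader sees first.
    if parts.username is not None:
        findings.append("USERINFO_IN_URL")
    labels = host.split(".")
    if len(labels) == 4 and all(label.isdigit() for label in labels):
        findings.append("IP_LITERAL_HOST")
    # Internationalised labels travel as xn--...; a lookalike character can
    # make the rendered name look identical to the brand's.
    if any(label.startswith("xn--") for label in labels):
        findings.append("PUNYCODE_HOST")
    # Link text that looks like an address but leads somewhere else.
    if _DOMAINISH.fullmatch(text):
        shown = text if "://" in text else "//" + text
        shown_host = urlsplit(shown).hostname or ""
        if registrable(shown_host) != registrable(host):
            findings.append("DISPLAY_TEXT_MISMATCH")
    # Brand name smuggled into a domain the brand does not control, e.g.
    # examplebank.ca.secure-login-portal.net or examplebank-verify.net.
    reg = registrable(host)
    for brand in KNOWN_BRANDS:
        if reg != brand and brand.split(".")[0] in host:
            findings.append("BRAND_LOOKALIKE")
            break
    return findings


def check_body(html):
    """Map every href in the body to its warning codes."""
    parser = AnchorCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, codes in check_body(SAMPLE_HTML).items():
        print("WARN" if codes else "OK  ", href, ", ".join(codes))
```

Only the first link comes back clean; the other three are flagged for the reasons a hover would show. The registrable-domain helper is deliberately naive; before using a check like this on real mail, replace it with a Public Suffix List lookup, otherwise two-level country domains produce false matches in both directions.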

It can take a lot of time and effort to implement these best practices, but Phishing scams are becoming more prevalent every day, so being diligent is key. If you have any other questions about Phishing scams, or if you suspect your computer may be infected with malware, please call our Service Dept at 519-660-6160 and ask to speak with Andy or Bruno.

Stratolinks