What is a phishing scam?
Phishing scams are an increasingly popular method criminals use to steal your sensitive information, either via emails or phone calls. These scams use social engineering to trick you and your employees into providing sensitive and private information, such as banking information, login credentials and even access to your computer. The concept is the same as actual fishing: a piece of bait is presented to the prey, in this case you or your employees, in the hope that you'll bite by taking the action the attacker wants. This could be clicking on a link, downloading software, or even just providing a little information that might be used in a more targeted phishing attack later on. Often these emails and phone calls are made to appear as if they come from legitimate contacts and businesses like Google, Microsoft, the IRS, your bank, or even people you know.
Types of Phishing Scams
Spear Phishing: Attacks that target specific individuals, often using personal information that was previously stolen or that is available via public records or social media.
Whaling: An attack that targets a high-level executive or official who has greater access within their organization, giving the attackers greater access to the organization's confidential information if the attack succeeds. You can read more about a recent example of whaling here, when Russian hackers targeted senior lawyers and management at large law firms, intent on stealing information that could be used for insider trading.
Clone Phishing: Attacks where legitimate emails from companies like banks (Chase, Bank of America, etc.), delivery companies (UPS or FedEx), or tech companies (Google, Microsoft or Facebook) are cloned so that they appear identical to a real email from one of these businesses.
What are some examples of phishing scams?
The Basic Phishing Attempt
You probably see basic phishing attempts every week, if not every day. These are usually fairly easy to spot and come in the form of emails with fake invoices or shipping orders that have .zip attachments. The attacker wants you to download the attachment, which is often a virus, or a file containing a link to a virus or other malicious download.
Clone phishing emails that direct you to a fake login page
Another common type of phishing scam is an email that directs you to a fake login page, where your login credentials (username and password) will be stolen. Examples include emails from big banks like Chase or Bank of America that say fraudulent activity has been detected on your account, or that advise you to change your password immediately ("please log in and change it"). Other examples include fake Google, Microsoft or Facebook login pages. You can be directed to these pages from malicious emails or even redirected from malicious websites.
One particularly clever clone scam we've seen uses Gmail and Google Drive, both the free and paid Google Apps versions, to steal your credentials. This specific example starts in the form of an email from one of your existing email contacts saying they've shared a file with you on Google Drive. It then asks you to log in with your Google account to access the file. However, the login page is a fake: when you log in it instantly steals your login credentials, logs into your Gmail account and sends a similar email to all of the contacts in your Google contacts. Since the emails are sent from the hacked email accounts of otherwise trusted contacts, they usually make it past email security and spam filters, making these phishing emails highly successful.
The phishy phone call
Other common phishing scams include fake phone calls from organizations like the IRS or Microsoft.
In the case of fake IRS calls, they are usually calls regarding your tax refund, asking for your banking information so they can deposit your tax refund into the proper account. These calls tend to be most frequent during tax season, but can occur year-round. When it's not tax season, we've seen these calls target people by saying they owe money to the IRS and must immediately make a payment.
The fake Microsoft scammers typically act as technical support representatives wanting to help with your computer. They'll even go as far as using remote support software, like real technical support agents, so they can gain access to your computer and then infect it by installing malicious software aimed at stealing your confidential information.
So how do you protect yourself?
Make sure you and your employees can spot the tell-tale signs of phishing emails:
- Spoofed Email Addresses: A spoofed email address is made to look like it comes from a legitimate sender such as "Bank of America" or "Google Support", but if you look at the actual email address it will be a random and suspicious one.
- Suspicious Links: When you hover over a link in an email, it goes to a suspicious URL rather than the one you'd expect. For example, instead of going to "google.com" a suspicious link might go to something random like "boardxehc.com".
- Unsolicited Calls or Emails: Spoofed emails are made to look like they come from legitimate companies and contacts, but they are unsolicited. If you didn't open a support ticket with Microsoft, they won't be calling you to provide support. If you didn't talk to one of your contacts about getting a file from them, they probably won't randomly share a file with you via Google Drive.
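The first two signs in that list can be checked mechanically. The script below is an added example (not code from the original article) that flags, in a constructed sample message, a display name claiming a brand the sender's domain does not match, and a link whose visible text names a different domain than its href; the sample email and its "Bank of America" sender are made up, and "boardxehc.com" is the page's own example of a random domain.

```python
"""Flag two tell-tale signs from the list above: a display name claiming a brand
the sender domain does not match, and link text naming a different domain."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; boardxehc.com is the page's own example domain.
SAMPLE = b"""From: "Bank of America Alerts" <alerts@boardxehc.com>
To: you@example.com
Subject: Fraudulent activity detected - verify your account
Content-Type: text/html; charset=utf-8

<p>Please <a href="http://boardxehc.com/login">log in at bankofamerica.com</a>
and change your password immediately.</p>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)

def base_domain(host):
    """Last two labels of a hostname; crude, but enough for this check."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def phishing_signals(raw):
    """Return a list of warnings found in the raw RFC 5322 message bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []
    # Sign 1: the display name says "Bank ..." but the address is elsewhere.
    name, addr = parseaddr(str(msg["From"]))
    sender = base_domain(addr.rpartition("@")[2])
    brand = name.split()[0].lower() if name else ""
    if brand and brand not in sender:
        warnings.append(f"spoofed sender: '{name}' but address is @{sender}")
    # Sign 2: what the link text shows versus where the href really goes.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in ANCHOR_RE.findall(html):
        target = base_domain(urlparse(href).hostname or "")
        for shown in DOMAIN_RE.findall(re.sub(r"<[^>]+>", "", text)):
            if base_domain(shown) != target:
                warnings.append(f"suspicious link: text says {shown}, goes to {target}")
    return warnings

if __name__ == "__main__":
    for w in phishing_signals(SAMPLE):
        print("WARNING:", w)
```

A mail gateway or help desk can run the same two checks on reported messages; a message that trips neither check is not necessarily safe, since the third sign (an unsolicited message) needs a human to judge.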
Be sure you have strong security in place:
- Email Security & Filtering: As most phishing scams start out as emails, strong email security will help block many malicious emails.
- Internet Security & Filtering: Internet security on firewalls and computers can block known malicious websites and foreign IP addresses, where the majority of phishing scams originate.
- Password Security & Management: Strong password policies, including frequent changing of passwords and use of secure password managers that direct you to the correct login page, will reduce the chance of passwords being compromised.
- Antivirus/Antimalware: Some phishing attacks attempt to install a virus like Cryptolocker on your computer, so up-to-date business-class antivirus security software is a must.