Feed a Phish or Learn to Phish

The ancient philosopher Maimonides is credited with saying:

Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.

This is a life lesson that is transformational personally and professionally.

Traditional fishing is a process:  Get the right equipment.  Maintain it in optimum working condition.  Learn how to properly and fully use it.  Then you actually fish for gain.  First you tempt a fish to bite your hook, then lock them into the hook so it sets deeper and the fish cannot escape.  You reel the fish in, remove it from the safety of the water, and then you have a meal.

In contrast yet following a similar process, hackers are basically savvy computer nerds casting emails to millions of people to hook them into their malware.  Once a person takes the “bait” by clicking on a link or opening an attachment, then the “hook” of the malware moves from the ocean of the internet into your computer system (“the fish”).  At that point you enter a life-and-death struggle to protect your digital assets.

Most phishing victims do not realize what has happened until it is too late.  At that point they have already lost control of their computer system and/or digital assets.

What is phishing?

According to Wikipedia, “…phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.”

The email you receive or link you click on looks legitimate, but it is not really from that person or related to a trustworthy source.

Phishing is similar to ransomware because in both cases hackers seek control of your technology for their financial gain and your loss.  However, ransomware focuses on a one-time extortion demand for money from you, whereas a successful phishing attack releases your social security numbers, passwords, and other information – and possibly your entire computer system or network – to be sold to someone else, used to give someone a new identity, used to open lines of credit in your name, or exploited for more significant gain.

Phishing is typically categorized in four ways:

#1 – General phishing

This is an email or text sent to acquire information such as usernames, passwords, and/or credit card details by masquerading as a trustworthy entity.  Its objective is to motivate recipients to click on a link that downloads malware into your computer system, or enter confidential information into a form that looks legitimate, but is not.

#2 – Spear phishing

This approach targets a specific person or group of people within an organization, such as an executive or HR team.  The person or people of interest are sent an email from someone they trust asking for sensitive information.  The majority of the time, the email comes from high-profile individuals, such as the CEO emailing someone in the finance department for account information or asking them if they are available to do a wire transfer.

At the moment, hackers have shifted their efforts primarily to spear phishing.  This technique is the most successful on the internet today, accounting for 91% of attacks.

We know of companies who are NOT our clients, where hackers got access to the organizations’ networks via phishing.  They studied the email communication of key executives and managers.  Then they acted as a decision-maker and emailed a request to have funds wired.

This approach looks so real that one company wired over $300,000 overseas.  Gone forever.

To fully protect your technology it must be fully configured, monitored, and updated quickly as security patches become available.

You also need to set simple rules within your company to help employees avoid getting fooled, such as wires are only sent in-person by an authorized employee of your company at a local bank branch.

#3 – Clone phishing

This is where hackers mimic a legitimate, previously delivered email containing an attachment or link.  They copy the email, replacing the attachment or link with malicious code.  Then they email you their version from an email address spoofed to appear to come from the original sender.

The hacker’s version may claim to be a resend of the original, or an updated version of the original.  It may also be used to spread from your computer to others by exploiting the social trust that both recipients of the original email place in the entity it is mimicking.

#4 – Whaling

Want to go for the “big fish?”  Some hackers like to target senior executives and other high-profile managers within businesses.  This is important when their objective is to trick people into wiring funds or to carry out other large-dollar thefts.

You can consider these approaches bizarre or impressive, but either way they can be quite creative.  Some examples are emails written to look like a legal subpoena, FBI subpoena, customer complaint, or executive issue.  It might require the recipient to click a link and install special software to view the subpoena.  It can be very tempting…

SO WHAT CAN YOU DO?

#1 – Do regular security assessments

WCA Technologies does this for our managed services clients annually, and in some cases quarterly.  Why?

First, we want to confirm each client is fully protected with the right technology for their specific needs.  As time passes, their needs may change.  For instance, in the past healthcare organizations had to meet government regulations, and this often required additional protection.  Now some regulations require any supplier of a healthcare organization to meet similar bureaucratic requirements.

Second, your organization may have the right technology installed, but it does not have the latest security patches.  You are at risk.

And finally, your firm may have invested in security solutions and even had them installed, but one or more of the solutions – or the computing devices connected to your network – are not properly configured.  All a hacker needs is one opening to exploit.

Building your dream home is a useful analogy for a secure technology environment.  Your home might be completely built, fully operational, and secure.  Or…  you might have all the materials to build your home on your property, yet your dream home is only partially built.  For instance, maybe the foundation, flooring and walls are installed, but the roof is not done.

You would never think a partially built home is safe and fully meets your needs, because you can see the difference.  Unless you know what to look for, however, you cannot confidently confirm your technology environment is secure, even if you have invested in anti-virus, firewalls and/or other security solutions.

#2 – Train your people

Recognizing phishing attacks can be challenging because they usually look like a communication from someone or an organization you trust.  Train your people monthly or quarterly on what to look for.

Here are some quick tips:

  • Typos – Many phishing emails have typos, grammatical errors, and mix a numerical “0” with the letter “o.”
  • URL – The domain in the sender’s email address or link is not the organization’s website. For instance, instead of Netflix.com it might be netflixdirect.com.  (This is not an actual example.  My computer’s security is doing such a good job that I do not have an example in my Deleted folder.)  Another example is http://payapl.com-dty.info/.  This is not going to paypal.com.
  • Short – The body of the email might be short.  For instance, in the past I have gotten emails from a name I trust (but not his email address).  The email just said something like, “Click here.  You’re going to lov this video!”
  • Logo – The email may have the company’s actual logo, or the hacker’s version which is slightly off color or has another error. Logos do NOT confirm authenticity of the sender.
  • Request – The email asks for personal information.
  • Threat – The email threatens that something bad will happen if you do not respond. This is an attempt to make you click before you think.  If an email demands you do something quickly because “it” is urgent, then do nothing with the email.  Get on the phone and call them.
  • Pop-ups – Even if you are on a legitimate website you may not be able to trust everything that pops up as a result of you visiting that site.  Be careful.
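The URL tip above is a check that a mail filter or awareness tool can automate: compare where a link really goes with the domain the email claims to represent.  The Python below is an added example, not code from the original post or from WCA; the brand list, the digit-for-letter fold table, and the two-label “registrable domain” rule are simplifying assumptions.

```python
from urllib.parse import urlsplit

# Digit-for-letter swaps to fold before comparing ("0" for "o" is the one the
# post calls out; "1" for "l" is an added assumption).
FOLD = str.maketrans({"0": "o", "1": "l"})


def host_of(link: str) -> str:
    """Lower-cased host of a URL or bare hostname ("" if none)."""
    host = urlsplit(link if "://" in link else "//" + link).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(link: str) -> str:
    """Last two labels of the host: the part the registrant actually controls.

    Simplification: assumes a single-label public suffix (.com, .info).  A real
    deployment would consult the Public Suffix List so co.uk-style hosts work.
    """
    labels = host_of(link).split(".")
    return ".".join(labels[-2:])


def looks_like(brand: str, label: str) -> bool:
    """Heuristic: does one host label imitate the brand name?"""
    folded = label.translate(FOLD)
    return (
        brand in folded                     # netflixdirect, paypal-secure
        or sorted(folded) == sorted(brand)  # transposed letters such as payapl
    )


def assess(link: str, expected: str) -> tuple[str, str]:
    """Classify a link against the domain the message claims to come from.

    Returns (verdict, domain the link really belongs to).
    """
    actual = registrable_domain(link)
    if actual == expected:
        return "legitimate", actual
    brand = expected.split(".")[0]
    if any(looks_like(brand, part) for part in host_of(link).split(".")):
        return "lookalike", actual
    return "unrelated", actual


if __name__ == "__main__":
    # Constructed samples: the post's own two examples plus a genuine link.
    for link, claimed in [("http://payapl.com-dty.info/", "paypal.com"),
                          ("netflixdirect.com", "netflix.com"),
                          ("https://www.paypal.com/signin", "paypal.com")]:
        print(link, "->", assess(link, claimed))
```

The point the post makes is visible in the second value returned: the PayPal lookalike actually belongs to com-dty.info, which is what a trained reader should check before clicking.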


Avoiding phishing scams and other hacker attacks is a daily challenge.  However, your company’s risk is limited if you regularly assess the security of your technology environment and keep your people educated on secure computing best practices.

TO BE CANDID, there is much more to fully understanding phishing and there is not enough room to cover everything here.  Contact us for a more thorough discussion.

WCA Technologies is a reputable, 28-year-old Manhattan team of computer experts providing IT security and managed services.  We can help.

GOOD NEWS:  For a limited time you can receive a complete security assessment of your technology environment at no charge.

Contact WCA online or call (212) 642-0980 to schedule a conversation with Peter Fidler, one of our founders.