Don’t Get Hooked: Phishing, Vishing & Smishing

Phishing continues to be a huge security problem for everyone. According to Proofpoint, more than half of US organizations were successfully compromised by ransomware and phishing attacks last year, and 90 percent of global organizations were targeted by business email compromise and spear phishing attacks. This ever-growing privacy risk affects home users, schools, businesses of all sizes, towns and even cities. The reality is that phishing threats are not going away any time soon. In fact, phishing attacks are expected to become more personal and even more sophisticated in 2020. Here’s a recap of what those security risks are and the steps you should take to protect yourself and your company or town from these attacks.

What is Phishing?

In case you are not aware, phishing is a technique in which hackers send fake emails designed to look legitimate in order to trick someone into handing sensitive information to the hacker. That sensitive information could be passwords, private account information, financials, photos, or any other data you would consider of value. There are many sub-categories of phishing. Below are some of the key types:

Spear Phishing

A phishing email specifically tailored to the individual recipient(s) or group. Spear phishing emails can be particularly difficult to distinguish from legitimate email, because they usually appear to come from, or actually come from, a trusted source (e.g., a friend, colleague or vendor).

Whale Phishing or Whaling

A phishing email targeting senior people within an organization (“big phish” or “whales”). Because a tricked executive can put their entire organization at risk, hackers hope that hooking a large whale will pay exorbitant amounts to keep the security mistake quiet.

Vishing (Voicemail Phishing)

A phone call or voicemail appearing to come from a trusted or reputable source (e.g., the IRS, your HR department). Many of these calls or voicemails try to trick you into confirming your identity and then giving up sensitive personal information, typically a social security number or credit card details, in a rush to rectify a seemingly dire situation.

Smishing (Text Message Phishing)

A text message (SMS) appearing to come from a trusted or reputable source (e.g., a friend, your company, a favorite brand). These text messages tend to be vague, with a link dropped in, in the hope that you’ll tap it and take the bait on your phone.

Phishing Changes In 2020

The phishing trend in 2020 is expected to intensify as hackers shift toward more personal and sophisticated tactics. Hackers have started exploiting recent tragedies to target phishing victims; the latest example is the coronavirus. The World Health Organization (WHO) warned that cyber criminals are disguising themselves as WHO staff in emails and social media messages about the virus in order to steal money or sensitive information.

Scammers are getting better at hyper-targeting victims by becoming entwined in their social media accounts; this fake personal relationship is also known as a romance scam. Emerging technology likewise gives hackers new ways to become more efficient: another growing threat is the use of AI or machine learning systems to target victims. As phishing attacks become more devious and harder to detect, it is more important than ever to know the signs of a possible scam.

How To Recognize A Phishing Scam

Now that you know the types of scams, here’s how to spot them:

1. Is there a sense of urgency? Phishing emails are meant to make you panic, rush to act immediately and ultimately make a mistake. Be leery of such messages; they may be a phish.

2. Is the email, call or text from someone you know? If it comes from an unknown person, be very careful, as it could be a hacker trying to trick you.

3. Is the cadence, feel or language of the email off or odd? Sometimes a trusted account (friend, colleague or vendor) has been compromised, in which case a malicious message arrives from that trusted source. Be sure to confirm with the sender through another secure form of communication.

4. Is someone you know suddenly making a request? Is it for something, or made in a way, that they have never asked for in the past? For example, is this trusted person suddenly asking you for a gift card? If so, this is a scam. DO NOT BUY GIFT CARDS FOR THEM! Again, if it feels odd, it most likely is.

5. Be extra careful with links and attachments. If any of the above elements seem off and the message contains a link or attachment, do not click the link or open the attachment. Whenever possible, contact the sender about the message in question using a different, secure form of communication than the one it arrived on; there is a good chance they are unaware of being hacked. Call the sender on a known safe number or walk down the hall and talk to them, but don’t take the message at face value, as it may come from a hacker.

6. Accidentally shared sensitive information? Don’t panic. Immediately change your credentials and account information for any site you believe was compromised. Follow password best practices here.

7. Use technology to block phishing emails. Your IT department can deploy tools that help block phishing emails, malicious links and malicious attachments. If they can’t help, contact us and we’ll help you.

8. Ongoing cyber security training. Regular phishing and cyber security training is critical to raising phishing awareness and helping staff identify these emails. Make sure your IT department is training your staff regularly.
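To make the checklist above concrete, here is an added example (not code from the original post or from CMIT) that scores a raw email against those red flags: an unknown sender, a Reply-To pointing at a different domain than the From address, urgency language, a gift-card ask, links outside the sender’s domain and risky attachment types. The keyword lists, weights, thresholds and the two sample messages are constructed assumptions; this is a triage aid for a mail filter or an analyst, not a replacement for the out-of-band confirmation the checklist recommends.

```python
"""Heuristic phishing triage over the red flags from the checklist above.

Added example, not code from the original post. Keyword lists, weights and the
sample messages are assumptions constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed starting vocabulary; a real filter would maintain a much larger one.
URGENCY_TERMS = ("urgent", "immediately", "right away", "within 24 hours", "act now", "suspended")
GIFT_CARD_TERMS = ("gift card", "itunes card", "google play card")
CREDENTIAL_TERMS = ("verify your account", "confirm your password", "update your payment")
RISKY_ATTACHMENT_EXT = (".exe", ".js", ".vbs", ".scr", ".iso", ".htm", ".html", ".zip")
LINK_RE = re.compile(r"https?://[^\s<>]+")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _in_domain(host: str, domain: str) -> bool:
    return bool(domain) and (host == domain or host.endswith("." + domain))


def _text_and_attachments(msg):
    """Collect readable body text and attachment filenames from all MIME parts."""
    text, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            attachments.append(name)
        elif part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(text), attachments


def score_message(raw: str, known_senders=frozenset()):
    """Return (score, reasons) for one RFC 5322 message; higher means more red flags."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)

    # Flag 2: the sender is not someone you know.
    if from_addr.lower() not in known_senders:
        score += 1
        reasons.append(f"unknown sender: {from_addr}")
    # Replies silently routed to another domain: a classic display-name spoof.
    if reply_to and _domain(reply_to) != from_domain:
        score += 2
        reasons.append(f"Reply-To goes to {_domain(reply_to)}, not {from_domain}")

    body, attachments = _text_and_attachments(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()

    # Flag 1: urgency pressure (distinct terms, capped so wording alone cannot dominate).
    urgent = [t for t in URGENCY_TERMS if t in text]
    if urgent:
        score += min(len(urgent), 3)
        reasons.append("urgency language: " + ", ".join(urgent))
    # Flag 4: an unusual request, the gift-card ask being the textbook case.
    if any(t in text for t in GIFT_CARD_TERMS):
        score += 3
        reasons.append("gift card request")
    if any(t in text for t in CREDENTIAL_TERMS):
        score += 2
        reasons.append("credential lure")
    # Flag 5: links pointing outside the sender's domain, and risky attachment types.
    external = [u for u in LINK_RE.findall(body)
                if not _in_domain((urlparse(u).hostname or "").lower(), from_domain)]
    if external:
        score += min(len(external), 3)
        reasons.append(f"{len(external)} link(s) outside {from_domain or 'any domain'}")
    risky = [a for a in attachments if a.lower().endswith(RISKY_ATTACHMENT_EXT)]
    if risky:
        score += 3 * len(risky)
        reasons.append("risky attachment(s): " + ", ".join(risky))
    return score, reasons


def verdict(score: int) -> str:
    """Thresholds are an assumption; tune them against your own mail."""
    if score >= 5:
        return "likely phish: do not click, verify with the sender out of band"
    if score >= 2:
        return "suspicious: confirm through another channel before acting"
    return "no red flags found"


# Constructed sample messages (not real mail); domains are placeholders.
PHISH = """From: "Pat Executive" <pat.exec@example-corp.com>
Reply-To: pat.exec.office@mail-example.net
To: staff@example-corp.com
Subject: Urgent request
Content-Type: text/plain

Are you at your desk? I need you to buy 5 gift cards for a client right away.
Send me the codes immediately, I am in a meeting and cannot talk.
Confirm here: http://example-corp-login.net/verify
"""

BENIGN = """From: Sam Colleague <sam@example-corp.com>
To: you@example-corp.com
Subject: Lunch on Thursday?
Content-Type: text/plain

Want to grab lunch Thursday? Agenda is on the intranet: https://intranet.example-corp.com/agenda
"""

KNOWN_SENDERS = frozenset({"sam@example-corp.com"})

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        s, why = score_message(raw, KNOWN_SENDERS)
        print(f"{label}: score={s} -> {verdict(s)}")
        for r in why:
            print("   -", r)
```

Run as-is, the gift-card message scores 10 (unknown sender, mismatched Reply-To, three urgency terms, the gift-card ask and an external link) and the colleague’s lunch note scores 0. The reasons list is the useful part for a human reviewer: it names which item of the checklist fired, so the recipient knows what to confirm with the sender out of band.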

Be Vigilant, Not Vulnerable

Phishing is the number one way hackers gain access to your sensitive data and hack your infrastructure. Educate yourself on the different types of phishing. Learn how to spot phishing emails and what to do if you’re unsure about any email links or attachments. Make sure your IT department implements technology to protect you and your staff from these threats and make sure they are training your staff regularly. The moment you’re most vulnerable is when you think you’re safe. Staying vigilant will make you more likely to recognize and report phishing scams before becoming a victim of one.

Written by: Chris Zambuto | Chief Information Security Officer @CMITBostonCambridge
