September 25, 2013 by Carsen
In my previous blog post, I wrote about some new phishing tactics, including spear-phishing and SMiShing. Today I want to provide some tips on how to stay protected from these attacks.
Tips to stay protected from Spear-phishing and SMiShing
Clicking a link is only part of the threat; a phishing email is often the opening move of a larger attack, used to harvest credentials or deliver malware that gives the attacker a foothold inside the organization.
1. If you are an organizational leader, provide security awareness training for your staff, with specific emphasis on anti-phishing awareness. If you are an associate, take such training to ensure you know how to keep the organization you work for secure.
2. Do not click on links within your email, especially if they allude to the need for a log-in or personal information. It is always a best practice to go to the actual website of the trusted company by typing the URL yourself (or using a bookmark you created earlier), then logging in as you normally would. If the request is legitimate, the same notice will be waiting for you in your account.
3. Call the number on the official site to verify the request; do not call the number provided in the email or letter. These are often fake numbers, complete with IVR menus that mimic the company's and operators who are part of the scam.
4. Think logically. If you receive an urgent call to action that does not make sense or seems random, verify the urgency before acting on any requests. These attackers want you to act fast, so they provide scenarios that equate to emergencies. There have been instances of individuals receiving "bills" from companies they have never purchased from, and clicking the link out of curiosity. Don't do it.
5. Do not post personal information on blogs, social networking sites, and other public websites. Attackers mine these sources for details that make a spear-phishing message look legitimate.
6. Recognize the Signs of a Phishing Email. They are not always easy to spot. Here are some items to look for:
Misspellings in the company name, URL, or email copy (for example, company.1.com or company.net instead of company.com). Check the domain the link actually points to, not just the text that is displayed.
A sender with an unusually long or odd-looking address, a sender address that does not match the organization it claims to represent, an undisclosed recipient list, or a message that appears to come from your own address.
Urgent calls to action (an abnormal amount of money as your bill, unpaid statements that you know were paid, threat to deactivate your account, etc.)
As a general rule, no legitimate organization will EVER ask you to respond with your password or other personal information in an email.
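The signs listed above can also be checked mechanically before a human ever reads the message. The script below is an added example, not part of the original post, and uses only the Python standard library: it parses a raw email, flags a sender or link domain that imitates the trusted brand (company-1.com, login.company.1.com, c0mpany.com), a Reply-To that routes answers to a different domain, a message addressed from the reader's own address, link text that shows one site while the href goes to another, and pressure language in the subject or body. The trusted domain company.com, the two sample messages and the urgency word list are all constructed for the example; the registrable-domain helper deliberately ignores multi-label suffixes such as co.uk, and the body handling assumes a single-part message, so treat this as a triage aid rather than a filter.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"company.com"}  # assumption: the one domain this brand mails from
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "deactivat", "suspend")

# Constructed phishing sample: sender, Reply-To and link all imitate company.com.
SAMPLE_EML = """\
From: "Company Billing" <billing@company-1.com>
Reply-To: support@mail-company.net
To: victim@example.org
Subject: URGENT: Your account will be deactivated
Content-Type: text/html

<p>Your bill of $4,983.00 is overdue. Log in within 24 hours or your account
will be deactivated.</p>
<p><a href="http://login.company.1.com/verify">https://www.company.com/login</a></p>
"""

# Constructed legitimate sample for contrast.
LEGIT_EML = """\
From: "Company Billing" <billing@company.com>
To: victim@example.org
Subject: Your March statement is available
Content-Type: text/html

<p>Your statement is ready. <a href="https://www.company.com/account">Sign in</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host, trusted):
    """Trusted domain that `host` imitates (company-1.com, login.company.1.com and
    c0mpany.com all map to company.com); None if trusted or unrelated."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in trusted:
        return None
    for t in trusted:
        near_miss = difflib.SequenceMatcher(None, registrable_domain(host), t).ratio() >= 0.8
        if t.split(".")[0] in host or near_miss:   # brand buried in host, or near-miss spelling
            return t
    return None


def analyze(raw_message, trusted=TRUSTED_DOMAINS):
    """Return (indicator, detail) pairs; an empty list means no red flags were found."""
    msg = message_from_string(raw_message)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    from_dom = from_addr.rsplit("@", 1)[-1]

    # Misspelt or lookalike sender domain.
    if (imitated := lookalike_of(from_dom, trusted)):
        findings.append(("sender-lookalike", f"{from_dom} imitates {imitated}"))
    # Replies silently routed elsewhere, or mail that claims to come from you.
    if reply_to and reply_to.rsplit("@", 1)[-1] != from_dom:
        findings.append(("reply-to-mismatch", f"replies go to {reply_to}, not {from_dom}"))
    if from_addr and from_addr == to_addr:
        findings.append(("self-addressed", "From and To are the same address"))

    # Single-part message assumed for brevity; a real tool would iterate msg.walk().
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    links = LinkExtractor()
    links.feed(body)
    for href, text in links.links:
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(text).hostname if "://" in text else None
        # Link text shows one site while the href goes to another.
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(("link-text-mismatch", f"shows {shown_host} but goes to {href_host}"))
        if (imitated := lookalike_of(href_host, trusted)):
            findings.append(("link-lookalike", f"{href_host} imitates {imitated}"))

    # Urgent call to action in subject or body.
    hits = [w for w in URGENCY_WORDS if w in (msg.get("Subject", "") + " " + body).lower()]
    if hits:
        findings.append(("urgency", "pressure language: " + ", ".join(hits)))
    return findings
```

Running `analyze(SAMPLE_EML)` reports five indicators (sender lookalike, Reply-To mismatch, link text mismatch, link lookalike, urgency) while `analyze(LEGIT_EML)` returns an empty list. The same checks map directly onto the human advice above: a clean result does not prove a message is safe, so the rule of typing the URL yourself rather than clicking still applies.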
September 16, 2013 by Carsen
Phishing attacks are on the rise, and new tactics lure in more victims. One new attack is spear-phishing; another is called SMiShing. In this blog post, we describe these attacks so you know how to detect them and can maintain anti-phishing best practices.
First, let me show you some interesting statistics that should encourage you to understand the threat and provide a strong case to offer anti-phishing training in your organization:
When asked how the number of phishing attacks aimed at employees had changed in the past 12 months, 45 percent of respondents note the attacks have increased, BankInfoSecurity confirms in preliminary results collected for its 2013 Faces of Fraud Survey. (source)
When asked to distinguish malicious emails from legitimate ones, nearly everyone in a group of 53 undergraduates failed, according to a recent study done by North Carolina State University.
Ninety-one percent of advanced persistent threats start with phishing attacks and success could give cyber criminals the 'keys' to bypass security and initiate further attacks (source)
Phishing is a global problem for businesses as well as individuals, targeting 37.3 million people globally in the past year (source)
Now, let’s get into the terms.
Spear-Phishing on the Rise: cyber criminals targeting individuals
Spear-phishing is a form of phishing in which the attackers target specific individuals or companies. In many of these cases the criminals research their targets before the attack and already hold personal information, which makes the claim seem more legitimate to the victim and increases the chance that the recipient will follow the call to action and click the link in the email. The FBI has seen an increase in this tactic across many industries. The FBI wrote that in these attacks, criminals gain access to private computer networks, create fake identities, steal intellectual property and compromise financial credentials.
SMiShing: phishing over SMS
In SMiShing, attackers use SMS text messages as the platform to lure in victims. These messages carry claims such as: someone sent you a gift, your bill is ready for payment, or you have a prize waiting for you. In many cases the message then tells you to click the link (or copy and paste it into your browser) and log in to see the gift, bill or prize and who sent it (in the "gift" variant the message arrives anonymously and promises you will discover the sender once you click). These can be tempting to click, but DO NOT fall for it.
In our follow-up blog post, we will discuss six tips to stay protected from these attacks. For more information, see our Security Awareness Training page.