Tag: Phishing

  • Spam and Phishing

    October 27, 2021

    Malicious Email

    A malicious email can look just like it comes from a financial institution, an e‑commerce site, a government agency or any other service or business.

    It often urges you to act quickly, because your account has been compromised, your order cannot be fulfilled or there is another urgent matter to address.

    If you are unsure whether an email request is legitimate, try to verify it with these steps:

    • Contact the company directly – using information provided on an account statement, on the company’s official website or on the back of a credit card.
    • Search for the company online – but not with information provided in the email.

    Spam

    Spam is the electronic equivalent of junk mail. The term refers to unsolicited, bulk – and often unwanted – email. Here are ways to reduce spam:

    • Enable filters on your email programs: Most internet service providers (ISPs) and email providers offer spam filters; however, depending on the level you set, you may end up blocking emails you want. It’s a good idea to occasionally check your junk folder to ensure the filters are working properly.
    • Report spam: Most email clients offer ways to mark an email as spam or report instances of spam. Reporting spam will also help to prevent the messages from being directly delivered to your inbox.
    • Own your online presence: Consider hiding your email address from online profiles and social networking sites or only allowing certain people to view your personal information.

    Phishing

    Phishing attacks use email or malicious websites (reached by clicking on a link) to collect personal and financial information or to infect your machine with malware and viruses.

    Spear Phishing

    Spear phishing involves highly specialized attacks against specific targets or small groups of targets to collect information or gain access to systems. For example, a cybercriminal may launch a spear phishing attack against a business to gain credentials to access a list of customers. From that attack, they may launch a phishing attack against the customers of the business. Since they have gained access to the network, the email they send may look even more authentic, and because the recipient is already a customer of the business, the email may more easily make it through filters and the recipient may be more likely to open the email.

    The cybercriminal can use even more devious social engineering efforts, such as indicating there is an important technical update or new lower pricing, to lure people.

    Spam & Phishing on Social Networks

    Spam, phishing and other scams aren’t limited to just email. They’re also prevalent on social networking sites. The same rules apply on social networks: When in doubt, throw it out. This rule applies to links in online ads, status updates, tweets and other posts. Here are ways to report spam and phishing on major social networks:

    Tips for Avoiding Being a Victim

    • Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
    • Before sending or entering sensitive information online, check the security of the website.
    • Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).
    • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in an email. Check out the Anti-Phishing Working Group (APWG) to learn about known phishing attacks and/or report phishing.
    • Keep a clean machine. Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce the risk of infection from malware.
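    The URL advice above can be partly automated. The following Python function is an added example, not code from the original post: it compares a link’s host against a constructed allow-list of trusted domains (examplebank.com and example-shop.com are placeholders) and flags a swapped top-level domain, a one-character misspelling, or a trusted name nested under some other domain. It goes slightly beyond the post by also folding look-alike character pairs such as “rn” for “m” before comparing names.

```python
from urllib.parse import urlparse

# Constructed allow-list for this example; replace it with the domains your organisation uses.
TRUSTED_DOMAINS = ["examplebank.com", "example-shop.com"]

# Character sequences that look alike in many fonts; folded before names are compared.
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o"}


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Public-suffix cases such as .co.uk are out of scope here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def fold_confusables(name: str) -> str:
    for seq, repl in CONFUSABLES.items():
        name = name.replace(seq, repl)
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character misspellings of a trusted name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Label the host of a link: trusted, tld-swap, misspelling, nested or unrelated."""
    # A bare host such as examplebank.net has no scheme, so give it one before parsing.
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    reg_name, _, reg_tld = reg.rpartition(".")
    reg_name = fold_confusables(reg_name or reg_tld)
    for t in trusted:
        t_name, _, t_tld = t.rpartition(".")
        t_fold = fold_confusables(t_name)
        if reg_name == t_fold and reg_tld != t_tld:
            return "tld-swap"      # examplebank.net standing in for examplebank.com
        if edit_distance(reg_name, t_fold) <= 1:
            return "misspelling"   # examp1ebank.com, exarnplebank.com (threshold 1 suits long names)
        if ("." + host).find("." + t + ".") != -1:
            return "nested"        # examplebank.com.evil-host.example
    return "unrelated"
```

    The two-label rule in registrable_domain is a simplification; hosts under multi-label public suffixes (such as .co.uk) need a public-suffix list to be split correctly.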

    What to Do if You Are a Victim

    • Report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
    • If you believe your financial accounts may be compromised, contact your financial institution immediately and close the account(s).
    • Watch for any unauthorized charges to your account.
    • Consider reporting the attack to your local police department, and file a report with the Federal Trade Commission or the Internet Crime Complaint Center.

    Protect Yourself With These STOP. THINK. CONNECT.™ Tips

    • When in doubt, throw it out: Links in email, tweets, posts and online advertising are often how cybercriminals try to compromise your information. If it looks suspicious, even if you know the source, it’s best to delete or – if appropriate – mark it as junk.
    • Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true or ask for personal information.
    • Make your passphrase a sentence: A strong passphrase is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
    • Unique account, unique passphrase: Having separate passphrases for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passphrases.
    • Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passphrases are not enough to protect key accounts like email, banking and social media.

    Additional Resources

    Originally posted on Stay Safe Online

  • Be Alert: Employers Are Seeing a Spike in Phishing Scams

    February 9, 2021

    Phishing emails are a type of scam designed to obtain information or prompt certain behavior from their targets. To that end, they typically appear to come from a person or entity we trust.

    In most cases, careful inspection will reveal cracks in the façade, little signs that the message is not what it purports to be. But, of course, most of us don’t thoroughly analyze every email we receive from a colleague or supervisor. When we get an email from our CEO, Lizzy Beth, we don’t hover the mouse over her contact card to verify that the message came from her actual company email and not [email protected]. We see the email, assume Lizzy Beth wants us to send her the requested information, and send it.

    A successful scam can be a costly data breach with legal consequences. Businesses are generally required to take reasonable precautions to protect personal information in their possession. In the event of a breach, many states require that notice be given to those whose information was compromised. This notice might need to include the cause and nature of the data breach as well as what protections are afforded to those affected.

    One of the best ways to protect your company from these sorts of scams is to have a policy and practice of never emailing sensitive employee information. The language below may serve as an effective reminder:

    “Employees should not under any circumstance email sensitive employee information such as W‑2s, benefit enrollment forms, completed census forms, or anything with social security or credit card numbers. Email is inherently insecure, and scammers may pose as company executives or employees to steal information. If you receive a request to email any such sensitive information, do not respond to it. Instead, inform your manager immediately.”

    You can help protect your organization by giving employees examples of the kinds of emails and other communications (texts, calls, etc.) that are likely suspicious. Here are a few:

    • A notice from your email provider suggesting you change your password.
    • A message from the IRS asking you to click a link, open an attachment, or provide information.
    • A message asking you to click a link to pay fines or penalties.
    • A request for W‑2s or payroll records.
    • A request for names, birth dates, home addresses, salaries, and social security numbers.
    • A request for contact information.
    • A request to purchase gift cards and email the sender the card numbers.
    • A request for login information.
    • A communication with glaring typos.
    • A communication that says “EMERGENCY” in the subject.
    • A LinkedIn connection from someone you don’t recognize even though they purport to work at your company and have connected with some of your colleagues.

    By Kyle Cupp

    Originally posted on thinkhr.com.
