Phishing Attacks

Globally, the threat from cyber attacks is increasing both in number and intensity. According to McKinsey & Company research, billions of data sets are breached annually, and each year hackers create roughly 120 million new variants of malware.

Even with the growing awareness among businesses, they are frequently unprepared for the sophistication and ferocity of attacks. Despite new defences, companies still need roughly 99 days to detect a covert cyber attack. Pause for a moment: imagine what damage an undetected attacker could cause in 99 days!

What Are Phishing Attacks And What Are They Designed To Do?

Phishing attacks are a play on the word fishing: the perpetrators hope victims “take the bait” and provide money, passwords, social security numbers and other valuable information.

Targeted email attacks, primarily through phishing scams, represent one of the most dangerous threats to both digital consumers and the organizations they join. Information of particular interest to criminals behind phishing schemes is your uniquely identifiable information: your social insurance number, bank details and credit card information. 

Gaining access to personal and sensitive information is generally for a deeper more nefarious purpose: identity theft. Identity theft is the fraudulent procurement and use of a person’s private identifying information for financial gain.

In a phishing attack, criminals can pose as a person or organization the individual trusts.  The criminal may impersonate another individual, hack an email account and send mass emails under another person’s or organization’s name.

Criminals may also design phishing attacks to impersonate an authoritative organization, like a bank, credit card company or government agency. Criminals go to great lengths to create fraudulent websites that appear legitimate.

Phishing emails can collect this sensitive information in one of two ways: a direct ask or the installation of malware designed expose passwords credentials.

An example of a direct ask would be “due to security issues, you are required to reset your bank passwords. Click here to do so now.”  In “resetting” your bank account password you are unwittingly sharing your existing bank account password with a criminal. Because the phishing email is fraudulent, the “new” password is not implemented, and your bank account is no longer secure.

 Phishing attacks can be a means by which malware is transferred to the victim’s computer.  Fake emails and websites can infect the computer with viruses without the user’s knowledge. Some verities of malware allow criminals to track keyboard strokes, exposing login information. While other malware is designed to record your screen, allowing hackers to see what files you are viewing, what information you enter and what your patterns of behaviour are. 

Here is an example of a phishing email designed to install malware on a computer covertly could look like. “Norton AntiVirus is experiencing some security issues. Due to recent attacks, we require you to download this quick update to protect your computers security system.”

It is crucial for companies and individuals to understand how accessible cybercrime is. Phishing emails are one of the easiest attacks to conduct.  Phishing attacks are not exclusively in the realm of “elite Russian hackers”, they are equally (if not more) a method of attack favoured by a layman, like a teenager living in their mom’s basement.

Detecting A Phishing Attack

While phishing attacks vary who they target and the organizations they impersonate, there are a few things to watch out for.

A Fictitious Prize

Email subject lines will be designed to catch the victim’s attention and prompt them to act. One common tactic is claiming to offer a prize or stating that the recipient won something in a fake competition. Be wary of emails claiming that you have won a prize.

Dear Customer

Emails that do not address you by name should be treated with caution. It is best practice for companies to address you by name in any official email communication. While some companies don’t do this, the majority do.  Often phishing emails starting with “Dear Customer” will claim there is an issue with payment and say you need to re-enter your banking details. Be highly suspicious of this claim. If there were a payment issue, the company in question would email you directly by name.

Double Check The Domain Name

If a link is provided in a phishing email, the domain name will differ from the authentic source. For example, https://scouttg.com/, which is authentic, compared to http://scouttg.net/ which may be fraudulent. When looking at a domain name, be sure that the web address begins with https:// because the ‘s’ indicates that the site is secure.

Pay Attention To Details

It is relatively common for phishing emails to contain grammatical or spelling errors, as well as poor sentence structure. If you open an email and the text reads awkwardly and poorly, it is likely a phishing scam. Do not open any of the links and do not comply with what the email asks you to do.

Three Actionable Steps to Handle Phishing Attacks

  1. Be On Guard: Use comprehensive security software to protect your computer and mobile devices.  There are three layers of protection: a spam filter, up-to-date antivirus software and network security. Scout offers a comprehensive network security service that addresses each layer.
  2. Protect Your Passwords: The most fundamental step in keeping personal information secure is to protect your passwords. On a basic level, keeping your passwords safe means never sending passwords and banking details over email or text. A more advanced (and easy) step in password security is to use a password management system. For more information, read our blog post about what we recommend as a password management solution.
  3. Be Suspicious: When you receive a suspicious email, don’t open it. Delete it immediately. If you do open it, don’t click on any of the links and do not share your personal information.

The Importance Of Strengthening Security and Vulnerability Training

Strengthening security is particularly important for companies. According to the Data Protection and Breach Accountability Act of 2014, companies can be held liable for a data breach. With the European Union tightening regulation on data protection and privacy, Scout anticipates a shift in how data protection will be treated in the future. The provincial implementation of PIPA (Personal Information Protection Act) echos the growing global focus of data protection.

Companies should be working with technology partners, such as Scout, to ensure their security systems follow best practices.

Vulnerability Training

The solution to the question of cybersecurity and data protection starts with testing. When an organization partners with Scout for vulnerability training, we send company employees fake phishing emails. These emails are designed to reflect the design, structure and level of sophistication of the best phishing emails currently being used in cyber attacks.

Each fake phishing email sent is unique, and each employee receives one. Throughout one or two months, Scout tracks what “bait” companies are most susceptible to, and what employees “swallow.” When employees engage with the fake phishing email, Scout tracks what links are clicked, what attachments are downloaded and what type of details employees reveal when faced with this covert attack.

Once Scout establishes a baseline for the client, the results are reviewed with the larger organization. Specific company vulnerabilities are identified, and then Scout begins to strengthen network security and build the human firewall.

Matt Dryfhout, Scout CEO and founder shares “We’re in the business of providing solutions to clients, which we deliver on through our deep technology expertise. But when Scout works with clients, technology is only one component of the security solution we provide. The other component we bring to clients is building a human firewall and healthy paranoia.”

Scout offers solutions to clients by focusing on the technical and human aspects of network security. From a technical standpoint, Scout installs a company-wide button on Outlook that equips employees to report phishing emails (both the test ones and real threats), which keeps security engagement high. On a human level, Scout helps build phishing email detection skills in company employees, providing each employee with a cheat sheet of actionable insight that helps them avoid falling prey to future threats.

The Future of Phishing Attacks

As more personal information is publicly available on social media and websites, hackers can execute increasingly targeted phishing attacks that are personalized for the recipient. It is this higher level of personalization that increases the danger; the more convincing and trustworthy the attack appears, the more likely it will be to bypass personal and organizational security systems.

While cybercriminals are improving their skills and attacks, business is going digital, making companies more vulnerable to cyber attacks. In going digital, thousands of people, applications, devices and servers are now all deeply and intricately interconnected. With the rise of the internet of things (IoT) the number of connections, as well as connectivity will grow exponentially.

Matt notes, “In our partnerships with clients, many of them have grasped a single acute truth: conducting vulnerability testing on an ongoing basis is critical. Security isn’t a one and done task, rather, it’s constant vigilance. The tactics used in phishing attacks evolve rapidly, so companies need to be evolving just as fast, if not faster.”

These interconnections mean that now, and in the future, companies must be more vigilant in monitoring points of attack.  Points of attack consist not only through your cybersecurity system, but also the security of your partners and suppliers. One weak point in a company’s business partner or client can compromise you as well.

Scout Technology Guides offer internet security services that help companies ensure their IT security is strong.  Scout also has the expertise to help you ask the right questions to ensure your partner’s security systems are equally strong.

Reach out to Scout Technology Guides today to explore how we can help.