Gone Phishing – The Increasing Threat of Scam Emails
Listeners tuning in to CBS Radio on October 30, 1938, were in for some alarming news: Martians were attacking New Jersey and New York City. As the story developed, panic ensued before CBS and narrator Orson Welles confirmed that what audiences had heard was not the breaking news of a galactic takeover, but a radio play of H.G. Wells’s classic 1898 novel The War of the Worlds.
Welles was a consummate storyteller, but even so, it’s hard to believe so many people were taken in by his performance. (In fact, evidence suggests that the overreaction has been exaggerated in the ensuing decades.) Likewise, with all the tools and resources now available, it seems almost baffling these days that anyone would fall for a phishing scam—fraudulent communication designed to obtain a user’s or company’s private information. The statistics say otherwise: according to the FBI’s Internet Crime Complaint Center’s 2018 report, 26,379 phishing victims accounted for $48,241,748 in losses that year. The actual figure is probably much higher. The FBI estimates that 85% of cybercrime goes unreported.
“I don’t think a lot of people really believe these things happen, and I don’t think they realize how sophisticated these phishing emails have gotten in terms of the realism,” says Dave Hatter, a cybersecurity consultant at Intrust IT. “At one time, there’d be a lot of red flags, but it’s so easy to go scrape the content off the website and set up something that, to a non-technical person and their naked eye, looks realistic.”
“It really has to be something that you remind your employees of on a daily, weekly, very frequent basis,” says Reiko Feaver, a Certified Information Privacy Professional and Partner at Culhane Meadows PLLC. “Hackers will do the easiest thing that they can do, and the easiest thing they can do is make something look really inviting…they exploit human nature. That’s hard to avoid. You’ve got to just be suspicious.”
Who is Vulnerable?
It doesn’t matter what industry you’re in, the size of your company, or even your role there. Scammers will target anyone they can to get their hands on valuable information and data. As users become savvier and protection software more common, determined hackers develop new strategies to appear more legitimate and urgent.
“The bad guys are very smart, and they’re constantly changing their tactics,” says Hatter. “While I think taking a real hard look at [programs] with advanced threat protection will make you a lot more resistant to these types of attacks, it’s certainly not a silver bullet.” Those looking to implement new
and innovative techniques to keep their data safe should reach out to the experts at Katalyst. We can provide education and training to keep employees prepared, helping to set up tools and exercises with our phishing awareness campaigns.
One of the more disconcerting practices used is emails that resemble internal communication. It’s only under careful scrutiny that a user might discover the message is not from a familiar sender. Some scammers have craftily embraced “spear phishing,” targeting a specific individual and going so far as to research them to construct the most convincing message. They can even boldly target higher-ups in an organization, such as a CEO, in practice known as “whaling.”
“One easy way to stop phishing emails that pretend to be from someone within the company is to add banners to all emails that come from the outside world,” says Greg Kelley, CTO, founder and lead investigator at Vestige Digital Investigations. “If you make the banner obvious and train your users, they will easily spot that an email comes from outside and treat it accordingly.”
Predictably, software companies, financial institutions, and those possessing large amounts of data are particularly susceptible to phishing attacks. However, they’re not alone. Scams have hit everyone from manufacturers to hospitals to real estate agents, as well as a host of individuals who have inadvertently given out account information for Amazon, Netflix, and especially PayPal.
While no company wants to take a financial hit, SMBs are especially vulnerable to breaches. According to a National Cyber Security Alliance survey, 37% reported losses, 25% filed for bankruptcy, and 10% went out of business as a result. Learn how to avoid phishing email scams below.
What to Do When You’re Suspicious
Organizations should work with their IT departments and other employees to establish standard practices when a user comes across an email they expect might be a scam. It may be a cliché, but the general rule of thumb is that it’s always better to be safe than sorry.
“We would much rather not get hit by ransomware than have a customer, partner, vendor, employee, or boss mad because you didn’t respond to something on time,” says Hatter. “Take a breath and slow down.” An excellent way to test how well your employees can detect a scam is through “ethical phishing,” which sends fake messages to see how users respond. The expense of additional training is a small price to pay compared to the consequences of a data breach.
Now for the bigger question: what should employees do if they suspect they’ve already clicked on a scam message and potentially made information vulnerable? The first step is to report it: the faster the situation is dealt with, the more minimal the damage. If you’re even the slightest bit uncertain, the “better safe than sorry” mindset is the way to go.
“If you’re embarrassed because you thought you did something that you shouldn’t do, and you knew you shouldn’t have done it and you don’t want to tell anybody, and it doesn’t look like anything happened, in reality, something might have happened,” says Feaver. “It’s not the whole ransomware thing anymore where all of a sudden your screen goes black and you can’t do anything. They [could have] put a keylogger on there, or they put malware, and it’s running in the back and it doesn’t look like anything happened. And if you don’t tell your IT folks, then it’s just sitting there.”
Phishing attacks can be incredibly harmful, and with hackers eager to stay one step ahead, the threat will always be real. But continued employee education and protection techniques can ensure that you’re never too far behind.
Online article from: