Michael Brown, Infrastructure Specialist with a focus on cryptography and cybersecurity, uses a simple illustration to understand online scams and how to avoid them.
Overview
A novice scammer invests only $100 to receive 50,000 email login names for a large bank. In a little over an hour, he sets up a duplicate login page with an XSS script running to capture the logins. Even if only half of the emails are legitimate, and 1% of the recipients log into the page, that’s 250 exploited accounts. He plans to steal $10 from each user, hoping that it is small enough not to draw attention, netting him $2,500.
Phishing is a form of cyber-attack often used to steal user data, including login credentials and credit card numbers. Attackers often dupe victims into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information. As you can imagine, this can lead to catastrophic consequences for both individuals and organizations.
The ease with which someone with very little technical acumen can initiate and profit from a generic phishing attack can be unsettling. A perpetrator can purchase email addresses in bulk online, get a script and install instructions from a forum on the dark web, and copy a webpage. After that, they sit back, hope enough people fall for the email, and collect their ill-gotten gains. It allows maximum payoff with a limited chance of detection.
CEO fraud, or whaling, occurs when a CEO or CFO is spoofed in the hope that someone will perform a desired task. The attacker circulates emails with spoofed addresses so they appear to come from the CEO, requesting a meeting or funding. If the person responds, the attacker may request that a payment be made, or that bank account details be revealed or altered. Companies have been tricked into transferring millions of dollars. Often multiple payments will be made before the change is discovered.
Recognizing a Scam
One of the most valuable things you can do for your firm is to educate your employees on what to look for. Some red flags include:
- Claiming to notice suspicious activity or login attempts
- Claiming there’s a problem with your payroll or timesheet
- Including a fake or questionable invoice
- Saying you are eligible for a free government refund
- Asking you to click on a link to make a payment
- Poor spelling or grammar
- Communications from IT or HR outside of normal channels
- Prompts to click on links or URLs that show a different address when hovered over
- Email addresses showing the name of an individual within the company but from generic email providers (Gmail, Yahoo, etc.)
- Unexpected zip files or attachments
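Three of the red flags above (a colleague's name on a generic-provider address, link text that differs from the real link target, and an unexpected archive attachment) can be checked mechanically before a message reaches the inbox. The following is an added example, not code from the original article; the staff directory, company domain and the sample message are constructed assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed (hypothetical) staff directory, generic webmail providers and risky archive types.
STAFF_NAMES = {"jane doe", "john smith"}
GENERIC_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")
# Anchor whose visible text is itself a URL: <a href="REAL">https://SHOWN</a>
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>\s*(https?://[^<\s]+)\s*</a>', re.I)

def red_flags(raw_message: str) -> list[tuple[str, str]]:
    # Return (flag, detail) pairs for the red flags found in one raw RFC 5322 message.
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0]
    # Flag: a colleague's name in the display name, but a generic provider as the domain.
    if sender.display_name.lower() in STAFF_NAMES and sender.domain.lower() in GENERIC_PROVIDERS:
        flags.append(("generic-provider", f"{sender.display_name} <{sender.addr_spec}>"))
    # Flag: the visible link text shows one host, the href (what hovering reveals) another.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    for href, shown in ANCHOR_RE.findall(html):
        real, visible = urlparse(href).hostname, urlparse(shown).hostname
        if real != visible:
            flags.append(("link-mismatch", f"{visible} -> {real}"))
    # Flag: unexpected archive attachment.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_EXTENSIONS):
            flags.append(("archive-attachment", name))
    return flags

# Constructed sample message (not a real phishing email) that trips all three checks.
SAMPLE = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Subject: Urgent payment
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Pay today via <a href="http://portal-example.com.evil.test/pay">https://portal.example.com/pay</a></p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

--b1--
"""
```

Calling `red_flags(SAMPLE)` returns one pair per red flag, which a mail gateway or a training exercise can use to decide whether to quarantine the message or add a warning banner.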
Phishing continues to be one of the top entry points for hackers to gain access to personal and company computers. While it cannot be stopped at its source, many software solutions can detect or block known phishing sites/emails, while other software solutions will double-check the links and attachments in emails, looking for potential viruses. Another option is for companies to add banners to emails coming from outside the company to let the user know to be on their guard.
After You Click
Unfortunately, phishing emails can have real consequences for people who give scammers their information in addition to greatly affecting a firm’s technological infrastructure. If employees shared a password with a scammer, make sure they change it on every account that uses this password. Although it can seem daunting, it is useful to use unique passwords for each account and service—especially when these scenarios arise.
Be sure all employees are regularly trained and tested on phishing. Their computers need to be current on updates and have strong anti-virus software installed. If the affected computers are connected to a network, contact a cybersecurity expert who can check your entire network for intrusions.
Cybersecurity teams often find themselves in a reactive position, putting out fires and dealing with potential exploits. Ultimately, the final layer of defense a company has against phishing is the end users themselves. By training users to examine emails closely for misleading or ambiguous verbiage and poor spelling or grammar, and to hover over any links to ensure they direct to a legitimate URL, you are converting employees into human firewalls. This, in turn, allows cybersecurity teams to focus on proactive work, leading to a more secure company.