The following is part of Align’s National Cyber Security Awareness Month (NCSAM) Article Series and focuses on how to identify and avoid phishing scams. If you missed last Thursday’s article, read “Why Should Registered Investment Advisors Buy Cyber Coverage?” here.
Phishing is a popular scam tactic that attempts to fool its victims into giving out personally identifiable or company information. Many phishing attacks are driven by monetary gain, but in other cases they simply aim to wreak havoc on a specific company or even an entire country.
Phishing attacks often take the form of fraudulent emails, some of which contain malware or ransomware that propagates when a user opens or clicks on the email contents. Phishing often relies on the use of social engineering techniques.
Social engineering is a psychological tool that takes advantage of patterns of human behavior. One such pattern is that people are inclined to open email without scrutiny, especially when they are motivated by curiosity, fear, urgency or opportunity. Perhaps an email carries an urgent or intriguing subject line, or a document attachment that appears to be work related. Below we will explore some of the most common phishing email attacks seen in 2017.
One type of email phishing attack is known as the Business Email Compromise. Business Email Compromise, or BEC, attacks take a few different forms.
Ransomware is often delivered to phishing victims via fake email invoices. Attackers may schedule the phishing invoices to be sent specifically during work hours, both to make the emails appear legitimate and to catch victims while they are somewhat distracted, another example of a social engineering tactic.
Once the victim opens the email, they will see that it contains an attached zip file, presumably containing the invoice, which executes the attacker’s ransomware once it is opened. Ransomware targets and encrypts files with specific extensions on a system, which in many cases renders the machine utterly useless.
The files will remain encrypted until the ransom is paid to the attacker. Unfortunately, oftentimes a ransom is paid by the victim and the files are still not decrypted. Millions of users have been subject to this type of attack and have paid millions of dollars in ransoms. Ransomware is very effective and lucrative for attackers, and the number of victims will only continue to rise.
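As an added example (not part of Align’s article), the script below applies the checks a mail filter or analyst would run against the kind of fake-invoice email described above: urgency language in the subject, a Reply-To domain that differs from the From domain, and a zip attachment that hides an executable behind a document-looking double extension. The sample message, the sender and reply domains, and the extension blocklist are all constructed for the illustration.

```python
import email
import email.utils
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

# Assumption: a typical blocklist of extensions that should never arrive inside an
# "invoice" archive; not taken from the article.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".jar", ".hta", ".wsf"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
URGENCY_WORDS = re.compile(
    r"\b(urgent|immediately|overdue|past due|final notice|action required)\b", re.IGNORECASE
)


def build_sample_invoice_email() -> bytes:
    """Construct a phishing-style 'invoice' message with a zip hiding a fake executable.
    All addresses, names and bytes here are constructed test data."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        # Double extension: looks like a PDF in file listings that hide known extensions.
        zf.writestr("Invoice_2017-10.pdf.exe", b"MZ placeholder - not a real program")
    msg = EmailMessage()
    msg["From"] = '"Accounts Payable" <billing@example-vendor.test>'
    msg["Reply-To"] = "collect@unrelated-domain.test"
    msg["To"] = "employee@example.test"
    msg["Subject"] = "URGENT: overdue invoice attached"
    msg.set_content("Please see the attached invoice and remit payment immediately.")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return bytes(msg)


def build_benign_email() -> bytes:
    """Construct an ordinary internal message with no attachment (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.test"
    msg["To"] = "employee@example.test"
    msg["Subject"] = "Notes from this morning's meeting"
    msg.set_content("Attached nothing; notes are in the shared folder as usual.")
    return bytes(msg)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze_email(raw: bytes) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    subject = str(msg.get("Subject", ""))
    if URGENCY_WORDS.search(subject):
        findings.append(f"urgency language in subject: {subject!r}")

    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    reply_to = email.utils.parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(f"Reply-To domain {_domain(reply_to)!r} differs from From domain {_domain(from_addr)!r}")

    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if part.get_content_type() == "application/zip" or fname.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for name in zf.namelist():
                        stem, ext = os.path.splitext(name.lower())
                        if ext in EXECUTABLE_EXTS:
                            findings.append(f"executable inside archive {fname}: {name}")
                            if os.path.splitext(stem)[1] in DOCUMENT_EXTS:
                                findings.append(f"double extension disguises executable as a document: {name}")
            except zipfile.BadZipFile:
                findings.append(f"attachment {fname} claims to be a zip but is not")
    return findings


def is_suspicious(raw: bytes) -> bool:
    """Simple verdict: two or more independent findings is enough to quarantine for review."""
    return len(analyze_email(raw)) >= 2


if __name__ == "__main__":
    for label, raw in (("invoice", build_sample_invoice_email()), ("benign", build_benign_email())):
        print(label, "suspicious" if is_suspicious(raw) else "clean")
        for finding in analyze_email(raw):
            print("  -", finding)
```

The verdict threshold is deliberately simple; in practice each finding would feed a score alongside sender reputation and attachment sandboxing, and the archive check would also cover nested or password-protected zips, which this version reports only when the payload is not a readable zip.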
The Google Docs phishing scam has affected over three million people worldwide. While this scam has been in existence since 2014, the latest attack is particularly effective, in part because it looks very authentic. The attacker sends a fraudulent invitation to edit a Google document to the victim. After clicking the document link, the victim is led to a genuine account screen, which shows all of the Google accounts that they are presently logged into.
The authentic screen only entices the victim to move further into this scam. After choosing the account to log in with, a malicious third-party app, masquerading as Google Docs, asks to be granted privileges to access account information. Granting this permission provides all of the victim’s account information to the attacker.
This scam is particularly effective, not only because it mimics Google so successfully, but because the attacker can continue stealing information for as long as the victim is unaware that their account has been compromised.
Because phishing email tactics have become increasingly sophisticated and convincing, the following may help you to avoid becoming a victim:
As demonstrated by some of the most widespread and devastating phishing attacks, no one is immune to falling for a phishing scam. Educate your firm with employee security awareness training.
Phishing training modules will allow your employees to become experts at identifying phishing emails before they fall victim to phishing attacks in the wild. Come back this Thursday for our next article in our National Cyber Security Awareness Month (NCSAM) Series!