
Posts Tagged ‘email phishing’


An Expert’s Guide to Avoiding Phishing Scams

Tuesday, January 24th, 2017


Unlike most IT security threats, phishing scams attack the human element instead of the machine element. Phishing scams try to bait a person into exposing confidential information by posing as a legitimate, reputable source, typically by email or phone. Most often, the culprits seek users’ account login details, credit card numbers, social security numbers, and other personal information.

By properly educating your employees and following a handful of best practices, your business can significantly reduce the threat of phishing scams.

Here’s how:

1. Treat every request for information—whether by email, phone, or Instant Message—like a phishing scam until proven otherwise.

Meeting any request for confidential information with skepticism, regardless of how trivial it sounds, is your employees’ best defense against phishing scams. Even innocent information like a person’s first car, pet’s name, or birthday can be used to steal accounts through password recovery. Generally speaking, no professional organization or company would ever ask for personal information when contacting you—so any information request of this type is more likely to be fraudulent than real.

2. Familiarize your staff with scheduled emails for password resets.

Many companies use regularly scheduled password reset policies as a security measure; however, hackers can exploit this system to get people to hand over account login information. Your company’s best protection in this case is to familiarize employees with which services actually send out these requests. If possible, enable 2-step verification services, or avoid scheduled password changes altogether.

3. Never click a “reset password” link.

One of the easiest ways a hacker can steal information is to include a spoofed link claiming to be a password reset page that leads to a fake website. These links typically look exactly like the legitimate reset page and will take the “account name” and “old password” information the person enters. If you need to reset an account or update your information, navigate to the site manually and skip these links.

4. Never send credentials over email or phone in communication that you did not initiate.

Many sites utilize legitimate password reset emails and phone calls; however, a person has to go to the site and request it. If someone did not request a password reset, any form of contact to do so should be met with extreme skepticism. If employees believe there is a problem, they should cease the current contact thread and initiate a new one directly from the site in question.

5. Don’t give in to fear.

One common phishing scam emulates online retailers, claiming they will cancel an order because a person’s credit card information is “incorrect.” These scams rely on a sense of urgency to get a potential victim to hand over information without stopping to think. If the account really is compromised, chances are the damage is already done.

6. Report suspected phishing attempts.

Phishing attacks like this typically target more than one person in an organization, whether through a “mass-scale” or a “spear” phishing attack. Therefore, it’s safe to assume that if one person receives a phishing email, others will, too—so contact both your company’s IT department and the organization the hackers were imitating.

If your business is looking to improve its IT security practices and avoid falling victim to phishing scams and other attacks, contact the experts at MPA Networks for help today.

A Primer on Phishing Attacks

Wednesday, December 21st, 2016


Phishing attacks are a dangerous and devastating method hackers use to steal personal information and accounts—primarily by striking the user instead of the machine. According to the APWG Phishing Activity Trends Report, the first quarter of 2016 saw an explosive 250 percent increase in phishing attacks, meaning both the industry and individuals should be increasingly concerned about these scams.

While security software is getting better at detecting phishing attacks, it can’t stop them all. Here’s the rundown on what you can do to protect yourself and your employees.

What Exactly Is a Phishing Attack?

The goal of a phishing scam is to get a person to hand over private information, usually account access credentials, credit card numbers, social security numbers, or other information that can be used to steal accounts, data, and identities.

According to Indiana University, phishing attacks, or scams, typically present themselves as fake emails masquerading as official sources asking for personal information. Google adds that phishing attacks can also come through advertisements and fake websites.

So, phishing attacks come in several forms. One example of a phishing attack is an email arriving in an employee’s inbox asking them to reset their Gmail account information. Another is an email from “Amazon” saying the account holder’s credit card information didn’t go through for a recent order.

What’s the Best Defense Against Phishing Attacks?

The best thing a person can do to protect themselves from phishing scams is to be wary any time they receive a message asking for personal information. Businesses and organizations can protect themselves by educating their employees and members about what phishing attacks look like, and how to avoid them.

Teach your employees to look for red flags, like an email address that doesn’t correspond to the supposed sender, impersonalized messages, grammatical errors, and/or unsolicited attachments. Equally, watch out for spoofed links that list one URL on the page but redirect to another—and keep an eye out for spoofed URLs that don’t match the real site (e.g., gooogle.com instead of google.com).
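As an added illustration (not code from the original post), the following Python script applies two of the red flags above to a constructed HTML email body: a link whose visible text is a URL that points at a different host than its href, and a destination host that imitates a trusted domain (gooogle.com standing in for google.com). The trusted-domain allowlist and the sample email are assumptions constructed for the example.

```python
# Added example (not from the post); the allowlist and sample email are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"google.com", "amazon.com"}  # constructed allowlist

def host_of(url):
    """Lowercase hostname of a URL; visible link text often lacks a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")

def levenshtein(a, b):
    """Edit distance, to catch near-miss spellings such as gooogle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Trusted domain that `host` imitates, or None if genuine or unrelated."""
    if any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # the real domain or one of its own subdomains
    # trusted name buried in a longer host, or a spelling a couple of edits away
    return next((t for t in TRUSTED_DOMAINS if t in host or levenshtein(host, t) <= 2), None)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_red_flags(html):
    """Return human-readable flags for suspicious links in an HTML email body."""
    parser = LinkCollector()
    parser.feed(html)
    flags = []
    for href, text in parser.links:
        target = host_of(href)
        # Red flag 1: the visible text is a URL, but the href goes somewhere else
        if "." in text and " " not in text and host_of(text) != target:
            flags.append(f"display/href mismatch: shows {host_of(text)}, goes to {target}")
        # Red flag 2: the destination imitates a trusted domain
        if (imitated := lookalike_of(target)):
            flags.append(f"lookalike domain: {target} imitates {imitated}")
    return flags

# Constructed sample, modelled on the "Amazon" and password-reset lures in the post
SAMPLE_EMAIL = """<p>Your order could not be processed. Please confirm your card at
<a href="http://account-verify.example/login">https://www.amazon.com/your-account</a> or visit
<a href="http://gooogle.com/reset">gooogle.com</a>. <a href="https://www.google.com/">Help</a></p>"""
```

Running link_red_flags(SAMPLE_EMAIL) reports the display/href mismatch on the first link and the lookalike host on the second, while the genuine www.google.com link passes.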

Some phishing emails use such highly personalized information that they may appear, on the surface, to be authentic. Don’t let your guard down. Phishing attacks typically use fear to motivate a person into handing over sensitive information with statements like “your order will be canceled” or “your account will be deactivated.” Instead of clicking the link inside the email or responding directly with personal information, go to the real website using a search engine or by typing the URL directly into your browser. If you receive a phishing email related to any of your professional account credentials, report it to IT.

The State of Phishing Attacks

Now that web users are spread out over a variety of operating systems including Windows, Mac OS, Android, and iOS, it makes sense that hackers would divert more effort to scams that attack the user instead of the operating system. Symantec reported a 55 percent increase in “spear-phishing” scams across 2015. In the first quarter of 2016, CSO reported that criminals successfully targeted 41 organizations in a phishing scam aimed at retrieving W-2 data.

If your company is looking to improve its IT security practices against threats like phishing scams, the IT consulting experts at MPA Networks are ready to help. Contact us today.

Prepare Now or Pay Later: More Ransomware Attacks in the News

Thursday, April 7th, 2016


We’re only a few months into 2016, but we’ve already seen two high-profile ransomware attacks—where cyber-crooks heavily encrypt a victim’s computer files before demanding payment for a decryption key only they can provide. Two notable incidents grabbed headlines:

  • In January, Israel’s Electricity Authority was hit by what officials termed “a severe cyber attack.” What early media reports described as a possible terrorist plot to knock out Israel’s national power grid turned out to be a multiple ransomware infection that crippled the agency’s IT network—most likely triggered by an employee falling for a phishing scam (as little as clicking a link in a bogus email). The Israeli government didn’t reveal whether they’d paid off the crooks in order to restore the network.
  • Closer to home, one month later Hollywood Presbyterian Medical Center in Southern California gave in to hackers’ demands for 40 Bitcoins—a little under $17,000—to restore access to their ransomware-encrypted network. With patient care potentially in the balance, the hospital decided the quickest solution would be to simply pay the ransom.

Pay or Don’t Pay: Where Do You Stand?

A recent study from anti-virus maker Bitdefender indicates that over half of all U.S. ransomware victims have actually paid off their attackers, while 40% of respondents said they most likely would pay to restore access to their data files if necessary.

This leads us back to the central ransomware conundrum: To pay or not to pay.

As we recently discussed, the FBI considers their hands tied against ransomware attacks (almost all are suspected to be launched from Eastern Europe) and shockingly recommends victims simply cough up the Bitcoins. But there are still very logical reasons why paying off cyber-extortionists is never a wise idea:

  • You’re an instant patsy. A quick ransom payment indicates you’ll give in without a fight—an ideal victim. Expect your attackers to remember that when they run low on cash—or share that knowledge with other cyber-gangs looking for their next “easy mark.”
  • The demands will grow bigger. Think of ransomware attacks in terms of simple economics—the “seller” charges what the market will bear. Today’s most lethal strain of ransomware, CryptoWall 4.0, currently charges victims a standard flat rate of 1.83 Bitcoin ($700). If most readily paid $700 for their precious data today, why wouldn’t they pay $900 tomorrow—or even more?

Protect Your Company Now

  • Back up your entire network regularly. Most ransomware will seek out external backup drives (connected to a computer via a USB port) and infect those files as well—unplug the drive after every manual backup.
  • Make sure all software is fully updated and patched. Ransomware and other viruses seek out vulnerabilities in all common office apps.

The middle of a robbery is too late to create your anti-robbery plan! Contact us to help design and implement your company’s strategy against ransomware and other emerging cyber-threats.

Fake Phishing: The Ultimate Security Training?

Tuesday, January 5th, 2016


What is the current state of your company’s IT security training program—if you have one? Many companies settle for an annual group training session to broadly review the major types of cyber-threats—viruses, malware, and phishing.

The problem with once-a-year “standardized” training is that once employees go through it the first time, they may not fully pay attention in the future, thinking they’ve “heard it all before.” That’s when they’re most vulnerable.

“It Won’t Happen To Me”—Until It Does

Recently, a friend of ours—who normally prides himself on being “smarter than the average bear” when it comes to computer hygiene—confessed he finally got duped into downloading malware directly to his desktop PC. He tried updating to the latest version of CCleaner, a popular, trusted freeware utility which removes temporary files, cookies, and other unwanted clutter from a hard drive. But the page he was directed to had two different “Download” buttons… and he clicked the wrong one. After ignoring dire warning screens from his anti-virus program (“It’s only CCleaner,” he reasoned), he discovered he’d actually just downloaded several unfamiliar programs, masquerading as system processes in his Windows “Task Manager.”

The first consequence: an uncloseable pop-up window requesting payment to remove multiple “detected threats” (which he of course declined to pay). Fortunately, he immediately deleted all the “scamware”—via several malware-removal apps—before hackers could unleash more havoc. He was reminded to stay reasonably skeptical of almost everything online—and to never again let his guard down.

Time For Some “Tough Love”?

You can warn someone of looming cyber-dangers until they’re tired of hearing it… but sometimes the best education is simply “learning the hard way.”

A handful of security contractors are helping companies actually test their employees by providing fake phishing emails—which mimic the sophisticated tactics of genuine scams (offering bogus apps, phony “updates,” and more). When an employee clicks on a deceptive link, they’re quickly informed they’ve dodged a bullet:

“Oops! You’ve just fallen for a fake phishing email test. Luckily, your computer remains unharmed for now, but keep in mind this is how hackers regularly trick victims into compromising network security…”

One strong proponent of fake phishing is the Department of Homeland Security—which recommends federal employees who repeatedly fail such tests should have their security clearances revoked.

The point of fake phishing tests isn’t to anger or shame employees who unwittingly take the bait. The goal is to prove that cyber-threats are definitely real, and they should take security very seriously. Nobody wants to be the real victim.

For management, the overall “conversion rate” of a fake phishing test is a true metric of an IT security training program. If too many employees allow themselves to be conned by a simulated phishing scam, their existing training isn’t working.

For more ways to boost security measures within your business, get in touch with a local MSP.

Malvertising: The Next Big Cyber Threat

Thursday, July 16th, 2015


We’ve spent plenty of time here talking about safeguarding your company against phishing and other forms of cyber-attack. As we’ve discussed, the first line of defense against phishing is to make sure your employees remain vigilant by avoiding email links and shady websites. But there’s a bigger threat on the horizon for anyone who simply surfs the Internet. Hidden malware delivered via online ads, or malvertising, is rapidly spreading across the web—including the most trusted news and entertainment sites millions of us visit every day.

Via banners, pop-ups, and animated ads, cybercrooks can embed hidden lines of code that instruct a web browser to automatically retrieve and install malware programs from an unseen URL—literally a “drive-by download,” undetectable by most common anti-virus programs. Some malvertising scams entice viewers to click on an ad (most often pop-ups offering “software updates”). Others infect a computer simply by loading the page.

Successful malvertising immediately renders a computer susceptible to any of the following:

  • Outright theft (identity, financial, or data) or extortion via ransomware, such as CryptoWall or CryptoLocker, a high-encryption virus which can’t be removed without paying off the crooks—usually in untraceable Bitcoin or wire transfer.
  • The computer can be hijacked into a botnet, a ring of “zombified” computers which are silently manipulated for criminal activities, such as repeatedly clicking on bogus pay-per-click ads to generate artificially inflated ad profits.
  • The malvertising can leave behind a browser exploit kit, malicious code that constantly probes a computer for vulnerabilities within the browser as well as standard plug-ins including Adobe Flash Player, Java, and Microsoft Silverlight. When a weakness is found from the inside—as little as missing the latest security update—the door is open for even more lethal malware.

No Sheriff in Town

Most high-traffic websites outsource their advertising to third-party networks who sell space to advertisers—usually simply accepting ads from the highest bidder—and directly insert ad applets into a web page. You’d think these ad networks would bear the responsibility for screening ads against malvertising, but they’re simply not responding fast enough. Like so much of the Internet world, the frenzied volume of online advertising grew much faster than anyone’s ability to regulate it.

Everyone still assumes law enforcement can effectively police criminal activity in cyberspace… but there’s literally no sheriff in town.

How Can You Protect Yourself?

There are a number of measures you can take right now to defend your company against malvertising:

  • Keep your anti-virus and anti-malware software up to date, and make sure the software continues to update on a regular basis. Some manufacturers update their software daily to combat new threats.
  • Use a Firewall with an activated subscription service for UTM (unified threat management). A UTM service should provide at least two forms of protection:
  1. Filtering out some viruses and malware as they attempt to pass through the Firewall into your office or home network (whether in an email or on a website).
  2. Prohibiting you and/or your users from visiting sketchy websites—the kind a phishing email might direct you to, with or without your knowledge, in an attempt to infect your computer.
  • Regularly check your browsers for the latest security patches.
  • Modify your browser settings to prevent Flash and Java-based animated ads from running automatically, as well as to flag suspicious website content.
  • Create multiple user accounts on each computer, including a “web surfing” account without administrative rights, so it cannot install or modify software, which also blocks malicious exploit kits from doing so. Some firms configure all employee desktop accounts without administrative rights for this reason.
  • Consider signing up with a Managed Services Provider (MSP) for a Managed Services Program that supplies anti-virus, anti-malware, and security patching, keeps these systems up to date, and manages the process for success—so you can focus on actually using your technology.

To learn more about the dangers of malvertising and other emerging cyber threats, contact us.


Know Your Enemy: These New Phishing Schemes are Hard to Spot

Thursday, April 16th, 2015


A friend called me recently to gripe about his personal email account. His ISP has done a pretty good job of virtually eliminating the annoying spam he used to receive (remember your inbox way back when?), but now he’s the target of two particularly relentless phishing schemes I’d like to share with you.

“Unsubscribe” with Caution

The first involves multiple emails supposedly selling products he’s not interested in—life insurance, home security systems, new tires, and more. Of course, the sender hopes that if my friend prefers to quit receiving these unwanted “offers,” he’ll click the prominently-placed “Unsubscribe” link. But hovering his mouse over the link reveals a bogus-looking URL—one that with a single click could infect his computer or smartphone with troublesome or dangerous malware.

My friend is obviously smart enough not to take the bait, but that isn’t stopping the scammer. They send multiple clusters of these emails several times a day. His ISP offers a Blocked Senders List to exclude unwanted emails, but this sender always uses a different return address made up of gibberish (such as “eirithtnydkr@prmdjentod.edu”) to evade blocking. He hopes this jerk will soon be arrested or just get tired of bothering him. Good luck with that.

Unfriendly “iTunes” Updates

The second scam involves Apple’s iTunes. My friend receives new music “updates” from “itunes@new.itunes.com” that include logos, fonts, and graphics very similar to genuine marketing emails from Apple. While he does often download music from iTunes, he’d rather not get these emails and was about to click that boldfaced “Remove Me” link—until he noticed the URL likewise had nothing to do with Apple or iTunes. Go to a phony iTunes website, input your username and password, and you’ve walked into a massive headache.

Why would iTunes be an inviting target for a scam? Because their customer service is notoriously bad, and without talking to a live customer service rep, an emergency—say, an unexpected $5,000 charge to your account—would be very difficult to fix. (In Apple’s defense, manning an efficient call center for the volume of iTunes customers around the world is nearly impossible). In the meantime, Apple warns the public to ignore all likely “spoof” emails that aren’t sent directly from “@apple.com.”
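As an added example (not from the original post), here is how a mail filter can apply Apple’s “@apple.com” rule without being fooled by the display name, a look-alike suffix such as notapple.com, or a trusted name buried in the middle of a longer domain. The trusted-domain list and the sample From: headers are constructed, with the “itunes@new.itunes.com” case taken from the story above.

```python
# Added example (not from the post); the allowlist and sample headers are constructed.
from email.utils import parseaddr

TRUSTED_SENDER_DOMAINS = {"apple.com"}  # constructed, following Apple's "@apple.com" advice

def sender_domain(from_header):
    """Domain of the address in a From: header, ignoring the display name.

    The display name is chosen by the sender, so 'Apple <x@evil.example>'
    must resolve to evil.example, whatever the name claims.
    """
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def is_trusted_sender(from_header):
    """True only for a trusted domain or one of its subdomains.

    Matching on the label boundary ('.' + trusted) rejects notapple.com, and
    anchoring the trusted name at the end rejects apple.com.evil.example.
    """
    domain = sender_domain(from_header)
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_SENDER_DOMAINS)

# Constructed From: headers modelled on the scam described above
SAMPLE_FROM_HEADERS = [
    "iTunes <itunes@new.itunes.com>",                   # the phony "iTunes" sender
    "Apple <no_reply@email.apple.com>",                 # a genuine Apple subdomain
    "Apple Support <support@notapple.com>",             # look-alike suffix
    "Apple <billing@apple.com.account-check.example>",  # trusted name in the middle
    "Apple Support <support@APPLE.COM>",                # case differences only
]

def triage(headers):
    """Map each From: header to True (trusted) or False (treat as suspect)."""
    return {h: is_trusted_sender(h) for h in headers}
```

Only the two headers whose address actually ends in apple.com come back trusted; the phony iTunes sender, the notapple.com suffix and the apple.com.account-check.example domain are all rejected.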

Everyone is a Target

My friend considers himself reasonably web-savvy and isn’t sure how he got on a mailing list of potential “suckers.” His best guess is that he’s been sending out resumes for quite a while and probably replied to a bogus online want-ad meant to collect email addresses.

As you know, at MPA we pride ourselves on the comprehensive email services we provide our customers and do everything possible to protect them from malicious phishing.

But crooks will never quit trying to find new ways to sneak past email security, and we’ll never be able to completely prevent human error—i.e., a careless click on the wrong link. Make sure your employees are always on guard.

How to Identify a Malicious Email

Wednesday, December 4th, 2013

Continuing our blog series about Cryptolocker and ransomware virus attacks, we need to explain the basic fundamentals of identifying a malicious email or attachment. Only through education and proper awareness can we effectively avoid ransomware and other malware attacks.

Identifying a Malicious Email: The Fundamentals

Below is a list of five basic safeguards you should know and practice before opening email messages and attachments. These rules should become second nature to you.
