Phishing is big business for hackers and you can rest assured that it’s a niche they’re keen to exploit, but how do you know when you’re being phished?

Kaspersky Lab reported around 246 million phishing attempts being executed in 2017, so it’s fairly clear that phishing is taking place on a monumental scale. And, to provide a little perspective, those 246 million phishing attempts are only the ones that were picked up by Kaspersky’s software. If you factor in all the other security providers’ data then you’re left with a staggering amount.

Phishing, therefore, is something that you’re likely to encounter and, the truth is, your organization is likely to receive a significant number of phishing emails every day. Thankfully, protecting your business from the dangers of phishing emails is relatively easy. And, to help boost your defenses, we’re going to show you four ways to tell if you’re being phished.

1.  Analyze the Email Address

While it’s straightforward to mask an email address with a false one, many hackers simply don’t bother. And that’s why you’re likely to find that most phishing emails are sent from unusual email addresses. Say, for example, you receive an email from your bank asking you to provide sensitive information regarding your account, it’s not going to come from a Hotmail address, is it? However, many people fail to check the sender’s email address and, instead, become distracted by the seemingly genuine contents.

2.  How’s the Grammar?

A tell-tale sign of a phishing email is poor grammar and even worse spelling. Hackers, after all, aren’t too bothered about honing their command of the written word. All they want to do is hack and hack big. Accordingly, their emails will fail to contain the type of language you would expect to receive from a work colleague or another organization. So, remember: if they can’t spell your name in their opening introduction then you should be highly suspicious.

3.  Did You Ask For Those Attachments?

Hackers love to catch their victims out with attachments that contain a nasty payload, so any attachments should always be treated with caution. Sometimes these attachments can be easily identified as malicious, but it’s not always simple. First of all, ask yourself whether the attachment is relevant to your job. If you work in the service department and you’ve been sent a spreadsheet relating to company finances then there’s no need for you to open it. Secondly, keep an eye out for file extensions you don’t recognize as opening these could easily lead to executing malware.

4.  Deceptive Links

One of the main objectives of a phishing email is to take the recipient away from the security of their PC and onto dangerous websites which are riddled with malware. And the best way they can do this is through the use of a deceptive link. While a link may look genuine on the surface, it can easily direct you somewhere else altogether. The best way to verify a link’s true destination is by hovering your mouse cursor over the link to reveal the true URL address.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


You may think that political parties understand the need for good security, but back in 2016 the DNC suffered a major hack due to phishing emails.

Thanks to a sustained attack, Russian hackers were able to infiltrate email accounts of those involved within Hilary Clinton’s campaign to become president of the United States. And, as you know, the rest is history. However, not many people are aware of exactly how the DNC got hacked so extensively that highly sensitive information was obtained and then leaked to the public.

Although not every single detail has been revealed, we know enough that the hack was, in relative terms, a fairly simple execution. Naturally, you’re unlikely to be targeted by the same people who are involved in political attacks, but their methods are likely to be similar. Therefore, we’re going to take a look at how the DNC was hacked by phishing emails, so you can understand how to avoid it.

Phishing for DNC Secrets

The hack began on March 10th, 2016 and involved a batch of heavily disguised emails, which appeared to be sent by Google, being sent to key members of Hilary Clinton’s campaign team. These emails purported to be advising the recipients that their passwords needed changing in order to strengthen their security. However, the links contained within these emails sent users to a malicious website where strengthening security was the last thing on their mind. With these email accounts compromised, the hackers were then able to access private contact lists held within them.

Within a day, the hackers had access to confidential email addresses for key targets within the DNC campaign. And, almost immediately, the hackers began to send phishing emails to these email addresses in order to work their way higher up the chain of command. Despite the presence of two-factor authentication, the hackers’ persistence paid off as they eventually managed to breach the defenses of John Podesta, chairman of the DNC’s campaign. This email account, alone, provided access to 50,000 confidential emails.

This assault is believed to have been organized and orchestrated by the Russian cyber-espionage organization known as Fancy Bear. Despite accessing such a huge amount of emails from Podestra, Fancy Bear intensified their hacking campaign and this led to security experts becoming suspicious of methods being employed to dupe Google’s spam filter into accepting malicious emails into the inboxes of DNC targets. The clean-up operation, however, was too late and Podestra’s breached emails were soon published on Wikileaks.

Be Clever, Don’t Get Phished

The 2016 attack on the DNC is probably the most famous, and damaging, phishing attack in cyber-history. Simply due to a few members of staff clicking malicious links, an entire election campaign was brought to its knees. Reinforcing good email security, therefore, remains a crucial practice for any organization in modern business. Even with millions of dollars of security in place, the DNC fell victim to a simple phishing scam and, next time, it could easily be your organization.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Phishing emails are the scourge of our inboxes and there seem to be more and more each week, so what should you do when you receive a phishing email?

The aim of phishing emails is for the sender of said emails to obtain sensitive information from the recipient. This goal is realized by cleverly disguising the email to make it look as genuine as possible and, therefore, gain the recipient’s trust. Data targeted by phishing emails usually relates to sensitive details including login details and passwords. And this data leakage can cause serious harm to businesses with the average cost of a phishing attack on a medium sized business costing around $1.6 million.

No organization that wants to remain productive and competitive wants to deal with the chaos of a phishing attack, so we’re going to take a look at what you should do when you receive a phishing email.

Do Not Open Phishing Emails

The best way to avoid the dangers of phishing emails is very simple: Don’t open them! This, of course, is easier said than done as phishing emails have become incredibly sophisticated over the years e.g. spoofing email addresses. However, if for any reason whatsoever you do not recognize an email address or there’s something unusual about the email subject then it’s always best to err on the side of the caution. Instead, move the cursor away and get your IT team to investigate it before going any further.

Leave Links Well Alone

Opening a phishing email isn’t enough, on its own, to activate the malicious payload, but it’s very simple to do so. Phishing emails often contain links which, once clicked, send the user to malicious websites where malware is automatically downloaded to the user’s PC. This malware is usually very discreet and is able to run silently in the background where it is able to log keystrokes or even take control of the user’s PC. So, remember: if you don’t recognize the sender of an email, it’s crucial that you never click their links.

Don’t Respond

Phishing emails will often try to gain your trust by establishing a connection, so you need to be mindful of these deceptive tactics. By hitting the reply button, for example, you’re demonstrating to the hacker that not only is your email account active, but that you’re willing to engage. And, if a phone number is provided, never ever ring it as it will involve further social engineering and potentially a very high phone charge to a premium member. It may be tempting to respond, but always say no and move away from engaging.

Report the Email

Any form of hacking represents a serious threat to the security of your organization, so it should be every employee’s duty to report a phishing email as soon as possible. This allows your IT team to analyze the email and its contents before taking action. This could be as simple as deleting it securely or telling you that, actually, it’s safe to open. Ultimately, shared knowledge allows your entire organization to stay on top of phishing emails, so, even if you’ve clicked something you shouldn’t have, report it immediately.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


hacking-apple-idHackers are now turning to employees of organizations to help breach their defenses and this can be knowingly or unknowingly, but how are they doing it?

As this hacking technique doesn’t rely purely on digital attacks, it’s a unique problem in the world of cyber-security. Sure, the end result is the same in that the hackers want to access digital information, but this method of getting a head start makes their attacks more covert than ever.

To help you understand how these exploits can be initiated and unfold, I’m going to show you 4 ways that hackers are hacking your employees.

  1. USB Stick Hacks

USB sticks can cause huge issues for your PCs due to the amount of automated hacking software which can easily be loaded onto them; in some extreme cases, USB sticks can also be used to completely destroy a PC. More often than not, these attacks can be initiated by old fashioned human curiosity. A recent study showed that of 297 flash drives left in a college parking lot, over half of these drives ended up being plugged into a PC. Therefore, staff need to be made aware that unauthorized devices should never be plugged into their workstations.

  1. Website Information

Many organizations display details of their employees on their website in order to show the people behind the business. Whilst this is a great method for engaging customers and clients, it also allows hackers to begin building a portfolio of information on targeted individuals e.g. with access to photos and email addresses, it’s possible to not only target these email addresses, but actually track them down in real life. This opens up your employees to direct approaches and is a good reason why information about employees should be minimized on the public internet.

  1. Phishing

The oldest, and perhaps simplest, method of hacking employees is by phishing. Deceptively convincing, phishing attacks often take the form of genuine looking emails requesting personal information. The most common technique is for the hacker to fake a company email in order to obtain sensitive data e.g. emails are often dispatched which appear to originate from the organization’s IT department and request login details, but actually originate from outside the business. Employees need to receive regular training on how to spot phishing emails.

  1. Vishing and SmishingsmishingSTILL

A relatively new approach to hacking employees is via vishing (obtaining information via phone calls) and smishing (mining for data through SMS messaging). Vishing often takes the form of a phonecall from a potential customer, but it’s actually a hacker trying to learn information about the organization’s structure and security through careful questioning. Smishing tends to target employees with links that they’re encouraged to click and then forwards them to a phishing website to extract data. Again, good training is crucial to ensure your staff can recognize these threats.

These four methods of hacking your employees use a number of highly sophisticated methods that prey on human curiosity and misplaced trust. They’re also remarkably easy to execute, so the key is to remember that regular training to increase awareness is the best defense against such attacks.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


thumb_shutterstock_79924000_1024

The tax season is a stressful time of year for businesses, but now hackers are targeting this period in order to steal employee data and funds.

Using a social engineering approach, hackers are able to trick businesses into relinquishing highly sensitive information and, in particular, W-2 details such as individual employees’ wages and salary. And with this form of social engineering becoming more and more active, it’s affecting an increasing number of businesses.

Seeing as every business has to deal with their taxes in a responsible manner, this is an area of hacking which needs to be closely guarded against; this need for security is even more necessary as it can affect individual employees. Therefore, we’re going to take a closer look at this increasing threat.

Tax Season Hacking

290x195cybercrime99Tax fraud has, traditionally, been a form of hacking reserved for only the most advanced hackers, but with the rise of relatively simple social engineering methods, this hacking technique has steadily become more accessible.  Many smaller businesses are now being targeted and these can include non-profit organizations, restaurants and schools.

And with tax themed spam traps increasing by over 6000% between December 2016 to February 2017, it’s a highly worrying time of year and businesses need to be on their guard. What form, though, do these attacks take?

Well, there are a number of attack methods and these are:

  • Processed Tax Refund – Spam emails which claim to originate from the IRS have been appearing in email inboxes and advise that they are due a tax refund which has now been processed. All the recipient needs to do is open an attachment to get started, but this attachment actually contains infected macros which can give hackers remote access to your PC.
  • W-8BEN Phishing Scam – the W-8BEN form is used by Non-US citizens to clarify their tax exemption details and involves passport and personal information. As this type of data is highly sensitive and valuable, hackers are now targeting this information by sending emails purporting to be from the IRS and requesting copies of the recipients’ completed W-8BEN form and scans of their passport.
  • W2 Data Theft – Due to the valuable data contained in W2 forms (wages, taxes etc), many cybercriminals are targeting these. Copies are sent to businesses for all their employees, so hackers are actively trying to breach network security to procure these forms and any associated tax databases in order to sell this information on the dark web.

Combatting Cyber Tax Crime

tax_id_theft-small

The most important factor to bear in mind with this form of cybercrime is that the IRS will NEVER email you to request personal information. Although this seems like common sense, many people are tricked by this approach and willingly give out information when they’re promised tax refunds. The main things to look out for and consider with these types of scam are:

  • Emails with poor grammar and spelling – Government agencies tend to have their emails thoroughly proofread before being sent out to the general public en masse.
  • Dubious links – Although links contained within phishing emails may appear genuine, if you hover your mouse cursor over these links then the true destination of the link will be revealed; if this address is different to the one written in the email then it’s highly likely this is a dangerous link.
  • Common sense – If you’ve already filed your tax reforms and aren’t expecting a tax refund then you should be highly suspicious of any emails regarding these issues.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More