phishingPhishing emails represent a huge risk to your business’ data security, so it’s crucial that you can identify the unmistakable signs of a phishing email.

Data released by the Anti-Phishing Working Group has revealed a huge spike in phishing websites of 250% in Q1 2016. This represents a concerted effort by hackers to target unsuspecting computer users through a relatively old method of cyber-crime.

However, you don’t have to fall foul of the hackers’ attempts to extract sensitive data out of you. And if you follow my 5 ways to spot a phishing email you should be safer than ever!

1. Asks for Personal Information

xphishing-example-6.png.pagespeed.ic.HAQkjzgBUe

A legitimate email will never ask you to disclose personal information, but a phishing email will, literally, be fishing for this information. For example, your bank will never email you and request your online banking details for ‘verification’ purposes.

Your bank wouldn’t need to verify this as they would already have the definitive details on their database, but you would be surprised by how many people fall for this scam.

2. Spelling Mistakes

Big brands take their marketing very seriously, so any emails released by them will have been crafted by people who know how to write. And, more importantly, they’ll know how to spell!

Hackers, on the other hand, aren’t well known for their dedication to spelling and grammar. That’s why their phishing emails are littered with spelling mistakes. If you pick up on at least one spelling mistake, then that’s enough to start treading carefully.

3. Mismatched Links

Amazon-Customers-Tricked-with-Ticket-Verification-Number-Phishing-Email-473445-2

In order to drive you towards phishing websites (which can install malware and steal data from you), hackers need to trick you into clicking their links. Now, a quirk of web design is that your link can say something like bankofamerica.com but the coding behind this link will actually send you somewhere else.

And the best way to test a link is to simply hover your mouse cursor over the link, a small preview window of the actual link will then appear and you can judge whether this is genuine or not.

4. Misleading Display Names

nigerian-prince

Phishing emails attempt to gain your trust by spoofing the sender’s display name, so you need to be vigilant that you don’t take this at face value. Many pieces of email software will, by default, only show the sender’s display name in your inbox.

And this display name can be changed to anything the hacker wants. For example, if you receive an email which has a display name of ‘Microsoft Security Team’ it doesn’t mean the email has actually been sent by the Microsoft Security Team!

When you look a little closer at the email, you’ll discover that the email address it has been sent from isn’t a genuine Microsoft one, so it’s time to delete that email!

5. Threatening Content

Many hackers hope to intimidate email recipients in order to deceive them into clicking their links or downloading their attachments. It may be that they claim they’re from a government agency such as the FBI and that they’re accusing you of illegal activity.

With this fear in mind, many users feel as though they have to comply with the email’s demands, especially when it’s accompanied by official logos and signatures. However, no matter what you think of the government, they are not going to send you threatening emails which demand money, so please feel confident in deleting these!

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


phish

Phishing attacks have long been a concern for anyone using computers, but a recent report has highlighted how these attacks have now risen by 250%.

Compiled by the Anti-Phishing Working Group (APWG), the report states that, during Q1 2016, there were nearly 290,000 active phishing sites online. This may not sound huge considering that there are around a billion websites online, but this is the highest number of phishing sites online since records began in 2004.

Phishing, therefore, is a credible and growing threat, so I think its best we get up to date with what phishing is and how these attacks are taking place.

What is Phishing?

spear-phishingPhishing is the process of stealing personal information (login details, credit card details etc) from consumers through the following methods:

  • Social Engineering – This is perhaps the most well-known method for extracting sensitive information from individuals. Using emails which convincingly spoof official emails, from corporations such as banks, they use disguised links to send victims to fake sites which contain features such as login screens. Obviously, these are false and simply record login credentials which can then be executed on the genuine site by the phishers.
  • Technical Subterfuge – This method employs the use of crimeware which is a type of software that hides in the background and records sensitive information such as login credentials. Also, many crimeware kits hijack users’ browsers to redirect them to phishing sites where the users unwittingly provide personal information.

What Does the Report Show?

A number of interesting insights have been provided by APWG’s report, so let’s take a look at these to understand how they unfold:

  • The most infected country is China where 57% of all computers are infected with malware. Considering how productive China is, at present, this makes for an alarming statistic as it’s likely that any business involved in production will be receiving emails containing crimeware from China on a regular basis.
  • Around 77% of all phishing websites are based in the US and the majority of these are forcibly set up by phishers who break into web hosting networks. This highlights major security flaws in US web hosting networks which is of particular concern for US businesses who own a website.
  • The two most affected industry sectors are Retail (43%) and Financial (19%). These two also happen to be two of the most popular industries housed online. After all, who doesn’t shop or bank online these days? Therefore, it’s a clever move by phishers to target these industries and use them to deceive consumers.

How Do You Combat Phishing?

browser-safety-built-in-phishing-protectionOnce phishing has completed its mission of stealing personal information, it can create utter chaos for those affected. And, for a business, this could include gaining access to sensitive areas of your network e.g. confidential client information such as financial records. This is bad news for any business, so remember the following:

  • Just because an email features an official logo it doesn’t mean it’s an official email from that company, so don’t rely on this for authenticity.
  • Safe websites will always begin https:// and not http://, so make sure you always check whether that all important “s” is present.
  • Although phishing is best known for stealing bank information, phishers are likely to target anything from your personal email details to your Facebook login credentials.
  • Credible companies will never ever request that you email personal information to them. If you receive emails demanding such information then just delete them as soon as possible.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


SNapchat620px

Phishing scams are well known within technology circles, but this doesn’t mean those in the tech industry are immune as Snapchat discovered in February.

Snapchat, for those of you who are not aware, is a social media app which allows users to send each other photos and videos with a limited viewing time. Once that time is up then the media disappears forever. It’s proved to be phenomenally successful and the company is estimated to be worth $20 billion.

However, even with the funds available to invest in state of the art cyber security, they still found themselves falling foul of a good old fashioned phishing scam. We are going to show you what happened in order to equip you with the knowledge needed to avoid a similar occurrence.

How Was Snapchat Hacked?

6357613873537576411298140331_snapchat-app_500-100224643-large.imgopt1000x70

The hack at Snapchat used a relatively simple phishing scam to gain access to sensitive employee data. The payroll department at Snapchat received an email which claimed to be from the company’s CEO requesting payroll information on employees. Unfortunately for the payroll department, this email was not genuine. It was a scam.

Not realizing the fraudulent nature of the email, an employee duly forwarded the required information to the hacker. The nature of the data disclosed has not been confirmed by Snapchat, but it’s suspected that it would include the following:

  • Bank details
  • Social security numbers
  • Salary information
  • Personal ID and addresses

Why Do People Still Fall for Phishing Scams?

Computer-Hacker

It may seem strange that such a master of modern technology can fall victim to such a simple phishing scam, but it’s by no means unthinkable. These scams have evolved over time to become more sophisticated and it’s often their simplicity which makes them so deceptive.

In the case of the email sent to Snapchat purporting to be from their CEO, it’s more than likely that it genuinely appeared to have been sent by the CEO. With even the most basic software, it’s possible to fake outgoing email addresses and, if I wanted, it wouldn’t be difficult for me to send an email apparently from bill.gates@microsoft.com

And although this particular Snapchat employee was left thinking “I should have known better”, they most likely thought they were being a helpful employee and were keen to impress their CEO. However, it’s this type of tempting payoff which makes phishing scams so hard to resist.

The Aftermath of the Scam

To Snapchat’s credit, they responded fairly quickly and within four hours they had managed to confirm this was an isolated attack. A report was filed with the FBI and employees affected by the scam were offered two years’ worth of identity theft insurance and monitoring. More importantly, Snapchat underlined their determination to increase the intensity of their security training within the next few weeks.

Snapchat’s case highlights just how vulnerable even multibillion dollar corporations can be when confronted with even the simplest hacks. The importance of good quality security training which focuses on even the most intricate details of phishing scams is paramount to ensure yours and your customer’s data.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Phishing

Do you know how to spot a phishing email? Phishing emails are not only a nuisance, but can also lead to theft. Our guide will show you how to spot them.

The term “phishing” is likened to the word fishing, which sounds almost the same and is used with the same notion to reel in some information such as a username/password or to hook you into taking some action via an unsolicited email. The aim of a phishing email is to “phish” a user by having them fall for the bait without initially realizing it.

Convincing phishing emails work well for the originator without raising too much suspicion to the end user.  So how does one avoid this? First, let’s understand the damage a phishing email can generate before we delve into how to spot one.

What harm can phishing emails cause?

There are two major risks that can result from opening up links or attachments from phishing emails.

  1. Many email authors aim to trick users into believing that they’ve been contacted by a legitimate company that may prompt them to visit a link which can lead to a fake website. This site may be a copy-cat site of a legitimate one, for instance a banking site, complete with a login screen. The spoof site then captures and records login credentials which can be used again by the originator of the dummy site.
  2. The email itself may pretend to pose as the legitimate company, such as a bank, prompting their targets to take action through their link. Usual email wording triggers the user to prompt some action such as “your account is suspended”, “update your information”, or even that an account has had “unauthorized access”. Anything which triggers panic or confusion is enough to get a user to follow through the phishing email’s instruction.

Such scams can lead users to give away their credentials, passwords, and private information, which can be used to steal their identity and money.

Many phishing emails also attempt to infect systems with malware. This is a common entry point for a large majority of infections at companies leading to infecting one’s computer system and network with nasty malware. The worst case scenario includes the malware holding a user’s data hostage in exchange for a ransom.

How to spot phishing scams

Below are usual signs of phishing email to watch out for.

  • Unrecognized sender. This is usually a big giveaway. If you don’t recognize the sender, treat it with suspicion. Even if the recipient appears with the same domain, always question this as clever phishing attacks can use the same company domain to trick users.
  • Unexpected emails. Unless you’re expecting an email from a company i.e. a delivery shipment notification, or a lottery win, treat this with suspicion. If unsure about a delivery shipment, contact the official company – acquiring their contact details through their official website.
  • Prompts to open up attachments. Avoid clicking any links or opening attachments.
  • Odd looking website addresses. Another clue to phishing emails are links in the email having suspicious website addresses, which can redirect you to a dodgy website.
  • Odd looking or out of place emails. If you’re able to look at the sender’s details, see what email address it displays. Most of the time their email domains will not match the company they claim to be from. For instance, an email claiming to be from your bank could have @yahoo.com domain. This is an obvious giveaway!
  • Impersonating institutions and companies. As mentioned earlier, be suspicious of so-called emails posing to be Banks, the IRS, Social Security Office and so forth. They rarely contact users through email. If in doubt, contact them directly and not through any telephone numbers given in the message.
  • Poorly written English and grammar. Many phishing emails contain poorly structured sentences and grammatical mistakes which sound like they’ve been written by a ten year old or a non-native English speaker.

Anatomy of Phishing-1

If ever you’re in doubt, don’t hesitate to notify your IT administrator who can help to block as many phishing emails as possible. Even if some manage to filter through, which does happen, put this guide into practice.

For more ways to secure your business systems and networks, contact your local IT professionals.

Read More