Monday, December 6, 2021

These Holiday Scams Shouldn’t Be Trusted



Cybercrime spikes during the holiday season, and phishing is the top threat to small businesses at this time of year.

Small and medium-sized businesses (SMBs) need to be trained in security awareness. It can be difficult to keep up with the changing cyber threats and learn how to stay safe. It seems, just like the mythical Hydra with many heads that produced two new heads for each one Hercules cut off, that every cyber threat that has been mitigated will produce at least two more.

What is Phishing?

Phishing is a type of fraud that aims to obtain sensitive information from an unsuspecting target by posing as a trusted entity and contacting them via email, instant messaging (IM), or SMS ("SmiShing"). Phishing is a social engineering attack: threat actors psychologically manipulate victims into giving away personally identifiable information (PII), credit card details, and other valuable data. To convince victims to hand over sensitive information, phishers use technological mimicry (also known as spoofing) to present themselves as trustworthy individuals or organizations and make the "retrieval" of the victim's private information look routine.

A typical phishing attack targets many email addresses and sends a message with malicious attachments or links. To appear to be a trusted entity, an attacker uses email spoofing in order to trick recipients into believing that the message was sent from a well-known agency or company.

The email template mimics the official branding and logo of the impersonated company. The message is designed to instill a sense of urgency by describing a problem that needs immediate attention.

Victims are told, for example, that their user accounts must be reset or updated to stay secure, and that they can resolve the problem by entering sensitive information such as login credentials on the website of the alleged sender. The link takes victims to a fake website whose URL may closely resemble the official one. If they comply, the attacker harvests whatever information they enter on the fake site.

The risks for SMBs

Phishing is one of the most popular attack methods among threat actors and is often considered the greatest cybersecurity threat to small businesses. A recent industry report found that 93% of security breaches resulted from phishing or similar social engineering methods.

A successful phishing attack against a small company is often the beginning of a larger campaign in which criminals use information obtained from targeted employees to infiltrate the company network and carry out business email compromise (BEC) fraud or other crimes. Phishing messages are also used to distribute malicious software (malware), such as ransomware, onto targeted systems.

Just like charity donations and retail sales, phishing attempts increase during the holiday season. One report found that phishing attacks in October, November, and December 2017 ran 50% above the annual average. This surge is bad news for individuals and organizations alike. Every year, the United States Computer Emergency Readiness Team (US-CERT) issues a warning about seasonal scams.

SMBs are more at risk than larger companies: 32% of them do not run simulations or training sessions to teach staff how to spot and avoid phishing scams, and a mere 30% of small businesses have an IT security specialist to help keep the company safe.

These examples are based on real holiday phishing scams

There are many ways to phish during the holidays. Some campaigns look like those seen throughout the year, while others are built around holiday themes. The two scenarios below are fictional but show how holiday phishing scams actually work, and they illustrate the devastating effect an attack can have on a small business.

Scenario one: Shipping notification scam

In December, the office manager at a small accounting firm gets an email that appears to be from UPS. It contains a tracking number and a link, and states that the shipment could not be delivered; to resolve the problem, the employee is asked to contact UPS via the URL provided. The office manager assumes the shipment is an important order he is expecting, so he quickly clicks the link and fills in his company details and address on the "UPS" page. When asked to pay minor extra charges, he enters the office credit card details almost immediately. The next day the real shipment arrives and the office manager forgets all about it. Only after the new year, when his boss asks him how the company credit card was maxed out over the holidays, does he realize he was the victim of a phishing scheme. The UPS email and the website where he entered his card details were fakes. The office manager didn't pay for any shipment; instead he gave cybercriminals the information they needed to steal tens of thousands of dollars from the small company.

Scenario two: Holiday E-card scam

A few days before Christmas, the owner of a small online shop finds an email from Hallmark in her inbox. The message claims that she has received a Christmas E-card. Thinking the card might be from a customer, she opens the attached file, which appears to be a Microsoft Office document. Instead of an E-card, however, the file opens as a text file full of gibberish. The webshop owner intends to contact Hallmark about the issue, but never gets around to it during the busy holiday season. A few weeks later she admits, with regret, that her business won't survive another holiday season after falling for the E-card fraud. The "E-card" was a malicious XML file that launched a PowerShell script as soon as it was opened, installing the Emotet banking Trojan on her computer. The malware went undetected by the anti-malware program running on the system and harvested her PII and credit card information, as well as login credentials for various user accounts, including online banking. The cybercriminals used this information to drain the webshop owner's bank accounts, leaving her with insufficient funds to continue her business.

Other examples of holiday phishing scams include:

Phony vouchers: Fake discount or gift coupons that victims can supposedly use to shop online. To redeem the voucher, recipients must click a link and fill in sensitive information on what turns out to be a fake website.

Bogus donations: Victims are asked, in the spirit of Christmas, to donate money to a charity. Those who fall for it end up "donating" their credit card details and PII to cybercriminals.

Fake shops: Scammers set up fake e-commerce sites and social media channels to lure victims into placing orders, collecting credit card details and other sensitive data in the process.

How can you stay safe?

There are many things you can do to help protect your business against holiday phishing scams.

Keep your software up to date and install a trusted anti-malware program

Protecting your systems starts with proper patch management. A professional security suite is a good investment; if you are hesitant to pay, reputable vendors also offer free versions.


Use a secure email gateway

Secure email gateways (SEGs) provide enhanced protection against phishing by checking incoming messages for spam, evidence of email spoofing (for example failed SPF, DKIM, or DMARC checks), and impersonation attacks.

Promote phishing awareness training and simulations.

Staff can learn about phishing scams through phishing awareness training. Meanwhile, SMBs can use phishing simulations to evaluate their employees’ cybersecurity habits.

Adopt multi-factor authentication (MFA)

MFA is often overlooked by SMBs, yet it is one of the most effective ways to protect a small business from breaches that start with phishing. It ensures that your business accounts remain protected even if login credentials are compromised by an employee falling for a phishing scam. Note that some phishing kits relay one-time codes in real time, so phishing-resistant methods such as FIDO2 security keys offer the strongest protection.

Vet every electronic communication thoroughly

Never open an email attachment or click on links or images in emails from unknown senders. Double-check the sender address of messages that appear to come from familiar sources, and remember that a legitimate-looking address does not mean the message is safe: threat actors may have compromised the account or spoofed the address. Watch for language errors, strange phrasing, lucrative offers, urgent requests, desperate pleas, or threatening language. Avoid interacting with attachments and images you did not expect to receive. Always hover over links to verify the real URL before clicking, or type the organization's address into your browser yourself to reach the site directly. Do not assume a URL is safe just because it starts with HTTPS; the padlock only means the connection to that site is encrypted, not that the site is genuine.

Scan email attachments for malicious code

You don't have to open an attachment to check it. Instead, scan the file with a reputable anti-malware solution or a web-based service such as VirusTotal. With the latter, be aware that uploaded files are shared beyond your organization, so make sure you agree with the service's privacy policy; looking up the file's hash first avoids uploading a potentially confidential document at all.
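As an added example (not part of the original post or SpartanTec's material), the following Python script shows what "checking an attachment without opening it" can look like in practice. It builds a constructed E-card message modelled on scenario two, then hashes each attachment (the value you would look up on VirusTotal before deciding whether to upload anything) and applies static checks for a VBA project inside a zip-based Office package and for the Word 2003 XML flat-file format, which looks like a text file to a casual viewer but can carry macros. The file names, the .example domains and the placeholder macro bytes are assumptions for illustration.

```python
import hashlib
import io
import zipfile
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Extensions that run code or commonly smuggle it. A "double extension" such as
# card.pdf.exe lands here too, because only the last suffix counts.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso",
                    ".docm", ".xlsm", ".pptm"}


def build_sample_eml():
    """Constructed sample (not a real message): a holiday 'E-card' mail with two
    attachments imitating scenario two. Domains and contents are placeholders."""
    stamp = (2021, 12, 6, 0, 0, 0)                  # fixed timestamp so the zip is deterministic
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:            # minimal OOXML package carrying a VBA project
        z.writestr(zipfile.ZipInfo("[Content_Types].xml", stamp), "<Types/>")
        z.writestr(zipfile.ZipInfo("word/document.xml", stamp), "<w:document/>")
        z.writestr(zipfile.ZipInfo("word/vbaProject.bin", stamp), b"\xd0\xcf\x11\xe0 placeholder")
    # Word 2003 XML flat file: plain text in a text editor, but Word honours the
    # macrosPresent flag and the embedded binData when it opens the file.
    flat_xml = (b'<?xml version="1.0"?><w:wordDocument w:macrosPresent="yes">'
                b'<w:binData w:name="editdata.mso">AAAA</w:binData></w:wordDocument>')
    msg = EmailMessage()
    msg["From"] = "Hallmark E-cards <cards@hallmark-ecards.example>"
    msg["To"] = "owner@webshop.example"
    msg["Subject"] = "You have received a Holiday E-card"
    msg.set_content("A customer sent you a card. Open the attachment to view it.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Holiday_eCard.docm")
    msg.add_attachment(flat_xml, maintype="application", subtype="msword",
                       filename="Holiday_eCard.doc")
    return msg.as_string()


def inspect_attachment(name, data):
    """Static checks on one attachment's bytes; the file is never opened or rendered."""
    indicators = []
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in RISKY_EXTENSIONS:
        indicators.append(f"extension {ext} can carry executable content")
    if data.startswith(b"PK\x03\x04"):             # zip-based Office package (docx/xlsx/...)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            names = []
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            indicators.append("Office package contains a VBA macro project (vbaProject.bin)")
    elif data.lstrip().startswith(b"<?xml"):
        text = data.decode("utf-8", errors="ignore")
        if 'macrosPresent="yes"' in text or "<w:binData" in text:
            indicators.append("Word 2003 XML document with embedded macro/binary data")
    return indicators


def inspect_attachments(raw_message):
    """Hash and inspect every attachment of a raw message. The SHA-256 is what to
    look up on a service such as VirusTotal before (or instead of) uploading the file."""
    msg = message_from_string(raw_message, policy=default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        report.append({"filename": name,
                       "sha256": hashlib.sha256(data).hexdigest(),
                       "indicators": inspect_attachment(name, data)})
    return report


if __name__ == "__main__":
    for entry in inspect_attachments(build_sample_eml()):
        print(entry["filename"], entry["sha256"][:16], entry["indicators"])
```

Both attachments are flagged: the .docm for its macro-enabled extension and the vbaProject.bin inside the package, and the .doc because the "text file full of gibberish" is a Word XML document declaring macros. An attachment that passes these checks is not thereby clean; the hash lookup and a full anti-malware scan are the next step.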

Don’t give sensitive information away

Legitimate organizations won't ask for credit card information or login credentials via email, text, or IM. If you receive such a request, you are almost certainly dealing with a threat actor.

Last but not least, share this article with your business partners and colleagues.

Your organization will be safer if you share information about phishing prevention.

Call SpartanTec, Inc. now for more information about managed IT services and how they can help protect your business against online threats.

SpartanTec, Inc.
Wilmington, NC 28412
(910) 218-9255
http://manageditserviceswilmington.com

Serving: Myrtle Beach, North Myrtle Beach, Columbia, Wilmington, Fayetteville, Florence, Charleston
