Cybercriminals always look for the easiest way into a network, and phishing remains the most popular initial attack vector. Barracuda networks (a provider of hardware and software based filters) reports that it has blocked more than 3.2 million phishing emails since May 1 of this year. That may seem like a low number but consider this: each of those 3.2 million emails are sent to thousands, or even millions of email addresses harvested through data breaches (think Equifax, Facebook, Target and Home Depot) resulting in virtually tens of billions of phishing emails containing malware every year. Phishing emails generally contain links to malicious websites that steal login credentials. They may also contain ransomware, which if you either click a link or attachment, will cause the malware to encrypt (and cripple) an entire network. Ransomware also sends an extortion message, demanding payment in cryptocurrency for the key to decrypt (or unlock) a system’s data and applications. Even if paid, (and much like real life extortionists), the ransomware may lie dormant, and periodically execute and re-lock, encrypt data in exchange for payment.
Among the most widely used (and effective) phishing emails are those that purport to come from well-known and premier brands as (such as Citibank, Keybank, Netflix, Wells Fargo and FedEx). Some of these phishing emails are even more sophisticated - If you’ve been the victim of a data breach, and your email address was purchased by a cybercriminal on the dark web, you (and your clients) may receive a phishing email purporting to be a “Customer Support” “Data Breach Alert,” “Compromise Alert,” or “Account Suspension and Investigation Notice.”
The best line of defense is a dual defense. In addition to technology-based filtering solutions, user training is essential. Users (and employers with staff) should:
- Check the email header (by hovering over the address, not clicking it) to see whether it matches the displayed email
- Check to see if you are the recipient (whether you’ve been “cc’d” or “bcc’d”, especially when you do not know the sender or other recipients - a clear indication of fraud).
- Check the spelling or grammar in the email subject line or body (typically Phishes are crafted by non- or poor English speakers in other countries). If there is spelling or grammar error (even in one spot), that’s a clear indication of fraud.
- Never click a link in an email advertisement. Instead, open up a separate browser window and visit the vendor’s website to confirm the legitimacy of the domain address.
- Always suspect “account suspension” notices. If you have an account described in the email, call or visit the merchant/bank’s website to inquire.
Be especially careful of “spear phishing,” where cybercriminals take the extra step of investigating you, or your client, and send an email from what appears to be a legitimate source (employee, accounts payable, etc.). Always telephone (best practice) or send a separate email (not a reply email to the one received) to confirm the message legitimacy.
These precautions are especially important within a corporate environment. Proper employee, staff and contractor education and training, together with a clearly articulated set of rules, goes a long way to avoiding having to cope with a blackmailer’s ransom, not to mention the legal, regulatory, and reputational consequences of a data breach.
Sure, this means taking extra steps, but keeping your data (and your finances) safe should take priority over a little inconvenience.
As always, if we can be of any assistance, please do not hesitate to contact us.