Phishing, Social Engineering

In an article by a Kaseya Security manager, phishing was one of the top three (3) cybercrimes in 2020 per the FBI. Phishing incidents doubled from 114,702 in 2019, to over 241,000 in 2020. And, 90% of incidents that end up as a data breach start with phishing.

So what’s phishing anyway? Hackers put out some ‘bait,’ something they think you’ll nibble at so they can engage you. Sometimes they’re looking for specific data, pieces of information that by themselves seem innocent enough, but when combined with other data they’ve found, bought, or stolen, give them all the pieces they need to impersonate you or gain access to your network, email, or shared files.

Social Engineering often involves tricking you into thinking you’re communicating with a trusted source, someone you know or work with. They present themselves in reasonable communications—you have a fax (wonder what it is and who it’s from?); they use scare tactics such as your password expiring; they claim to be helping you because they noticed a problem with your computer. Let’s face it—they’re trying to trick you!

Spam relays are another popular tool, so I thought I’d clarify how this works and why it’s so insidious. The hackers find a server or a network and gain access to it, over and over. They then use all of these servers to send out their ‘bait’ and bogus email messages, so the messages come from many sources that regularly change—there is no way to just block a specific sender or location, because they are using many computers and often the offending sources don’t even know they’re part of the problem! Imagine I could use 100 servers from 100 different companies to send thousands of phishing emails. Now imagine one of those 100 is an actual company you know or do business with; it’s an uphill battle.

So you’re in a rush and don’t notice the company name is misspelled; the email address has a typo; you don’t know if you’re expecting a fax or a package and you’re curious; you struggle to remember your password and the thought of it expiring makes you panic; your office manager is tickled that you’ve trusted them with the secret gift you said you’re giving and is anxious to help order those gift cards; you didn’t know you had a new vendor, so you click the link to the invoice; if Microsoft sent you an email to confirm your password, you type it in. All of these are SCAMS!
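The misspelled company name and the typo in the sender’s address are exactly the cues a mail filter can check for you. The following is an added example, not code from the original article: it flags sender domains that are near-misses of domains you actually do business with, using a small edit-distance check plus a look-alike character swap (1 for l, rn for m, and so on). The trusted-domain list and the sample addresses are constructed for illustration.

```python
# Added example: flag sender domains that look like, but are not, domains you trust.
# TRUSTED_DOMAINS and the addresses in the usage below are constructed for illustration.

TRUSTED_DOMAINS = ["examplecorp.com", "microsoft.com"]  # constructed list

# Characters scammers commonly swap for look-alikes: 0 for o, 1 for l, 3 for e, 5 for s.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _normalize(domain: str) -> str:
    """Collapse common look-alike substitutions so 'rnicrosoft' reads as 'microsoft'."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def _edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance (insert / delete / substitute one character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Pull the domain out of 'Name <user@host>' or plain 'user@host'."""
    addr = address.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rpartition("@")[2].lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS):
    """Return ('trusted', domain), ('lookalike', trusted_domain) or ('unknown', None)."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted", domain
    for t in trusted:
        # Identical after look-alike normalisation, or within two typos, is a near-miss.
        # Note: very short trusted domains make the distance test noisier; tune to taste.
        if _normalize(domain) == _normalize(t) or _edit_distance(domain, t) <= 2:
            return "lookalike", t
    return "unknown", None


if __name__ == "__main__":
    for sample in ["Bob <bob@examplecorp.com>", "billing@examp1ecorp.com",
                   "it-support@rnicrosoft.com", "friend@unrelated-site.org"]:
        print(sample, "->", classify_sender(sample))
```

A sender that comes back as a lookalike is worth a phone call to the real company before anyone clicks the invoice link or types a password.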

When kids are little, you repeatedly remind them to look both ways before crossing, not to talk to strangers, not to open the door to strangers, to say please and thank you, and in our house, to hold the door for others, especially Mom! When it comes to your business, one study indicates that 55% of remote workers rely on email as their primary form of communication. How often do you remind yourself, your team, your family members about these villains? There’s an interesting quote I’ve run a few times—’People need to be reminded more often than they need to be instructed.’ – Samuel Johnson.

Here are five (5) of the most common phishing attacks as listed in MSP Success Magazine—these might be worth pinning up in the break room, reading in the monthly company meeting, and including in all new hire documentation:

1) Notification that you have received a voicemail or fax

2) Fake tech support email alleging malware on the computer and requesting remote access to install software to fix the issue

3) Business email compromise (BEC) with a fraudulent invoice embedded with malware

4) Phony emails from HR asking new employees to change their direct deposit information

5) Spoofing and social engineering attacks designed to trick employees into revealing confidential information

The last one is interesting: the scammer claims to be your vendor, and while your staff won’t share your email or cell phone with a stranger who walks in, they’ll send them to a stranger via email!

You know you have to send out a certain number of bids to get the work—it’s often a numbers game. If you win 50% of your quotes but only bid on two jobs, you won’t have enough work. Bid 30 jobs with a 50% ‘win’ ratio and that’s a different story! These hooligans play the numbers, too.

So now what? We can add filters, block senders, and use tools to limit exposure. BUT, you and your staff still play an important role. Assume it’s a Scam! Even with great locks and alarms, you still have to lock the door! - CMW