We hear a lot about phishing scams and how easily some of us are fooled into opening a phishing email. These days hackers are focusing more on the user than the device or the application. Hackers play off human fear and distrust and the need to conform to gain access to a system or a person’s password.
For companies, hackers get email addresses and employee lists from websites or social media and then target them. Other scams involve emails sent to employees that look legitimate and that request sensitive info like passwords, email accounts, etc. Sometimes the email asks for a transfer of funds, and again it looks legit.
And we’re all aware of ransomware that often arrives through these emails.
Jeremy Barnett, senior vice president of marketing at NAS Insurance, says that from an insurance point of view it is critical to stop phishing. And that point of view starts with the company and moves out to its clientele.
“Our number one job as an insurer is to control loss, and in order to do that in something as unique and challenging as cybercrime we are providing resources to our brokers and policyholders to help them understand social engineering, email phishing scams, and fraudulent wire transfers. We show them how to create better passwords and how to generally be more alert to issues that could lead to problems for the business,” he said.
He says insurance’s top roles are first to protect themselves and second to create educational resources and online training materials for their employees and for policyholders. Barnett said he’s also found that many of his firm’s clients are demanding — as part of their cyber insurance agreement — help to implement proactive preventative measures.
“We offer them discounts on service providers who can help them train their workforce, evaluate their network vulnerability, and review their incident response plan. The more we can help them be proactive, the less likely they are to have an incident. That means they are more likely to feel better about their relationship with us as their insurer,” Barnett added.
A company called Virsage sent Weekly Industry News an op-ed piece authored by Dr. Lance Hayden on the topic. Hayden is the Managing Director for Berkeley Research Group and an expert in security culture and behavior. He is the author of People-Centric Security: Transforming Your Enterprise Security Culture.
In his editorial Hayden said email is now one of the primary ways we communicate with the world. We use it at work and we use it to connect with family and friends. In addition, companies are now providing confirmation emails about purchases. Banks use it for statement viewing and so on.
Phishing — Hayden says — uses email or a messaging service on a social media site to get access to your computer, tablet or phone. It wants you to click on a specific link or attachment to get that control.
“Attackers work hard to make their phishing emails convincing. For example, they will make their email look like it came from someone or something you know, such as a friend or a trusted company you frequently use. They will even add logos of your bank or forge the email address so the message appears more legitimate.”
Those sending the phishing email don’t know who’s going to open them. They just know the more emails they send, the more successful their endeavors will be. And here’s what Hayden said they want:
Harvesting Information: The attacker’s goal is to harvest your personal information, such as your passwords, credit card numbers or banking details. To do this, they email you a link that takes you to a website that appears legitimate. This website then asks you to provide your account information or personal data. However, the site is fake, and any information you enter goes directly to the attacker.
Malicious Links: The attacker’s goal is to take control of your device. To do this, they send you an email with a link. If you click on the link, it takes you to a website that launches an attack on your device that, if successful, infects your system.
Malicious Attachments: The attacker’s goal is the same, to infect and take control of your device. But instead of a link, the attacker emails you an infected file, such as a Word document. Opening the attachment triggers the attack, potentially giving the attacker control of your system.
Scams: Some phishing emails are nothing more than scams by con artists who have gone digital. They try to fool you by saying you won the lottery, pretending to be a charity needing donations or asking for your help to move millions of dollars. If you respond to any of these, they will say they first need payment for their services or access to your bank account, scamming you out of your money.
Hayden says the best offense against phishing is a good defense. “In almost all cases, opening and reading an email or message is fine. For a phishing attack to work, the bad guys need to trick you into doing something. Fortunately, there are clues that a message is an attack,” he wrote.
And then he lists the most common clues that a message is a phishing attack:
• The email creates a sense of urgency, demanding “immediate action” before something bad happens, like closing your account. The attacker wants to rush you into making a mistake without thinking.
• You receive an email with an attachment that you were not expecting or the email entices you to open the attachment. Examples include an email saying it has an attachment with details of unannounced layoffs, employee salary information or a letter from the IRS saying you are being prosecuted.
• Instead of using your name, the email uses a generic salutation like “Dear Customer.” Most companies or friends contacting you know your name.
• The email requests highly sensitive information, such as your credit card number or password.
• The email says it comes from an official organization, but has poor grammar or spelling, or uses a personal email address like @gmail.com, @yahoo.com or @hotmail.com.
• The link looks odd or not official. One tip is to hover your mouse cursor over the link until a pop-up shows you where that link really takes you. If the link in the email doesn’t match the pop-up destination, don’t click it. On mobile devices, holding down your finger on a link gets the same pop-up. An even safer step is to copy and then paste the URL from the email into your browser or type the correct link.
• You receive a message from someone you know, but the tone or wording just does not sound like him or her. If you are suspicious, call the sender to verify they sent it. It is easy for a cyber attacker to create an email that appears to be from a friend or coworker.
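The hover check from the list above, applied to a captured HTML email body as an added example (this is not code from the article or from Hayden); the sample message, domain names and function names are constructed for illustration:

```python
# Added example (not from the article): automates the "hover over the link"
# check from the list above against a captured HTML email body.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: one disguised link, one honest link, one plain-text link.
SAMPLE_EMAIL_HTML = """<p>Dear Customer, your account will be closed unless you act now.</p>
<p>Review it at <a href="http://login-verify.example.net/acct">https://www.examplebank.com/login</a>.</p>
<p>Help: <a href="https://www.examplebank.com/help">examplebank.com/help</a>
or <a href="https://www.examplebank.com/contact">Contact us</a></p>"""

# Matches a host name such as examplebank.com inside visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start of an anchor: remember where it really goes
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:  # text the reader sees for this anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _strip_www(host):
    return host[4:] if host.startswith("www.") else host

def mismatched_links(html):
    """Return (visible_text, href) pairs whose shown host differs from the real one.
    Text that names no host ("Contact us") is skipped, as a hover check only
    catches text that claims a destination it does not go to."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = HOST_RE.search(text)
        real = _strip_www((urlparse(href).hostname or "").lower())
        if shown and _strip_www(shown.group(1).lower()) != real:
            findings.append((text, href))
    return findings
```

Calling mismatched_links(SAMPLE_EMAIL_HTML) reports only the first link, whose text claims examplebank.com while the href goes to login-verify.example.net.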
And the solution? It’s easy. “If you believe an email or message is a phishing attack, simply delete it. Ultimately, common sense is your best defense,” Hayden concluded.
Here’s more info on Hayden: www.linkedin.com/in/drhayden.
Source links: Insurance Business America, Virsage