Phishing, and not for fish!

October 8, 2017

A Cyber Risk Update

Have you ever received a “junk email” claiming to be American Express and speaking of an unauthorized charge to your account say from a recently known cyber-attack such as, Home Depot and they are asking for you to follow a link to correct the problem?  The sophisticated web user knows this to be a “phishing” expedition and not to fall into the hacker’s trap.  You should hit the “Delete” button immediately! How many though are not so Internet savvy?  Could it be one of your employees?  Perhaps, it is just one of those days for a veteran employee who was not thinking clearly before clicking where they should not.  Disaster!

The 2015 Data Breach Report from Verizon tells us that phishing expeditions are still present and stronger than ever.  Phishing expeditions have been around since AOL installation and CDs were in vogue.  The first “phishing” campaigns typically involved an e-mail that appeared to be coming from a bank convincing users they needed to change their passwords or provide some piece of information.  A fake web page and users’ willingness to fix the nonexistent problem led to account takeovers and fraudulent transactions.

According to the report, phishing campaigns have evolved in recent years to incorporate installation of malware as the second stage of the attack. Lessons not learned from the silly pranks of yesteryear and the all-but-mandatory requirement to have e-mail services open for all users has made phishing a favorite tactic of state-sponsored threat actors and criminal organizations, all with the intent to gain an initial foothold into a network.  The user interaction is not about eliciting information, but for attackers to establish persistence on user devices, set up camp, and continue their stealthy march inside the network.  Financial motivation is also still alive and well in phishing attacks. The old method of duping people into providing their personal identification numbers or bank information is still around, but the targets are largely individuals versus organizations.

So What Can You Do?

See some of the tips and advice from APWG Anti-Phishing Working Group’s STOP.THINK.CONNECT campaign:

  • Connect with Care.
  • When in doubt, throw it out: Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete or if appropriate, mark as junk email.
  • Get savvy about Wi-Fi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine.
  • Make sure you comply with all state and federal laws
  • Have a written cyber breach policy
  • Follow all HIPAA laws
  • Hire an IT Director, or make one person responsible for network security
  • Focus on using long passwords (longer than 13 characters) and change frequently
  • Develop notification procedures
  • Do not open emails or open attachments from email addresses you do not recognize
  • Train employees on the use of laptops and out of office access
  • Invest in the latest anti cyber software
  • Verify that all your vendors comply with laws and statutes
  • Download How to Spot Phishing Attacks: A complete Guide

Be Web Wise.

  • Stay current. Keep pace with new ways to stay safe online: Check trusted websites for the latest information, and share with friends, family, and colleagues and encourage them to be web wise.
  • Think before you act: Be wary of communications that implores you to act immediately, offers something that sounds too good to be true, or asks for personal information.
  • Back it up: Protect your valuable work, music, photos, and other digital information by making an electronic copy and storing it safely.

Cyber Insurance

We can provide your firm with the right combination of pricing and coverage. Cyber insurance is available at very reasonable premiums. Many of our companies offer coverage to help protect your business from loss.

Find more tips at: STOP.THINK.CONNECT

The Armstrong Company Insurance Consultants (License #0440075)