Phishing, and not for fish!
August 26, 2015
Have you ever received a “junk email” claiming to be from American Express, telling you about an unauthorized charge to your account, supposedly tied to a recently publicized cyber attack such as the one at Home Depot, and asking you to follow a link to correct the problem? The sophisticated web user knows this to be a “phishing” expedition and does not fall into the hacker’s trap. You should hit the “Delete” button immediately! How many people, though, are not so Internet savvy? Could it be one of your employees? Perhaps it is just one of those days for a veteran employee who was not thinking clearly before clicking where they should not. Disaster!
The 2015 Data Breach Report from Verizon tells us that phishing expeditions are still present and stronger than ever. Phishing expeditions have been around since AOL installation CDs were in vogue. The first “phishing” campaigns typically involved an e-mail that appeared to come from a bank, convincing users they needed to change their passwords or provide some piece of information. A fake web page and users’ willingness to fix the nonexistent problem led to account takeovers and fraudulent transactions.
According to the report, phishing campaigns have evolved in recent years to incorporate installation of malware as the second stage of the attack. Lessons not learned from the silly pranks of yesteryear, together with the all-but-mandatory requirement to have e-mail services open for all users, have made phishing a favorite tactic of state-sponsored threat actors and criminal organizations, all with the intent of gaining an initial foothold in a network. In these campaigns the user interaction is no longer about eliciting information; it is the attacker’s way to establish persistence on user devices, set up camp, and continue a stealthy march inside the network. Financial motivation is also still alive and well in phishing attacks. The old method of duping people into providing their personal identification numbers or bank information is still around, but the targets are largely individuals rather than organizations.
So what can you do?
See some of the tips and advice from the APWG (Anti-Phishing Working Group) STOP.THINK.CONNECT campaign:
Connect with Care.
- When in doubt, throw it out: Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete or if appropriate, mark as junk email.
- Get savvy about Wi-Fi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine.
- Protect your $$: When banking and shopping, check to be sure the site is security enabled. Look for web addresses with “https://” or “shttp://”, which means the site takes extra measures to help secure your information. “Http://” is not secure.
Be Web Wise.
- Stay current. Keep pace with new ways to stay safe online: Check trusted websites for the latest information, and share with friends, family, and colleagues and encourage them to be web wise.
- Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true, or ask for personal information.
- Back it up: Protect your valuable work, music, photos, and other digital information by making an electronic copy and storing it safely.
Find more tips at: STOP.THINK.CONNECT