Cyber expert James Fisher discovered a new phishing method he calls the “inception bar.” He named it after the movie Inception, and just like the movie, the phishing method traps you in a fake reality. You can see an example of how it works on his website.
He discovered the exploit in Chrome for mobile, confirming what we already know: mobile is the number one threat target going forward.
Willie Sutton had a famous response when asked why he robbed banks: “Because that’s where the money is.” Hackers seem to be following Willie’s advice. When it comes to phishing attacks, hackers go where the people are. And as Instagram catches up in popularity to Facebook, it’s become the go-to destination for hackers looking to exploit victims via phishing attacks.
You might think that the worst thing you can do with a phishing email is to click on the malicious link embedded within. You’d be wrong. There’s something worse, much worse. What’s that? How about forwarding the email to other employees, lots of them?
If you get hit with a phishing attack today, most likely it will be your mobile device. That’s because mobile is where hackers are spending their creative energy.
According to an article on Hacker News this week, a new phishing attack was uncovered that is “based on the idea that a malicious web page could mimic [the] look and feel of the browser window to trick even the most vigilant users into giving away their login credentials to attackers.”
In our phishing prevention best practices eBook, we provide ten best practices for small and mid-size businesses. We know these practices work. We know they’re right on point today. We want small and mid-size businesses to get and use this information. And once again we’ve been vindicated.
Internet security company Webroot came out with their 2019 Threat Report and wouldn’t you know it, the tried-and-true attack methods are still going strong. This means the phishing prevention best practices within the eBook are still applicable and essential for protecting your business.
The Webroot report confirmed that “A massive 40% of malicious URLs were found on good domains, since legitimate websites are frequently compromised to host malicious content.” The link you click on may be a good one and take you to the website you want to go to, but that doesn’t mean the website you want to go to hasn’t been compromised. And there is no way you will know unless you let scanning technology like that available from PhishProtection intervene on your behalf.
Between January and December 2018, the number of phishing sites detected grew 220%.
Another example is best practice #7. “Anti-phishing technology should conduct all checks in real time as well as provide alerts in real time.” Like we always say at PhishProtection, if you’re not checking things in real time, don’t bother.
It’s good to check embedded links when an email first arrives, but that’s not good enough. Links need to be checked every time a user clicks on them, right at that moment. In real time. Why?
According to the Threat Report, “It’s important to keep in mind that IP addresses are not static and may cycle from malicious to benign and back multiple times. While 60% of the millions of malicious IP addresses we saw in 2018 only appeared on the list once, hundreds of thousands appeared at least two or more times.”
The report goes on to point out that blacklisted IP addresses do not stay on the blacklist indefinitely. “IPs on the blacklist are revisited to see if they still exhibit malicious behavior. If not, they leave the blacklist. Hundreds of thousands of new IPs are added to and removed from the blacklist multiple times a day.”
It does you no good to only check embedded links upon arrival. If you’re going to invest in anti-phishing software to protect your business from phishing attacks, you better make sure the technology includes real-time scanning protection, like that found in PhishProtection.
If you run a small business and are new to the subject of phishing protection, step one is to download your free copy of the best practices eBook.
If you run a small business and you’ve already decided it’s time to protect your employees from phishing attacks, and you want to protect your entire company in 10 minutes for less than you think, head on over and try our anti-phishing solution risk free for 30 days. You’ll be glad you did.
For most people, phishing scams are not high on the list of potential sources of comedy, although there are plenty of examples of blundering scammers and inept cybercriminals who got their due.
When it comes to phishing awareness training for organizations, however, humor can be a powerful tool for maintaining compliance. Considering the alarming number of employees who admit to falling for phishing scams even after training, plenty of organizations are ready to change their security training approach.
Phishing attacks are hard to stop because hackers are extremely sophisticated and they use every method available. What hackers have discovered is that one of the best methods available is to target mobile devices. As challenging as it is for users to identify well-constructed phishing emails on a desktop, it’s much more difficult on mobile devices and hackers know it. And they’re starting to take advantage of it.
According to an article by security firm CyberScoop, Phishing attacks against mobile devices rise 85 percent annually. Why is that? From the article, “It’s harder to spot phishing websites on mobile devices compared to a desktop computer which puts the most important device in people’s lives at a distinct disadvantage. As a result, mobile users are historically more likely to fall for phishing attacks.”
Of course, many people are getting wise to phishing emails and aren’t so easily fooled. But what if you receive a phishing email from the last place you’d ever expected to receive one from? Would you still have your guard up?
A recent study by news agency Axios discovered that only 6% of news organizations deploy DMARC on their email newsletters. DMARC (Domain-based Message Authentication, Reporting and Conformance) is a sophisticated but widely-available technology that ensures emails are authentic.
The study found that of 98 news sites tested, only one had fully operational DMARC. “The list of sites not protected by DMARC includes influential news sources, from the New York Times and USA Today to Fox and NBC networks to Voice of America and major international outlets.”
Without DMARC deployed, hackers can compromise email newsletters to send out fake news and potentially compromise an election. Or worse. They could use the compromised newsletters to send phishing emails to all the recipients.
Hackers are getting more sophisticated. They target emails they know have a high likelihood of getting the recipients to lower their guard. Until news organizations start deploying existing technologies like DMARC to protect their readers, it’s incumbent upon the readers to protect themselves. Fortunately, there are easy-to-deploy, inexpensive, cloud-based email protection solutions like PhishProtection.
To learn more about how PhishProtection can protect you from news organization phishing attacks and many other vulnerabilities,
If you’ve been trained to detect phishing emails, then you know it’s best not to click on links in an email. And if you do decide to click on a link, you’ve also been trained to hover your mouse over the link to check to see if the link is legitimate. But, what if the hackers are so good they make you think a malicious link is genuine? Would you click on it? You might.
Does it look legitimate to you? It did to me. If all you do is what I did and look at the first part of the URL, you’ll be deceived into thinking it’s the real thing. But it’s not! As things turn out google.com is just a subdomain. The actual website is a redirect of the domain tinyurl.com.
Are most users sufficiently trained to recognize these deceptive links? Probably not. That’s why, if you really want to protect your users from phishing emails, it’s best to leave it to technology. Technology that doesn’t get fooled by deceptive links.
PhishProtection’s email security service doesn’t get fooled by deceptive links. Not only does it scan all embedded email links, but it also scans the websites those links point to. So, no matter what a link “looks” like, if it ultimately leads to a malicious website, PhishProtection will protect you.
If you’re a small business, on a limited budget, but you’d still like to be protected from advanced phishing techniques like these, there’s good news. You can now get advanced phishing technology at a price that fits your budget.
Two-factor authentication (2FA) is supposed to make logins more secure. Using 2FA requires two private pieces of information to log in: your password and one other, typically a code received via text message. The challenge is the more secure the approach seemingly is, the less attention you pay while logging in. And therein lies the problem.
Phishing is possibly the single most dangerous form of cyber attack facing individuals and corporations in today’s world because it exploits people rather than systems. At a very high level, phishing is any form of attack that trades on the trust of a person or corporation to reveal some information they wouldn’t normally reveal.
Filtering and time-of-click protection can produce results where training fails.
First, the facts: Employees who are unaware of the dangers of phishing are far more likely to become victims of phishing attempts than those who understand the process.
The FBI estimates that organizations across the United States lose $1.2 billion every year due to email scams. Since phishing is by far the most popular way to get malicious code into an organization’s network, it follows that training employees to recognize phishing attempts is an effective strategy to prevent phishing attacks.
Learn how to protect yourself by studying the biggest phishing scams in history
If we draw an analogy between phishing and fishing, some scam artists are industrial-sized trawling operations that scrape the sea clean.
Automated software and sophisticated tools make it possible for enterprising cybercriminals to scale their fraudulent emails in ways never imagined. Processes that used to be laborious and time-consuming can now be coded into automatic routines that cast a wider net than the previous generations of cybercriminals were ever able to.