Phishing


What to do If You’re Hit by Ransomware

There’s much debate going on today about what to do if your organization gets hit by ransomware. There are really only two choices: pay it or don’t. And which side you come down on says a lot about your big-picture perspective.

Recently, U.S. mayors, at their yearly conference, which represents over 1,400 mayors from U.S. cities with over 30,000 people, adopted a resolution not to give in to ransomware demands. Of course, the mayors “admitted that ransomware attacks can result in the loss of millions of dollars and months of work to repair damage, but highlighted that paying the attackers only ‘encourages continued attacks on other government systems, as perpetrators financially benefit.’”

Is Paying Ransom Being Considered As The Best Way Out For Dealing With Ransomware Attacks

Phishing has been on the rise in one form or another ever since users started to use emails, messages, phones, etc. Every other month, around 1.5 million new phishing sites are created by cyber-criminals, adding to the growing cybercrime world. Several of these sites employ ransomware as a tactic to extort money from unsuspecting users who accidentally click on a fraudulent link in an email or text message sent to them.

Death, Taxes and the Evolution of Phishing Attacks

They say nothing is certain in life except for death and taxes. You can add one more to that list: phishing attacks. Hackers continue to do their homework and innovate as the number one cybersecurity threat refuses to be contained.

According to an article on the Dark Reading website, “Email continues to be an extremely effective vector for delivering malicious content because of how adept attackers have become at tricking users over the years.”

When the Department of Homeland Security isn’t so Secure

From its website, the Department of Homeland Security’s (DHS) mission is “to secure the nation from the many threats we face.” In essence, the DHS’s job is to create trust, for Americans, in their own security. So, it shouldn’t come as any surprise that hackers would try to exploit that trust by launching an email phishing scam that impersonates email alerts from the DHS.

Ever Heard of an Angler Phishing Attack?

You wouldn’t put up a neon sign outside your home that says “rob this house” before you left for a week’s vacation. The last thing you want to do is give a crook a heads up. But that’s exactly what people unwittingly do when they post complaints about companies they do business with on their social media accounts.

Five Phishing Tactics Sure to Trick You Into Clicking

By now, most people know that 91% of cyberattacks start with a phishing email. In recognition of this, companies are now beginning to offer security awareness training. According to an article on the website Dark Reading, “45% of organizations provide employees mandatory, formal cybersecurity training; another 10% give optional training.”

The objective is simple: teach employees not to click on the links in suspicious emails. Given the sophisticated nature of some phishing exploits today, that’s easier said than done. With that in mind, we present five phishing tactics being used today that are sure to trick you into clicking, no matter how much awareness training you’ve received.

Everyone Loves PDFs Including Hackers

If you’re doing business, then you’re sending, receiving and reading PDFs.

PDFs have become ubiquitous in business as a way of sending documents over the web. And why not? There are a lot of advantages to using PDFs. For starters, everyone has a PDF reader. The files can include embedded links and images. The files tend to be small compared to other formats. They can be password protected. They can work on any operating system. And they’re not likely to go away any time soon.

The Problems With Paying a Phishing Ransom

If you haven’t been paying attention, a lot of organizations have been hit by ransomware lately, almost all of which are triggered by a phishing email. Hackers use all types of exploits to extract money from their victims too. Their favorite, by far, is to encrypt the victim’s hard drive with a promise to decrypt it if the ransom is paid, usually in something untraceable like Bitcoin.

Phishing Prevention: If Users are the Weakest Link, Why is Training the Only Solution?

In cybersecurity, there’s a best practice called Defense in Depth. The idea behind Defense in Depth is very simple. Put up a bunch of different types of barriers instead of just relying on one. This way, no matter what attack vector the enemy chooses, you’re covered.

Defense in depth is a pretty sound cybersecurity strategy, one which many companies employ, except for when it comes to phishing protection.

Phishing Awareness Training is Getting Some Large Investments

It sure is a good time to be in the phishing awareness training business, especially if you’re looking for investors to invest in your company. A couple of multimillion dollar deals were announced just last week.

First, “start-up security awareness firm CybeReady has expanded into the U.S. market with an initial funding round of $5 million led by Baseline Ventures,” according to an article on Security Week website.

Phishing: The Good, the Bad and the Ugly of Google

Google is great. It offers a lot of useful services for free. And those services are tightly integrated so they work well together.

Google services are also used by a lot of people. According to an article on Forbes.com, “Google’s Gmail email service is used by upwards of 1.5 billion people. The Google Calendar app, meanwhile, has been downloaded more than a billion times from the Play Store.”

Some Truly Startling Phishing Statistics

Which phishing statistic is scarier? That 94% of organizations say they were hit with a phishing attack in 2018 or that the attacks themselves may be underreported, even when it’s required by law?

How about 42% of public sector organizations had been hit with a disruptive ransomware attack in the last month? LAST MONTH!

What about the cost of these attacks? The city of Baltimore, which was hit with a ransomware attack but refused to pay the $80,000 ransom, has spent $18 million trying to recover. And it’s not just money.

SaaS Makes Business Easier and More Vulnerable

Software-as-a-service (SaaS) is being used more and more to deliver mission-critical services to businesses of all sizes. SaaS provides tremendous benefits to businesses, including eliminating the need for a software development team and eliminating expensive patching and upgrades. Examples of SaaS services include customer relationship management (CRM), eCommerce, storage and email delivery.

How Perfectly Safe Emails From Trusted Parties Suddenly Turn Dangerous

When you think of phishing attacks, you think about some hacker directly sending you a malicious email with the hope that you’ll trust them and click on a link or download a file. But, people are getting wise to phishing emails, because there’s plenty of phishing awareness training out there.

The bottom line is, people have their radar up now for phishing emails and it takes a lot for them to let their guard down. Of course hackers know this, so, unfortunately, they’ve upped their game too.

Phishing Attacks: Top Executives Better be Worried

If you’re in the C-suite, you’d better get yourself some phishing protection. The hackers are coming after you, and they’re not going to stop because you’re just too lucrative a target.

According to the 2019 Verizon Data Breach Investigation Report, social engineering attacks were up last year against C-level executives. Further amplifying the point, an article on SC Magazine website went on to say, “Compared to previous years covered by the report, C-level executives last year were 12 times more likely to be the target of a social engineering incident and nine times more likely to be the target in a breach caused by social engineering.”

Compromised Microsoft Credentials is Code for They Got Phished

If you haven’t already heard, hackers compromised a Microsoft support agent’s credentials to access customer email accounts, according to an article on TechCrunch. The article states that “Microsoft has confirmed to TechCrunch that a certain limited number of people who use web email services managed by Microsoft — which cover services like @msn.com and @hotmail.com — had their accounts compromised.”

The Only Thing Worse Than Clicking on a Malicious Link in a Phishing Email

You might think that the worst thing you can do with a phishing email is to click on the malicious link embedded within. You’d be wrong. There’s something worse, much worse. What’s that? How about forwarding the email to other employees, lots of them?

A recent article on the security website SC Magazine details all the bad things employees do with suspicious emails. As it turns out, it’s not uncommon for employees to forward …

How Someone Else Getting Phished Can Cost You Your Life

When it comes to phishing attacks, you probably don’t give it a second thought when someone else gets phished. But maybe you should.

According to a new article on the Help Net Security website, “Cybersecurity threats are a rising problem in society, especially for healthcare organizations. Successful attacks can jeopardize not only patient data, but also patient care, leading to cancellations and disruptions in the critical services that hospitals provide.”

Phishing Prevention Best Practices eBook is Right on the Mark

In our phishing prevention best practices eBook, we provide ten best practices for small and mid-size businesses. We know these practices work. We know they’re right on point today. We want small and mid-size businesses to get and use this information. And once again we’ve been vindicated.

Internet security company Webroot came out with their 2019 Threat Report and wouldn’t you know it, the tried-and-true attack methods are still going strong. This means the phishing prevention best practices within the eBook are still applicable and essential for protecting your business.

For instance, best practice #6 states “Anti-phishing technology should check more than just embedded email links.” In addition to checking embedded email links, it’s imperative to check the linked-to website for malicious content. Characteristics to be checked on the linked-to website include on-page content, hidden fields and JavaScript with injection code.

The Webroot report confirmed that “A massive 40% of malicious URLs were found on good domains, since legitimate websites are frequently compromised to host malicious content.” The link you click on may be a good one and take you to the website you want to go to, but that doesn’t mean the website hasn’t been compromised. And there is no way you will know unless you let scanning technology like that available from PhishProtection intervene on your behalf.

Between January and December 2018, the number of phishing sites detected grew 220%.

Another example is best practice #7. “Anti-phishing technology should conduct all checks in real time as well as provide alerts in real time.” Like we always say at PhishProtection, if you’re not checking things in real time, don’t bother.

It’s good to check embedded links when an email first arrives, but that’s not good enough. Links need to be checked every time a user clicks on them, right at that moment. In real time. Why?

According to the Threat Report, “It’s important to keep in mind that IP addresses are not static and may cycle from malicious to benign and back multiple times. While 60% of the millions of malicious IP addresses we saw in 2018 only appeared on the list once, hundreds of thousands appeared at least two or more times.”

The report goes on to point out that blacklisted IP addresses do not stay on the blacklist indefinitely. “IPs on the blacklist are revisited to see if they still exhibit malicious behavior. If not, they leave the blacklist. Hundreds of thousands of new IPs are added to and removed from the blacklist multiple times a day.”

 

It does you no good to only check embedded links upon arrival. If you’re going to invest in anti-phishing software to protect your business from phishing attacks, you’d better make sure the technology includes real-time scanning protection, like that found in PhishProtection.

If you run a small business and are new to the subject of phishing protection, step one is to download your free copy of the best practices eBook.

If you run a small business and you’ve already decided it’s time to protect your employees from phishing attacks, and you want to protect your entire company in 10 minutes for less than you think, head on over and try our anti-phishing solution risk-free for 30 days. You’ll be glad you did.