Let's face it, in the past few years hackers have gotten bolder, more directed, and more numerous. While previously they were always a risk, nowadays it seems like getting hacked is nearly an inevitability.
For every high-profile ransomware attack on a hospital or credit card processor, there are thousands of "smaller" security breaches happening to businesses every day. How do all these different businesses get hacked? Well, it's not only the black hat hackers of the movies with their trojans and worms creating all the problems; most companies are breached through a simple targeting technique known as phishing.
What is Phishing?
Phishing is an oddly spelled term that means luring an employee to open a malicious download by sending a false message, much like one might lure a fish. The most common form of phishing comes as an email, often pretending to be from a friend, coworker or boss. The idea is to get the employee to open the email thinking it's from a normal contact. Inside the email will be a perfectly reasonable request to open the attached file or click a link; however, rather than accessing a spreadsheet or account information, the employee instead downloads dangerous malware.
The biggest problem with phishing is that the 'known vulnerability' being targeted by the message is human trust. Therefore, while there are many technological answers to combat phishing, your best defense is to start by training employees not to get phished in the first place.
Watch for Spoofed Emails
The primary weakness in the phishing process is that the phishers don't typically have access to the real email of whomever they're pretending to be. This means that if you spot the 'spoofing' or fake email address, you can be sure that a message is meant to phish.
To spoof, the hacker first discovers the email address of one of your close contacts or business associates. This is sometimes done through social media, an innocent phone call, or from a previously successful phishing attempt of your colleague. In this example, let's say you have a coworker with the email address "firstname.lastname@example.org". The hacker will then register a similar domain name in order to send emails from "email@example.com". Can you spot the difference?
In modern email software, one way to be sure is simply to compare new emails to your contacts list. If the address registers as new, even if everything else looks right, you are being phished.
To see an example of a spoofed email, check out our recent post!
Watch for Illogical Web Links
Another weakness of phishing is that it needs to direct you to a page they control to harvest your credentials. This is often done by presenting a link you'd expect in the email you received, but actually bringing you to a completely different site. The harvested site is often mocked up to look amazingly close to the read thing, as evidenced by this recent Netflix email phishing scam.
By hovering your mouse pointer over the link in the email or document (BUT NOT CLICKING IT), you will see the actual website your click will bring you to. Does the web address look legitimate? If not, you are being phished.
Email Scanning Software
Other than training your employees to keep an eye out for fake email addresses and to have care when opening attachments and links, there are a few available software solutions as well. Certain email add-ons can scan email attachments for potentially malicious contents and some can even keep an eye out for web addresses that are very similar to but not exactly matching legitimate websites. This can help your employees maintain cyber-security protocols.
Not Falling for Pushy Hackers
It has been recently revealed that in a recent wave of phishing attacks on hotels, hackers made phone calls to the hotels pretended to be customers trying to make a reservation. They then sent infected emails to the staff and, as a "customer", insisted the attachment be opened. This way, they don't even have to spoof because they're pretending to be a new contact. Make sure to warn your employees to scan every attachment and consider having a special policy for any necessary file sharing with customers.
As security systems improve, in many cases phishing becomes the only way a hacker can penetrate your combination of firewalls and active admin protection. By keeping employees informed about the risks and trending attacks you will help protect your business from emerging cyber-threats.