If you’ve been paying any attention, you’ve seen that the healthcare industry is under a constant threat from phishing attacks that lead to ransomware. Every week it seems there’s another healthcare organization hit with a data breach or ransomware. The question is, why? And now we know the answer.
The short answer is, healthcare organizations are an easy target for hackers because their cyber defenses stink. So, the real question is, why do healthcare organizations cyber defenses stink? The short answer here is, it’s just not a priority for them. And apparently, the hackers know it.
By now you should know that coronavirus is being used to phish victims. And now apparently, it’s also being used to launch ransomware…on smartphones. From SC Magazine, “A malicious Android app that supposedly helps track cases of the coronavirus actually locks users’ phones and demands a ransom in order to restore access.”
Candidates running for political office today, especially those running for president, have to get their message out. And more and more that means sending out emails. Lots of emails. Emails that can easily be misinterpreted as spam.
You have to hand it to those hackers, they’re always innovating. This week comes news of two new phishing exploits designed to do one thing: convince you it’s NOT a phishing email.
First, fromThreat Post, comes a clever exploit that uses YouTube redirect links, which are whitelisted by many security defense mechanisms, to evade detection. From the article, “If certain malicious URLs are blocked by web browser phishing filters, attackers commonly use a redirector URL to bypass these filters and redirect the victim to their phishing landing page. URL redirects have been used in previous campaigns, including malicious redirect code affecting Joomla and WordPress websites and HTML redirectors being used by Evil Corp. Now, a new campaign is using legitimate YouTube redirect links.”
Worried that your security certificate is out of date? You should be, but not because it’s out of date, but because the notice you get informing you it’s out of date is a scam.
You almost have to be living under a rock or in a cave to not be aware of the constant threat from cyber events in general and phasing attacks and ransomware in particular. But that’s what seems to be the case for a lot of small and mid-size businesses today.
This week’s first scam comes courtesy of the U.S. Postal Service. From an article online, “USPS® and the Postal Inspection Service are aware of the circulation of a fake email/email scam claiming to be from USPS officials including the Postmaster General.
Security Awareness training companies love to point out how important employee training is in keeping organizations safe from ransomware and malware. And to be sure, training employees to spot phishing emails is better than not doing it. But, the ubiquity of security awareness training advertising has led to two large problems.
Got an Amex or a Chase credit card? Then you were the target of a new phishing campaign this week. According to Information Security Buzz, “A new phishing campaign involves scammers sending fake Chase and Amex fraud protection emails asking users if the listed card transactions are valid. Victims who click the no button in the message to dispute the transactions will be redirected to a fake yet legitimate-looking Chase or American Express login site where they will go through a fake verification process that invites them to enter their username, password, birth date, social security number, as well as their bank and credit card information.” (more…)
You can take every precaution imaginable and still have your company get hit with a successful phishing attack. Why is that? Because hackers are just that good and employees are, well, just that human.
Our first scam of the week “Says it will pay for data breaches.” Really? You don’t say?
“A new phishing scam that masquerades as a U.S. government consumer agency is supposedly paying data breach victims for the loss of their personally identifiable information. Instead, once consumers enter their name, birthdate, credit card number and Social Security number, you can probably guess what happens next.” Yes, we can.
Do you ever use an online service that gives you multiple ways to sign in? For example, there’s the online storage service Dropbox which lets you login with your Google credentials, Yahoo credentials, Office 365 credentials and others. Seems very convenient, because you don’t have to remember as many login credentials. Well guess what? Attackers know that and they’re now using it to phish you.
You know it’s a bad week when the scam of the week involves professional sports teams’ social media accounts getting hacked. From SC Magazine, “According to multiplenews sources, the hackers compromised the NFL’s league Twitter and Facebook account, as well as social media accounts belonging to the Buffalo Bills, Arizona Cardinals, Chicago Bears, Cleveland Browns, Dallas Cowboys, Denver Broncos, Green Bay Packers, Houston Texans, Indianapolis Colts, Kansas City Chiefs, Los Angeles Chargers, Minnesota Vikings, New York Giants, Philadelphia Eagles, San Francisco 49ers and Tampa Bay Buccaneers.” A lot of teams lost this week…and they didn’t even play.
Now that we’re in 2020, the phishing numbers from 2019 are starting to trickle in. Numbers which attempt to quantify the state of phishing, such as how many emails were malicious and how many were effective. And so far, things look pretty bleak.
For starters, what percentage of people do you think can spot all of the phishing scams out there? It’s important to spot them all because it only takes one click to bring down an entire organization. The answer? 5% according to a survey from Security.org.
FedEx is back in the news for…phishing scams. According to the Tullahoma News, “Law enforcement is warning about a new FedEx phishing scam. The company’s customers from across the country, including locals, have received a text message showing a tracking code and asking to click and set delivery preference. The link is fraudulent.”
The only thing most people know about two-factor authentication (2FA) is that it’s supposed to make online activity safer, and for the most part, it does. But, as you’ll see, it doesn’t do anything to protect you from a phishing attack if the phishing attack is really good.
Think you’re getting paid back for that data breach? Think again because it’s a scam. According to Kim Komando, “Scammers appear to have set up a website claiming to be run by the ‘US Trading Commission’ that promises financial compensation for the leakage of personal data.” There’s only one problem with this. There’s no such thing as the US Trading Commission. “Instead, this highly detailed fraudulent website preys upon hapless data breach victims.”
The real trick to any phishing scam is getting the victim to let their guard down. Every technique imaginable has been tried. But maybe the most effective one is the one that’s now being used in more phishing attacks: conversation hijacking.
DuoCircle is pleased to announce that it recently received its AICPA Service Organization Control 2 (SOC 2) Type 1 Report. This report provides detailed information regarding DuoCircle’s policies and controls relevant to security, availability, and confidentiality of data. DuoCircle meets the SOC 2 standards for Security and Availability Trust Services Principles with zero exceptions listed.
