Social engineering serves as an open back door for cybercriminals. Attackers don’t bother to create an elaborate plan of how to get into a company’s system. Phishing can guarantee their goal will be achieved. According to Verizon’s 2021 Data Breach Investigations Report, this attack is leading the top of breaches in 2020 with 38%. That explains the serious financial company losses due to phishing. Let’s find out what it is and how to identify it.
$5.3 billion – this is the FBI’s estimate of the total losses in the last three years suffered by businesses around the world to phishing attacks. Understandably, phishing is a severe crime in the cyber world. These cyber-attacks are successful because people fall prey to them very quickly, through spoofed emails. It’s not as easy as it sounds to protect from phishing since the attackers are nowadays using new and ingenious technologies.
Cybercrimes such as spear phishing, SMiShing, and phishing have been statistically proven to be increasing at a high pace. The rise in the sophistication and effectiveness of methods used by cybercriminals is leading to a very pressing need to improve on the cybersecurity and control mechanisms of organizations and adopting to anti-phishing solutions.
Ideal for users who work in a team, Dropbox is the place where all their team’s content comes together. It is the world’s smartest workplace, which helps team members cut through the clutter and bring to the surface, things which matter the most. Users can store their files in a safe place, and access them through a computer, phone, or tablet. They need to login to Dropbox, and all the changes they make will sync across all the accounts. Dropbox makes team management super simple. Team members can send an e-mail to Dropbox, and keep their projects moving forward.
Recognizing Online Identity Thefts And How Enterprises Can Ensure Identity Theft Protection For Their Employees
Enterprises encounter various online threats while thriving in the digital age. Online identity theft happens to be one of the prime threats that all businesses need to address. Identity theft refers to any instance of an unauthorized entity using an entity’s confidential identification data to impersonate them for malicious purposes. Such information includes addresses, names, email addresses, login credentials like username and password, passport numbers, driving license numbers, social security numbers, or bank details.
GDPR, or General Data Protection Regulation, is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It’s a law that gives control of people’s personal data back to the people. It includes the right to see all the data a company has on you, as well as the “right to be forgotten.” In other words, a company that is covered by the GDPR has to delete your personal data at your request.
The one thing you could always count on with a phishing page is that something would give it away as a phishing page. After all, it’s not the real page, so there must be something different about it. Protecting yourself from a phishing attack simply came down to being able to identify the clue that gave away the web page as a phishing page. But what if attackers could find a way to phish you with the legitimate page you actually intend to visit? There wouldn’t be any clues giving it away as a fake page because it isn’t. That would be a problem, and unfortunately that problem has become reality.
The first wave of pandemic-related phishing attacks targeted vulnerable employees and consumers. There were attacks that used home delivery services and attacks that used travel-related services. There were attacks on spoofed resumes and attacks on the SBA’s Office of Disaster Assistance. Now hackers have moved on to the gainfully employed by attacking the virtual private networks (VPN) that remote workers use to connect to the office while working remotely.
Let’s face it, hackers do whatever they can to get you to click on their link. And they have a lot of tools in their toolbox to get you to click. Everything from social engineering to display name spoofing to domain name spoofing. It’s all to get you to do one thing: click the link.
The US Small Business Administration (SBA) does the important work of supporting small businesses in the US. They provide a lot of resources, but none more important than small business loans. And with the onset of COVID-19, the organization has come up with unprecedented emergency financial relief options for small businesses. And of course, with that much money being made available, it was only a matter of time before hackers tried to get their hands on it.
The latest Threat Intelligence Report is out. Its findings are based on an analysis of 195 billion emails analyzed from January through June 2020. Of that large number, an astonishing 47% were flagged as malicious or spam.
It won’t come as a shock to learn that there were two main themes in the threatening emails this spring. According to HelpNetSecurity, “Two main trends ran throughout the analysis: the desire for attacker’s monetary gain and continued reliance on COVID-19-related campaigns, especially within certain vertical industries.” From the report, “One of the most significant observations of this research is that threat actors are launching opportunistic and malware-based campaigns across multiple verticals at volumes never seen before.”
It’s 2020, which means it’s time for another Presidential election in the U.S. The big question is, who will win? But an even bigger question is, will we be able to trust the outcome? There are evil forces out there who’d love nothing better than to manipulate the outcome of the election for their own purposes. And what way are they most likely to do that? Through phishing, of course.
If you take an email security awareness training class, you’ll learn a dozen ways to spot phishing email. There are a lot of clues. Maybe the email contains poor spelling or grammar. Or maybe it contains an offer that’s just too good to be true. All of those are giveaways. But there is one clue that’s a more reliable predictor of a phishing email than any other one: the “from” address. If you truly know who the email is from, you’ll know whether or not it’s legitimate.
There are a lot of companies that depend on their employees to stop phishing attacks. In effect, their employees are their last line of defense. Seeing as how the cost of phishing attacks is now in the tens of billions of dollars per year (nobody knows the exact amount since victims are so reluctant to come forward), it seems like the employees stopping phishing attacks thing isn’t working too well. And now we know why.
Most phishing attacks are pretty straight forward. You receive an email that convinces you to log into some website you’re familiar with. But, it’s just a convincing looking replica of the website and what you’re really doing is entering your credentials into a bogus site. Once you do that, the bad guys have your credentials, and depending on which ones, they can create a whole lot of havoc for you.
For the longest time, the number one delivery mechanism for ransomware was a phishing email. As much as 91% of ransomware was delivered that way. And then things changed.
According to an article on ZDNet, “in recent years, attackers have successfully pivoted to using remote ports, insecure public-facing servers and other vulnerabilities in enterprise networks to encrypt entire networks – often demanding hundreds of thousands of dollars in payment to release the data again.”
What’s more dangerous than a phishing attack that uses a social engineering tactic to get you to click? How about a phishing attack that uses a combination of TWO social engineering tactics to get you to click? And that’s exactly what was detected this week according to InfoSecurity Magazine.
In this case, the two social engineering tactics are phishers hiding COVID-19 malware in both CVs (curriculum vitae or resumes) AND medical leave forms. According to the article, “Cyber-criminals are taking advantage of the evolving jobs market and employee health situation under COVID-19 to disguise malware in various emailed documents. The phishing campaigns spotted center around spoofed CVs and medical leave forms.”
If your organization is the unfortunate victim of a phishing attack that leads to ransomware, you have a very important decision to make. Should you pay the ransom or not? The answer depends in large part on how much the ransom is. Hackers are smart not to ask for so much ransom that not paying it seems like the best alternative.
I hope to never receive an email from the United States Supreme Court. It couldn’t possibly be good news. I would be very suspicious. But there is one small group of people who, if they received such an email, might not be suspicious: C-suite executives. And that’s exactly what some hackers thought as they targeted such individuals with a zero-day credential phishing attack impersonating the Supreme Court.
One of the ways the world has responded to the COVID-19 pandemic is to take a lot of the entertainment we used to enjoy live and in person and move it online into the world of virtual entertainment. The entertainment is still live, but now instead of watching musicians in a bar or theater, you get to watch them live streamed on your smart TV or mobile phone. The hackers know this, and they are aiming to do something about it.