Phishing Remains Top Cyber Threat to Small Companies — and It’s Getting Sneakier
Before COVID-19 was even designated a pandemic by the World Health Organization (WHO), criminals launched phishing campaigns to steal money and sensitive information by imitating WHO emails. Like a virus, this crime adapts quickly. And small companies are a favorite target.
Two thirds of all small- to medium-sized businesses surveyed by the Ponemon Institute in 2019 had suffered a cybercrime within the previous year. The top threat? Phishing, which rose from 48% to 57% of these SMBs over the previous year.
This trend is fueled by emerging phishing tactics, and the vulnerabilities created by mobile devices.
Most of us who run companies that store clients’ sensitive financial data and/or process online financial transactions understand that we’re targets for phishing. But even if you’re familiar with the word, it’s worth reviewing the basics and learning about some new tactics.
What is Phishing?
Phishing is a method by which cybercriminals attempt to get one or more victims to divulge login IDs and passwords for critical accounts or IT networks, or to download malware. Scammers use bogus emails, phone calls, text messages, and other communications to appear legitimate to their victims.
The malware a phishing attack delivers to your computer or mobile device can do a variety of dangerous things, such as:
- Record your keystrokes. Whatever you type on your keyboard is relayed to the phisher, who can harvest login IDs, passwords, account numbers, Social Security numbers, and other sensitive data.
- Harvest specific data, such as email addresses, financial account transaction data, etc.
- Open a backdoor that allows a hacker to take remote control of the device and access networks it’s connected to.
- Install ransomware which encrypts network files. The cyber thieves then demand a ransom (usually paid in cryptocurrency) to unlock the data.
The varieties of malware and the “trojans” they install are constantly changing, as are the phishing tactics used to deliver this malicious code.
Why Phishing Attacks Target Mobile Devices
As more SMBs conduct business via mobile devices, cyber thieves have naturally targeted these devices. Even if your employees don’t have sensitive company/client data stored directly on their mobile devices, they’re likely to have access to your company’s IT network.
This means that hackers may be able to gain access to your network simply by snagging your employees’ login ID and password through their smartphones. And phishing is a perfect way to attack mobile devices, for two key reasons.
1. Mobile devices hide web page and email addresses
Even experienced cybersecurity experts can be fooled by phishing emails they view on their smartphones rather than on a full-sized computer screen.
One reason this happens is that many smartphones hide the address bar when you open an email, or when you open a browser window, such as for a sign-in page.
So even if you’re in the habit of checking email and web addresses (a.k.a. the URL) to spot anomalies, you have to work harder to do that when you’re using a smartphone. (For even worse news about spotting fake URLs, see “Punycode” section below.)
2. Many mobile apps aren’t secure
According to a report about the state of mobile security in 2020 by the cloud security company Wandera, 87% of successful mobile phishing attacks take place outside of email. Mobile apps are often the culprit.
The report points out that even apps from the two major app outlets, Google Play and the Apple App Store, can no longer be trusted to be free of malicious or easily hackable code. Also, some of your employees may also “jailbreak” their devices to install sketchy apps from outside of these mainstream outlets.
Wandera’s recommendation: Use a mobile security solution that includes an app vetting component and the ability to automatically detect and shut down suspect apps.
Read more about mobile device management tools in this previous post.
Whether phishing attacks arrive via mobile or other computer hardware, learn to detect them by looking for some common characteristics of popular phishing techniques.
How to Spot Three Common Phishing Attacks
1. Mass email campaigns
You may think you’re immune to attacks in which the identical phishing email is distributed to thousands, even millions, of recipients. You’ve seen so many lame attempts at this tactic over the years. But these emails tend to be more professional-looking now.
Also, remember that these emails are sent to large numbers of people to find just a few that happen to be susceptible to emails from a particular well-known source–and once in a long while, that could be you.
Say you happen to be tracking a FedEx package one day, and you get an official-looking message from FedEx, so you click automatically, and…oops.
WHAT TO LOOK FOR:
- A seemingly credible source. An email or text message that appears to be from Microsoft, Amazon, Google, UPS, the IRS, the state lottery, etc., designed to get your attention.
- Urgency. There’s either some problem you must address RIGHT AWAY–like a hacked email or banking account that requires you to reset your password or “validate” your credentials–or an offer of something really juicy, like a cash rebate.
- The “call to action” link. The text that opens the link often ratchets up the urgency by saying something like, “Act now to protect your account.”
- A fake login page. If you take the bait and click on a phishing link, you may be taken to a realistic-looking page with fields in which to enter an account ID and password. Or it may appear to be a PDF you can only partially see, with a login box in which you’re required to enter your email account ID and password to “unlock.”
2. Spear phishing: Using “spoofing” to target you specifically
While basic phishing’s main goal is usually planting malware that steals credentials, spear phishing usually targets specific employees, trying to get them to give the fraudsters information directly.
This can involve fake phone calls or texts in addition to emails. The goal is to trick you into thinking you’re dealing with a familiar, trusted source. Scammers use the details of our lives and businesses that so many of us divulge on social media to create sophisticated scams.
The quality of identity “spoofing” — which in this context means mimicking a legitimate company’s web address (URL), email addresses, website, graphics, and personnel — is generally better in spear phishing attacks.
Hackers can spoof your company’s identity to make you believe you’re getting a message from a co-worker or boss (as in the “whaling” description below), or an outside entity. The authentic look is designed to make you overlook certain warning signs.
WHAT TO LOOK FOR:
- New electronic payment instructions from an existing contractor or client. Get verbal confirmation on ANY email or text telling you to change previously-established transfer accounts.
- An e-commerce site you already use asks for identification and/or financial information via email or text. If you buy things on Amazon.com, for example, you enter your ID/password and payment information on a secure site — you shouldn’t be asked for that information via email.
- Familiar senders asking for account information. Similar to the basic phishing request for you to reset a password or verify account information, but with more convincing touches, such as accurate logos and your name in the body of the email.
3. Whaling: Targeting and/or impersonating top executives
The target victims of whaling are usually your company’s CEO, CFO, HR exec, or someone else with access to your most critical accounts and data. The fraudster’s goal is a much higher payoff than a standard phishing scam.
Because the thieves are going for a big score, they’ll often put far more time and effort into customizing their messages with accurate information about your company and/or executives. They’ll create more believable fake login or wire transfer sites.
WHAT TO LOOK FOR:
- A slightly different domain name in an executive’s email address. Scammers will buy a domain name very similar to your company’s, and create an email that may have one character different from your executive’s real email. For example, your CEO’s real email is firstname.lastname@example.org — would you notice if an email came from email@example.com?
- Emails from an executive who’s out of town. Scammers can time whaling emails by gleaning from social media when an executive is at a conference or on vacation. They’ll then spoof that executive’s email account and request wire transfers or sensitive information from subordinates.
- Urgent requests for electronic funds transfers. This seems obvious, but if your company frequently sends payments electronically, thieves (literally) capitalize on that routine.
- Offers for luxury goods or entertainment you wouldn’t normally get on your work email. Fraudsters use information about your hobbies, favorite drinks, cigars — whatever they find on social media — and try to get you to click on links for “special offers.” Sounds silly, but it works.
Two New Tactics That Make Phishing More Effective
Those three varieties of phishing have been around for many years, in part because criminals continue to innovate and make these schemes more difficult to detect. Two more recent innovations make it more difficult to spot bogus web and email addresses.
1. Punycode: Making domain names appear legit
“Punycode” is a play on “unicode,” which is the code that determines how text characters are displayed on a web page.
Hackers have learned to monkey with this code so domain names like “amazon.com” look completely real, but the code underlying the characters belongs to a fraudster’s domain.
2. Certified phishing domains: The “s” in “https” doesn’t always mean “secure” anymore
When you’re using a website to sign into an account or make a transaction, it’s a good idea to look for a padlock symbol and a URL that begins “https” instead of “http.” The “s” stands for secure, meaning the site has been certified to use a specific type of encryption.
However, it’s now possible for domain owners to use free services that issue this certification, which means cyber thieves can now get domain names with the padlock symbol and https at the beginning of their domain’s URL.
Educate Yourself, Your Staff, and Your Clients
Perhaps the worst thing a phishing attack can do to your company is wreck your reputation.
With a successful phishing attack on your IT network, hackers can make your business the platform to launch phishing attacks against your clients, vendors, contractors, and other associates.
This is why it’s important not only to train your employees to recognize phishing attacks, but to tell your clients and other key contacts what your firm will and will not ask them to do via email, text, etc., such as:
- We won’t email or text you a link to change the login ID/password for any account linked to our company.
- We won’t email you with a request to return the email with any sensitive financial information.
- We won’t email/text instructions for changing the method or account number for transferring funds to our firm.
Encourage clients to follow up on any suspicious communication that appears to be from your firm and get verbal confirmation from their representative.
I suggest sending this phishing-prevention communication once a year to your key contacts. But make sure you update it every year, because chances are good that phishing perpetrators will have added a new wrinkle or two.