Monday, April 2, 2018

Phishing anyone?

Digital Threat Management, eCrime, Cyber Security; all terms associated with one of the fastest growing areas of risk facing business operations.  Today, criminals do not need to break through network firewalls to have access to a company’s private information.  In most cases, access through network security can be provided by unsuspecting computer and mobile device users.  In a recent report by APWG (an international coalition of governments, law enforcement sectors, and NGOs to combat cybercrime), the volume of cyber-attacks has continued to increase.  These attacks are most often carried out through phishing scams.

In this post, we will discuss a general overview of phishing and five ways to protect yourself and your firm from a phishing scam.  We will also look at malware and ransomware (usually the result of falling prey to a phishing scam), and five ways to protect against a ransomware attack.  Finally, we review a couple of good resources to get some additional information about cybercrime.

What is Phishing?

Phishing is when someone uses fraudulent emails, texts or copycat websites to get valuable user information or to gain access to your computer or company network.  Once inside the network, these people can install programs like ransomware that will lock out users from important files.  Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies. Or they pretend to be a friend or co-worker.

In a 2017 survey conducted by Wombat Security, 70% of the working Americans surveyed knew what a phishing scam was, but only 37% of the same group knew about ransomware.  Education is the best defense against phishing since phishing requires the user to take some sort of action.  While awareness will allow the user to recognize a potential threat and take the appropriate precautions, here are five other things you can do to protect against a phishing scam. 
  1. Be suspicious of any email or communication (including text messages) with urgent requests for personal financial information.
  2. Avoid clicking on links. Instead, go to the website by typing the Web address directly into your browser or by searching for it in a search engine. Calling the company to verify the legitimacy of a request is also an option.
  3. Don’t send personal financial information via email and avoid filling out forms in an email that ask for your information.
    1. You should only communicate information such as credit card numbers or account information via a secure website or telephone if you have called the company requesting the information.
  4. Use a secure website (https:// and a security “lock” icon) when submitting credit card or other sensitive information online.
    1. Never use public, unsecured WiFi for banking, shopping or entering personal information online, even if the website is secure.
    2. When in doubt, a 3G/4G or LTE connection is always safer than using public WiFi.  Most computer security software programs will offer a virtual private network (VPN) option for mobile devices, or they will recommend a VPN app.
  5. Typically, phishing emails are not personalized, but they can be. Messages from banks and eCommerce institutions are usually personalized. When in doubt, call the company directly to see if the email is in fact from them.

What is Ransomware?

Even with education and vigilance, there is still the chance that your computer or company network will receive malware.  Malware (malicious software) is any program or file that is harmful to a computer user. Malware includes computer viruses, worms, Trojan horses, and spyware. There are ever increasing news reports about a type of malware called ransomware.  Ransomware is a type of malware that accesses a victim’s files, locks and encrypts them, and then demands that the victim pay a ransom to get them back. Cybercriminals trick users into clicking on attachments or links that appear legitimate but contain malicious code to attack the system. Under a ransomware attack, the victim has a certain amount of time to pay to get “the code” that will unlock and release the files.  Even if the victim pays, there is almost never a code provided that will unlock the files.  Any individual or organization can be a potential ransomware target.

Education and awareness are the best defense against a ransomware attack, but combining awareness with the steps below can help mitigate the risk.

  1. All critical software, including computer and mobile operating systems, security software and other frequently used programs and apps, should be running the most current versions.
  2. Back up all files, photos, music and other digital information by making a copy and storing it in the cloud or on a removable device or both. 
  3. As a departure from traditional password schemes, use a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember.
  4. Links in email are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.
  5. If you use USBs and other external devices to share files, or if you use email to attach and share files, these can all be infected by viruses and malware. Use your security software to scan them before downloading files onto your computer.

Resources

There are a number of great resource centers to get a better understanding of cybercrime and how to protect your business from malicious attacks.

Anti-Phishing Working Group, Inc. (APWG) - APWG is the international coalition unifying the global response to cybercrime across industry, government and law-enforcement sectors and NGO communities. 

STOP. THINK. CONNECT. - STOP. THINK. CONNECT.™ is the global online safety awareness campaign to help all digital citizens stay safer and more secure online. The message was created by an unprecedented coalition of private companies, non-profits and government organizations with leadership provided by the National Cyber Security Alliance (NCSA) and the APWG.

Associated with these organizations are a number of private companies that can provide additional resources for protection against cybercrime. Cybercrime is a rapidly changing and evolving risk to individuals and businesses.  The more we know, the better we can stay vigilant and protect ourselves.

Until next time, stay safe and be kind to one another.