Phishing: Don’t Get Hooked!
Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy source. Malicious actors send out thousands of phishing emails at a time in hopes of luring in victims.
Transcription
BRAD: Looks like we have it 2:00. Kindsey, how are we looking? Is everybody showing up?
KINDSEY: Yeah, let’s go ahead and get started.
BRAD: All right, let’s do it. Hope everybody’s ready for an exciting ride into phishing. Welcome, everyone, to the webinar. My name is Brad Turner and I’m the Business Development Manager here at IronTech Security. Today’s Deeper Dive is going to be all about phishing. It’s going to be 20 to 30 minutes long.
This isn’t the type of fishing that you do next to a body of water, but the type of phishing that is done on the web to exploit people and businesses. I know we’ve mentioned this subject before, but today we’re going to dive a little deeper. We’re going to talk about exactly what phishing attacks are, how to spot them, and the different types of phishing attacks that exist. We’re also going to cover how to drastically reduce the likelihood of falling victim to a phishing or ransomware attack.
So what is phishing exactly? Phishing is a fraudulent attempt to obtain sensitive information or data, such as usernames and credit card details, by disguising oneself as a trustworthy source in an electronic communication. The hackers or bad actors behind these phishing schemes are trying to get you to release information about yourself or the organization you work for for their own financial gain.
Phishing scams and schemes are becoming more creative every day. Just as we’re getting smarter on how to avoid falling victim to a phishing email or text message, organized crime groups out there are learning new ways to steal our information for their own gain.
The most common platform for phishing attacks is email. Hackers know that most organizations and businesses use email to communicate inside of their company and to communicate with their clients. Hackers have the ability to send out massive amounts of emails at the same time. This is why email phishing is so popular.
How are these cyber criminals getting my email, you may ask? Oftentimes, emails are posted on company websites for anyone to see. Sometimes hackers are generating random emails and attempting to get a response just to verify that the email address is actually being used by a human being. Email phishing is the most prominent method for phishing attacks, but it’s not the only type of phishing attack out there. There are plenty. I’m going to go into detail about them at the end of this Deeper Dive.
In the previous slide, I mentioned how email phishing attacks are sometimes generated in large amounts and sent out. This type of phishing is a lot more personal. Spear phishing is a type of phishing that usually looks like it’s coming from a trusted or known source. Take a look at the image on this slide. It looks like someone is getting an email from what seems to be their boss. The names and emails are blurred out, but we can still get the main point: “Are you in the office? I need to know if you can process a wire transfer, as we need to pay for an invoice now.” At some offices, this may be a normal day-to-day thing, but there are a couple of red flags that stand out.
The sender is asking the receiver to email them back and to get the invoice paid right now. Also notice that the signature of the sender has no details in it. Most spear phishing attacks are trying to build a sense of urgency so the receiver doesn’t question the message until it’s too late. The lack of information in the signature is probably because the hacker doesn’t know that information. If the receiver will give the boss a call and make sure that he actually wants the wire transfer to happen, it’s possible for this person to potentially save the company hundreds, if not thousands, of dollars.
This is just one example of a spear phishing attack. Spear phishing attacks are not only a threat to businesses; they can also be a specific threat to people. Spear phishing attempts may ask for your Social Security number, your login credentials for your online banking – or any other platform, for that matter.
The next type of phishing attack I want to talk about is a BEC scam. Business email compromise attacks, or BEC scams, are the most financially damaging of online crimes. They exploit the fact that so many of us rely on email to conduct business, both personal email accounts and professional email accounts. Take a look at this image I have on this slide. The image goes into detail on how the typical BEC scam is conducted.
Step 1 on the far left. An organized crime group will target an organization, typically a United States or European-based business. They’re going to start to gather information on the company from the information listed on its website. This is going to help them build a profile on the company and the people that work there.
Step 2, spear phishing emails or phone calls target company officials. Perpetrators use persuasion and pressure to try to exploit human nature. Once they’re able to find someone who’s falling for the spear phishing attacks, they’re able to move ahead to Step 3. The victim is convinced he or she is conducting a legitimate business transaction. The unwitting victim is then provided wiring instructions or some other type of money exchange instructions. Step 4, the money that that victim is going to transfer is going to be stolen by an organized crime group, never to be seen again.
Smishing and vishing may sound like funny words, but they’re not to be taken lightly. These are two more types of phishing attacks. The main difference between these two types of attacks from all the others is that they don’t involve the use of email.
Smishing involves criminals sending text messages, very similar to the content in email phishing attacks. In most cases, the text messages are going to be from a bank or maybe your credit card company, asking for you to click on a link because some login info is missing, or maybe there was some suspected malicious activity on your account. You can also expect these attacks to say you’ve won some type of gift card or redeemable voucher and to click this link to claim it.
If you happen to click one of these links, you’re more than likely going to be asked to reveal some type of confidential information, whether it be your birthday or your email address or Social Security number.
Vishing attacks work the same way, but instead of using text messages, the hackers or bad actors are going to be calling your house phone or your cellphone. An example of a vishing attack is a phone call saying that you have won a free prize, but you need to first pay shipping and handling to actually claim it. Once you pay the shipping and handling, hackers will stop communicating with you and you won’t receive any type of prize.
Another example of a vishing attack is you get a call from someone claiming there’s a $500 charge on your bank account, but first they need to confirm that you’re actually the owner of said account. The attacker is attempting to create a sense of urgency so that the person will give up information without thinking. The hacker will ask the person to confirm their identity by reading off a 6-digit number that’s being sent to their phone via text message or email. They’ll also be asked to confirm their email address.
What is actually happening is the hacker is attempting to reset the account so that further changes can be made and the hacker can get control over your bank account. These are things that are happening completely behind the scenes. All the while, the person on the other end of the phone is completely unaware.
How to spot a phishing email? It’s not as hard as you might think. A few simple practices can make this much easier. For instance, hovering your cursor over the email address a suspicious email is coming from may reveal that it’s not coming from the person or organization you think it is. The name could be right, but look closely at the email domain. If it doesn’t match up to the organization or company that the person works for, be wary of opening any attachment that’s coming from this person until you’ve reached out to them to verify they actually are sending these emails to you.
Another useful tip for spotting a phishing email is looking out for bad grammar or misspelled words. Like I said in a previous slide, hackers are getting more and more creative on how they word and set up these phishing emails, but sometimes they’re going to slip up on grammar and spelling because they may not actually be from an English-speaking country.
If you get an email requesting login information or payment information, that can also be a sign the sender of the email may have malicious intentions. Most of the time, when your login information needs to be updated, the vendor or provider will have given you notice beforehand. A lot of subscriptions that people commonly sign up for don’t actually make you update or change your password and username information at all.
If you’ve cancelled a debit or credit card in the recent past, it is possible for some services to reach out asking you to update your card information. You need to always be wary of who you give your credit card info to, especially if you haven’t made any changes to any of the cards you normally use. If someone is asking you to update your credit card information and you haven’t cancelled a card recently, give the vendor or provider a call before you click on any links. Just a few minutes can possibly save you tons of money.
How did a phishing scam find me? Phishing scams are very popular because of how easily some people share personal information with sources that may or may not be trustworthy. If you’re getting phishing scams frequently, you may be wondering how the bad actors got your email address in the first place.
Sometimes email addresses are sent phishing scams at random. They take your name, they might add some numbers to the end of it, and they’ll add “@gmail.com” or “@yahoo.com” or any other email domain you can think of. Emails just like this are sent out in the thousands if not hundreds of thousands at once. The only way they know your email is actually being used by a person is if you accidentally respond or click on a link that you shouldn’t have. After that, they’re going to add your email address to a list of known used email addresses, and these lists are going to be bought and sold on the Dark Web for other hackers and malcontents to use and exploit.
If you have responded or clicked on a link in a phishing email, hackers may be able to wreak all sorts of havoc on your business and personal life. They have the ability to open credit cards in your name, maybe hijack your passwords and usernames, make purchases or obtain cash advances, or even possibly use and abuse your Social Security number. All of these things have a huge effect on a person’s life.
Another big reason why we are so passionate about making sure people are aware of phishing scams and the threat they pose to you is that phishing is the number one vehicle for ransomware.
I know we’ve talked about ransomware in the past, but what’s the harm in going over it again? Ransomware happens when cyber criminals encrypt your information and demand a ransom before they will return it to you. In order for a cyber criminal to gain access to your data and information, you must first fall victim to some type of phishing scam. This can allow them to get inside the door of your network and start poking around to find that critical information that you can’t run without.
Once that info is found, these cyber criminals will steal that information or possibly encrypt it so that you don’t have access to it anymore. You’ll be informed that you must pay some sort of ransom to get your information back. Be it $5, $5,000, $5 million, they’re going to demand some amount of money, and more than likely they’re going to have great customer service.
An example of a ransomware attack that happened recently took place in June of this year in Florence, Alabama. A hacker was able to gain a foothold into the city network using the username of the city’s IT manager, ironically. Shortly after the foothold was established, a ransomware attack was launched from another group of cyber criminals. They were able to shut down the city’s entire email system. This information came from the mayor, Steve Holt. The group was able to simultaneously compromise networks belonging to 4 other victims within an hour of Florence, Alabama, including a municipality.
Initially the ransom was set at $378,000 in bitcoin. Using an outside security firm, they were able to negotiate down to $291,000 in bitcoin. On June 10th, in an emergency meeting, the city council approved the ransom payment. They said that Florence couldn’t afford to see its citizens’ personal and financial data jeopardized by not paying. This is just one example of a large ransomware attack that has taken place this year.
Ransomware and cybersecurity is something that we have to take seriously, or things just like this could happen to your organization or to someone else’s organization that you know.
How can I protect myself from phishing? First of all, don’t provide personal information to anyone unless you’re 100% sure that that source can be trusted. Make a habit out of calling to verify that an email or text message is really coming from the organization it claims to be.
Another great way to protect yourself or your organization from phishing is to use a security vendor like us here at IronTech. We have the ability to deploy best-of-breed security tools that will enable you to practically wind the clock back if you or one of your employees falls victim to an attack. A security vendor will consult you on best practices to make sure your business is staying as secure as possible. A good security vendor will make sure there are multiple backups in place and that you are using active spam filtering on your email to help prevent malicious emails from getting to your employees.
Keep in mind that no one can stop all malicious emails from coming through. This is why all employees should be taking part in continuous cybersecurity training to keep them up to date on possible threats and things to look out for. Do your employees know how to spot a phishing email? Did you know that 97% of people in the world cannot identify a phishing email? I want to repeat that one more time: 97% of people in the world. That percentage is way too high.
On the next slide, I’m going to show you a short video on the continuous cybersecurity training that we here at IronTech Security offer to our clients. Let’s see if I can get it to play.
Video: Humans cause data breaches. IBM found that 95% of all data breaches are caused by human error. That is shocking. It shows that companies need to do more than just install firewalls and antivirus.
Humans make mistakes. Your employees are getting emails from Nigerian spammers, and they are clicking on links. They are getting fake emails from banks and logging into fake websites. They are using public Wi-Fi and logging into social networks and having their passwords stolen. They are using the word “password” or “123456” for their network passwords. They are leaving laptops in their car and having the laptops stolen. They are sending personally identifiable information, such as credit cards, Social Security numbers, and banking information, via email. They are using personally owned smartphones and laptops without securing the devices.
How do we know your employees are doing all these dumb things? We hear it every day. Humans need security training. Your employees need security training to stop making mistakes. Your employees need to know how to spot a phishing scam. They need to know how to use strong passwords. They need to know about physical protection of mobile devices, and they need to understand the risk of sending confidential information via email.
PII Protect makes it easy. Our training is concise, engaging, and makes it easy for employees to understand the risk of data breaches and how to avoid them. Unless you have been living under a rock, you are probably worried about data breaches. Now you can address 95% of the cause of data breaches: employees making mistakes. Sign up today for our PII Protect security training. Start providing security training to your employees.
BRAD: This continuous cybersecurity training platform is one of the best training platforms I have personally seen or used. Here at IronTech, we have all of our employees participate in the program. This training will enable a manager to monitor each employee as they take courses and complete the weekly micro courses that are going to be sent to them weekly.
My favorite part about this is the ESS score that is generated for each user as they work their way through the modules and simulated phishing attacks. We try to make it a competition here to see who has the highest score. I think I’m winning right now, but I may not be.
Since we’re talking about phishing in this Deeper Dive, I want to explain how the simulated phishing feature on this training stuff works. Whoever is set up as the manager of the training account is going to be able to send out simulated phishing attacks to their employees and see who clicked on the link or who fell victim to the scam firsthand. If someone falls for the phishing attempt, they’re instantly directed to a learning module about the phishing attack platform that was taking place there. This tool is key to maintaining a security-oriented culture.
As I’m nearing the end of today’s Deeper Dive virtual event, I highly suggest that if you haven’t already scheduled and completed a free security assessment, you get with us and have one scheduled and put on the calendar now. Take advantage of this opportunity to meet with us for 30 minutes to an hour and talk about making your organization as secure as possible.
Reach out to us at commandcenter@irontechsecurity.com, or you can email me directly at brad.turner@irontechsecurity.com. As always, you can still call us at (479) 434-1400.
Thank you guys very much for coming, and I want to open up the floor if anybody has any questions. Kindsey, we got anything in the Q&A?
KINDSEY: I’m not seeing anything.
BRAD: Guess I did a really good job of explaining it. What are we talking about next week?
KINDSEY: Next week we’re going to be covering the importance of data backup.
BRAD: Okay. Well, I guess I finished up a little early.
KINDSEY: I’m going to put that link in the chat right now if you guys want to go ahead and register for next week’s. Brad, it doesn’t look like we have any questions, so I guess we can go ahead and end the webinar and see you guys next week.
BRAD: Yep. Thank you, everybody, for coming, and I hope to see you next week.
KINDSEY: Bye, guys.