Have you been getting emails from yourself or questionable emails from business contacts? Receiving a lot of spam emails lately? Is it becoming harder to differentiate between legitimate emails and phishing emails?
You're definitely not alone. Spam, phishing and spoofing are happening more and more these days. According to the FBI, phishing attempts increased 60% in 2018.
Phishing, spear phishing, spoofing, smishing and social engineering... First, let's define all these terms:
so·cial en·gi·neer·ing /ˈsōSHəl ˌenjəˈni(ə)riNG/
In the cyber security world, social engineering is the art of manipulating, influencing, or deceiving you to get you to divulge confidential or personal information in order to gain control over your computer system. The hacker might use email, text message, phone, snail mail or even direct contact to gain access to your information.
According to www.phishing.org, Phishing is a cybercrime in which many targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details and passwords, or to install malware on a user's computer.
Spear Phishing is a form of phishing that is targeted towards a specific individual, organization or business.
Email Spoofing is the practice of sending emails with a false sender address to hide where the email actually originated. If you are getting strange emails from yourself, this is what is happening.
SMiShing is a newer form of phishing, where someone tries to trick you into giving them your private information via a text or SMS message instead of email.
Phishing has been around for a long time, but it's evolving and getting more sophisticated. Spear phishing and spoofing seem to be merging together into mutant spam, making it harder and harder to identify the fake from the real. Hackers are now posing as legitimate senders like FedEx, Dropbox, DocuSign, PayPal, Amazon, your bank, your credit card company, your coworkers... or yourself. These emails are using attachments, links, images, forms and even ransom tactics to get you to give up your information or money.
Over the past year, people have been receiving emails from themselves that go a little something like this (I'll paraphrase): "Hello [your name]. I'm a hacker who cracked your email and device a few months ago. I know your email password was [password] at the moment of the hack. But even if you've changed your password, my malware has updated and I know about all of the sites you've been going to. I have control of your email and if you don't send [bitcoins, money, information, etc.] I'm going to send your browser history, etc. to all of your email contacts."
Sound familiar? There are other ones going around that say they've hacked into your webcam or phone camera and have watched you, but it's the same gist. They are holding you for ransom and know one of your (old, we hope) passwords... which is slightly terrifying. Now if that password is, indeed, old and you've changed it long ago, good for you! Delete the email because there is no real threat. The hacker probably got that password from a dark web list from the various breaches over the last ten years: Yahoo, LinkedIn, Target, Twitter or [insert other company that has been breached].
However... many people are still using old passwords or variations of old passwords. And those people probably are terrified. If you are one of those people... QUICK! Change your passwords now, and make them hard to crack. Better yet, use two-factor authentication if possible.
But let's get back to phishing. It used to be that you would have to download an email attachment to get the hacker's malware, but now you just have to click a link. And these cyber attacks can't be scanned by your computer's defense systems, which makes you an easy target if you aren't careful.
Speaking of being careful, you need to make sure that the email is legit before you click anything. Not expecting a package from FedEx? Don't click the link! Business associate sent you an email asking you to pay an invoice, but you don't have anything to do with AP? Don't click the link! Hackers will really tempt you to click that link, so you need to learn how to keep yourself from being a victim of phishing. The key is to be informed.
How can I prevent myself (or my employees) from becoming a phishing victim?
- Know the telltale signs of a phishing email
  - Spelling, punctuation, or grammar errors
  - Oddly worded, as if the person isn't a native English speaker
  - Domains that are slightly off (Linked1n.com, gooogle.com, etc.)
  - Logos that are not quite right
  - The email provokes anxiety or urgency
  - The message asks for your personal information
  - You didn't initiate the action
  - Unrealistic threats
  - Something just doesn't look right
- Always check the sender
  - Put your cursor over the sender and see if it is actually coming from who it says.
  - If the email comes directly from an acquaintance or source that you would typically trust, forward the message to that same person directly to make sure they were the correct sender. Do not simply hit reply to the email.
- Check the links before clicking
  - Hover, don't click on the link. If the domain of the link to which you are being directed doesn't match the company domain, then the link is a fake.
- Use a spam filter
  - Most of us have these, but if you don't, set it up!
- Educate and test your employees
  - Education about phishing is the most important thing you can do. Regularly inform your employees about phishing and other cyber attack techniques, as they are constantly changing. Also, you can regularly test your employees with fake phishing emails. There are many companies that offer services where you create phishing campaigns that tell you how many people clicked on the links so you know who needs more training.
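The sender, link and "slightly off" domain checks from the list above can also be run automatically. The following Python sketch is an added example, not part of the original article: the `TRUSTED` list, the function names and the sample message are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = {"linkedin.com", "google.com"}  # assumption: domains you really deal with
# Simplification: regex link extraction suits this sample; real mail needs MIME and HTML parsing.
ANCHOR = re.compile(r'<a\b[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def base_domain(host):
    # Naive "last two labels"; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def imitates(domain):
    # Trusted domain within two edits of this one (gooogle.com -> google.com), or None.
    return next((t for t in sorted(TRUSTED) if 0 < edit_distance(domain, t) <= 2), None)

def check_email(raw):
    msg, findings = message_from_string(raw), []
    sender = base_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    if imitates(sender):
        findings.append(f"sender {sender} imitates {imitates(sender)}")
    for href, text in ANCHOR.findall(msg.get_payload()):
        target = base_domain(urlparse(href).hostname or "")
        if imitates(target):
            findings.append(f"link {target} imitates {imitates(target)}")
        shown = DOMAIN.search(text.lower())
        if shown and base_domain(shown.group()) != target:
            findings.append(f"text shows {shown.group()} but link goes to {target}")
    return findings

# Constructed sample message, not a real email.
SAMPLE = (
    "From: LinkedIn <security@linked1n.com>\n"
    "Subject: Verify your account\n"
    "Content-Type: text/html\n\n"
    '<p>Sign in at <a href="http://gooogle.com/login">www.google.com</a> or '
    '<a href="https://www.linkedin.com/help">our help page</a>.</p>\n'
)
```

Calling `check_email(SAMPLE)` returns one finding for the sender and two for the first link, while the genuine linkedin.com help link produces none.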
In addition to the list above, you should have firewalls, antivirus software and other means of cyber security in place. From helping you develop processes to performing security audits, a technology partner, like BizTech, can help you get on the right track. Have questions about cyber security? We can help.