Phishing Attacks on the Rise – WebCam Cover
Phishing attacks have been a factor in more than two-thirds of cyber-espionage incidents for the past three years. Cybercriminals have long used phishing and other social engineering methods to trick their victims into providing access to confidential data. Phishing is one of the most common and efficient (less time, less complexity and low cost) social engineering methods used by cybercriminals.
Health insurer Anthem Inc. believes that the attack that compromised up to 80 million individuals’ personally identifiable information may have begun with phishing e-mails sent to a handful of its employees. This is just one of several options being investigated as the cause of the breach. The insurer also warned members that the data breach is being used as a lure by online and telephone scammers.
The techniques are growing in sophistication, according to Verizon’s 2015 Data Breach Investigations Report. The Verizon study noted that more than 23% of recipients open phishing emails at some point, and 11% open the attachments, an unsettling number, especially for large businesses and corporations with thousands or hundreds of thousands of employees.
Cybercriminals are now using social media to launch their attacks. With many of these phishing schemes targeting employees, business leaders should be aware of the risks that social engineering can pose to their operations, reputation and customers.
While your business may invest heavily in its information security infrastructure, with methods such as firewalls, antivirus software and webcam covers, these measures may not be adequate for mitigating the risk of social engineering attacks. If you want to protect your company from cyberthreats, do not underestimate the importance of the “human factor.”
Examples of Spearphishing attacks
Spearphishing is a specific type of phishing attack in which the attacker uses a fake email address to deceive an individual in an attempt to gain unauthorized access to personal information. This is a highly targeted operation in which the hacker has at least some information that he can use to make himself seem familiar to the intended victim.
Here are just a few examples of the types of phishing attacks that you or your employees could fall victim to:
- Via LinkedIn: A hacker creates a fake LinkedIn profile in order to target employees at a specific company. He uses the fake profile to access information about the targets’ current and past employers, job titles, email address and connections.
- Via LinkedIn email: A hacker sends a fake email that looks like it is coming from LinkedIn. When the victim clicks on the link in the email to “accept connection request,” it takes him to a fake LinkedIn login page. If the user logs in, his login information will be compromised.
- Via email attachment: An employee within the targeted organization receives an email with an attachment (e.g., fake invoice or report) for review. The attachment could look like a .zip file with an embedded PDF file icon, although it is actually an .exe (an executable file that runs a program). The downloaded malware file is installed on the business network where it has access to sensitive data, putting the company and its clients at risk.
- Via email link: A victim receives an email pretending to be from a financial institution or other trusted source. The email contains a fake link to a fake website where the victim’s computer becomes infected with malware, allowing the hacker to access the computer remotely and steal personal information, passwords, user IDs and online transaction information.
How to boost your employees’ ‘Phishing IQ’
Many firms start with a real-world test of their employees’ phishing IQ: an email containing a fake link is sent to employees. Employees who click on the link are taken to a website with training resources about phishing, and test performance is measured and reported to management.
Organizations should conduct cyber training for employees on email and browser security with these 6 key tips:
- Resist the urge to click links in a suspicious email.
- Check the Web address of a link (by placing your mouse cursor over the link) and the sender’s email address before visiting the destination website.
- Keep all web cameras that are not in use covered with a webcam cover.
- Visit websites directly rather than clicking links in emails.
- Be cautious of email attachments, even if they look like they’re from a familiar sender.
- Check for signs such as poor quality of the logo or email, poor grammar or misspellings.
Your employees can also be one of your company’s greatest vulnerabilities in the face of growing cyberthreats. However, with proper training, they could also be one of your best defenses against social engineering attacks.