Security exercises from QuantumHost: how to shield your organization from phishing

If you have received emails about fabulous winnings, or calls from suspicious “bank employees” wanting the code from a text message, know this: it is phishing, an attempt to steal your data or money through malicious links and messages. It affects individuals and large companies alike, and the consequences can be serious.

We’ve written a long read on how scammers operate and what to do to avoid falling into their traps. At the end, you’ll find a checklist of recommendations on how to keep yourself and your employees safe.

What is phishing?

The term “phishing” is a blend of the English words fishing and password. It is one of the most widespread types of internet fraud, and its aim is to obtain identity data.

The consequences of a phisher’s actions vary in severity: from a harmless banner on your PC to the loss of a company’s data with no possibility of recovery.

The main goal of phishing is to steal something valuable and use it for the attacker’s benefit, or to compromise or disrupt someone else’s business.

What phishers usually target:

  • Personal data, including passport data;
  • logins and passwords of all kinds;
  • data for logging in to individual accounts;
  • databases;
  • access codes;
  • personal correspondence;
  • bank card or account details;
  • proprietary information;
  • other sensitive information, etc.

Types of phishing

If you hear someone say “smishing” or “vishing,” know that they are not laughing at you. Both are forms of phishing. Let’s sort out the terminology.

Phishing is divided by the target of the attack:

  • Spear phishing – attacks aimed at specific individuals.
  • Whaling – phishing on a larger scale: the main targets are the “big fish”, executives of large companies and high-ranking officials.

According to the channels of attack, phishing is divided into:

  • Phishing proper – sending messages that contain links to infected or fake sites. The term is also used generically for all the types below.
  • Vishing – phishing attacks via phone calls.
  • Smishing – attacks via SMS.
  • Pharming – the user is secretly redirected to an infected site without noticing.
  • Social-network phishing – sending fraudulent messages via social networks.

Let’s look at each type of phishing and find out how to protect employees and the company from it.

Phishing emails

A strange email arrives telling you that you’ve won, urgently asking you to go somewhere and enter your data, and so on. This is how scammers play on emotions: unexpected joy, fear, curiosity.

Many such “chain letters” end up in the spam folder, but some make it to your inbox. You can’t rely entirely on the mail system’s anti-spam filter; you must always be on the lookout.

Signs of a phishing email

  • No sender name or contact information.
  • The sender’s address is a meaningless jumble of letters.
  • The email claims to come from a large organization, but the sender’s address does not appear on the organization’s real website.
  • The sender introduces himself as an employee of the company, but writes from a regular account such as gmail.com rather than a corporate one.
  • Hovering over a button or link in the email shows a different address in the lower-left corner of the page than the one the text suggests.
  • The link address contains unusual symbols, e.g. @.
  • Attached files have an unknown extension and/or an incomprehensible name.
  • Links are not inserted as text but hidden behind images, buttons, bright pictures and QR codes.
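The signs above can be checked mechanically. The following Python script is an added example, not code from QuantumHost or the original article: it parses a constructed sample email (claimed bank, free-webmail sender, a link whose visible text differs from its real target, an executable disguised as a PDF) and reports each indicator it finds. The free-webmail list, the dangerous-extension list and the sample message are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style the article describes (not a real message).
SAMPLE_EMAIL = """From: "KBC Security Team" <kbc.support.2291@gmail.com>
To: employee@example.com
Subject: Your account has been blocked
Content-Type: text/html

<html><body>
<p>Suspicious activity was found. Confirm your identity within 24 hours:</p>
<a href="http://kbc.k.be/login">https://kbc.be/secure</a>
<p>See the attached statement: statement_2024.pdf.exe</p>
</body></html>
"""

# Assumed lists; a production filter would use much larger ones.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "mail.ru"}
DANGEROUS_EXT = ("exe", "scr", "bat", "vbs")   # the extensions the article's checklist names


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, or '' if the string has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def scan_email(raw, claimed_org_domain):
    """Return a list of human-readable phishing indicators found in a raw email."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender: missing name, free webmail, or a domain other than the claimed organization.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if not name:
        findings.append("no sender name")
    if sender_domain in FREE_WEBMAIL:
        findings.append(f"sender uses free webmail ({sender_domain}) while claiming {claimed_org_domain}")
    elif sender_domain != claimed_org_domain:   # exact match only; subdomains are flagged too
        findings.append(f"sender domain {sender_domain} does not match claimed organization {claimed_org_domain}")

    # 2. Links: '@' in the address, plain HTTP, visible text pointing elsewhere than the href.
    body = "".join(p.get_payload() for p in msg.walk()
                   if not p.is_multipart() and p.get_content_type() in ("text/html", "text/plain"))
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        parsed = urlparse(href)
        if "@" in parsed.netloc:
            findings.append(f"'@' in link address: {href}")
        if parsed.scheme == "http":
            findings.append(f"link uses plain HTTP: {href}")
        shown = host_of(text)
        if shown and shown != host_of(href):
            findings.append(f"link text shows {shown} but points to {host_of(href)}")

    # 3. Attachments: real MIME attachments and filenames merely mentioned in the body.
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().rpartition(".")[2] in DANGEROUS_EXT:
            findings.append(f"dangerous attachment type: {fname}")
    for fname in re.findall(r"[\w.-]+\.(?:exe|scr|bat|vbs)\b", body, re.IGNORECASE):
        findings.append(f"dangerous file name mentioned in body: {fname}")

    return findings


if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EMAIL, "kbc.be"):
        print("-", finding)
```

The checker deliberately reports every indicator rather than stopping at the first one: a single weak signal (a subdomain of the real organization, say) is not proof of phishing, but several together almost always are, which is also how a human reader should weigh the signs in the list.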

What phishing emails typically contain?

Let’s talk about the subjects of malicious emails. This is not a complete list of phishing scenarios: phishers are very creative and keep inventing new ways to lure out your data. The malicious buttons and links in such emails either launch malware or lead to pages where you enter the sensitive data yourself.

  • Someone has hacked your email and learned your password / We found suspicious or fraudulent activity on your account / someone has changed your email security settings.
  • Your account has been blocked, or disabled / You’ve been added to our blacklist: We realized you’re a fraud or a bot!
  • You have an important document from the tax office, police, credit organization, etc. There are files with unknown extensions and strange names attached to the letter.
  • An email from your colleague/partner with documents or “important working” links.
  • You have won a prize! Follow the link to find out the terms of receipt and/or delivery.
  • You didn’t repay the loan – the case goes to court.

The most important rule:

Do not follow the links in such emails, do not click on pictures no matter how attractive they look, and do not enter your data on unknown pages.

Phishing sites

Links in phishing emails usually lead to malicious sites.

What sites are commonly spoofed:

  • Banks and microfinance institutions;
  • Payment services;
  • Search engines and email services;
  • Pages with authorization and payment forms in online stores;
  • Airlines, etc.

How to identify phishing sites:

Strange or suspicious domain name

To confuse the victim, scammers register domain names that resemble the names of large organizations. If you look closely, the inconsistencies become apparent: check the second-level domain, the part directly before the top-level domain. For example, instead of https://kbc.be, a phishing site might be called http://kbc.k.be, where the registered domain is actually k.be. If in doubt, search for the organization’s real website and compare the addresses; that tells you whether you’ve landed on a scam site.
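The second-level-domain check described above can be automated. The Python script below is an added example, not code from the original article: given a URL and a small allowlist of known brand domains (a constructed list, including the article’s kbc.be), it extracts the registrable domain and flags the address when that domain is not the brand but the host still resembles it, either because the brand name appears as a label (kbc.k.be) or because the registered name is one edit away from it (a digit swapped for a letter). The stand-in public-suffix list is an assumption; a real checker would use the full list.

```python
from urllib.parse import urlparse

# Assumption: a tiny stand-in for the public-suffix list (real tools use the full list).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed allowlist of domains the organization actually uses.
KNOWN_BRANDS = {"kbc.be", "paypal.com", "google.com"}


def registrable_domain(host):
    """Return the registrable (second-level) domain of a host name."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes such as paypa1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url, brands=KNOWN_BRANDS):
    """Return (verdict, reasons): 'ok', 'unknown' or 'suspicious' with the reasons found."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "invalid", ["no host name in address"]
    reasons = []
    if "@" in parsed.netloc:
        reasons.append("'@' in address: the real host is what follows it")
    if parsed.scheme != "https":
        reasons.append(f"not HTTPS ({parsed.scheme or 'no scheme'})")

    reg = registrable_domain(host)
    if reg not in brands:
        # Does the host resemble a known brand without being it?
        reg_name = reg.split(".")[0]
        for brand in sorted(brands):
            brand_name = brand.split(".")[0]
            if brand_name in host.split(".") or edit_distance(reg_name, brand_name) <= 1:
                reasons.append(f"looks like {brand} but the registered domain is {reg}")

    if reasons:
        return "suspicious", reasons
    return ("ok" if reg in brands else "unknown"), []


if __name__ == "__main__":
    for u in ("https://kbc.be/login", "http://kbc.k.be", "https://paypa1.com/signin"):
        print(u, "->", assess_url(u))
```

Note that the check is an aid, not a verdict: a host whose registrable domain is unknown and resembles no brand comes back as “unknown”, which still means “compare it with the real address before typing anything”.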

Mistakes, typos, and oddities in design and layout

Everything on the page “jumps” and overlaps, text is missing in places, and elsewhere whole sentences are written in capital letters. Gross spelling errors are mixed with calls to enter, type, click and buy. As a rule, such sites are phishing sites: the large organizations the scammers masquerade as cannot afford to look so sloppy.

You can always check a suspicious site for authenticity and for the presence of malware and spam. Use whichever service suits you, such as:

  • AVG Threatlabs,
  • Google Transparency Report,
  • ScanURL,
  • PhishTank,
  • Urlvoid.com, and more

Phishing Calls: Vishing

How vishing, a voice phishing method, works:

  • A “bank employee” or “security officer” calls you, tells you about suspicious transactions on your card and asks you to read out the code from a text message. A real bank employee will never do this: these are scammers.
  • If you have posted a classified ad, for example on Avito, you have probably received calls from “buyers” asking for your card details so they can transfer a prepayment. This is another vishing scheme.

Phishing via SMS: smishing

What this type of phishing usually looks like:

  • You receive a text or an email informing you of a problem: something is wrong with your card or identity, someone has tried to charge your account, etc. To find out what the problem is, you are told to call the number given in the message.
  • You receive a text message from an unknown person with a link: most likely, they are fraudsters. Don’t follow links in messages!
  • You receive an SMS supposedly from an employee of a company, a state service or the tax authorities, but from a private number rather than an official one. Do not believe the message: these are scammers.

Phishing in social networks

What it usually looks like:

  • You receive a personal message urging you to watch a provocative video starring you, learn something interesting, vote or leave a comment. The scammer sends a link and wants you to click on it. Once you do, you either hand over your details or get malware on your device.
  • Scammers hack the communities of large companies, post articles with malicious links on the page wall, and harvest data from the subscribers.
  • The “administrator” of a group you belong to writes to tell you that you have won a prize, but to receive it you have to pay for insurance or shipping. These are scammers: don’t pay anything, don’t reply, and block the user.
  • And the most common: an acquaintance writes to ask for a loan, or for your vote in a talent contest or children’s drawing competition. Don’t reply to the message. Call the person directly and ask whether they really wrote to you on the social network.

Types of cyber attacks on companies

Attacking a company through employees

The scheme is simple: fraudsters send a mailing to an employee of a large company, who, forgetting about security, clicks on a malicious link from a work device. An employee can fall into any of the traps described above and accidentally give attackers access to corporate accounts and information. To prevent this, educate your employees and conduct computer security training. And be sure to give them the checklist at the end of this article.

Ransomware and other Trojans

These are dangerous malware programs that can infiltrate your system in various ways, including through phishing emails. Scammers use them mainly against corporate clients, large companies and government organizations. The Trojan gets into the computer and encrypts all of its contents, after which the scammers demand a ransom to restore the data.

Keyloggers

These programs record what you type on your keyboard and can steal a wide variety of data. A keylogger can arrive through a link in a phishing email or through physical media not checked by an antivirus: a thumb drive or a disk.

Attacks on cloud storage

Since many large companies use cloud services such as Google Drive or OneDrive, scammers have begun to attack them as well. Large amounts of corporate data, databases and personal information are at risk. The user is typically tricked into visiting a phishing site that exactly mimics the login page of a personal account, where he or she enters the access credentials.

Programs to protect your data

Antivirus

Installing an antivirus is a prerequisite for the security of your devices and those of your company. All major antivirus programs have built-in phishing protection; all you have to do is set it up and turn it on. Install antivirus software on your smartphone and PC, and give all your work computers the same protection. And don’t forget about timely updates.

Choose any reputable antivirus that suits your budget and needs.

How not to get phished. Security measures in a company

  • In our opinion, the most important thing: take cyberattacks seriously yourself and teach all your employees to do the same.
  • Use two-factor authentication for all company accounts. This is a method of identifying a user by two kinds of factors: something the user physically has and something the user knows. For example, you first enter your username and password, and then a code from a text message or email. Less often, the second factor is biometric data or a special USB key.
  • For critical accounts, such as access to EDI systems and accounting programs, use an eToken, a physical security key.
  • Move your site to a secure protocol: HTTPS. It is better to use a paid SSL certificate; it minimizes the risk of hacking.
  • When uploading content to the site or backing up its data, use the encrypted SFTP or FTPS protocol instead of plain FTP.
  • Delete all irrelevant and unused accounts.
  • Use business security services; we talked about them above.
  • Regularly change the passwords of employee email and other corporate accounts.
  • Forbid employees from keeping passwords in plain sight.
  • Regularly back up your content, especially the information on your site and in cloud storage.
  • React immediately to even the slightest hint of suspicious activity: change passwords, block the fraudsters, and run in-depth antivirus checks.

Drastic measures

They will not suit everyone, but some companies use them successfully.

  • Block access to social networks on work devices.
  • Block all disk drives and USB connections of work computers.

What to do if you get trapped?

So the scammers finally got through to you: you fell into their trap. What you can do:

  • Run an antivirus scan on your computer and smartphone.
  • Change your stolen password as soon as possible. If you use it for multiple accounts, change your password for them, too.
  • Set up two-factor authentication.
  • If you gave out your card details or a code from a text message, call the bank at the phone number on your card. The bank will block the card to prevent theft and check for suspicious transactions.

If you want to protect other users from the actions of scammers, report their activities.

Rules for employees: a checklist

We suggest that you distribute this checklist to all employees in your company.

Protect your social networks

  • Do not click on suspicious links.
  • Don’t enter your account data on third-party sites.
  • Don’t give your smartphone to strangers.

General rules

  • If you receive a social-network message from an account claiming to be a bank or another organization, check that account on the official site or by phoning the bank/company. If there is no such account, do not reply and block the suspicious account.
  • Do not trust anyone who asks you for money on social networks, even if the request appears to come from a friend. Call the person whose page the message came from and ask whether they really need money. If not, don’t reply to the fraudster; block him and report him to the social network’s security service.
  • Check every file that arrives in a personal message. If a “book” is attached but has an .exe extension, that’s strange: don’t open the file.
  • Periodically check when your account was last active. If something looks suspicious, end all active sessions and change your password.

Facebook

  • Read about Facebook’s security features.
  • Set up two-factor authentication.
  • If you suspect you’ve been hacked, follow Facebook’s account recovery instructions.

Instagram

  • Read Instagram’s security tips.
  • Set up two-factor authentication.

Twitter

  • Read Twitter’s security tips.
  • Set up two-factor authentication.

You received a strange email

  • Do not click on links, pictures or buttons in emails from strangers.
  • If the sender presents himself as an employee of a company but writes from an ordinary gmail.com address rather than the corporate mail, do not open the email.
  • Do not believe promises of sudden winnings, and do not fall for attempts to intimidate you.
  • Do not open attachments in emails from strangers, no matter how tempting they look. Do not download files such as *.exe, *.scr, *.bat, *.vbs.
  • If you see a strange sender address in an email, e.g. with an error in the domain name, delete the email.

A strange person calls you

The caller may pose as a bank teller, a customer wanting to buy something you have advertised, a company representative announcing a big win, etc.

  • Don’t give your bank card details, especially the CVC code, to anyone, least of all to a stranger over the phone.
  • If you have already received a text message with a code, don’t give it to anyone, especially a “bank employee”: real bank employees never ask for such data.
  • End the conversation. If the caller introduced themselves as a bank employee, call your bank, describe the situation, and pass on the scammer’s phone number for verification.

You have found yourself on a suspicious site

  • Do not click on links, or on suspicious and flashy pictures and buttons.
  • Don’t believe promises of sudden winnings, and don’t be taken in by attempts to intimidate you.
  • If the site is sloppy and garish, with gross mistakes in the text and lots of notifications, pop-ups and calls to proceed or leave your data, it’s probably a phishing site. Close the tab and don’t return to it.
  • Before you enter your details on a site, make sure it’s the right site: clones sometimes look very similar to the original. Check the address several times. If anything about it confuses you, close the tab.
  • Sign up and buy only on sites with an SSL certificate and two-factor authentication. To access your account you are then checked on two factors: in addition to the username and password, you are asked for, e.g., a one-time password.
  • If you see HTTP instead of HTTPS before the site address and your browser warns you that the page is untrustworthy, it is right: avoid websites without an SSL certificate.

Tips not just for the job

Do not put personal information in public sources: addresses, dates of birth, phone numbers, yours and your family members’.

Why: all of this can help scammers guess your password or secret word, hack your accounts and gain access to your money and data.

Change passwords at least every six months. “I never change my passwords and I’ve never been hacked. Why start?” you might ask, and that is exactly the mistake a future victim makes.

Why: it makes the cybercriminals’ job harder, because no one knows when their money and data will be targeted.

Don’t use the same password for all of your accounts. Don’t give crooks a key to all your doors.

Why: a scammer who learns the password to one of your accounts will immediately try that key on all your other accounts. Don’t risk everything; be creative when coming up with new combinations.

Use your browser’s incognito mode when you work on someone else’s computer, log into your accounts or enter personal information.

Why: when you close the browser window, your passwords and data are not saved, and you are automatically logged out of all your accounts.

Turn on two-factor authentication for all your accounts.

Why: this kind of protection is better at stopping scammers because they have to get past two barriers to break into your account, and that is not easy.

Install antivirus on all your devices.

Why: caution is good, but technical protection on top of it is better.
