Phishing Remains a Stubborn Security Problem: How to Lick it for Good


Savvy IT pros rarely fall for phishing scams, but even the most experienced are sometimes tempted by the sophistication of these exploits. While you might not be prey to these tricks, your end users might be, and that leaves your network exposed.

Like other exploits, phishing attacks are getting more dangerous all the time. The key, of course, is to build an e-mail message that appears to be from a trusted source such as a bank. Once a victim is convinced of its authenticity and clicks the link, they are sent to a clone of the real website and asked for personal information, credit card numbers and other bits of data one should never give up.

Even more troubling for IT, phishing attacks often seek user names and passwords. Once the bad guys have these, your network could be in big trouble.

Phishing is prevalent because it works, is generally driven by financial gain, and uses both email and social media. Here is what the Verizon 2017 Data Breach Investigation Report had to say. “There were a little over 1,600 incidents and more than 800 breaches featuring social actions in this year’s corpus (all external actor driven). Phishing was again the top variety, found in over 90% of both incidents and breaches. Once successfully phished, a number of things can happen: software installation, influencing disclosure of sensitive data, repurposing of assets and so on. In last year’s report, we discussed how the majority of remote breaches began with the same chain of events; phishing to gain a foothold via malware, then leveraging stolen credentials to pivot off of the foothold. It also holds true this year—95% of phishing attacks that led to a breach were followed by some form of software installation,” the report explained.

So what can you do about phishing?

Can your spam

The hook for a phishing scam is a well-crafted email, which by definition is spam. That means putting a lid on the spam in your shop with a filter. Since some spam will still get through, also make sure your antimalware solution can detect and deal with these messages.

Make sure end users can spot the fake stuff

Phishing works through trickery, so train your end users not to fall for it. Here are a few items to cover in a training session or handbook:

  • How to spot a bogus e-mail.
  • That they should only click links they know with 100% certainty are authentic.
  • If they question the authenticity, but aren’t truly sure, they should go directly to the website, say of their bank, and see if there really is an issue.
  • Users should never give their credentials to a site they got to through e-mail.

Here's what a phishing scam looks like

While it can be hard to tell a legit message from a fake, there are usually telltale signs. Here is an example from the Microsoft Security Center.

Phishing example from the Microsoft Security Center (image)

Less sophisticated phishing messages often contain misspelled words and bad grammar. The sender's address tries to look legitimate, but on close inspection it is clearly not from the organization it claims to represent.

The links within the mail are also sketchy, but ideally the end user has spotted the scam before going anywhere near the link address.

Microsoft Used as a Foil

Hackers use trusted companies as phishing lures. I got a message purportedly from the Microsoft Outlook team. The message was well designed and looked real at first blush. See if you can spot the signs of fraud.

Dear Outlook.com User,

As part of our effort to improve your experience across our consumer services, we’re updating the Microsoft Services Agreement and the Microsoft Privacy Statement. We want to take this opportunity to notify you about these updates for your safety.

If you do not update your Microsoft account within 24 hours your account will be deactivated and deleted from our server and you will no longer have access to many of the outlook.com features for improved Conversations, contacts and attachments.

Take a minute to update your account for a faster, safer and full-featured Microsoft Outlook experience and to avoid your account being De-Activated.

Thank you for using Microsoft services.

Microsoft Admin:

Microsoft respects your privacy. To learn more, please read our Privacy Statement.

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Making things trickier, the link to Microsoft’s Privacy Statement was authentic.
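To show how the telltale signs discussed above (a sender domain that only looks legitimate, a link whose visible text does not match where it points, and a deadline threat) can be checked mechanically, here is an added example in Python; it is not code from the original post or from Kaseya. The message is a constructed imitation of the one quoted above, the sender and link domains are invented `.example` names, and the trusted-domain list is an assumption you would replace with your own.

```python
"""Flag common phishing signs in a raw e-mail message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message quoted above; no real sender or URL.
SAMPLE_EML = """\
From: Microsoft Outlook Team <admin@outlook-account-update.example>
To: user@example.com
Subject: Update your account within 24 hours
Content-Type: text/html

<p>Dear Outlook.com User,</p>
<p>If you do not update your Microsoft account within 24 hours your account
will be deactivated and deleted from our server.</p>
<p><a href="http://login-verify.example/update">https://account.microsoft.com</a></p>
<p><a href="https://privacy.microsoft.com/privacystatement">Privacy Statement</a></p>
"""

# Deadline and deactivation wording typical of the sample above.
URGENCY = re.compile(r"within \d+ hours|de-?activated|deleted from our server", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
    def handle_data(self, data):
        if self._href is not None:          # first text after <a ...> is the label
            self.links.append((data.strip(), self._href))
            self._href = None


def phishing_signs(raw, trusted_domains=("microsoft.com",)):  # trusted list is an assumption
    msg = message_from_string(raw)
    _name, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if not any(sender_domain == d or sender_domain.endswith("." + d) for d in trusted_domains):
        findings.append(f"sender domain {sender_domain!r} is not a trusted domain")
    body = msg.get_payload()
    parser = LinkCollector()
    parser.feed(body)
    for text, href in parser.links:
        shown = urlparse(text).hostname if "://" in text else None   # label that looks like a URL
        target = urlparse(href).hostname or ""
        if shown and shown != target:
            findings.append(f"link text shows {shown!r} but points at {target!r}")
    if URGENCY.search(body):
        findings.append("urgency wording: deadline or account deactivation threat")
    return findings
```

Note that, as in the real message, the Privacy Statement link is left alone because its label is not a URL; the check only fires when the visible address and the actual target disagree.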

Two Final bits of Advice

Here are two things your end users should take to heart:

They must never even open e-mail from organizations they haven't done business with or given their address to.

If a user clicks a malicious link and sees anything suspicious, have them shut down their machine and contact IT to stop any further spread.

Stay Protected

Phishing is a primary delivery route for malware, so antimalware is a needed defense. Fortunately, Kaseya VSA offers multiple types of protection such as patch management, anti-virus and antimalware. Find out more about this endpoint management solution here.

Posted by Doug Barney
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.
