The Hacker is Increasing His Presence
In recent weeks, there has been a noticeable spike in social engineering attacks – with one specific type known as “spear phishing” leading the pack. No, I’m not referring to some form of underwater fishing. It’s a targeted, personal attempt to gain access to your funds through fraudulent and deceptive tactics.
Phishing is a hacker term for attempting to gain access to an online account or to fraudulently obtain funds by tricking someone through email, websites or phone calls. It’s an alternate spelling of “fishing”, and rightly so – attackers often send hundreds or thousands of emails to get one “bite”. For example, let’s say you receive an email from what appears to be your bank. It has your bank’s logo, and some official-looking text asking you to update your account information. However, the email has a few grammar or spelling mistakes, and the link appears to go to a website domain that isn’t where you usually go for online banking. When you click the link, it takes you to a website that looks very similar to your bank’s website, and has a form to enter your information. Here, a hacker has created a fake website to resemble your bank’s official site, with the intent of capturing what you enter, and then using it to gain access to your real bank account. An attacker will send many of these emails out, with the hope that one victim will fall for it.
Spear phishing takes this a step further, by targeting specific people (namely CEOs and CFOs) within a business, and using extremely well-crafted and personal techniques. In one type of attack, a domain name that is similar in spelling to your business’s domain is purchased – for example, abc123.com is the legitimate domain, and adc123.com is the fraudulent domain. The attacker then forwards an email from the fraudulent domain, and makes the email appear as though it was a conversation between two people, like a vendor and the business or two principals of the business. The attacker, posing as someone from within the business with authorization to transfer funds, asks to have money wired to a bank. They will often say it’s urgent and ask that it be kept confidential. In today’s fast-paced society, we might not catch the domain misspelling – particularly if it’s a close match. They often wait until the person they are impersonating is out on vacation – so they aren’t easily available to ask. The attacker will provide destination details like routing and account numbers. Once the money is transferred, it’s often very difficult – if not impossible – to get back.
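One defensive check a mail administrator can add is to compare each sender’s domain against the business’s own domain and flag near-misspellings like the abc123.com / adc123.com pair above. The following is an added example written for this article, not code from the original post; it assumes a hypothetical TRUSTED_DOMAINS list, uses plain edit distance to measure “close match”, and goes slightly beyond the article by also warning when a message’s Reply-To domain differs from its From domain.

```python
from email.utils import parseaddr

# Assumed for this example: the business's own domain, taken from the article's illustration.
TRUSTED_DOMAINS = {"abc123.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Domain part of an address header such as From: or Reply-To:, lowercased."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """'trusted' for an exact match, 'lookalike' if within a few edits, else 'external'."""
    if domain in trusted:
        return "trusted"
    if any(edit_distance(domain, good) <= max_distance for good in trusted):
        return "lookalike"
    return "external"


def flag_message(headers: dict) -> list:
    """Return human-readable warnings for a message's From: and Reply-To: headers."""
    warnings = []
    from_domain = sender_domain(headers.get("From", ""))
    if classify_domain(from_domain) == "lookalike":
        warnings.append(f"sender domain {from_domain!r} looks like a trusted domain")
    reply_to = headers.get("Reply-To")
    if reply_to and sender_domain(reply_to) != from_domain:
        warnings.append(f"Reply-To domain {sender_domain(reply_to)!r} differs from From domain")
    return warnings


if __name__ == "__main__":
    # Constructed sample header mimicking the article's scenario (not a real message).
    print(flag_message({"From": '"Pat Smith (CFO)" <pat@adc123.com>'}))
```

A small edit-distance threshold keeps false positives down on short domains; any message flagged as a lookalike should be confirmed by phone before acting on a transfer request, as the article advises.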
How To Avoid Falling Victim to a Hacker
Avoiding this scenario comes down to business process and policy, as well as scrutiny of emails asking for financial or confidential information. Businesses should have a process in place to verify fund transfers, so that fraudulent transfers can be caught. Also, being mindful of these types of attacks and how they happen will make you aware and more likely to catch them before it’s too late.
Recognizing the signs of phishing or spear phishing isn’t always easy, but there are clues that can help you spot a potential scam.
Phishing emails often contain spelling errors, grammatical mistakes and poor composition. Hackers are often located outside the US, and English may not be their native language. Official emails from companies are reviewed for mistakes before they get sent out, so mistakes like these should be a red flag.
Don’t click links in email from unknown senders, or unexpected messages from known senders. If you receive a strange email from a friend or coworker, asking for money or directing you to check out a website, you should make sure you know what you are clicking before you click it. Your friend’s account may have been hacked and the hacker could be sending these messages and hoping the trust you have for that friend will entice you to click the link. Pick up the phone, and call your friend or acquaintance if there is any question.
Compromised email accounts are a very common method hackers employ to gain access to other online accounts – such as banking – or to dupe coworkers into divulging confidential information. You might have set up an email account so that password resets require a code that’s sent by text message to your phone. While this is a secure method, it’s possible to be duped into giving this code out. One method hackers use requires that they know only two pieces of information – your email address and your cell phone number. They will attempt a password reset using the “forgot password” link, which sends the code to your phone. You may then receive another message, stating it’s from your provider, and saying something like “Your account has been compromised. Please reply with the code you just received”. Now the hacker has your code, resets your password, and accesses your account.
Be careful about what information you make public online. Never list your cell phone number, vacation schedules, home address or birthdates. This, and other personal information, could be used to gain access to an account, or to trick a friend or coworker as part of a spear phishing attack.
If you own a business, it’s important to recognize that anyone can fall victim to these types of attacks. More and more, small businesses are being targeted not because they are insecure, but because they are plentiful. One thing you can do is provide your staff with security awareness training. Security awareness training provides employees with information on how to recognize a scam or hacking attempt, and how to avoid it. And like many educational subjects, you should provide regular training to remain up to date with the new ways hackers employ to trick their victims. Most IT providers can recommend companies that specialize in this type of training, and often it can be done online. Don’t wait to become a victim; take steps now to avoid it.