Don’t Let Your Guard Down, Attackers are Still Phishing
Phishing is alive and well — and being overconfident in your ability to avoid it makes you incredibly vulnerable.
When you imagine a phishing victim, your mind may immediately jump to your non-tech-savvy cousin or your elderly neighbor. While there’s no doubt that those people are vulnerable, they’re far from the only group at risk. The truth is that anyone can fall victim to phishing, especially now that phishing emails have become increasingly difficult to differentiate from legitimate ones and now that so many people have become confident in their ability to spot and avoid emails that seem suspicious.
In 2018, 83% of surveyed information security professionals experienced phishing attacks — and 67% experienced one to five incidents each quarter. In short, it doesn’t matter your level of expertise or tech savvy, you will likely face phishing attacks. And no matter how confident you are that you can spot and avoid those attacks no matter what, it’s critical that you remain on high alert.
After all, social engineering attacks like phishing, smishing, vishing, and more can have devastating consequences, not just on a singular employee, but on their entire organization. It only takes one person to fall victim to a phishing attack to put the entire corporate network at risk.
A successful phishing scheme could force you to cough up fines to regulatory bodies, cover customers’ and employees’ identity protection, or even compensate those impacted by a breach. What’s more, a phishing attack could destroy your reputation, cause customers to lose trust, and affect employees’ productivity levels. In short, it can be a death sentence for an organization.
At a time when many people believe they’d never fall victim to a social engineering attack, it’s more important than ever to remain fully alert. After all, it’s always better to be safe than sorry when it comes to phishing, as too much hubris could leave you more vulnerable to cyber criminals!
An Overview of Common Social Engineering Attacks
Phishing may be the social engineering attack we hear about most often, but it isn’t the only one you need to worry about. Social engineering attacks that should be on your radar include:
When cybercriminals go phishing, they toss out a wide net, hoping for someone to open their emails and follow their links. These emails may appear to come from a familiar address or even contain convincing content, but they will have a malicious link somewhere. If the recipient clicks the link, it will start downloading malware immediately and/or it will take them to a website that looks real but is actually set up by the scammer. If the recipient enters their credentials, they’ll be redirected to the real website, and the attacker will have all the information they need.
While most phishers don’t have a specific target, some execute spear phishing attacks, which are more directed. Here, attackers will target a specific victim or enterprise and tailor messages based on their victims’ job positions, contacts, and characteristics.
For example, a spear phisher might impersonate your boss or your organization’s IT consultant. While spear phishing requires more effort from scammers, it also offers higher success rates, as people have more difficulty discerning spear phishing attempts from legitimate emails. Whaling attacks are a form of spear phishing that involves high-profile targets, such as CEOs. Both of these attacks tend to prey on those who might quickly identify a standard phishing email, but who can easily fall victim to a directed email if they aren’t on high alert.
97% of U.S. adults owned a cell phone in 2021, so it’s hardly surprising that cybercriminals are starting to target people via text messages. Called smishing (SMS phishing), this tactic can be just as devastating as phishing. The main difference is that the scammers use text messages or messaging apps to contact targets. They may pose as your bank and request account verification, citing suspicious activity, or they might send a text requesting you to change your password. Either way, they’ll try to incite a sense of urgency, fear, or curiosity and encourage you to click on malicious links, open attachments containing malware, or reveal sensitive information.
If you’ve ever received a scam call, you’ve been the target of vishing, or voice phishing. This phishing method uses voice calls and voicemails to access sensitive information, but it’s not just individuals who are at risk. Vishing scammers have also turned their sights on businesses.
When targeting a business, a visher will likely put real people on the phone to manipulate you into providing financial account information, remote access to computers, company data, or private user information. Common vishing tactics to be wary of include messages regarding bank account fraud or suspicious activity, prize winnings, unpaid or overdue taxes, fake computer tech support requiring remote access to your device, and fake government agencies.
Vishers may use caller ID spoofing to ensure their phone calls appear to be from a local or legitimate source and increase the likelihood that you will pick up, and they may even try to record you saying things like “yes,” “no,” or a series of numbers so they can splice together authorization codes. Some vishers even use a delayed disconnect technique, meaning they’ll keep the connection open while you hear a faked dial tone. Then, when you try to call a legitimate bank, government, agency, or tech support contact, you will just end up speaking to another scammer.
Four Tips to Avoid Falling Victim to Attackers
To avoid becoming the victim of phishing and all the complications that come with it, you need to:
1. Stay Alert
Hubris is a dangerous thing. We tend to think phishing only happens to our less tech-savvy friends, but the truth is that it can happen to anyone. In fact, by being so confident we’ll never fall victim to phishing, we’re more likely to become victims!
After all, scammers are becoming more sophisticated by the day. Phishing scams aren’t as easy to spot as they used to be, especially if you’re overconfident and not even looking. It’s critical that you stay on top of the latest phishing techniques to avoid falling victim to one — and that you ensure all your organization’s users receive ongoing security awareness training that covers targeted attacks, like spear phishing, not just broad ones.
The key is to stay on your toes and never trust alarming messages, even if they appear to be from a legitimate source. Call companies directly to determine if you need to take action, and check your online accounts regularly to ensure nothing is happening behind your back. Avoid giving out sensitive information, and always check that a website’s URL starts with “https” or has a closed padlock icon before entering information or downloading files.
2. Don’t Click on Links, Attachments, or Pop-Ups
Whether you’re clearing out your email inbox or scrolling through your texts, don’t click on any links, especially if they’re from a stranger. Even if you know the sender, you need to be wary. They could have been hacked or their email could have been spoofed, so you should hover over any links to ensure clicking it will take you to the right place.
However, even this method isn’t foolproof, as some scammers set up URLs that look exactly like the real thing so they can steal your information or embed malware. That’s why navigating to a site using your search engine instead of clicking the link is best whenever possible.
You can’t let your guard down regarding attachments, either. Scammers have been known to use Word documents, Excel spreadsheets, PowerPoint slides, and PDF attachments to spread malware, so you should be extra careful here too. Never open attachments from suspicious emails no matter who the sender claims to be.
Similarly, pop-ups are often linked to malware and are usually quite sneaky. For example, a pop-up may display a “Close” button that will open another window or phishing site when you click on it. Avoid these deceptive buttons and search for an “x” in the top corner of your window.
Better yet, don’t even open emails from unknown senders without digging into the source. In that same vein, don’t answer calls from unknown numbers, as you may fall into a visher’s trap. Instead, let calls from unknown numbers head to your voicemail so you can investigate later.
3. Keep Everything Up to Date
Keeping everything current is one of your best defenses against phishing, smishing, and vishing attacks. Update your browser, use the latest security patches, check your antivirus software for updates, and stay on top of your software and operating systems.
You’ll also want to regularly rotate and update your passwords to prevent scammers from gaining access. One of the worst things you can do is use the same username and password across all your accounts. If a hacker accesses one account, all your accounts are compromised, so use different login credentials for each account.
4. Install Firewalls, Anti-Phishing Add-Ons, and Antivirus Software
Phishing is no joke, so you’ll want to have all the tools possible to defend yourself. You’ll want to use:
- Firewalls: Firewalls can serve as a shield between you and external attackers. Make sure to use desktop and network firewalls in tandem to minimize the chances of a phisher successfully infiltrating your network or computer.
- Anti-phishing add-ons: These days, most browsers have downloadable anti-phishing add-ons that can quickly identify malicious sites and alert you of known phishing sites. Plus, they’re usually free, so it’s definitely worth installing anti-phishing add-ons across your organization and on your personal devices.
Ad-blocker software: In a similar vein, many browsers are compatible with ad-blocker software that can automatically block malicious pop-ups.
Antivirus software: Antivirus software can help protect your organization from known threats and scams. As long as you keep your antivirus software up to date, every file that comes through the Internet to your computer will be scanned, giving your system an extra layer of protection.
Caller ID apps: While Android and iOS operating systems’ native caller ID has improved over the years, they still can’t cut it when it comes to spam calls and spoofed IDs. However, caller ID apps can automatically detect and block confirmed spam messages while allowing legitimate callers to connect.
Protect Your Organization From Bad Actors
When it comes to security, educating yourself and staying alert no matter how confident you are that you’ll never fall victim to an attack are some of the best things you can do to avoid phishing attacks. However, awareness can only get you so far. You’ll also want cybersecurity measures to prevent bad actors from getting through or at least to limit the damage if you do fall victim to a phishing scheme.
Turn-key Technologies, Inc. (TTI) is the best partner for implementing those security measures. We will not only help install cybersecurity measures, but we can also keep all your systems up to date with the latest updates and patches and even provide training to ensure you get the most out of your solutions and are as secure as possible. TTI’s team of experienced engineers ensure you’ll always be in excellent hands.
Contact us today to discover how TTI can help protect your organization!
By Sharon Carolan