Phishing is a prime method that cyber criminals use to gain control of a computer system and gather information within that system to steal funds or to conduct intelligence. Businesses and individuals are both susceptible to a phishing attack.
Cyber criminals use social engineering to pose as a trustworthy friend, colleague, or organization through an email, text, or sometimes a phone call. Like many scam techniques, the idea is to convince you to hand over money to the scammer, or to hand over information about yourself or your business that the scammer can use for their own benefit.
In a business context, cybercriminals will conduct Business Email Compromise (BEC) to target specific organizations, parts of an organization, and individuals who will best move funds to the cybercriminal or provide sensitive information that is useful to the cybercriminal. The cybercriminal will employ a phishing campaign, malicious software, and an imposter domain to collect information that will allow them to move around in the organization’s computer system.
BEC operations often have two phases. Phase 1 amounts to latent unauthorized access where the cybercriminal monitors email, learns who is who in the organization, what they do, and their relationship with other parts of the organization. Often, the people who dispense funds and authorize dispensing funds are important to the cybercriminal. Phase 2 is the fraud phase where the cybercriminal uses the intelligence that he has gathered to craft a story to convince a key financial employee to move funds to a place of the cybercriminal’s choosing.
While many businesses and organizations are targeted by BEC attacks, businesses that contract with governments have proven popular because the bidding process is public.
Individuals can also be caught up in phishing scams. A Federal Trade Commission (FTC) study found that text messaging was a popular means of communication for scammers in 2022, with a total of $330 million in losses to text scams reported to the FTC. The median reported loss was $1,000.
The 5 most popular text scams were:
· Copycat bank fraud prevention alerts.
· Bogus gift, reward, or prize offers.
· Fake package delivery problems.
· Phony job offers.
· Fake Amazon security alerts.
· Check the address of the sender. For example, if the sender claims to be from Amazon but the address is not an “amazon.com” address (a gmail.com or outlook.com address, for instance), then something is wrong.
· Scammers will try to create a sense of urgency to get you to act before thinking. If an email comes from your boss, call them separately to confirm the message is genuine. If the message is from an outside entity (contractor, financial institution, etc.), contact them separately. The more serious the situation sounds, the greater the need to confirm that there really is a problem.
· If you are prompted to click a link, there is a chance that you will be led to a fake website or that malware will be downloaded onto your device. Carefully examine the link to ensure that it is genuine. Or better yet, don’t click the link; find the website through a web search and go there directly.
· If the message uses a generic greeting, it probably is a scam.
· If the message has spelling and grammatical errors, it probably is a scam.
Microsoft:
Federal Trade Commission:
https://www.ftc.gov/news-events/data-visualizations/data-spotlight/2023/06/iykyk-top-text-scams-2022
https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/phishing
Cybersecurity & Infrastructure Security Agency (CISA):
https://www.cisa.gov/sites/default/files/2023-02/phishing-infographic-508c.pdf