Friday, August 11, 2023

PHISHING - A Major Threat to Business and to You

Phishing is a prime method that cyber criminals use to gain control of a computer system and gather information within that system, either to steal funds or to collect intelligence. Businesses and individuals are both susceptible to a phishing attack.

Cyber criminals will use social engineering to pose as a trustworthy friend, colleague, or organization through an email, a text, or sometimes a phone call. As with many scam techniques, the idea is to convince you to hand over money to the scammer, or to hand over information about yourself or your business that the scammer can use for their own benefit.

In a business context, cybercriminals will conduct Business Email Compromise (BEC) to target specific organizations, parts of an organization, and the individuals who are best placed to move funds to the cybercriminal or to provide sensitive information that is useful to the cybercriminal. The cybercriminal will employ a phishing campaign, malicious software, and an imposter domain to collect information that will allow them to move around in the organization’s computer system.

BEC operations often have two phases. Phase 1 amounts to latent unauthorized access where the cybercriminal monitors email, learns who is who in the organization, what they do, and their relationship with other parts of the organization. Often, the people who dispense funds and authorize dispensing funds are important to the cybercriminal. Phase 2 is the fraud phase where the cybercriminal uses the intelligence that he has gathered to craft a story to convince a key financial employee to move funds to a place of the cybercriminal’s choosing.

While many businesses and organizations are targeted by BEC attacks, businesses that contract with governments have proven popular because the bidding process is public.

Individuals can also be caught up in phishing scams. A Federal Trade Commission (FTC) study found that text messaging was a popular means of communicating for scammers in 2022, with a total of $330 million in losses to text scams reported to the FTC. The median reported loss was $1,000.

The 5 most popular text scams were:

· Copycat bank fraud prevention alerts.

· Bogus gift, reward, or prize offers.

· Fake package delivery problems.

· Phony job offers.

· Fake Amazon security alerts.

 

No matter the communication method (email, text, or phone), take a few seconds to evaluate the message.

 

· Check the address of the sender. For example, if the sender claims to be from Amazon, but the address is not an “amazon.com” address (for example, it is a Gmail or Outlook address), then there is something wrong.

· Scammers will try to create a sense of urgency to get you to act before thinking. If an email comes from your boss, call them separately to confirm the message is genuine. If the message is from an outside entity, contractor, financial institution, etc., contact them separately. The more serious the situation sounds, the greater the need to confirm that there really is a problem.

· If you are prompted to click a link, there is a chance that you will be led to a fake website or that malware will be downloaded onto your device. Carefully examine the link to ensure that it is genuine. Or better yet, don’t click on the link, but go to the website after a web search.

· If the message uses a generic greeting, it probably is a scam.

· If the message has spelling and grammatical errors, it probably is a scam.
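The checks above can also be run automatically as a first pass on a reported message. The script below is an added example, not part of the original post: the brand-to-domain table, the urgency and greeting word lists, the function names, and both sample messages are assumptions constructed for illustration, and it only handles single-part emails.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brands you care about, mapped to the domains they really send from.
BRAND_DOMAINS = {"amazon": {"amazon.com"}}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|act now)\b", re.I)
GENERIC = re.compile(r"^\s*dear (customer|user|sir|madam|account holder)\b", re.I | re.M)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def domain_matches(host, allowed):
    # Exact domain or a real subdomain only: 'amazon.com.evil.example' must not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def triage(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = msg.get_payload()  # assumes a single-part message
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not domain_matches(sender_host, allowed):
            findings.append(f"sender claims {brand} but address is @{sender_host}")
    if URGENCY.search(body):
        findings.append("urgent wording: confirm through a separate channel")
    if GENERIC.search(body):
        findings.append("generic greeting")
    for href, text in LINK.findall(body):
        target = (urlparse(href).hostname or "").lower()
        shown = HOSTLIKE.search(text)  # only compare when the link text names a host
        if shown and not domain_matches(target, {shown.group(1).lower()}):
            findings.append(f"link shows {shown.group(1).lower()} but opens {target}")
    return findings

# Constructed sample messages (not real mail).
PHISH = '''From: "Amazon Security" <amazon.alerts@gmail.com>

Dear customer,
Your account will be suspended within 24 hours. Act now:
<a href="http://amazon.com.account-verify.example/login">amazon.com/your-account</a>
'''
CLEAN = '''From: "Amazon" <order-update@amazon.com>

Hello Pat, your order has shipped.
<a href="https://www.amazon.com/orders">amazon.com/orders</a>
'''
if __name__ == "__main__": print(triage(PHISH), triage(CLEAN))
```

A message with no findings is not proven safe; the script only flags the warning signs listed above, and confirming through a separate channel still applies.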

 

 

 

Microsoft:

https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/breaking-down-business-email-compromise/

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/phishing-trends?view=o365-worldwide

 

Federal Trade Commission:

https://www.ftc.gov/news-events/news/press-releases/2023/06/new-ftc-data-analysis-shows-bank-impersonation-most-reported-text-message-scam

https://www.ftc.gov/news-events/data-visualizations/data-spotlight/2023/06/iykyk-top-text-scams-2022

https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams#:~:text=If%20you%20got%20a%20phishing%20email%20or%20text,the%20phishing%20attempt%20to%20the%20FTC%20at%20ReportFraud.ftc.gov

https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/phishing

 

Cybersecurity & Infrastructure Security Agency (CISA):

https://www.cisa.gov/sites/default/files/2023-02/phishing-infographic-508c.pdf

 

 
