Cybersecurity: Phishing Scams

Our post last week discussed cyber-attacks and the dangers to SMEs. We specifically stressed the importance of adequate training, since in its absence employees may inadvertently compromise their organization’s security systems. This week’s post builds on this idea through a discussion of phishing attacks.

Phishing attacks attempt to steal sensitive information and data through emails, websites, school text messages and other forms of electronic communication. Attackers use social engineering to imitate trusted applications and appear legitimate, deceiving the unsuspecting.

Cybercriminals usually attempt to steal usernames, passwords, credit card information, bank account details and other credentials. They use stolen information for malicious purposes, such as hacking, identity theft, and fraud.

If you feel you have been a victim of a phishing attack:

  1. Contact your IT admin if you are on a work computer.
  2. Change all passwords associated with the accounts.
  3. Report any fraudulent activity to your bank and credit card companies.

How phishing works

Phishing attacks are scams that attempt to use social engineering to bait or lure individuals to divulge sensitive information.

A simple but sophisticated tactic is the use of PDFs in deceitful email scams. This socially engineered scam sends an email that appears to come from a real company, with a PDF attachment described as password protected for your safety. The only way to open the document and see its contents is to re-enter your email credentials. This gives the attacker your email credentials, thereby risking access to other personal information.

Phishing trends and techniques

 

Payment/Delivery Scam

This describes when a person is asked to provide their credit card details or other pertinent personal data for the purposes of updating their information with commonly known vendors or suppliers. This is especially troubling since these scams use the names of well-known companies that the person is more likely to be familiar with. A person’s prior knowledge of the company lures them into a false sense of security. Generally speaking, a person will likely have done business with the specific company in the past. However, most are not aware of any recent purchases. Information updates are normally requested so that the attacker can steal your personal information. It is critical to be aware of these scams and to stay vigilant.

Tax-themed phishing scams

A common CRA phishing scam is an urgent email indicating that you owe money to the CRA. These emails often threaten legal action if you do not access the site in a timely manner and pay the identified balance owed on your taxes. Once you access the site, attackers steal personal credit card and banking information in addition to receiving the requested sum. These emails use the names of legitimate governing bodies and regulatory institutions to evoke fear. This unfortunately works all too often, as people feel compelled to rectify any apparent concerns with the CRA regardless of their legitimacy.

Downloads

This describes when an attacker sends a fraudulent email urging a person to open or download a document that requires their email credentials for access. 

How to protect against phishing attacks

These kinds of attacks are designed to take advantage of a user’s possible lapse in decision-making, whether the request for personal information comes through email, unknown websites, or over the phone.

Software solutions for organizations

  • Microsoft Edge and Windows Defender Application Guard offer protection from the increasing threat of targeted attacks. If a browsed website is deemed untrusted, it will isolate that device from the rest of your network, preventing access to your company’s data.
  • Microsoft Exchange Online Protection (EOP) offers business-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. It can control different kinds of spam filtering, such as bulk mail controls and international spam, which will further enhance your protection services.
  • Office 365 Advanced Threat Protection (ATP) helps protect your email, files, and online storage against malware. It offers full protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. It protects against unsafe attachments and provides additional protection against malicious links.

Other Types of Email Attacks

This post is focused on phishing attacks and the personal and professional difficulties that may arise from these incidents. It is important to note that phishing attacks represent a single category of cyber-attacks. Future posts will further explore other types of cyber-attacks like email spam and viruses.
