Many of us have spent the past year trying to avoid COVID-themed cyberattacks while working from home. As employees start to return to their offices, phishers are deploying new tactics that specifically target them.
These new phishing scams are easy to fall for because the emails look like they come from a colleague, the HR department, or the CEO. They take the form of workplace health and safety updates, COVID-19 vaccine information, or other virus-related subjects that employees expect during their transition back into the office.
Phishing is still one of the most common types of cyberattacks because it’s a fairly low-effort way for cybercriminals to steal data or infect files and networks with ransomware or other malicious code. Our over-reliance on email makes it easy for phishers to use social engineering to trick users. Their goal is usually to convince the target to complete an action, such as opening an email attachment or clicking a link to a malicious website. Then, they use ransomware to reveal confidential company data like login credentials or corporate account numbers. Although email is the most common delivery method for phishing scams, it is far from the only way cybercriminals attack their victims. Other approaches include:
- Telephone calls
- Social media
- Mobile/messaging
- Pop-ups
- Infected apps
- Malvertising (i.e., ads that look legit but aren’t)
Common Phishing Vectors
Just as there are many ways for phishers to reach their targets, there are also multiple techniques used to lure victims in. For example:
Spray and Pray
The target receives an email “from” a legitimate source such as a well-known business or government agency. The scammer uses intimidation or urgency to convince the target to take action to resolve a problem, claim a prize, or similar. If the target completes the action, they may be prompted to enter account credentials, which the scammers then collect, or malicious code is embedded on the victim’s system.
Spear Phishing
Spear phishing takes a more personalized approach to stealing information. These attacks use the target’s real name, job title, company logo, and so on, so they appear trustworthy. This type of phishing most commonly occurs on social media sites, where it’s easy for the scammer to find the details needed to make the messaging sound authentic.
Whaling
Whaling is a phishing scam targeting CEOs or other high-level executives. A successful whaling attack essentially gives the scammer the keys to the castle. The CEO’s credentials can be used to generate emails authorizing fund transfers to the scammer’s account or to access sensitive employee data that can be sold on the dark web.
Vishing
Most people equate phishing with emails, but sometimes scammers take a more old-school approach and call their targets by telephone. Some vishers use VoIP software to spoof caller ID so the number seems legit, and others use intimidation to get the information they want from the target.
Smishing
Smishing is the text version of phishing in which the scammer sends a malicious link or attachment to the target via text message. Smishing is a growing threat for businesses, as more employees use their personal devices to access company files and applications.
Unfortunately, mobile security is overlooked in many protection strategies. This oversight broadens the organization’s attack surface and creates additional weaknesses in its security perimeter.
Red Flags That Can Help You Recognize Phishing Scams
Phishing emails used to be pretty easy to detect, thanks to poorly structured email layouts or sloppily written copy. Nowadays, cybercriminals are producing more sophisticated phishing scams that are easy to fall for if the target doesn’t know the red flags. Here are 10 of the most common “tells” that an email or text may not be what it seems:
- Invalid SSL certificate
- Nonsecure connection type
- Generic greeting or signature
- Spoofed hyperlinks and websites
- Poor spelling and grammar
- Poor formatting
- Suspicious attachments
- Low-resolution images
- Blank pages
- Discrepancies in email addresses “from” trusted senders, such as slight spelling differences, missing letters, or altered punctuation (e.g., underscore instead of a period)
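Two of the red flags above can be checked mechanically rather than by eye: sender addresses that are near-misses of a trusted domain (a swapped character, or an underscore where a period belongs), and hyperlinks whose visible text names one host while the href points somewhere else or is not served over HTTPS. The script below is an added example, not code from the original post or from IT Weapons; the trusted-domain list, the sample message and the two-edit lookalike threshold are assumptions chosen for the demonstration.

```python
"""Scan a raw email for sender-domain lookalikes and spoofed hyperlinks.

Added example (not from the original post). The trusted-domain list and
the sample message below are constructed for illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical set of domains this organisation treats as trusted senders.
TRUSTED_DOMAINS = {"example-corp.com", "hr.example-corp.com"}

# Visible anchor text that itself looks like a URL or host name.
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typos in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain_flags(from_header: str) -> list[str]:
    """Flag a From: domain that is close to, but not exactly, a trusted domain."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ["from: no parseable address"]
    if domain in TRUSTED_DOMAINS:
        return []
    flags = []
    normalised = domain.replace("_", ".")  # underscore used where a period belongs
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted:
            flags.append(f"from: punctuation altered vs {trusted} ({domain})")
        elif 0 < levenshtein(domain, trusted) <= 2:
            flags.append(f"from: lookalike of {trusted} ({domain})")
    return flags


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_flags(html_body: str) -> list[str]:
    """Flag links that are not HTTPS or whose shown host differs from the real host."""
    parser = _LinkCollector()
    parser.feed(html_body)
    flags = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme != "https":
            flags.append(f"link: not HTTPS ({href})")
        match = HOSTLIKE.match(text)
        shown = match.group(1).lower() if match else None
        real = (target.hostname or "").lower()
        if shown and shown != real:
            flags.append(f"link: text shows {shown} but points to {real}")
    return flags


def scan(raw_message: str) -> list[str]:
    """Run both checks over a single-part text/html message and return all flags."""
    msg = message_from_string(raw_message)
    flags = sender_domain_flags(msg.get("From", ""))
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return flags + link_flags(body)


# Constructed sample: a return-to-office lure with an underscore in the sender
# domain and a link whose visible text does not match its destination.
SAMPLE = """\
From: HR Team <hr@hr_example-corp.com>
To: staff@example-corp.com
Subject: Return-to-office health and safety update
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please confirm your vaccination status before returning to the office.</p>
<p><a href="http://portal-example-corp.co/login">https://portal.example-corp.com/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    for flag in scan(SAMPLE):
        print(flag)
```

Run against the constructed sample, the scan reports the altered punctuation in the sender domain, the non-HTTPS link, and the mismatch between the shown host and the real one. The same message with a genuine sender and a matching HTTPS link produces no flags, which is the useful property for a mail-gateway or mailbox-side check: it is quiet on legitimate traffic and loud on exactly the discrepancies the list above describes.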
How to Protect Against Phishing Attacks
A multilayered strategy is crucial to keeping your network systems and applications protected. When it comes to design, addressing the human component is one of the most important steps. With the proper training, your employees can transform from a weakness to your organization’s first line of defense.
Ultimately, phishing relies on human decision-making to gain access to a company. Arming employees with knowledge and best practices will prevent attacks from succeeding and minimize the need for damage control. Scheduling regular cyber security awareness training will teach employees tips and tricks to avoid becoming a victim of a phishing scam, including:
- Watch for red flags.
- Hover before you click.
- Install anti-phishing add-ons.
- Don’t enter personal information on an unsecured site.
- Change your password often or, better yet, get a password manager.
- Stay current on updates.
- Ignore pop-ups.
- Don’t give out info unless you are 100% sure who you are giving it to.
How IT Weapons Can Help
IT Weapons is an award-winning Canadian managed services provider with deep knowledge of cyber security best practices and threat mitigation techniques. The No. 1 goal of all IT Weapons partnerships is ensuring clients feel safe. With more than 20 years of information security experience, we have the knowledge and ability to detect, identify, and isolate suspicious activity before it causes harm. IT Weapons’ turnkey and advanced security services include advanced threat detection, next-generation email and network security, 24/7 security monitoring, and identity management solutions. To learn more about how IT Weapons can help secure your organization against known and unknown cyberthreats, take the Ransomware Readiness Assessment now.