Did you know… In 2015, there were 1,966,324 registered notifications about attempted malware infections that aimed to steal money via online access to bank accounts. In 2013 there were over 3 there were at least 72,758 phishing attacks worldwide!
Social engineering and phishing scams come in many different forms (infinite forms, really, as attackers are constantly coming up with new ways to trick victims). One flavor of attack has become increasingly popular because it is so effective: Business Email Compromise (BEC). In 2015 alone, BEC attacks cost companies over $1.2 billion. BEC attacks all have these phases:
The IRS has just issued an alert about a specific type of phishing scam affecting payroll and HR professionals. (What is a phishing scam? Learn the basics from our guide). Most recently seen in a very high-profile breach over at Snapchat, this attack takes advantage of team members who have access to payroll or W-2 data on employees.
Social engineering attacks are constantly on the rise and becoming increasingly sophisticated (What is social engineering? Check out our blog post on the basics.). These attacks prey on our innate human desire to help others. It really sucks that so many attackers are ready to take a positive quality and use it for malicious purposes, but it happens all the time. So we want to help prepare you!
If you are a LastPass user, make sure you know how to avoid a newly discovered phishing attack type that can target LastPass users. This is one of those phishing examples that is a little different than most: the attack doesn't actually involve an email, which is what most people associate with a phishing attack. (What is a phishing scam? Find out from our basics guide). Phishing is essentially an attacker trying to trick a user into giving away information that they normally wouldn't via the web (social engineering is another method of doing this but requires human interaction, usually over the phone).
We've talked about phishing plenty of times in the past (What is a phishing scam? Check out our basics guide for a refresher!), but we always like to highlight phishing examples to give people an idea of just how creative the bad guys can be.
The holidays always bring out the best and worst in people. They spark a joyous and giving spirit among most people. Unfortunately, this spirit is what brings out the attackers and scammers. They are always ready and willing to prey on the good intentions of others. As you are doing your holiday shopping or giving back, keep in mind the methods they use and protect yourselves using our tips below. Just remember that the holiday season always sees an increase in scams over social media, phone and email, so treat everything with caution.
We all know by now how easy it is for attackers to target us using email. There are two major attack types that happen over email: 1) an attacker tries to get malware (for a non-techie breakdown of the types of malware, check out our infographic) on your machine, or 2) an attacker tries to get your personal information. These types of emails are typically known as phishing emails (what is a phishing email? Find out with our detailed post). Check out our infographic on email security tips below for the major rules you should follow when using email. You might even want to print a copy of the graphic to keep next to your computer as a reminder!
An attack known as CEO Fraud is seeing an uptick as a new favorite for attackers. These attacks are a very specific type of phishing attack where the email is very well crafted to look like it is coming from the CEO (or another high-level executive) from within your own company. The gist of these emails is typically along the lines of “I need to move some money around, can you provide me with the account numbers for X, Y, Z?” These attacks are often very well crafted and may even be well-planned enough to use language that is typical of your CEO in email communications, and they may be very difficult to distinguish from a real email from the CEO.
How prevalent is it?
The IC3 reports that in 2014 business email compromises accounted for more than $214 million in losses for victims. Just this week, Ubiquiti Networks reported a loss of over $46 million from an attack of this type. And that’s just the tip of the iceberg. There are endless stories of scams like these wreaking havoc on businesses. The moral of the story: no matter how big or small, start preparing your business now.
How can you protect your business?
Get ahead of it! Send a company-wide communication to your team warning them of what to look out for. If people are prepared, it is much easier for them to recognize an attack (and not fall victim to it).
Educate your people. I know we sound like broken records over here, but education is key to protecting your people and your company. Invest in an education and awareness program sooner rather than later. Find out why we want you to create an education and awareness program rather than a training and awareness program.
Lay down policies and create methods for reporting possible attacks. Lay down what is and isn’t acceptable at your company (i.e. financial account numbers should not be shared via email) and communicate those to your employees. Now give your people clear procedures for reporting those fishy emails so your company can stay on top of what’s happening.
Partners Healthcare System, a Boston-based integrated health delivery network which operates several hospitals, is one of the latest of many healthcare organizations hit by a data breach attributed to a phishing attack (What’s phishing? Check out our blog post to learn about it!). The organization now has to notify 3,300 individuals that their protected health information may have been compromised by a phishing attack late in 2014.