Phishing has become one of the fastest-growing threats to company IT systems. And the sophistication of these criminal practices is increasing every single year.
It has come to a stage where email is no longer the only place where criminals attempt to commit identity theft, and that has opened the door to an increase in successful hacking attempts.
Mobile users are now starting to see a lot of SMS phishing scams (aka smishing attacks), and that makes companies more vulnerable than they have been in a long time.
But let’s start with some phishing basics.
WHAT IS A PHISHING SCAM?
Anyone with an email account has quite probably received an email that attempts to obtain private and sensitive information, either by getting you to log in to something fake or by getting you to click on something malicious.
This type of email is called a phishing scam.
Phishing scams can be as obvious as a Nigerian prince asking for cash, but they may also be rather deceptive. They can look like they come from your lender (or another account that you know and trust), asking you to click on a link to reset your password.
Some could seem like an advertisement for an extremely appealing product. They can also look like an appeal for the latest hurricane victims. In recent years, these attempts have become more sophisticated than ever.
The Nigerian princes are still out there; however, scammers are creating increasingly persuasive emails that look as though they come from sources that you know and trust, such as your bank, your friend, or perhaps your own workplace or boss.
To be secure, it’s important to be one-hundred percent certain the sender is genuine before clicking a link and following through with whatever the email is asking you to do.
PHISHING SCAM CHECKLIST
If you think a phishing scam might have landed in your inbox, or you simply want to know how to spot one when you see it, look for the phishing scam signs in our email checklist below:
Ask yourself, “Were you expecting this email?” If the email is asking you to reset your password and you did not initiate that request, be cautious.
Check the “from address” to make sure it looks familiar and/or legitimate.
Is the email personalized to you? “Dear User” is an indication this could be a scam.
Does the email footer match the footer that typically comes from the sender?
Does the “from address” match up with the email sender?
Check for unusually poor grammar, spelling, and punctuation. Often, this can be a sign of malicious intent.
Does the email ask you to respond with personal information? You should never send passwords, credit card numbers, or social security numbers through an unsecured email.
Hover over any linked text. Does the link address look legitimate?
HIGH-PROFILE PHISHING ATTACKS
Barbara Corcoran became a victim of a phishing attack, and the story should be a big warning sign for everyone.
WHO IS BARBARA CORCORAN?
Barbara Corcoran is one of the hugely successful Sharks on ABC’s hit television show, Shark Tank. Shark Tank has been on the air since 2009, with Corcoran being one of the original Sharks.
She is still on the show today and is known for making deals with entrepreneurs she feels have the “it factor.” But Barbara Corcoran was successful in her own right long before she joined this popular television show.
She started her career as a waitress but had aspirations to become her own boss. While working as a receptionist for a New York real estate company, she formed her first real estate company.
This was the start of The Corcoran Group, which she eventually sold in 2001 for $66 million.
WHAT EXACTLY HAPPENED?
“Shark Tank” star and real estate mogul Barbara Corcoran disclosed that she was scammed out of nearly $400,000 after scammers maliciously tricked her bookkeeper by sending an invoice that appeared to come from one of her assistants.
She learned her lesson: “Be careful when you wire money,” Corcoran tweeted after the incident. She confirmed to news outlets that she sent $388,000 to a fake bank account located in Asia.
So how did such a savvy businesswoman and successful entrepreneur get tricked? The same way that many firms have lost $26 billion via email wire fraud since 2016, according to the FBI.
Corcoran said that her bookkeeper Christina received what seemed to be a routine invoice from Corcoran’s assistant Emily to approve a $388,700 payment to a company in Germany named FFH Concept.
The bookkeeper responded, asking, “What is this? Need to understand what account to pay out of.” The cybercriminal, pretending to be Emily, was able to provide a credible, comprehensive answer that FFH was designing German real estate that Corcoran had invested in.
Corcoran does invest in property, and FFH is a legitimate business in Germany. But that is about where the truth ends.
As it turned out, Emily had never sent the bill; the bogus bill came from an email address that closely matched hers but was missing an “O.” Corcoran’s team didn’t realize something was off about the “from” address until after the money was transferred.
Corcoran does not place blame on her bookkeeper for getting duped by the tricky scam. “When she showed me the emails that went back and forth using the false address, I understood immediately it is something I would have fallen for if I’d seen the exact same emails,” Corcoran said.
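The lookalike address in this story, and the “from address” items in the checklist above, are things a mail filter can test for. The following is an added example, not part of the original article: a Python check that compares a From header against a list of known contacts. The addresses, names, and the two-character threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed list of contacts allowed to request payments (assumption).
KNOWN_SENDERS = {
    "emily@corcoran.example": "Emily",
    "christina@corcoran.example": "Christina",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Return 'known', 'lookalike', 'name-mismatch' or 'unknown'."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in KNOWN_SENDERS:
        return "known"
    # One or two characters away from a trusted address: likely impersonation.
    for trusted in KNOWN_SENDERS:
        if 0 < edit_distance(addr, trusted) <= max_distance:
            return "lookalike"
    # A trusted contact's display name on an unrelated address.
    names = {name.lower() for name in KNOWN_SENDERS.values()}
    if display.strip().lower() in names:
        return "name-mismatch"
    return "unknown"

# Constructed From headers; the second drops one "o" from the domain.
SAMPLES = [
    "Emily <emily@corcoran.example>",
    "Emily <emily@corcran.example>",
    "Emily <billing@freemail.example>",
    "Newsletter <news@shop.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):14} {header}")
```

A “lookalike” or “name-mismatch” result on a payment request is a reason to confirm the request with the sender by phone before any money moves.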
HOW COMMON ARE PHISHING SCAMS?
According to the FBI, more than 100,000 individuals report being a victim of this type of scam every year.
We usually warn that small businesses are a prime target, as scammers think that they will not have security measures as strong in place. But as you can see in the case of Barbara Corcoran, no one is safe from phishing attacks, whether you are a small business owner or a multi-millionaire.
WHAT TO DO IF YOUR BUSINESS IS SCAMMED
If you think a phishing scam has victimized you, then begin by reporting it to your own email security service provider or IT company. You want to make sure they know what happened immediately.
The quicker you alert them, the quicker they can spring into action to help prevent further damage. It may look as though you only accidentally gave away personal data, but scammers may well have managed to download malicious applications to your PC.
Next, if the scam has been impersonating an organization that you trust, it is good to let the company know that somebody has been imitating them with malicious intent. This could help prevent others from falling victim to the same scam as you.
Even though scammers have gotten more sophisticated than ever, you can still protect yourself by taking a few straightforward precautions and learning the signs.
If you and your team look for these signs of phishing attacks in our phishing email checklist, you will be able to protect yourself from a costly scam such as what happened to one of America’s favorite Sharks.
THE LATEST HACKING TREND: SMS PHISHING ATTACKS OR “SMISHING ATTACKS”
Hackers and cybercriminals are always on the lookout for new ways to steal your information through ransomware and phishing attacks.
They need to constantly evolve their game in order to get past the email security systems around your technology, as well as people who are getting better at reacting to such attempts.
Many of the tricks they use now only work if you open a message or click on a link you shouldn’t. To get past a strong security presence, a hacker needs to be exceptionally skilled, and most just don’t have this kind of capability.
That doesn’t stop them from trying phishing techniques that are easy to avoid yet still possible to fall for.
One of the latest hacking trends is known as Smishing attacks or SMS phishing.
What exactly is smishing, and how can it possibly affect you? Here’s what you need to know about SMS phishing/smishing as well as how to avoid it.
WHAT IS SMS PHISHING OR SMISHING?
Most forms of phishing involve someone sending you a message that requests some kind of information. It’s straight to the point and doesn’t try to skip around. It will directly ask for account information, login credentials, credit card numbers, and so on.
It’s very much like a phishing email designed to look like a message from Apple, Netflix, your credit card company, or anything else that’s official.
The most successful phishing emails are designed to look like an official email, using the same font, adding images, and perfectly copying what the real companies would include in emailed correspondence.
The big difference is the source address it is sent from. The same is true of smishing: the messages arrive as text messages asking for information or asking you to click on a malicious link.
It might be a basic text message or an image and link within the message. With an email, you can look directly at the sender’s email address and know for sure it is fake; that is a bit more difficult with smishing attacks through malicious text messages.
It comes from a phone number that you might not know unless you Google search the number. It will likely tell you it’s coming from Visa, Target, or Verizon. The text may also look official, so it is easy enough to be tricked into selecting the link provided and ending up on a fake website.
Before clicking any link sent to you in scam text messages, you need to do what you can to identify the sender.
HOW TO SPOT THE SENDER
First, if your mobile service provider has any kind of text message filter, make sure to activate it. This will block out most spam text messages. Some will work better than others. Apple is, for the most part, okay at this.
Pure Android, such as on Google Pixel phones, is also good at this. But it can be hit and miss.
But SMS phishing text messages, even when your filter is activated, can find their way through.
So how do you know when a message is fake?
First, look at the phone number. Does it actually look like a phone number, or is the number too short? If it doesn’t look like a real phone number, it probably isn’t legitimate, and you could be on your way to identity theft if you continue.
Next, most companies are going to call you. If there’s a problem with your Visa credit card, you’re not going to receive a text message from them. It’s going to be via a call. Very few official companies will actually message you, and almost nobody will ask for personal information via text. So keep this in mind.
Finally, if it is a real phone number and it feels like a real message, but still you’ve never received any kind of message from the number before, you can always Google the number (in fact, you should).
Copy the number, then paste it into your mobile search engine. You’ll know almost right away whether it is a fake number or if it is real. If it is fake, make sure to go back to your text message and mark it as “phishing spam.”
This will block the number from ever contacting you again, and it will report the number. While it will never fully stop these kinds of SMS messages, it will prevent this particular number from reaching you again through smishing attacks.
VIRUS PROTECTION FOR YOUR PHONE
Yes, you need to have virus protection for your phone. As you now likely use your mobile devices more than you do your computer, you’re more likely to get hacked via your smartphone than with a computer.
To prevent this from happening and putting sensitive information at risk, you need to have the same kind of virus protection you have installed on your computer. But which one is right for you?
That’s where our team here at Charlotte IT Solutions can help. We’ll work with you and your staff to make sure the right software is installed based on your usage, the phones you use, and the kind of mobile operating system you are using in order to protect your sensitive information, especially login credentials.
KNOWLEDGE IS POWER IN PROTECTING YOUR BUSINESS
Your company’s Internet security is only as good as its weakest link. This is why you need to do what you can to educate your staff so they know how to avoid these kinds of SMS phishing attacks.
If your employees have company phones, a hack on the phone may result in the ability to infiltrate your company’s network. This is just as bad as making it through the computer system (in fact, it is often easier to hack a network via a smartphone as smartphones do not always have the same kind of protective firewalls in place).
Beyond educating your staff, though, you do need to do what you can to protect your entire network, data servers, computers, sensitive information, and all other technology you use that’s connected to the Internet.
The best way to do this is with the help of a dedicated IT service provider and IT security expert, such as our team here at Charlotte IT Solutions. Big or small, old or young, it doesn’t matter what kind of business you own, we’re here to help.
So give us a call or send us an email today, and we can arrange a free consultation.