Cyber criminals are always trying to improve their schemes to trick careless users into clicking on a link that will download malware, and one of their favorite techniques is a phishing attack.
Net-Security has the details on a new phishing scheme that sends emails disguised to look like messages from Facebook. This particular scam tells users their Facebook account has been temporarily disabled. The attachment in the email contains ransomware, which encrypts the user's data until they pay a ransom (usually somewhere between a few hundred and a few thousand dollars).
These schemes aren't very sophisticated, but phishing attacks can be effective because it only takes one mistake from an employee to infect your client's network with malware. Because phishing attacks target individual users, your clients need to teach their employees what a phishing email looks like and how to avoid them.
So let's get down to brass tacks and explore…
- How to spot a phishing email.
- What makes phishing emails so dangerous for small and large businesses.
Preventing Data Breaches: How to Spot a Phishing Email
The good news about phishing attacks is that they're often relatively easy to spot. Some telltale signs are…
- Bad grammar.
- Email addresses that are close to the right domain, but aren't exact (e.g., the Facebook scam used the address noreply@mail.fb.com).
- Slightly "off" header designs, logos, and graphics.
- Urgent calls for action in the header.
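The second sign on that list, a sender domain that is close to the real one but not exact, is the one a mail filter or an employee training exercise can check mechanically. The Python below is an added example written for this post, not code from the original article or from any vendor it mentions: it parses the From: header of a message, reduces the sender address to its registered domain (so noreply@mail.fb.com becomes fb.com), and flags the message when it claims a brand by name or by a near-miss spelling but does not come from one of that brand's known sending domains. The brand allow-list, the similarity threshold, and every sample message are constructed assumptions for the example.

```python
"""Flag look-alike sender domains in a message's From: header.

Added example; the brand list, threshold and samples are constructed.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: brands a client deals with and the registered domains
# that legitimately send mail for them.  Tune this per client.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
    "paypal": {"paypal.com"},
}

# How similar (0..1) a sender domain must be to a legitimate one before it
# counts as a typo-squat.  Hand-picked for this example, not a standard value.
SIMILARITY_THRESHOLD = 0.8


def registered_domain(addr: str) -> str:
    """Return the last two labels of the domain in an e-mail address, lower-cased.

    'noreply@mail.fb.com' -> 'fb.com'.  Simplification: multi-label public
    suffixes such as co.uk are not handled; use a public-suffix list for real use.
    """
    _, email_addr = parseaddr(addr)
    if "@" not in email_addr:
        return ""
    host = email_addr.rsplit("@", 1)[1].lower().rstrip(".")
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def check_sender(raw_message: str) -> tuple[str, str]:
    """Classify the From: header of one RFC 822 message.

    Returns (verdict, reason) where verdict is one of:
      'ok'        - registered domain is a known sending domain for the brand
      'lookalike' - message claims a brand but comes from some other domain
      'unknown'   - no known brand is referenced; the check has no opinion
    """
    msg = message_from_string(raw_message)
    from_hdr = msg.get("From", "")
    display, email_addr = parseaddr(from_hdr)
    dom = registered_domain(from_hdr)
    if not dom:
        return ("unknown", "no parseable sender address")

    claimed_text = f"{display} {email_addr}".lower()
    for brand, legit_domains in BRAND_DOMAINS.items():
        if dom in legit_domains:
            return ("ok", f"{dom} is a known {brand} sending domain")
        # Does the message claim this brand?  Either the brand name appears in
        # the display name or address, or the domain is a near-miss of a real one.
        name_claim = brand in claimed_text
        near_miss = max(
            SequenceMatcher(None, dom, real).ratio() for real in legit_domains
        ) >= SIMILARITY_THRESHOLD
        if name_claim or near_miss:
            return ("lookalike", f"claims {brand} but registered domain is {dom}")
    return ("unknown", f"{dom} does not reference a known brand")


if __name__ == "__main__":
    # Constructed sample headers; the first mirrors the scam described in the post.
    samples = [
        "From: Facebook <noreply@mail.fb.com>\nSubject: Account temporarily disabled\n\n",
        "From: Facebook <notification@facebookmail.com>\n\n",
        'From: "PayPal" <service@paypal.com.verify-login.example>\n\n',
        "From: Security Team <security@faceb00k.com>\n\n",
        "From: Alice <alice@example.org>\n\n",
    ]
    for raw in samples:
        verdict, reason = check_sender(raw)
        print(f"{verdict:9s} {reason}")
```

The check catches the three common tricks: a different registered domain under a brand-name display (fb.com), the brand name buried in a subdomain of an unrelated domain (paypal.com.verify-login.example), and a character-substitution typo-squat (faceb00k.com). It cannot catch a From: header that is forged to the exact legitimate domain; that is what SPF, DKIM and DMARC verification on the receiving mail server are for, and the two controls belong together.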
A phishing attack that uses poor grammar and bad graphics is fairly easy to spot, but as we reported in "Re: Your Recent Spear Phishing Attack," hackers may be improving their techniques. Studies show that hackers have increased the number of small, targeted phishing attacks, often sending emails disguised to look like they come from financial vendors that a small-business owner actually uses.
These emails have also been disguised to look like package tracking information (see our write-up "Give the Gift of Spam Awareness This Holiday Season"), bank alerts, software updates, and correspondence from a payroll-processing company.
Why Your Clients Need to Be Prepared for Phishing Attacks
You may be wondering why you should train your clients on phishing emails. Won't their spam filters catch these fraudulent messages? Well, yes and no.
A DomainCite article explains that new phishing domains doubled from 2012 to 2013. Hackers are always reinventing these basic techniques, using new malware and domain names that will sneak past spam filters and antivirus software.
Furthermore, hackers are smart to use phishing attacks because the modern workplace is susceptible to them. Consider the following:
- With more BYOD workplaces and company data stored on personal devices, there are simply more ways for hackers to access their targets.
- Regardless of how sophisticated our technology becomes, human error is still a leading cause of data breaches.
For these reasons, hackers often use phishing attacks as a foothold that allows them to scale your client's defenses and break into their data. In fact, Target and Home Depot's data breaches can each be traced back to simple phishing attacks on their systems or their vendors'. Even companies with million-dollar data security systems can be exposed by simple user errors.
The takeaway: your clients should invest in data security software, but employee education is an invaluable part of preventing data breaches. To learn more about educating your clients, check out TechInsurance's Customer Education Kit, a free resource you can distribute to clients to teach them about their data security.