How to Protect Your Company and Prevent Phishing Attacks


It should come as no surprise that it’s essential for you to take steps to protect your company’s data. This is true regardless of what industry you operate in, as there will always be someone who can benefit from compromising sensitive information. Phishing attacks are some of the most common ways hackers look to procure this data. But not everybody knows how they can protect themselves.

We’ve put together a comprehensive guide that details everything you need to know. Let’s get started.

What Exactly Is a Phishing Attack?

For those who are unfamiliar with this term, a phishing attack is a method that hackers use in order to compromise valuable information. More often than not, this can include financial data, login credentials, etc.

To make matters worse, it’s not always easy to recognize this malicious tactic. In fact, some individuals are entirely unaware that they have been a victim of a phishing attack until it’s too late.

The primary ways the hacker will get in touch with the victim are text message, email, or direct message on a social media platform. Once the hacker has made contact with the victim, they will likely send a fraudulent link or pose as someone the victim would trust.

In the event that the victim clicks on a fraudulent link, a handful of different outcomes could occur.

One of the most common is the victim being redirected to a false web form that aims to procure the credentials they type. In some cases, though, this link could install malicious software onto the victim’s computer.

Depending on the situation, the consequences could range from minor concern to catastrophic.

How Can I Recognize One?

The first step toward protecting your organization against a phishing attack is learning how to properly recognize one. Unfortunately, there are a handful of different varieties of phishing attacks that hackers use, and some are more difficult to discern than others.

Let’s take a look at a few of the most notable.

Spear Phishing

In many cases, phishing attacks take more of a shotgun approach in order to achieve the results the hacker desires. To elaborate, the main goal is to target the largest number of people possible in order to maximize the chances of somebody falling for the scam.

Spear phishing, on the other hand, uses a much more precise strategy. This type of phishing gets its name from the fact that the cybercriminal will add personal touches to the message in order to make it seem more legitimate.

This can include the victim’s name, phone number, the business that they work at, or other personal info. More often than not, this succeeds in getting the victim’s attention and makes them more susceptible to the scammer’s influence.

An example might involve a hacker sending a spoofed email to the victim that claims to be from an employee of a financial institution they use. The message could declare that they need the victim’s immediate feedback on a particular document and then provide a downloadable attachment.

As you might guess, this attachment is malware that activates when the victim downloads it.

Executive Fraud

At first glance, it doesn’t seem likely that executive fraud phishing attacks would work. During particularly stressful or fast-paced times, though, they can be highly effective.

To elaborate, let’s assume that nearly every employee at a particular company is working overtime for the remainder of the quarter. Internal emails are flying back and forth at a high rate every day.

Somewhere in the mix, a hacker slips an email to their victim that is disguised as being from the company’s CEO. The message conveys that the victim needs to provide certain financial documents in order to receive their overtime pay for the past few weeks.

When certain factors align, the victim might provide this information without thinking twice about it only to later discover the CEO never sent an email asking for these documents.

Vishing

Unlike conventional types of phishing attacks, vishing uses phone calls rather than emails or messages in order to take advantage of the victim. But this type of attack is quite different from the conventional scam call you might get.

Criminals who use vishing even go as far as spoofing the caller ID information that appears when the victim receives the call. With the right technology in place, it’s possible for a malicious actor to pose as virtually any individual or institution.

When the victim answers the phone, the scammer will also typically use a large amount of technical jargon in an attempt to convince the victim of their false identity. This is particularly true when scammers target people who work in the technology or healthcare sectors.

Occasionally, they may even mumble when posed with a direct question in hopes that the victim will simply accept the answer. In both scenarios, those who conduct vishing attacks are very aggressive on the phone and are likely to use fear as a motivator.

In the past, it wasn’t uncommon for people to receive phone calls declaring that their Social Security number was currently under investigation due to being associated with a federal crime. They are then asked to provide a certain amount of information in order to prove their identity, which the hacker then steals and uses for their own gain.

Cache Poisoning

Just like how hackers are able to spoof caller ID, they can also spoof the identity of an entire website. These scenarios are far more dangerous because it is often the individual themselves who is attempting to access the website.

In the case of receiving a phone call, the victim more than likely did not expect to receive a call asking for sensitive data.

Cache poisoning most often occurs when a hacker hijacks a DNS server and reconfigures it to return the hacker’s IP address as opposed to that of the site owner. For example, let’s assume that a cybercriminal managed to successfully hack the login page of Twitter and create a false version of this page that is accessed through a specific link.

When users interact with this false page, they might have their login credentials stolen if they enter them into the appropriate fields. Additionally, they might also inadvertently have malware installed on their computers.

Using the aforementioned Twitter example, you might receive an email that fraudulently poses as being from Twitter’s support team. In context, this message might say something like “our team flagged a recent post you made. Please review it here.”

It’s exceedingly unlikely for this scenario to occur if you type the address of the website into your browser on your own. So, keep this in mind when you receive a link from a suspicious source.

What Can I Do to Protect Myself?

Protecting yourself against phishing attacks might seem overwhelming. This is especially true given how many variants exist.

Fortunately, there are a handful of steps that you can take in order to protect your organization. Listed below are some of the most effective.

Be Vigilant When Reading Emails/Messages

One of the easiest ways to recognize a phishing attack that you encounter is through the presence of errors in the message. For example, there could be numerous misspellings, the message could be addressed to the wrong individual, etc.

Additionally, the message might ask for information that you don’t have access to.

To keep yourself as safe as possible, though, it’s highly recommended that you vigilantly read the messages you receive, even when they come from a trusted source. As previously mentioned, even a single mistake could have adverse consequences that can be difficult to recover from.

It’s also worth mentioning that you should keep an eye out for messages that you receive from foreign sources. Unless your organization frequently deals with international clients, there’s a large chance that these messages are attempting to procure valuable data from you.

Watch Out for Threats or Short Deadlines

Like we mentioned before, fear is an effective motivator in many scenarios. So, many phishing attacks will incorporate threats or quickly approaching deadlines in an attempt to scare people into providing their personal data.

In most cases, the deadlines imposed by a legitimate source will be fairly lenient.

For instance, the financial institution might give someone 30 days to take a particular action before the consequence occurs. They wouldn’t give somebody 24 hours to do so.

Similarly, a legitimate source would never use aggressive language that aims to instill fear into the victim.

Using the financial institution example, you won’t get a message from a bank telling you that, unless you take a certain action, it is about to immediately remove access to your accounts, freeze your funds, etc.

Things can get a bit complicated when a malicious actor poses as a representative of a government agency, though.

Consequences for not following government regulations are often harsh and even legitimate messages can seem threatening. If you are unsure, follow up with the institution the message claims to be from.

Generic Greetings

Messages that require you to take a specific action will almost always be addressed to you as an individual. So, they will often start with your name, title, etc.

If a message already seems suspicious and then you notice it begins with “dear lady,” there’s a strong chance that this is a phishing attack that has been sent to hundreds of thousands of people.

More often than not, a message that begins with a generic greeting will ask you to follow a link or download an attachment in order to learn more information about the reason behind the message.

Inconsistent Email Domains

This is an attribute of a phishing attack that many people tend to overlook. But it’s a notably common occurrence.

In practice, the malicious actor will send the victim a message under the guise of being from a legitimate source. However, the email domain that they use will not align with the institution they claim to be from.

To elaborate, let’s assume you receive a message from Apple claiming that your Apple ID has been compromised and that you need to immediately change your password. But, the email comes from an address called [email protected] and not the official source.

If you overlook this information, there’s a chance that you may believe the message and click the link they provide in order to change your password. Of course, this link will ask you for your login information, which will then be relayed to the hacker.

First-time senders

All senders are first-time senders at some point. But if you receive a message claiming to be from a familiar source that your email application marks as a first-time sender, this is a huge red flag that you need to consider.

More often than not, any email that has a link or attachment will be flagged if it is sent from an address you have never interacted with. Phishing attacks are relatively common, so receiving a message like this isn’t an abnormal occurrence.

What is out of the ordinary, however, is having a message flagged by your email platform even though it appears to be from a familiar source. Always be wary of this scenario so that you can avoid falling for online scams.
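A small triage script that ties together the three message-level checks described above (an email domain inconsistent with the brand the message invokes, a generic greeting, and a first-time sender carrying a link), added here as an example and not code from the original post. The brand-to-domain table, the known-sender address book and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: brands a message may invoke and the domain each
# legitimately sends from (an assumption, not a table from the original post).
BRAND_DOMAINS = {"apple": "apple.com", "twitter": "twitter.com"}
# Constructed address book: senders this mailbox has corresponded with before.
KNOWN_SENDERS = {"colleague@example.com", "noreply@apple.com"}
GENERIC_GREETINGS = ("dear lady", "dear sir", "dear customer", "dear user")

def domain_matches(sender_domain, expected):
    """True for the expected domain or a genuine subdomain of it: 'mail.apple.com'
    passes, 'apple.com.evil.example' and 'apple-id-verify.example' do not."""
    return sender_domain == expected or sender_domain.endswith("." + expected)

def message_text(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")

def triage(raw_message):
    """Return the red flags from the post that appear in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = addr.rpartition("@")[2]
    body = message_text(msg)
    lowered = (msg.get("Subject", "") + "\n" + body).lower()
    flags = []
    # Inconsistent email domain: the message invokes a brand the sender is not.
    for brand, expected in BRAND_DOMAINS.items():
        if brand in lowered and not domain_matches(sender_domain, expected):
            flags.append(f"mentions {brand} but was sent from {sender_domain}")
    # Generic greeting where a legitimate sender would use the recipient's name.
    if body.strip().lower().startswith(GENERIC_GREETINGS):
        flags.append("generic greeting")
    # First-time sender that also carries a link.
    if addr not in KNOWN_SENDERS and "http" in lowered:
        flags.append("first-time sender with a link")
    return flags

# Constructed sample: a lookalike-domain message of the kind the post describes.
PHISH = """From: Apple Support <security@apple-id-verify.example>
Subject: Your Apple ID has been compromised

Dear customer,
Change your password immediately: https://apple-id-verify.example/reset
"""
```

Running `triage(PHISH)` reports all three flags; the same message from `noreply@apple.com`, addressed by name and without a link, reports none.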

Preventing Phishing Attacks Is Essential

This is an obligation that simply can’t be ignored.

Fortunately, the above information will ensure that you will be able to efficiently prevent phishing attacks and protect your company’s sensitive information.

Want to learn more about what Be Structured has to offer? Feel free to reach out to us today and see how we can help.

About Chad Lauterbach

CEO at Be Structured Technology Group, Inc., a Los Angeles-based provider of Managed IT Services for small businesses. I desire to help small businesses better utilize technology by assisting in high-level planning to make sure that new systems will benefit them both operationally and financially. I am careful to implement and support systems using industry best practices.