31 Aug
It’s Time For a Phishing Refresher
Phishing messages and social engineering campaigns remain a dominant force in the cybersecurity world. Time and time again, we discuss their dangers: how a precisely crafted message can bypass extensive defense mechanisms and steal administrator credentials, and how, with just a little clever messaging, malicious actors can deploy malware and ransomware, steal valuable information, and even sell the collected data to other hacker teams on darkweb markets.
Thus, it’s important to prepare ourselves for phishing and social engineering. Cybersecurity defense can feel like a slowly losing battle, as threat actors continuously adjust their operations, tactics, and arsenal on a daily basis. They’re not constrained by budgets or staff limitations, and they don’t worry about government oversight or regulations (barring federal charges for cybercrime). With reduced budgets, fewer cybersecurity experts available, and a growing reliance on automated solutions over human-driven defense, the fight for a secure net is, arguably, a losing one.
However, while dismantling hacking networks and eradicating malware are unrealistic goals in the short term, understanding one of the most effective attack strategies is practical. Given the success rate of phishing, it’s worth reviewing, refreshing, and understanding how phishing emails, messages, and SMS attacks work.
What do hackers want?
To better protect yourself, your business, organization, and/or network from phishing, it helps to know what hackers want. When you can get a feel for a message’s motive, you can better judge whether or not it’s a phishing scam.
Some key things to remember: hackers are out to gain something, primarily account credentials. The goal is access to something valuable, be it email, administrator control, passwords, or anything else that grants them leverage. Ultimately, they are after data, and all data is valuable. Data can be stolen or ransomed. It can be bundled into packages for sale on darkweb markets, expanding the problem.
By knowing what they target, you can better look out for the warning signs of phishing schemes.
Phishing is social deception
The danger of phishing is the ability to deceive, dupe, and otherwise trick a recipient. The techniques used for this attempted deception vary. They can rely on trusted sources, like coworkers or friends, to send “urgent messages.” They might create “official” messages from well-known brands with doctored graphics and media.
The purpose is to create a sense of unverified trust with the user. If you receive a message from what appears to be a recognizable brand, trusted friend, or even a coworker, you are more likely to engage with the email. That is where the malicious actor(s) plant the second trap: an urgent call to action.
The idea is to trick the recipient into engaging with the phishing email by clicking on a link, typically to expose password credentials or personal information. In other cases, the email might ask for an “emergency donation” or something related to finances (for example, a ‘family member’ whose contact information has been compromised claims an emergency has happened and needs money).
In other instances, the message may claim to have special offers for the recipient, such as government refunds, coupons, or other deals. And finally, a common phishing tactic is claiming the recipient is behind on a payment, has a delinquent account, or has an account that has been “compromised,” inciting a need for immediate action to resolve the problem.
It’s worth noting that phishing scams are not limited to email. Malicious actors also employ smishing (SMS text scams) and even vishing (voicemail phishing scams). However, they all follow a similar pattern, hoping to prey on emotional triggers (fear, anxiety, anger) to provoke a careless response. Moreover, with doctored images and messages, anyone can be deceived if they’re not paying careful attention to a dangerous message.
Identifying these red flags can tip you off that you’re looking at a phishing message. And remember, a legitimate business will never ask for your password or credentials, or ask you to resolve a problem via a link in a message.
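As an added example (not code from the original post or from Bytagig), the following Python script scores a raw email for the red flags discussed above: a trusted brand or role in the display name that arrives from an unrelated sender domain, urgency language, requests for credentials or money, and a link whose visible text names a different host than its real target. The two sample messages, the KNOWN_SENDERS mapping, and the keyword lists are constructed for illustration; the script is a defender's triage aid, not a replacement for mail-gateway filtering.

```python
"""Heuristic phishing red-flag scorer (added example; sample data is constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Brands / roles that, when named in the display name, should come from these domains.
# Constructed mapping for the example; a real deployment would load its own list.
KNOWN_SENDERS = {
    "examplebank": {"examplebank.com"},
    "it help desk": {"corp.example"},
}

# Pressure language: urgency, "account compromised", overdue payment.
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account (has been )?(suspended|compromised|locked)|"
    r"delinquent|overdue|final notice|act now|verify your (account|password))\b",
    re.I,
)
# Asks for secrets or money.
CREDENTIAL_ASK = re.compile(
    r"\b(password|login|credentials|ssn|social security|wire|gift card)\b", re.I
)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Host part of a URL; bare 'host/path' text without a scheme is accepted too."""
    m = re.match(r"(?:https?://)?([^/:?#\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def score_message(raw):
    """Return (score, reasons) for a raw RFC 822 message string (single-part bodies)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload()
    reasons = []

    # Red flag 1: a trusted brand or coworker role in the display name, unrelated domain.
    for name, domains in KNOWN_SENDERS.items():
        if name in display.lower() and sender_domain not in domains:
            reasons.append(f"display name '{display}' but sender domain '{sender_domain}'")

    # Red flag 2: urgent call to action / "account compromised" / overdue-payment pressure.
    if URGENCY.search(body):
        reasons.append("urgent call to action")

    # Red flag 3: asks for credentials or payment.
    if CREDENTIAL_ASK.search(body):
        reasons.append("requests credentials or payment")

    # Red flag 4: link whose visible text names one host but actually points to another.
    parser = LinkCollector()
    parser.feed(body)
    for text, href in parser.links:
        shown, actual = host_of(text), host_of(href)
        if "." not in shown:  # plain "click here" text carries no host to compare
            continue
        if actual and shown != actual and not actual.endswith("." + shown):
            reasons.append(f"link text '{text}' points to {actual}")

    return len(reasons), reasons


# Constructed sample messages (not real mail).
PHISH = """From: "ExampleBank Security" <alerts@examp1ebank-verify.net>
To: user@corp.example
Subject: Your account has been compromised
Content-Type: text/html

<p>Your account has been compromised. Verify your password within 24 hours
or it will be suspended.</p>
<a href="http://examp1ebank-verify.net/login">https://www.examplebank.com/login</a>
"""

LEGIT = """From: "IT Help Desk" <helpdesk@corp.example>
To: user@corp.example
Subject: Scheduled maintenance Saturday
Content-Type: text/html

<p>Email will be unavailable Saturday 02:00-04:00 for maintenance.
No action is needed.</p>
<a href="https://intranet.corp.example/status">intranet.corp.example</a>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        score, why = score_message(raw)
        print(f"{label}: score {score}", *why, sep="\n  ")
```

The constructed phishing sample trips all four checks (score 4) while the legitimate help-desk notice scores 0. A score is a prompt for a human to look closer, not a verdict; the display-name check in particular only catches senders you have listed, so the list is the part worth maintaining.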
Protecting your information
You should now have a better idea of what phishing scams look like and what they’re after. Practice extra caution when you are not sure a message is trustworthy. If you run a small business, convey this information to your staff, as hackers also carry out business email compromise (BEC) attacks. But even with good training, you should make use of tools and resources to protect your information. Even the most trained security staff are prone to human error and mistakes.
So, we need to think about recovery options and backup scenarios. There are a few ways you can manage this, and your needs will depend on the data volume in question.
As a quick list, you can back up data and information in the following ways:
* Investing in external media like high-storage SSDs, flash drives, and memory
* Utilizing third-party data recovery services and/or storage vendors
* Managing copies of passwords, logins, and admin data with permissions only granted to appropriate parties
* Updating and upgrading all relevant software/hardware to prevent unexpected data loss and protect information
Investing in healthy cybersecurity practices, culture, and knowledge will also reduce the risk of data loss and better protect you from becoming the victim of a phishing attack.
However, phishing is a continuously changing scheme, and hackers modify their approach every day. For additional support and help, consider reaching out to Bytagig.