6 Ways to Combat Social Phishing Attacks

Phishing is the number one method of attack delivery for everything from ransomware to credential theft. We are very aware of it coming by email, but other types of phishing have been growing rapidly.

In recent years, phishing over social media has skyrocketed by 500%. There has also been a 100% increase in fraudulent social media accounts.

Phishing over social media often tricks the victims because people tend to let their guard down when on social platforms like Facebook, Instagram, Twitter, and LinkedIn. They’re socializing and not looking for phishing scams.

However, phishing scammers are out there looking for you and will reach out via friend requests and direct messages. Learn several ways you can secure your social media use to avoid these types of covert attacks.

Make Your Profile Private on Social Platforms

Phishing scammers love public profiles on social media because not only can they gather intel on you to strike up a conversation, but they can also clone your profile and put up a fake page for phishing your connections.

Criminals do this in order to try to connect with those on your friends or connections list to send social phishing links that those targets will be more likely to click because they believe it’s from someone they know.

You can limit your risk by going into your profile and making it private to your connections only. This means that only someone that you’ve connected with can see your posts and images, not the general public.

For sites like LinkedIn where many people network for business, you might still want to keep your profile public, but you can follow the other tips below to reduce your risk.

Hide Your Contacts/Friends List

You can keep social phishing scammers from trying to use your social media profile to get to your connections by hiding your friends or connections list. Platforms like LinkedIn and Facebook both give you this privacy option. 

Just be aware that this does not keep scammers from seeing you as a friend or connection on someone else’s profile unless they too have hidden their friends list.

Be Wary of Links Sent via Direct Message & in Posts

Links are the preferred way to deliver phishing attacks, especially over social media. Links in social posts are often shortened, making it difficult for someone to know where they are being directed until they get there. This makes it even more dangerous to click links you see on a social media platform.

A scammer might chat you up on LinkedIn to inquire about your business offerings and give you a link that they say is to their website. Unless you know the source to be legitimate, do not click links sent via direct message or in social media posts. They could be leading to a phishing site that does a drive-by download of malware onto your device.

Even if one of your connections shares a link, be sure to research where it is coming from. People often share posts in their own feeds because they like a meme or picture on the post, but they never take the time to check whether the source can be trusted.

Don’t Participate in Social Media Surveys or Quizzes

While it may be fun to know what Marvel superhero or Disney princess you are, stay away from quizzes on social media. They’re often designed as a ploy to gather data on you, data that could be used for targeted phishing attacks or identity theft.

The Cambridge Analytica scandal that impacted the personal data of millions of Facebook users did not happen all that long ago. It was found that the company was using surveys and quizzes to collect information on users without their consent.

While this case was high-profile, the company is by no means the only one that plays fast and loose with user data and takes advantage of social media to gather as much as it can.

It’s best to avoid any types of surveys or quizzes on any social media platform because once your personal data is out there, there is no getting it back.

Avoid Purchasing Directly from Ads on Facebook or Instagram

Many companies advertise on social media legitimately, but unfortunately, many scammers use the platforms as well for credit card fraud and identity theft.

If you see something that catches your eye in a Facebook or Instagram ad, go to the advertiser’s website directly to check it out; do not click through the social ad.

Research Before You Accept a Friend Request

It can be exciting to get a connection request on a social media platform. It could mean a new business connection or connecting with someone from your alma mater. But this is another way that phishing scammers will look to take advantage of you. They’ll try to connect with you, which can be a first step before reaching out directly via DM.

Do not accept friend requests without first checking out the person on the site and online using a search engine. If you see that their timeline only has pictures of themselves and no posts, that’s a big red flag that you should decline the request.

Can Your Devices Handle a Phishing Link or File?

It’s important to safeguard your devices with things like DNS filtering, managed antivirus, email filtering, and more. This will help protect you if you happen to click on a phishing link.

Find out how we can help!


This Article has been Republished with Permission from The Technology Press.

Alarming Phishing Attack Trends to Beware of in 2022

In 2020, 75% of companies around the world experienced a phishing attack. Phishing remains one of the biggest dangers to your business’s health and wellbeing because it’s the main delivery method for all types of cyberattacks.

One phishing email can be responsible for a company succumbing to ransomware and having to face costly downtime. It can also lead a user to unknowingly hand over the credentials to a company email account that the hacker then uses to send targeted attacks to customers.

Phishing takes advantage of human error, and some phishing emails use sophisticated tactics to fool the recipient into divulging information or infecting a network with malware.

Mobile phishing threats skyrocketed by 161% in 2021.

Your best safeguards against the continuous onslaught of phishing include:

  • Email filtering
  • DNS filtering
  • Next-gen antivirus/anti-malware
  • Ongoing employee cybersecurity awareness training

To properly train your employees and ensure your IT security is being upgraded to meet the newest threats, you need to know what new phishing dangers are headed your way.

Here are some of the latest phishing trends that you need to watch out for in 2022.

Phishing Is Increasingly Being Sent via Text Message

Fewer people are suspicious of text messages than they are of unexpected email messages. Most phishing training focuses on the email form of phishing because it’s always been the most prevalent.

But cybercrime entities are now taking advantage of the easy availability of mobile phone numbers and using text messaging to deploy phishing attacks. This type of phishing (called “smishing”) is growing in volume.

People are receiving more text messages now than they did in the past, due in large part to retailers and service businesses pushing their text updates for sales and delivery notices.

This makes it even easier for phishing via SMS to fake being a shipment notice and get a user to click on a shortened URL.

Business Email Compromise Is on the Rise

Ransomware has been a growing threat over the last few years largely because it’s been a big money-maker for the criminal groups that launch cyberattacks. A new up-and-coming form of attack is beginning to be quite lucrative and thus is also growing.

Business email compromise (BEC) is on the rise and being exploited by attackers to make money off things like gift card scams and fake wire transfer requests.

What makes BEC so dangerous (and lucrative) is that when a criminal gains access to a business email account, they can send very convincing phishing messages to employees, customers, and vendors of that company. The recipients will immediately trust the familiar email address, making these emails potent weapons for cybercriminals.

Small Businesses Are Being Targeted More Frequently With Spear Phishing

There is no such thing as being too small to be attacked by a hacker. Small businesses are targeted frequently in cyberattacks because they tend to have less IT security than larger companies.

43% of all data breaches target small and mid-sized companies, and 40% of small businesses that become victims of an attack experience at least eight hours of downtime as a result.

Spear phishing is a more dangerous form of phishing because it’s targeted and not generic. It’s the type deployed in an attack using BEC.

It used to be that spear-phishing was used for larger companies because it takes more time to set up a targeted and tailored attack. However, as large criminal groups and state-sponsored hackers make their attacks more efficient, they’re able to more easily target anyone.

A result is small businesses receiving more tailored phishing attacks that are harder for their users to identify as a scam.

The Use of Initial Access Brokers to Make Attacks More Effective

We just discussed the fact that large criminal groups are continually optimizing their attacks to make them more effective. They treat cyberattacks like a business and work to make them more profitable all the time.

One way they are doing this is by using outside specialists called Initial Access Brokers. This is a specific type of hacker that only focuses on getting the initial breach into a network or company account.

The increasing use of these experts in their field makes phishing attacks even more dangerous and difficult for users to detect.

Business Impersonation Is Being Used More Often

As users have gotten savvier about being careful of emails from unknown senders, phishing attackers have increasingly used business impersonation. This is where a phishing email will come in looking like a legitimate email from a company that the user may know or even do business with.

Amazon is a common target of business impersonation, but it happens with smaller companies as well. For example, there have been instances where website hosting companies have had client lists breached and those clients were then sent emails impersonating the hosting company and asking them to log in to an account to fix an urgent problem.

More business impersonation being used in phishing attacks means users have to be suspicious of all emails, not just those from unknown senders.

Is Your Company Adequately Protected from Phishing Attacks?

It’s important to use a multi-layered strategy when it comes to defending against one of the biggest dangers to your business’s wellbeing. Get started with a cybersecurity audit to review your current security posture and identify ways to improve.


This Article has been Republished with Permission from The Technology Press.

Top 5 Cybersecurity Mistakes That Leave Your Data at Risk

The global damage of cybercrime has risen to an average of $11 million USD per minute, which is a cost of $190,000 each second.

60% of small and mid-sized companies that have a data breach end up closing their doors within six months because they can’t afford the costs. The costs of falling victim to a cyberattack can include loss of business, downtime/productivity losses, reparation costs for customers that have had data stolen, and more.

You may think that this means investing more in cybersecurity, and it is true that you need to have appropriate IT security safeguards in place (anti-malware, firewall, etc.). However, many of the most damaging breaches are due to common cybersecurity mistakes that companies and their employees make.

The 2021 Sophos Threat Report, which looked at thousands of global data breaches, found that what it termed “everyday threats” were some of the most dangerous. The report stated, “A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we’ve investigated.”

Is your company making a dangerous cybersecurity mistake that is leaving you at high risk for a data breach, cloud account takeover, or ransomware infection?

Here are several of the most common missteps when it comes to basic IT security best practices.

Not Implementing Multi-Factor Authentication (MFA)

Credential theft has become the top cause of data breaches around the world, according to IBM Security. With most company processes and data now being cloud-based, login credentials hold the key to multiple types of attacks on company networks.

Not protecting your user logins with multi-factor authentication is a common mistake and one that leaves companies at a much higher risk of falling victim to a breach.

MFA reduces fraudulent sign-in attempts by a staggering 99.9%.

Ignoring the Use of Shadow IT

Shadow IT is employees’ use of cloud applications for business data when those applications haven’t been approved by, and may not even be known to, the company.

Shadow IT use leaves companies at risk for several reasons:

  • Data may be used in a non-secure application
  • Data isn’t included in company backup strategies
  • If the employee leaves, the data could be lost
  • The app being used might not meet company compliance requirements

Employees often begin using apps on their own because they’re trying to fill a gap in their workflow and are unaware of the risks involved with using an app that hasn’t been vetted by their company’s IT team.

It’s important to have cloud use policies in place that spell out for employees the applications that can and cannot be used for work.

Thinking You’re Fine With Only an Antivirus Application

No matter how small your business is, a simple antivirus application is not enough to keep you protected. In fact, many of today’s threats don’t use a malicious file at all.

Phishing emails will contain commands sent to legitimate PC systems that aren’t flagged as a virus or malware. Phishing also overwhelmingly uses links these days rather than file attachments to send users to malicious sites. Those links won’t get caught by simple antivirus solutions.

You need to have a multi-layered strategy in place that includes things like:

  • Next-gen anti-malware (uses AI and machine learning)
  • Next-gen firewall
  • Email filtering
  • DNS filtering
  • Automated application and cloud security policies
  • Cloud access monitoring

Not Having Device Management In Place

A majority of companies around the world have had employees working remotely from home since the pandemic, and they’re planning to keep it that way. However, device management for those remote employee devices as well as smartphones used for business hasn’t always been put in place.

If you’re not managing security or data access for all the endpoints (company and employee-owned) in your business, you’re at a higher risk of a data breach.

If you don’t have one already, it’s time to put a device management application in place, like Intune in Microsoft 365.

Not Providing Adequate Training to Employees

An astonishing 95% of cybersecurity breaches are caused by human error. Too many companies don’t take the time to continually train their employees, and thus users haven’t developed the skills needed for a culture of good cybersecurity.

Employee IT security awareness training should be done throughout the year, not just annually or during an onboarding process. The more you keep IT security front and center, the better equipped your team will be to identify phishing attacks and follow proper data handling procedures.

Some ways to infuse cybersecurity training into your company culture include:

  • Short training videos
  • IT security posters
  • Webinars
  • Team training sessions
  • Cybersecurity tips in company newsletters

When Did You Last Have a Cybersecurity Checkup?

Don’t stay in the dark about your IT security vulnerabilities. Schedule a cybersecurity audit to uncover vulnerabilities so they can be fortified to reduce your risk.


This Article has been Republished with Permission from The Technology Press.

Top Things to Replace in Your Old School Office

You may be in the “if it ain’t broke, why fix it” camp. Yet even if some of your outdated office tools and technology aren’t actually broken, they could be crying out for an update (if only you spoke filing cabinet, you’d know!). Here are the top things we see that businesses could upgrade to improve productivity and add security.

First, let’s start with those traditional landline phones. Sure, they’ve done their job well for decades, but switching to Voice over Internet Protocol (VoIP) has many advantages. Don’t overlook the benefits of:

  • streamlining voice and data services to save on bills and long distance;
  • employees using VoIP communications wherever they have access to an internet connection;
  • accessing features such as call waiting, screening, recording, auto attendant, and voicemail transcription;
  • gaining greater flexibility to scale up and down as needed so you don’t need to pay for phone lines you don’t need;
  • integrating calls with customer relationship management software for better data insights.

Saving, Sharing, and Revising Documents

Next up, those filing cabinets. For one, they may be an eyesore, plus, they’re taking up valuable real estate in your space. Today, many printers allow you to scan many pages at once and easily scan documents into content management software.

Moving to online document management also opens you up to many productivity gains. The software often supports optical character recognition (OCR), which makes scanned content searchable. Plus, the documents are available online, where and when employees need them. This is helpful in remote or hybrid work setups, but it also helps ensure you have a backup of critical documents if disaster strikes.

If you’re still filing documents in cabinets, you may have paper-based processes, too. Forms and folders get passed around for different people to sign off at various stages. This makes it easy for workflow to bottleneck or, worse, for documentation to get lost in the physical shuffle from place to place.

In a step up from this, a business might at least move documents around via email attachments. Everyone gets a chance to see the document and make comments. Then, some poor soul takes all the responses and collates them for the next round of revisions.

Replace these old-school approaches with online business tools built to enable collaboration. Microsoft 365, for example, allows people to work on documents at the same time. There are no more worries about version control, and everyone can track the file’s progress.

Enabling Remote/Hybrid Work

Cloud-based collaboration software not only helps with document exchange. Microsoft 365 also allows users to communicate efficiently via the Teams channels. They can also start video meetings, share screens, and co-work on files and PowerPoints. Plus, integrating Outlook contacts and calendars helps efficiency and scheduling.

All this helps support employees working remotely or coming into the office only some of the time. With online documents and databases, everyone can get work done without coming on-site. Plus, VoIP business calls forward directly to phones or laptops for seamless communication.

Put Away the Post-its, Too

One last thing we’d love to see people replace in their offices? Those Post-its with handwritten passwords stuck to the bottom of computer monitors or oh-so-stealthily under the paperclip organizer in their top desk drawers.

We all have many passwords, and we understand the impulse to write them down, but a safer strategy is to use a password manager. A password manager stores, generates, and manages passwords in an encrypted database. A password management solution – such as Keeper, LastPass, or LogMeOnce – is more cyber secure than those sticky notes.

Of course, every work environment is unique, and you might have some other outdated office technology we haven’t mentioned here. Need help bringing your business tools up to date? Our IT experts are here to help. We can review business practices and suggest the best solutions for your needs. Contact us today at 561-295-8100.

Everyone Plays a Role in Cybersecurity

Hollywood would have us believe that cyberattacks are elaborately planned and use expensive, sophisticated tools developed by James Bond’s tech guru, Q. Yet in real life, most hacks are nothing like that. The cybercriminals often simply fool a human to gain access.

Phishing remains a primary way to attack. A scammer sends an email that looks legitimate, and an unsuspecting victim clicks on a malicious link. They might download malware or end up on a webpage that looks credible but is set up to gather their personal data.

Social engineering targets the human desire to help. A hacker might drop an infected thumb drive in the office parking lot of the target business – they need only one well-intentioned person to pick it up and plug it into the office system – or they call, saying they represent a contractor and urgently need important credentials.

Your cybersecurity is only as strong as its weakest link. In many cases, your employees are that weakest link. They are busy working hard, so they don’t stop to question things, or they can be too trusting. A supply-chain attack compromises your vendor. The hackers change the details on the vendor’s invoice so that the money ends up in their bank account. Your people don’t notice, because they usually trust the vendor.

Educate Employees about Their Cybersecurity Role

Every business needs to educate employees about the part they play in cybersecurity. They need to care, but they may feel that it’s not their concern. They’ll expect IT or someone else at work to handle malware and prevent cyberattacks, but each individual has a role.

It can help to put the potential threat in personal terms. Help them to understand that they are not only protecting work data on the network, and it’s not just client personal details: it’s their names, addresses, and tax numbers, too. Plus, it’s how much they get paid, healthcare records, resumes, and more, which is exactly the kind of information hackers exploit in identity theft. That one hack can have a huge ripple effect.

There’s also the argument that if your business suffers a breach or downtime, everyone could be out of the job. Particularly bad data breaches or hacks can destroy a business. Of course, the individual didn’t mean to do anything wrong, but their ill-advised action costs your company, which can mean downtime, lost productivity, damaged brand reputation, compliance issues, and more. Recovery is difficult.

Cybersecurity Is an Ongoing Concern

It’s also important that you don’t treat cybersecurity training as a one-off. Running through a list of “do nots” in employee onboarding and then moving on is not going to work. Build cybersecurity literacy into your workplace culture.

Remind employees about strong passwords and thinking twice before sharing any sensitive data. Require them to use protected networks for remote access and to encrypt files.

Your business can also show the importance of employees taking responsibility by:

  • discussing cybersecurity in hiring processes;
  • outlining policies and procedures in the handbook;
  • reminding employees to regularly update and upgrade technology;
  • monitoring applications downloaded onto work devices;
  • having a clear policy for people bringing in their own devices;
  • adding multi-factor authentication to remote access.

Ransomware threats are on the rise globally, and cybercrime gangs are targeting any weakness, regardless of business size or industry. Enlist your employees in the ongoing fight against hackers.

Need help training employees or installing cybersecurity protections? We can help. Contact our IT experts to discuss policies and procedures your business can use. We know how to keep you free from threats and get your people engaged in the battle, too. Call us at 561-295-8100 today.

Oil Pipeline Ransomware Attack – Lessons Learned

Your business may not be supplying oil to the United States, and you may not even be in the critical infrastructure business, but don’t think that means ransomware can’t happen to you, too. This article shares lessons learned from a headline-grabbing event, and they’re applicable to businesses of all sizes in all industries.

First, what happened? The May 2021 ransomware attack crippled a 5500-mile gasoline pipeline. The Colonial Pipeline serves up nearly half of the gasoline used by the East Coast of the United States. The attack, thought to be the largest ever on US oil infrastructure, encrypted almost 100 gigabytes of data. Russian hacker group DarkSide took the systems hostage, demanding an undisclosed ransom. The pipeline was offline for days, and the disruption plagued the country for weeks.

The lesson learned? Businesses cannot underestimate the importance of being proactive about preventing cybercriminal attacks. The Colonial Pipeline attack originated in Russia and attacked the US, but the motive was financial. The majority of cyberattacks come down to money. That means your business could be at risk, too.

Lesson #1: Educate employees

Avoid falling victim to a devastating ransomware attack by educating employees about cybersecurity. Train your employees to recognize phishing emails and other scams, teach them about the importance of strong passwords, help them understand the potential dangers of using unsecured wireless networks or unencrypted devices, and prevent them from downloading unsanctioned apps onto work computers.

Lesson #2: Use firewalls and email filtering

Configure firewalls to protect your network and block access from malicious IP addresses. Geo-fencing can reduce traffic from foreign actors in known cybercrime hubs.

Additionally, set up advanced spam filters. These help identify and stop phishing emails before they even get to your employees.

Lesson #3: Limit access

You’re thinking you’re doing that already with firewalls and filtering, but this refers to limiting access for the people who work for you. Configure credentials so that employees can access only what’s needed to do their job. Limiting administrative access makes it more difficult for bad actors to do damage.

Also, limit permissions to reduce access. One employee may need to read certain files but have no need to edit them. Configure the file and directory access accordingly.

Lesson #4: Monitor and patch

Even if you’re not online at all hours of the day, you should be monitoring IT 24/7. Set up alerts to identify any suspicious activity. You want to know as soon as possible if there is a vulnerability so your business can limit its exposure.

Also, patch: don’t ignore update notifications from your software providers or operating system manufacturers. Every piece of technology in your office could be an entry point for a bad actor. Cybercriminals are always finding new modes of attack and vulnerabilities. You have to be vigilant and keep your systems updated to cut your risk.

Lesson #5: Have a backup plan

If cybercriminals take your system hostage, you don’t want to have to pay a ransom. It’s costly, and you can’t guarantee you’ll get a functional system back. You will still suffer downtime and damaged reputation from the attack.

Having several system backups, tested regularly for accuracy, helps protect you from catastrophe. We recommend a 3-2-1 approach. That’s three separate copies of the backup on two different storage types, and at least one of them should be off-site.

Customize your backup plan around the specific needs of your business. One company might be fine backing up daily, whereas another may suffer if it loses even a few hours of data.
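
The following is an added example, not part of the original article: a short Python check of a backup inventory against the 3-2-1 approach and the "how much data can you afford to lose" question described above. The inventory, the 90-day restore-test window, and the recovery point objective (RPO) values are constructed assumptions, and the choice to count a copy only when it is fresh and restore-tested is this example's own.

```python
"""Audit a backup inventory against the 3-2-1 rule (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                             # storage type, e.g. "nas", "cloud", "tape"
    offsite: bool
    last_backup: datetime
    last_restore_test: Optional[datetime]  # None means never restore-tested


def audit_321(copies: List[BackupCopy], now: datetime,
              rpo: timedelta, test_interval: timedelta) -> List[str]:
    """Return a list of findings; an empty list means the plan passes.

    A copy only counts toward 3-2-1 if it is fresh (newer than the
    recovery point objective) and has passed a restore test recently.
    """
    findings = []
    healthy = []
    for c in copies:
        ok = True
        if now - c.last_backup > rpo:
            findings.append(f"STALE:{c.name}")
            ok = False
        if c.last_restore_test is None or now - c.last_restore_test > test_interval:
            findings.append(f"UNTESTED:{c.name}")
            ok = False
        if ok:
            healthy.append(c)

    # 3 copies, on 2 different storage types, with at least 1 off-site.
    if len(healthy) < 3:
        findings.append(f"COPIES:{len(healthy)}/3")
    if len({c.media for c in healthy}) < 2:
        findings.append("MEDIA:need 2 storage types")
    if not any(c.offsite for c in healthy):
        findings.append("OFFSITE:none")
    return findings


# Constructed sample inventory, not taken from any real environment.
NOW = datetime(2024, 6, 1, 12, 0)
SAMPLE = [
    BackupCopy("nas-nightly", "nas", False,
               NOW - timedelta(hours=10), NOW - timedelta(days=20)),
    BackupCopy("usb-weekly", "usb-disk", False,
               NOW - timedelta(hours=20), NOW - timedelta(days=45)),
    BackupCopy("cloud-sync", "cloud", True,
               NOW - timedelta(days=9), None),
]


def sample_findings(rpo_hours: int) -> List[str]:
    """Audit the sample inventory with a 90-day restore-test window (assumed)."""
    return audit_321(SAMPLE, NOW, timedelta(hours=rpo_hours), timedelta(days=90))


if __name__ == "__main__":
    # Same inventory, two businesses: one tolerates a day of loss, one only 4 hours.
    for rpo in (24, 4):
        print(f"RPO {rpo}h:", sample_findings(rpo) or "pass")
```

On paper the sample inventory has three copies on three storage types with one off-site, yet it fails because the only off-site copy is nine days old and has never been restored.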

Cybersecurity doesn’t have to be complicated

Ransomware attacks are expensive and time-consuming. Partner with a managed service provider to keep an eye on your systems. Our IT experts can configure protection, track activity, and provide backup solutions. Take preventative action to protect your business against ransomware and other cyberattacks. Work with professionals to install a layered IT security strategy today. Call us today at 561-295-8100 or book a discovery call now!