Email is so ubiquitous in our everyday lives that it can be a challenge to always be on guard when receiving messages. Each day it’s not unheard of for each member of your team to have hundreds of messages land in their inbox. How do you make sure that none of those communications are harmful, directing employees to share security information or download damaging files?
What spam and phishing are – and why they are dangerous
A threat actor can use email to deliver a file that is then downloaded and installed on the recipient's computer, or to convince an unwary employee to take an action that harms them or their company. The unwanted emails themselves are called spam, and the practice of luring people into performing those dangerous actions is called phishing.
Often the nefarious entities sending this spam are looking for financial gain, but in the case of the defense industrial base (DIB), they could want to gain access to information in your possession that could benefit the entity that they may be working for.
There are different avenues they take, but it’s all about using email to get you to trust them and then take action. Here are a couple of examples.
- An email received from a Gmail account stating that it is from the CEO and he has been locked out of his account. The communication would then direct the reader to call a number or download software.
- A communication could mimic a partner company, perhaps misrepresenting themselves as Microsoft, and directing the recipient to download a software update to protect themselves from a threat.
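Both lures above share two observable traits: a display name that borrows a trusted identity (the CEO, a partner such as Microsoft) and a sending address that does not belong to that identity. The following added example, which is not code from the original post or from any vendor, shows the triage checks a mail filter or SOC script can run over incoming headers: an executive's name paired with an external or free-mail address, a sender domain within two characters of a trusted domain, and a Reply-To that diverts replies elsewhere. The company domain, executive list and sample messages are all constructed for illustration.

```python
"""Triage checks for the two impersonation patterns described above.
Added example: COMPANY_DOMAIN, EXECUTIVES and every sample message are
constructed, not taken from the original post."""
from __future__ import annotations
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-dib.com"                   # assumption: your own mail domain
EXECUTIVES = {"jane doe"}                            # constructed: display names to protect
TRUSTED_DOMAINS = {"microsoft.com", COMPANY_DOMAIN}  # domains attackers tend to mimic
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess(raw_message: str) -> list[str]:
    """Return the reasons a message looks like impersonation (empty list = no indicator)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = domain_of(addr)
    reasons = []

    # 1. A protected display name arriving from anywhere but the company domain
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        where = "a free-mail account" if domain in FREE_MAIL else f"external domain {domain}"
        reasons.append(f"display name '{name}' matches an executive but mail comes from {where}")

    # 2. A sender domain that is a near miss of a trusted domain (e.g. rn in place of m)
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and 0 < edit_distance(domain, trusted) <= 2:
            reasons.append(f"sender domain {domain} is a lookalike of {trusted}")

    # 3. Replies silently redirected to a different domain than the visible sender
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain:
        reasons.append(f"Reply-To goes to {domain_of(reply_to)}, not the From domain")

    return reasons


# Constructed sample messages; only the headers matter to these checks
SAMPLES = {
    "ceo_from_freemail": (
        "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
        "Subject: Locked out of my account\n\n"
        "I am locked out, please call me.\n"
    ),
    "partner_lookalike": (
        "From: Microsoft Support <update@rnicrosoft.com>\n"
        "Reply-To: support@rnicrosoft.com\n"
        "Subject: Security update required\n\n"
        "Please install the attached update.\n"
    ),
    "internal_legit": (
        "From: Jane Doe <jane.doe@example-dib.com>\n"
        "Subject: Q3 planning\n\n"
        "Agenda attached for Thursday.\n"
    ),
}


def scan_samples() -> dict[str, list[str]]:
    return {label: assess(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, reasons in scan_samples().items():
        print(label, "->", reasons or ["no impersonation indicators"])
```

The edit-distance threshold of 2 is deliberately loose; in production you would pair it with a list of your own legitimate subdomains and partner domains so that genuine mail is not flagged, and feed the reasons into the anti-phishing policy described later in this post rather than blocking outright.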
Since life these days is chaotic and we are all engaged more hours than we are on the clock, we might not be sitting in front of our computers, but instead be rushing off on an important errand when we glance at our phones and notice an email, purportedly from our boss. Any one of us could take the action requested by the spammer, and not realize until much later the error in judgment.
Protecting your business from these threats
The solution is to limit the ability of these threat actors to send email to your employees by having the right spam tool with the right settings in place. In some cases, a company might have a good tool in place, but it might not be optimally deployed.
In a nutshell, companies should configure everything with ‘anti’ in the name (anti-malware, anti-phishing, anti-spam), and set up features with ‘safe’ in the name (safe links, safe attachments). These actions help ensure that attachments are scanned before they are delivered to your endpoint. Realistically speaking, you want to support digital interactions as you are mitigating risk through the proper setup of these types of tools.
Microsoft 365 Defender helps stop attacks
This solution, which is part of Microsoft’s XDR solution, leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, building a complete picture of each attack in a single dashboard. It offers two options.
- Plan 1 – This option provides configuration protection capabilities, such as establishing safe attachments and safe links. It also performs anti-phishing and real-time detections.
- Plan 2 – This option takes those basic anti-spam capabilities and layers on additional capabilities such as automated investigation and remediation, plus education capabilities. Since the education piece is critical, our experts recommend Plan 2. With the evolving security landscape, this solution has dynamic features which can accommodate the threats of today and meet future challenges.
As a Microsoft partner, we are skilled in implementing and optimizing Microsoft 365 Defender to help you safeguard your organization. Reach out to us to get a quote. We can provision licenses, implement the tool, and push out solid security policies in your Office 365 environment. If you already have the licenses, we can also maximize the entitlements that these licenses have. Contact us to get started.
You may have heard of phishing, which is the practice of sending fraudulent texts or emails that appear to come from a legitimate source, with the intention of encouraging the recipient to provide personal information.
Businesses have been struggling to protect their networks from phishing, and with attacks up 65% in the past year, it seems the fight is far from over. To make matters worse, a more sophisticated and destructive offshoot of phishing has recently emerged — spear phishing.
What is Spear Phishing?
Phishing messages are usually generic, sent to a large number of people in order to cast a wide net in the hopes that somebody will bite. Spear phishing, as the name implies, is much more precise and is targeted at a specific victim.
The spear phisher gathers personal information about the target, such as an employer, hometown, or friends, in order to craft messages that seem more credible. No red flags are raised, and the recipient happily does as the phisher requests, sharing highly sensitive data and information about themselves in the process.
What Spear Phishing Means for Your Business
Spear phishing presents a major problem for businesses. Phishers are increasingly seeing businesses like yours as lucrative targets, with a staggering 95% of all attacks on business and enterprise networks thought to be the result of successful spear phishing. How does this happen?
The Weak Link in Your Network Security
Spear phishers usually gain access to your sensitive data and business networks via your employees. For example, they might gather information on an employee and use it to craft an email to them appearing to come from your IT team, asking them to click on a link and re-submit their credentials to access one of your network systems.
The link leads to a dummy site that’s barely distinguishable from yours. When your employee logs in, the phisher records their credentials and uses them to access your real system. There, they can steal data, spy on your business, or bring your system crashing down, and you likely won’t even know it’s happened until the damage has been done.
4 Steps to Keep Your Business Safe from a Spear Phishing Attempt
Despite your best efforts to secure your business, you’re only as strong as your employees. Adequately protecting yourself from spear-phishing, then, relies on comprehensive training and awareness. Here are four steps you can take to keep your business safe…
Step 1 – Educate Your Employees
Knowledge is power, so train your employees on how to spot spear phishing and what to do about it. And because threats like spear-phishing evolve rapidly, ensure that your training and awareness programs are refreshed and updated at least annually to stay ahead of phishers.
Step 2 – Practice Good Password Hygiene
Passwords are at the very core of your network security and as such, they deserve the utmost attention. For each of your systems, require that users create long, complex passwords and change them on a regular basis. Don’t just ask users to do this and trust that they’ll comply; make it a mandatory requirement for using the system. And of course, the sharing of company passwords should be discouraged in the very strongest terms, even among employees.
Step 3 – Implement Multi-Factor Authentication
Multi-factor authentication, or MFA, adds an extra layer of security to your systems. After the user enters their password, they’re typically required to pass through a further verification stage by entering another password/code, answering a question, submitting biometric information, or responding to an email or text. If somebody does obtain the user’s password, MFA means they’ll usually be thwarted at this second stage.
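To make the second stage concrete, here is an added example (not code from the original post) of a login routine that checks a salted password hash and then a time-based one-time code (TOTP, RFC 6238) generated by the user's authenticator app. It shows the property the step above relies on: a credential harvested through a spear-phishing page fails on its own because the code rotates every 30 seconds and is never sent with the password. The user record, salt and password are constructed; the TOTP secret is the RFC 6238 reference key so the codes can be checked against the published test vectors.

```python
"""Password plus TOTP second factor.  Added example; the user record, salt
and password are constructed and the TOTP secret is the RFC 6238 reference
key ("12345678901234567890")."""
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so a leaked store does not expose passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user record; in practice this lives in your identity store
_SALT = b"constructed-salt-0001"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 reference key
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30 s window."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current window plus one on either side to tolerate clock drift."""
    counter = int(at_time) // step
    candidates = range(max(0, counter - window), counter + window + 1)
    # compare_digest keeps the check constant-time; any() still short-circuits on a hit
    return any(hmac.compare_digest(hotp(secret, c), code) for c in candidates)


def login(username: str, password: str, code: str, at_time: float) -> bool:
    """Both factors must pass; a phished password without the code is rejected."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    if not code:
        return False  # first factor alone is never sufficient
    return verify_totp(user["totp_secret"], code, at_time)


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: the 6-digit SHA-1 code here is 287082
    good = totp(USERS["alice"]["totp_secret"], t)
    print("password + current code:", login("alice", "correct horse battery staple", good, t))
    print("phished password only:  ", login("alice", "correct horse battery staple", "", t))
```

Note that `verify_totp` checks neighbouring windows only; a real deployment also records the last accepted counter so that a code captured in transit cannot be replayed within the same window.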
Step 4 – Take Good Practices Home
In order to be effective, good security practices must go beyond the office. Spear phishers will usually target a victim outside of work too, so your employees must be encouraged to apply the same awareness, caution, and protection to their personal and home networks.
That means practicing good password hygiene on any devices or online systems they use outside of work, from banking to social media to online grocery shopping and everything in between. Where available, they should be encouraged to set up multi-factor authentication, too.
Personal phones, computers, and other devices should be password-protected, encrypted, and secured with up-to-date antivirus and malware programs. This is especially true if they use these devices for business-related activity, in which case you should embed usage rules into company policy.
Your employees should be encouraged to take all reasonable measures to protect company data that’s taken outside of the workplace, whether on a business trip or to a home office. Physical documents and devices should be stored securely when not in use, such as in a locked briefcase or filing cabinet.
Finally, employees should think carefully about the work information they share with their personal network. Your employee might think they’re bringing their old high school buddy up to speed on all the exciting projects they’ve been working on, but there could be a phisher on the other end of the email conversation, gathering data about your business.
Don’t Fight Phishing Attacks Alone
With 76% of businesses falling victim to a phishing attack last year, it seems phishers are winning the fight for your sensitive data. That doesn’t have to be the case. Protect your business now with expert training and managed security services from CyberSheath. Contact us now to find out how we can help.
According to a recent report conducted by PhishMe, 93 percent of all phishing attacks contained encryption ransomware, up 56 percent from December of 2015. This heightened growth can be attributed to the ease of sending ransomware via phishing emails that contain job applicant, billing, shipping, and invoice-related messages with seemingly harmless attachments.
Ransomware is a category of malware that prevents or limits users from accessing their system. Users are offered the option to pay a “ransom” via online payment methods in order to regain access to their systems or recover their data. Ransomware can target home computers, endpoints in an enterprise network, or servers used by government organizations or private healthcare companies. Although the criminals promise the safe return of your data, there is no guarantee that paying up will restore your access.
There are two main types of ransomware: lockscreen and encryption. Lockscreen ransomware simply displays a full-screen message that locks your system and prevents you from navigating away or accessing your files. Encryption ransomware encrypts your existing files and then demands money to restore them. A system infected with ransomware will typically alert users of the infection within hours, unlike other common cyber-attacks that remain undetected for months.
Small to medium-sized organizations are particularly appealing prey for ransomware criminals, as these companies tend to pay up quickly to avoid the hassle of alternative methods of recovering data. Additionally, cyber culprits blackmail organizations by threatening to delete files at regular intervals so that victims pay the ransom faster.
How do you prevent your organization from becoming a ransomware victim? The most encouraged approach is to have a reliable and secure backup system in place. Do not rely on the cloud alone for backup security; newer versions of ransomware have been able to reach data shared there as well. In addition to having up-to-date anti-virus solutions installed on all systems, ensuring that all users within your organization have completed the latest security awareness training is key, especially now that phishing has become the main delivery vector for ransomware. Educate your employees to avoid opening emails and attachments from unknown addresses and to avoid clicking on suspicious links. If your organization needs direction in performing any of the above tasks, please contact any member of the CyberSheath staff; we are here to help you protect your valuable assets, big or small!
Recently, Verizon released its 2016 Data Breach Report, which has served to assist the security community in managing risk and avoiding security incidents since 2008. In the report, one can find data on almost all aspects of the current cybersecurity risk landscape. With that being said, I was most intrigued by the findings related to phishing attacks, a form of social engineering that seeks to exploit an organization’s greatest risk – humans.
The motivation behind phishing attacks is no different than any other information security incident. Generally, attackers will be looking to trick the target user into divulging credentials on a pharming website. These sites look and feel like they are genuine websites for banks, enterprise applications, etc. Another common tactic in phishing attacks is having the targeted user click an attached file containing some sort of malware, thus granting the attacker access to the machine and by association, whatever network it connects to. These attacks are troubling because they allow an attacker to simply avoid many of the technical controls an organization may have in place.
The Data Breach Report has included metrics on phishing cases for years; this year the report stated that 30% of users open phishing emails. While this may not be harmful in itself, 13% of users will go on to click on the malicious attachment or navigate to the phony website where credentials are collected. These numbers are somewhat higher than last year, which reported a 23% open rate and an 11% click-through on the attachments. Another important thing to note is how quickly this all happens: the report states that it often takes less than five minutes to see a targeted user click on the attachment or link.
Social engineering attacks, phishing specifically, are on the rise because they are much easier to execute than technical attacks targeting an organization’s vulnerable assets. They enable an attacker to compromise a network with much less effort than would normally be required, and often in much less time.
The good news is that phishing attacks can be defeated in multiple ways. First, two-factor authentication would nearly eliminate all the risk associated with credential-stealing activities. Even if an attacker did acquire the main credentials for an employee, they would still lack the secondary credentials that are required. Second, and probably the most direct way to decrease human risk, is through a mature security awareness program. While awareness and training programs have been given more attention as of late, several organizations still do not take them seriously. Without training your employees on simple, human targeted attacks like phishing, they cannot be expected to protect your critical assets and data when they become the targets.
Curious how your organization stacks up? CyberSheath can help, contact us today.
On February 4th, Anthem Inc., the nation’s second-largest health insurer, disclosed that hackers had broken into its servers and stolen data from over 80 million customer records. The information stolen from the insurance enterprise includes names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.
Bloomberg reports that U.S. federal investigators are pointing the finger at state-sponsored hackers from China. Although unconfirmed, that suspicion would explain a confidential alert the FBI circulated last week warning that Chinese hackers were targeting personally identifiable information from U.S. commercial and government networks. A spokesman for the FBI said the agency is “aware of the Anthem intrusion and is investigating the matter” and praised the insurer for its “initial response in promptly notifying the FBI after observing suspicious network activity.”
Anthem, Inc. published an FAQ page in an attempt to provide answers to the countless questions and concerns of customers impacted. In one FAQ post, Anthem stated that they would mail notices to affected customers in order to provide clarity over how their data is being protected and any next steps that customers would need to take. It took only minutes for phishers and phone fraudsters to capitalize on the public’s fear over the massive data breach by unleashing a flood of targeted phishing attacks and cold calls to impacted customers with the intent of stealing even more financial and personal data from consumers.
As shown below, phishing emails were outfitted to appear as legitimate as possible:
[Image: Anthem phishing email]
Anthem, Inc. has since updated their FAQ to address the flood of phishing and phone fraud attacks:
Anthem, Inc. further clarified that all notifications will be sent to affected consumers through regular snail mail in the coming weeks. If you’re a current or former Anthem member, we strongly encourage you to be aware of these types of scams and expect them to escalate in the coming weeks.