Eight In 10 Businesses Were Targeted With Phishing In The Last Year. Was Yours?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Despite all the buzz about high-tech threats like ransomware and malware, good old phishing has held on to its title as the number one trick in a cyber criminal’s toolkit.

Phishing is when someone tries to trick you into giving them your personal information, like your password or credit card number. They do this by sending you emails or text messages that look like they’re from a real company.

According to the latest annual cyber breaches survey, 79% of businesses were targeted with a phishing attempt in the past year. And if your employees aren’t trained in cyber security awareness, 1 in 3 of them are likely to fall for a phishing attack. Scary!

You might be thinking, “Sure, it’s bad, but it can’t be that bad, right?” Well, let’s break down the consequences of a successful phishing attack.

[Read more…]

Learn How To Spot Fake LinkedIn Sales Bots

LinkedIn has become an invaluable platform for professionals. People use it to connect, network, and explore business opportunities. But with its growing popularity have come some red flags. There has been an increase in the presence of fake LinkedIn sales bots.

These bots impersonate real users and attempt to scam unsuspecting individuals. This is one of the many scams on LinkedIn. According to the FBI, fraud on LinkedIn poses a “significant threat” to platform users.

Lets delve into the world of fake LinkedIn sales bots. We’ll explore their tactics and provide you with valuable tips. You’ll learn how to spot and protect yourself from these scams. By staying informed and vigilant, you can foster a safer LinkedIn experience.

Identifying fake LinkedIn connections

Social media scams often play on emotions. Who doesn’t want to be thought of as special or interesting? Scammers will reach out to connect. That connection request alone can make someone feel wanted. People often accept before researching the person’s profile.

Put a business proposition on top of that, and it’s easy to fool people. People that are looking for a job or business opportunity may have their guard down. There is also an inherent trust people give other business professionals. Many often trust LinkedIn connections more than Facebook requests.

How can you tell the real requests from the fake ones? Here are some tips on spotting the scammers and bots.

Incomplete profiles and generic photos

Fake LinkedIn sales bots often have incomplete profiles. They’ll have very limited or generic information. They may lack a comprehensive work history or educational background. Additionally, these bots tend to use generic profile pictures. Such as stock photos or images of models.

If a profile looks too perfect or lacks specific details, it could be a red flag. Genuine LinkedIn users usually provide comprehensive information.

Impersonal and generic messages

One of the key characteristics of fake sales bots is their messaging approach. It’s often impersonal and generic. These bots often send mass messages that lack personalization. They may be no specific references to your profile or industry. They often use generic templates or scripts to engage with potential targets.

Excessive promotional content

Fake LinkedIn sales bots are notorious for bombarding users. You’ll often get DMs with excessive promotional content and making unrealistic claims. These bots often promote products or services aggressively. Usually without offering much information or value.

Inconsistent or poor grammar and spelling

When communicating on LinkedIn, pay attention to the grammar and spelling of messages. You may dismiss an error from an international-sounding connection, but it could be a bot.

Fake LinkedIn sales bots often display inconsistent or poor grammar and spelling mistakes. These errors can serve as a clear sign that the sender is not genuine. Legitimate LinkedIn users typically take pride in their communication skills.

Unusual connection requests and unfamiliar profiles

Fake LinkedIn sales bots often send connection requests to individuals indiscriminately. They may target users with little regard for relevance or shared professional interests.

Be cautious when accepting connection requests from unfamiliar profiles. Especially if the connection seems unrelated to your industry or expertise.

Business Email Compromise (BEC) And Phishing Are Dangerous For Small Businesses

Business email compromise (BEC) and phishing are two of the most common and damaging cyber threats facing businesses today. BEC involves the fraudulent use of email to impersonate a legitimate business or individual in order to gain access to sensitive information or financial resources.

Phishing, on the other hand, is a type of cybercrime that involves the use of fraudulent emails or websites to trick individuals into revealing sensitive information, such as login credentials or financial information.

BEC attacks often target employees with access to sensitive financial information or those who have the authority to make wire transfers or other financial transactions.

The attackers use sophisticated social engineering tactics to trick the employee into revealing login credentials or other sensitive information, or to convince them to make a financial transaction on behalf of the company. In some cases, the attackers may even impersonate a high-level executive or vendor in order to gain the trust and cooperation of the employee.

One of the most common tactics used in BEC attacks is the “man-in-the-middle” attack, where the attacker intercepts legitimate emails and alters them to redirect payments or other financial transactions to their own account.

Other tactics include the use of fake invoices, purchase orders, or other financial documents to trick employees into making payments to the attacker.

Phishing attacks, on the other hand, generally aim to trick individuals into revealing sensitive information or clicking on malicious links. These attacks often take the form of fake emails purporting to be from legitimate organizations, such as banks or government agencies, and may contain links to fake login pages or download malicious software onto the victim’s computer.

To protect against BEC and phishing attacks, it’s important for businesses to implement strong security measures and to educate their employees on how to spot and avoid these threats. Some best practices for protecting against BEC and phishing attacks include:

  • Implementing strong email security measures, such as spam filters and email authentication protocols, to help identify and block fraudulent emails.
  • Training employees on how to spot and avoid phishing and BEC attacks, including teaching them to be wary of unsolicited emails and to verify the authenticity of any emails requesting sensitive information or financial transactions.
  • Establishing strong passwords and using two-factor authentication to protect login credentials and other sensitive information.
  • Setting up monitoring systems to detect and alert on unusual or suspicious activity, such as unexpected wire transfers or login attempts.
  • Regularly updating software and security protocols to ensure that the latest security measures are in place.

In addition to these measures, it’s important for businesses to have a plan in place for responding to a BEC or phishing attack. This should include:

  • Establishing a clear chain of command for reporting and responding to suspicious activity.
  • Designating a team to investigate and respond to potential attacks.
  • Having a process in place for assessing and mitigating the damage caused by an attack.
  • Reviewing and updating security protocols on an ongoing basis to ensure that they are effective in protecting against these threats.

Overall, BEC and phishing attacks are a serious threat to businesses of all sizes. By implementing strong security measures and educating employees on how to identify and avoid these threats, businesses can protect themselves and their customers from these damaging cyber attacks.

2022: The Year Of Malware, Hacks And Phishing

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Much of our time this year has been spent working with our clients, making sure they’re ready to fend off newly emerging cyber threats or malware strains.

So to look back at the year, we thought we’d round up what many experts agree has been the nastiest malware of 2022.

At the top of the list is Emotet. Chances are you haven’t heard of it by that name, but it’s a trojan that’s spread by spam email. It usually looks like a genuine email with familiar branding, but it tries to persuade the recipient to click a malicious link (using language like ‘your invoice’ or ‘payment details.’

It may also look like it’s from a parcel company. This malware goes through your contact list and sends itself to family, friends, colleagues, and clients. Then it looks less like spam, because it’s come from your email account.

In second position is LockBit. This is ransomware that’s designed to block access to your files and systems when cyber criminals encrypt them.

They ask you to pay a ransom for the decryption key (which they often still don’t hand over, even when you’ve paid). If you don’t have a solid backup strategy, it is highly likely you’ll experience data loss.

This is a targeted attack that spreads itself once it’s infiltrated one device on a network. In fact, it can ‘live’ for weeks inside a network before the attack is launched.

In third place is Conti, another form of ransomware, and in fourth position is Qbot, a trojan designed to steal banking information and passwords.

It may all sound scary, but there’s plenty you can do to give your business greater protection from these threats:

  • Keep your entire network and all devices updated
  • Don’t download suspicious attachments or click links unless you’re certain they’re genuine
  • Practice strong password hygiene, including multi-factor authentication, password managers, biometrics, and passkeys where available
  • Give your people access to only the systems and files they need. Remove ex-employees from your network immediately
  • Create and regularly check back-ups
  • Educate your people regularly

We can help with all of this – just get in touch!

The Rising Threat of BEC Attacks: Don’t Let Your Business Fall Victim

Business email compromise (BEC) attacks are becoming widespread and present a significant risk to businesses of all sizes.

These attacks involve hackers posing as trusted individuals or organizations via email to request sensitive information or financial transfers.

BEC attacks often target high-level employees, such as executives or financial managers, and can be highly sophisticated.

Attackers may go to great lengths to make their emails appear authentic, including using genuine email addresses and logos. In some cases, they may even gain access to an employee’s email account to send BEC emails to other employees or partners.

In BEC attacks, a common technique is the “man-in-the-middle” approach, where the attacker poses as a trusted third party, such as a supplier or vendor, and requests payment or sensitive information.

These attacks can be challenging to detect because the attacker may use genuine email addresses and logos to seem legitimate.

The attacker manipulates the victim into thinking they are communicating with a trusted party, which can lead to them divulging sensitive information or making financial transfers to the attacker.

To safeguard your business from BEC attacks, it is essential to implement strong email security measures and educate your employees on the signs of such an attack.
Two-factor authentication and monitoring for unusual activity can help protect your business.

Employees should also be aware of red flags, such as requests for sensitive information or financial transfers from unknown individuals or organizations, or requests to transfer money to unfamiliar bank accounts.

If you receive a suspicious email, do not click on any links or download any attachments.

Instead, verify the request through a separate, secure channel, such as a phone call to the sender using a number you know to be valid.

Business email compromise attacks are a rapidly growing threat to businesses of all sizes.

By taking proactive steps to secure your email communications and staying vigilant, you can help protect your business from costly and damaging BEC attacks.

The SLAM Method Can Improve Phishing Detection

Why has phishing remained such a large threat for so long? Because it continues to work. Scammers evolve their methods as technology progresses, employing AI-based tactics to make targeted phishing more efficient.

If phishing didn’t continue returning benefits, then scammers would move on to another type of attack. But that hasn’t been the case. People continue to get tricked.

In May of 2021, phishing attacks increased by 281%. Then in June, they spiked another 284% higher.

Studies show that as soon as 6 months after a person has been trained on phishing identification, their detection skills can begin waning as they forget things.

Give employees a “hook” they can use for memory retention by introducing the SLAM method of phishing identification.

What is the SLAM Method for Phishing Identification?

One of the mnemonic devices known to help people remember information they are taught is the use of an acronym. SLAM is an acronym for four key areas of an email message that should be checked before trusting it. These are:

S = Sender
L = Links
A = Attachments
M = Message text

By giving people the term “SLAM” to remember, it’s quicker for them to do a check on any suspicious or unexpected email without missing something important.

All they need to do is run down the cues in the acronym.

S = Check the Sender

It’s important to check the sender of an email thoroughly. Often scammers will either spoof an email address or use a look-alike address that people easily mistake for the real thing.

You can double-click on the sender’s name to ensure the email address is legitimate.

L = Hover Over Links Without Clicking

Hyperlinks are popular to use in emails because they can often get past antivirus/anti-malware filters.

You should always hover over links without clicking on them to reveal the true URL. This often can immediately call out a fake email scam due to them pointing to a strangely named or misspelled website.

A = Never Open Unexpected or Strange File Attachments

Never open strange or unexpected file attachments, and make sure all attachments are scanned by an antivirus/anti-malware application before opening.

M = Read the Message Carefully

If you rush through a phishing email, you can easily miss some telltale signs that it’s a fake, such as spelling or grammatical errors.

Look for words or phrases not normally used by the person who’s emailing you. Words like “kindly” and “revert” are tell-tale clues the email come from someone who’s not your normal sender.

Also, be on the lookout for pressure to act quickly or unexpected banking change requests. While it happens, it is rare for a company to change banks without months of advance notice.

Get Help Combatting Phishing Attacks

Both awareness training and security software can improve your defenses against phishing attacks. Contact us today to discuss your email security needs.

Watch Out For Reply-chain Phishing Attacks

Phishing. It seems you can’t read an article on cybersecurity without it coming up. That’s because phishing is still the number one delivery vehicle for cyberattacks.

80% of surveyed security professionals say that phishing campaigns have significantly increased post-pandemic.

Phishing not only continues to work, but it’s also increasing in volume due to the move to remote teams.

Many employees are now working from home. They don’t have the same network protections they had when working at the office.

One of the newest tactics is particularly hard to detect. It is the reply-chain phishing attack.

What is a Reply-Chain Phishing Attack?

You don’t expect a phishing email tucked inside an ongoing email conversation between colleagues.

Most people are expecting phishing to come in as a new message, not a message included in an existing reply chain.

The reply-chain phishing attack is particularly insidious because it does exactly that. It inserts a convincing phishing email in the ongoing thread of an email reply chain.

How does a hacker gain access to the reply chain conversation? By hacking the email account of one of those people copied on the email chain. Often, the target isn’t even aware.

The hacker can email from an email address that the other recipients recognize and trust. The attacker also gains the benefit of reading down through the chain of replies. This enables them to craft a response that looks like it fits.

They may see that everyone has been weighing in on a new idea for a product called Superbug. So, they send a reply that says, “I’ve drafted up some thoughts on the new Superbug product, here’s a link to see them.”

The reply won’t seem like a phishing email at all. It will be convincing because:

  1. It comes from an email address of a colleague. This address has already been participating in the email conversation.
  2. It may sound natural and reference items in the discussion.
  3. It may use personalization. The email can call others by the names the hacker has seen in the reply chain.

Business Email Compromise is Increasing

Business email compromise (BEC) is so common that it now has its own acronym. Weak and unsecured passwords lead to email breaches. So do data breaches that reveal databases full of user logins.

Tips for Addressing Reply-Chain Phishing

Here are some ways that you can lessen the risk of reply-chain phishing in your organization:

• Use a business password manager
• Put multi-factor controls on email accounts
• Teach employees to be aware

Phishers Lure Targets In With COVID-19 Schemes

Mark Funchion is a network technician at Tech Experts.

You may have noticed that we talk about phishing a lot. Unfortunately, phishing is an issue that will never go away and the tactics change constantly. That constant change makes it difficult, if not impossible, to eliminate as a threat.

Fortunately, there are red flags that end users can keep an eye out for.

If you get an email that answers a common demand, treat it with a high level of skepticism.

For example, a few years ago when the Nintendo Wii was hard to find and a lot of people wanted them, a lot of “Click here to buy a Wii now!” emails went out. I think you can guess how many people actually got a Wii through those schemes.

Well, it’s not Christmas, but the ongoing hot topic in the world is COVID-19 and its vaccine.

As we strive to return to normalcy, there are people who want the vaccine who do not qualify yet, are on a waiting list, or want to get it in a quick and easy way.

Attackers know this. In fact, they count on it. Phishers rely on human nature, and that is what makes it hard for the end user: you have to go against your basic human emotions.

All emails should be evaluated as if they are a phishing email. Look for the standard warning signs such as an offer that’s too good to be true, misspelled words, or if the wording of the message is a little off. Some are very obvious. Some are more subtle.

The attackers may also appear as though they are from a reputable company like a national pharmacy chain, a local doctor, or a large hospital system.

However, the typical format legitimate providers follow is that they’ll send you information on the vaccine and remind you to contact your health care professional to schedule an appointment.

Another example of the phishers’ methods is that they’ll send a link asking you to verify your information to determine eligibility (or even a link to buy the vaccine from a supplier).

Again, red flags. Take a moment to ask yourself why – when the vaccine distribution is so controlled – would a random person have a surplus of product?

These are all pretty basic ideas, but it is easy to get lax in proceeding with caution. It’s even more of a challenge to stay alert when the attacks are using current events to their advantage.

The days of free money from a “Nigerian Prince” are mostly over, but almost everything we do right now is influenced by COVID.

If and when you get the message asking you to “click here to verify your vaccine eligibility,” don’t do it. Next month, when you are hit with messages for updates on your taxes or missing money, don’t click on those either. Later this year at Christmas, don’t click on the link for the discounted, hot item everyone wants. And in 2022… rinse and repeat.

Phishing will always find a way to be relevant, and you can never let your guard down.

Would You Know If You Were Being Smished?

Ooof… you’d hope so, right? Sounds uncomfortable.

But push away whatever image that word has put in your head, and turn your attention to your mobile phone.

Smishing is the text message version of phishing.

What’s phishing again? It’s where criminals send you an email, pretending to be someone else (like your bank), to try to get sensitive information from you.

Yes, these cyber criminals really are resourceful. And the more ways there are to try and infiltrate your data, the more they’ll use different platforms.

Just like with phishing, smishing attempts are not always as easy to spot as you might think.

Most of them pretend to be sent from a recognized business – like your network provider, for example – rather than just a random number. Some look like they’ve come from someone you know personally.

They’ll ask you to click a link to take an action like checking your monthly bill, updating your account information, or maybe to pay a bill. It’s usually the kind of message you would expect to see from that business.

But if you click that link… you’ve potentially given them access to your device. And that means they may have access to your data, passwords, and any other information stored on your phone.

Terrifying.

Protecting yourself is really similar to the way you’d deal with a phishing attempt on your email:

• Never click on any links unless you’re certain the sender is who they say they are

• If you’re unsure, contact the company (or person) on their usual number to check

• And if an offer seems too good to be true, it usually is (sorry, you didn’t really win that competition you never even entered)

Consider this our number one most important golden rule: Never click a link if you’re not expecting it. Wait to verify it with the sender first.

The Eleven Types Of Phishing Attacks You Need To Know To Stay Safe

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Like Darwin’s finches, phishing has evolved from a single technique into many specialized tactics, each adapted to specific targets and technology. First described in 1987, phishing is now carried out via text, phone, advertising and, of course, email.

Boiled down, all of these tactics exist for the same purpose – to steal confidential information from an unsuspecting target in order to extract something of value.

Knowing about the hugely diverse set of today’s phishing tactics can help you be more prepared for the inevitable instance when you become the target.

Standard phishing – casting a wide net
At its most basic, standard phishing is the attempt to steal confidential information by pretending to be an authorized person or organization. It is not a targeted attack and can be conducted en mas. [Read more…]