TechTidBit - Tips and advice for small business computing - Tech Experts™ - Monroe Michigan

Brought to you by Tech Experts™

Phishing

Would You Know If You Were Being Smished?

Ooof… you’d hope so, right? Sounds uncomfortable.

But push away whatever image that word has put in your head, and turn your attention to your mobile phone.

Smishing is the text message version of phishing.

What’s phishing again? It’s where criminals send you an email, pretending to be someone else (like your bank), to try to get sensitive information from you.

Yes, these cyber criminals really are resourceful. And the more ways there are to try and infiltrate your data, the more they’ll use different platforms.

Just like with phishing, smishing attempts are not always as easy to spot as you might think.

Most of them pretend to be sent from a recognized business – like your network provider, for example – rather than just a random number. Some look like they’ve come from someone you know personally.

They’ll ask you to click a link to take an action like checking your monthly bill, updating your account information, or maybe to pay a bill. It’s usually the kind of message you would expect to see from that business.

But if you click that link… you’ve potentially given them access to your device. And that means they may have access to your data, passwords, and any other information stored on your phone.

Terrifying.

Protecting yourself is really similar to the way you’d deal with a phishing attempt on your email:

• Never click on any links unless you’re certain the sender is who they say they are

• If you’re unsure, contact the company (or person) on their usual number to check

• And if an offer seems too good to be true, it usually is (sorry, you didn’t really win that competition you never even entered)

Consider this our number one most important golden rule: Never click a link if you’re not expecting it. Wait to verify it with the sender first.

The Eleven Types Of Phishing Attacks You Need To Know To Stay Safe

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Like Darwin’s finches, phishing has evolved from a single technique into many specialized tactics, each adapted to specific targets and technology. First described in 1987, phishing is now carried out via text, phone, advertising and, of course, email.

Boiled down, all of these tactics exist for the same purpose – to steal confidential information from an unsuspecting target in order to extract something of value.

Knowing about the hugely diverse set of today’s phishing tactics can help you be more prepared for the inevitable instance when you become the target.

Standard phishing – casting a wide net
At its most basic, standard phishing is the attempt to steal confidential information by pretending to be an authorized person or organization. It is not a targeted attack and can be conducted en mas. [Read more…] about The Eleven Types Of Phishing Attacks You Need To Know To Stay Safe

Buyer Beware: New Phishing Scams Appearing On Craigslist

Craigslist email scams come in many shapes and forms, but in general, a Craigslist email scammer is known to do at least one of the following things:

● Ask for your real email address for any reason at all.
● Insist on communicating by email only (using either your Craigslist email or your real email).
● Send you fake purchase protection emails that appear to be from Craigslist itself.

Asking for your real email address
Scammers might ask you for your real email address for any of the following reasons:

The scammer claims they want to send payment via PayPal. Scammers posing as buyers might try to talk you into accepting online payments, such as those via PayPal.

Once you give your PayPal email address to the scammer, however, they can easily send you a fake PayPal confirmation email to make you think that they paid when they really didn’t.

The scammer claims they use a third-party to securely handle the payment. Similar to the PayPal scenario above, a scammer (posing as either a buyer or a seller) might ask for your real address so that they can send a fake email that appears to come from an official third party.

These types of emails typically are cleverly designed to look like they offer a guarantee on your transaction, certify the seller, or inform you that the payment will be securely handled by the third party.

The scammer intends to send you multiple scam and spam messages. A scammer who asks for your real email address might be creating a list of victims they’re targeting to hack their personal information.

They could be planning to send you phishing scams, money or lottery scams, survey scams or even social network scams.

Insisting on communicating entirely by email
Scammers might insist on talking exclusively by email for any of the following reasons:

The scammer can’t speak to you by phone or meet up in person. Many Craigslist scammers operate overseas and don’t speak English as their first language, which is why they prefer to do everything via email. If they’re posing as a seller, they almost definitely don’t have the item you’re trying to buy and are just trying to get your money.

The scammer is following a script and has an elaborate personal story to share. Scammers use scripts so that they can scam multiple people. If they’re posing as a buyer, they might refer to “the item” instead of saying what the item actually is.

Since English is typically not most scammers’ first language and they operate around the world, it’s very common for them to misspell words or use improper grammar. And finally, to back up why they can’t meet up or need payment immediately, they’ll describe in detail all the problems they’re currently facing/have faced in order to get you to sympathize with them.

The scammer is looking to pressure you to make a payment, or wants to send a cashier’s check. Using their elaborate story, the scammer who’s posing as a seller might ask you to make a deposit via a third party such as PayPal, Western Union, MoneyGram, an escrow service, or something else.

They might even convince you to make multiple payments over a period of time, looking to extract as much money from you as possible before you realize you’re not getting what you’re paying for.

On the other hand, the scammer who’s posing as a buyer might offer to send a cashier’s check, which will likely be discovered as fraudulent days or weeks later.

Beware of anyone who tells you they’re in the military. This is a strong sign of a scam.

Sending fake purchase protection emails
Scammers have been known to send protection plan emails that appear to be from Craigslist. Of course, Craigslist doesn’t back any transactions that occur through its site, so any emails you receive claiming to verify or protect your purchases via Craigslist are completely fake.

The most important thing you can do to avoid getting involved in a Craigslist email scam is to never give away your real email address to anyone you’re speaking to from Craigslist.

Email Checklist: Is It A Phishing Attack?

More than half of phishing attack emails contain malicious links. Furthermore, approximately one-third of all phishing attack emails manage to bypass default security methods.

So how do you determine if an email you’ve received is a phishing attack?

Sure, sometimes it’s obvious. But as cybercriminals continue to evolve and become more sophisticated, their phishing attack emails are becoming more convincing than ever before.

Here’s a complete checklist to go through when you receive a suspicious email:

An Overly Generic Greeting
More often than not, phishing emails are sent out to a massive list rather than one individual.

This means they’ll often contain generic greetings, such as “dear customer” or “dear member” whereas a legitimate source, such as your bank or a government organization, would probably address you by name.

A Request to Update or Verify Information
If the email contains some sort of request to update or verify your information, it’s likely a phishing email. No legitimate source will ask you to update or verify sensitive information over the internet. Chances are, they will call you or wait until you’re in the store/at the bank to go over this request with you.

A Lack of a Domain Address
Aside from looking at the name and company information, don’t forget to double check their domain address.

Hover your mouse over the “from” address to see if there is a legitimate domain or not. For instance, they may have !IRA.com instead of IRA.com. However, this isn’t always foolproof and it’s important to check for other signs too.

Grammar and/or Spelling Errors
Large organizations tend to spell check their email content carefully – meaning it’s not very common to find grammar and/or spelling errors throughout emails from your bank, government entities and other legitimate sources. Pay close attention to the grammar and/or spelling in the email.

A Sense of Urgency
If something is urgent, a legitimate source will typically call you or send you a piece of direct mail.

Cybercriminals tend to create a sense of urgency, such as “if you don’t respond, your account will be canceled” or “if you don’t pay the attached invoice, you
will be charged interest and it will go to collections.”

An Unsolicited Attachment
As a general rule, if the email contains an unsolicited attachment from an unknown sender or an unsolicited attachment that seems out of place from a sender you do know, don’t open it.

Typically, legitimate sources don’t randomly send emails with attachments. Instead, they will direct you to download something directly from their website.

Suspicious Links
Before you click on a link, hover over it to see where the link is actually going to take you. Often, cybercriminals will make it appear as though the link is going to a legitimate place, but once you’ve hovered over it, you’ll find that it’s taking you to somewhere else entirely. Always hover over any links before clicking them.

How To Protect Your Business From Phishing And Spearphishing

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

One of the best ways to protect your business against these types of attacks is by educating your employees on the methods these criminals exploit to gain access to your employees and your sensitive information. But beyond that, there are some methods you can use in conjunction with education to help protect your business.

Pre-delivery
Using filters can help prevent malicious emails from reaching your employees’ inbox and is effective for preventing indiscriminate attacks but not targeted ones.

More useful, however, are solutions that not only filter emails before reaching the inbox but incorporating virus scanners, real-time intent analysis, reputation checks, URL checkers, and other assessments before any email reaching your employee. We have an offering that can help you prevent an attack before it even starts. [Read more…] about How To Protect Your Business From Phishing And Spearphishing

How To Protect Your Business From SHTML Phishing

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.
Data security is vital to any business. Learn how SHTML phishing works and how to minimize the risk of your data falling into the hands of attackers.

Email phishing has been in the playbook of hackers since, well, email. What’s alarming is the scope in which criminals can conduct these attacks, the amount of data potentially at risk, and how vulnerable many businesses are to phishing attempts.

Here’s what you need to know to spot the hook and protect your data from being reeled in.

How Does Email Phishing Work?
A phishing email typically contains an attachment in the form of a server-parsed HTML (SHTML) file.

When opened, these shady files redirect the user to a malicious website often disguised as a legitimate product or service provider. [Read more…] about How To Protect Your Business From SHTML Phishing

Top Concern For Small Businesses? Cybersecurity

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

While some might assume that fear of an economic recession would be at the top of the list of key issues small business owners concern themselves with, a recent survey found that another issue is of much greater concern: Cybersecurity.

This is no surprise.

For the past several years, cybercrimes and data breaches among companies large and small, governments, and even individual citizens have risen drastically.

While it’s true that many business owners still assume a data breach at their own company is highly unlikely, with the ultimate price tag of such attacks ramping up to the millions of dollars (and recovery being hardly successful), it makes sense that companies are taking notice.
[Read more…] about Top Concern For Small Businesses? Cybersecurity

How To Save Your Business From Phishing Scams

Workplaces today are filled with computers and machines, but just as these workstations optimize efficiency and profit, they also increase the possibility of attacks designed to steal, destroy, or corrupt your data through the use of malicious programs.

The most probable avenue for these malicious programs is through phishing scams. To understand how to stop these attacks, you must first understand what a phishing scam entails.

A phishing scam is an attempt for someone to steal sensitive information or install malware onto your PC by tricking you into clicking a link, opening an attachment, or providing personal information.

Although these attacks use tactics that trick people every day, you can stay safe by staying smart. Through time and practice, it can become easy to spot a phishing attack and keep your PC and personal information safe.

If you receive an email containing a threatening message, usually one demanding immediate action, it is probably a phishing scam. Most of these messages try to trick users into clicking a link or opening an attachment with threatening messages like, “Your account has been compromised! You are no longer protected! Click here to protect your account!”

Once you click the link, though, you are redirected to a phishing site.

Another example may be what seems to be an email from your boss’ boss demanding sensitive information to complete company documentation. Always beware when you see a threatening or demanding message.

Another indicator of a phishing scam is an unfamiliar email address or domain name. Some scammers may use domain names or email addresses similar to your normal contacts, but they will never be the same. If you notice an inconsistency, report the email.

Phishing scams can also normally be identified by the sender’s grammar skills. Here is an example from a phishing email: “Click here to cancel this request, else your öffice 365 accöunt…” Terrible grammar and unfamiliar characters as shown here are indicators of a scam.

Lastly, be wary of any request for any type of personal or sensitive information whatsoever, even if it initially seems to be from a trustworthy source.

Even if it does not show any other signs of being a phishing scam, always double and triple-check the authenticity of the request.

If you do stumble across a phishing scam, your best course of action would be to delete the email in question without opening any attachments or clicking any links.

In addition, you should report the incident to your superior or your IT service provider. If a phishing attack happened to you, it can happen to your coworkers as well.

Giving sensitive company information away to a scammer is the last way you want to start your week.

Their tactics are always changing, so the best way to fight attacks like these is through education and awareness rather than programs or filters. Remember the red flags of a phishing scam, and you will have no problem keeping your business safe and secure.

What Are The Newest Phishing Attacks?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.
Phishing is a term adapted from the word “fishing.” When we go fishing, we put a line in the water with bait on it, and we sit back and wait for the fish to come along and take the bait. Maybe the fish was hungry. Perhaps it just wasn’t paying attention. At any rate, eventually a fish will bite, and you’ll have something delicious for dinner.

How Does Phishing Work?
This is essentially how cyber phishing works. Cybercriminals create an interesting email, maybe saying that you’ve won a $100 gift certificate from Amazon. Sound too good to be true? Find out! All you have to do is click the link and take a short survey.

Once you click the link, a virus is downloaded onto your system. Sometimes it’s malware, and sometimes it’s ransomware. Malware includes Trojans, worms, spyware, and adware. These malicious programs each have different goals, but all are destructive and aimed at harming your computers. [Read more…] about What Are The Newest Phishing Attacks?

New Whaling Schemes: CEO Fraud Continues To Grow

In previous years, the first clue that your corporate email has been compromised would be a poorly-spelled and grammatically incorrect email message asking you to send thousands of dollars overseas.

While annoying, it was pretty easy to train staff members to see these as fraud and report the emails. Today’s cybercriminals are much more tech-savvy and sophisticated in their messaging, sending emails that purport to be from top executives in your organization, making a seemingly-reasonable request for you to transfer funds to them as they travel.

It’s much more likely that well-meaning financial managers will bite at this phishing scheme, making CEO and CFO fraud one of the fastest-growing ways for cybercriminals to defraud organizations of thousands of dollars at a time.

Here’s how to spot these so-called whaling schemes that target the “big fish” at an organization using social engineering and other advanced targeting mechanisms.

What Are Whaling Attacks?

Phishing emails are often a bit more basic, in that they may be targeted to any individual in the organization and ask for a limited amount of funds.

Whaling emails, on the other hand, are definitely going for the big haul, as they attempt to spoof the email address of the sender and aim pointed attacks based on information gathered from LinkedIn, corporate websites and social media.

This more sophisticated type of attack is more likely to trick people into wiring funds or passing along PII (Personally Identifiable Information) that can then be sold on the black market. Few industries are safe from this type of cyberattack, while larger and geographically dispersed organizations are more likely to become easy targets.

The Dangers of Whaling Emails

What is particularly troubling about this type of email is that they show an intimate knowledge of your organization and your operating principles. This could include everything from targeting exactly the individual who is most likely to respond to a financial request from their CEO to compromising the legitimate email accounts of your organization.

You may think that a reasonably alert finance or accounting manager would be able to see through this type of request, but the level of sophistication involved in these emails continues to grow. Scammers include insider information to make the emails look even more realistic, especially for globe-trotting CEOs who regularly need an infusion of cash from the home office.

According to Kaspersky, no one is really safe from these attacks — even the famed toy maker Mattel fell to the tactics of a fraudster to the tune of $3 million. The Snapchat human resources department also fell prey to scammers, only they were after personal information on current and past employees.

How Do You Protect Your Organization From Advanced Phishing Attacks?

The primary method of protection is ongoing education of staff at all levels of the organization. Some phishing or whaling attacks are easier to interpret than others and could include simple cues that something isn’t quite right. Here are some ways that you can potentially avoid phishing attacks:

  • Train staff to be on the lookout for fake (spoofed) email addresses or names. Show individuals how to hover over the email address and look closely to ensure that the domain name is spelled correctly.
  • Encourage individuals in a position of leadership to limit their social media presence and avoid sharing personal information online such as anniversaries, birthdays, promotions and relationships — all information that can be leveraged to add sophistication to an attack.
  • Deploy anti-phishing software that includes options such as link validation and URL screening.
  • Create internal best practices that include a secondary level of validation when large sums of money or sensitive information is requested. This can be as simple as a phone call to a company-owned phone to validate that the request is legitimate.
  • Request that your technology department or managed services provider add a flag to all emails that come from outside your corporate domain. That way, users can be trained to be wary of anything that appears to be internal to the organization, yet has that “external” flag.

There are no hard and fast rules that guarantee your organization will not be the victim of a phishing attack. However, ongoing education and strict security processes and procedures are two of the best ways to help keep your company’s finances — and personal information — safe from cyberattack.