Know (and Mitigate) the Threats that Put Your Business at Risk
Phishing attacks are on the rise.
In a study by Alto Research, data revealed that phishing attacks in Europe jumped by 718% since the start of COVID-19. Whilst Google detected over 2 million phishing websites created in 2020 – a 25% increase from the previous year.
And although 96% of phishing attempts are via email, cybercriminals are now plying SMS and direct phone calls to try to catch their victims, possibly your employees, unaware on more personal mediums.
A successful phishing attack could mean a number of things to your business: monetary loss, data breaches, and reputational damage, to name a few.
In this article, we’ll overview the basics of phishing, smishing, and vishing attacks. We’ll share real-world examples and actionable tips to help keep your business protected.
What is Phishing?
Phishing describes cyber-attacks which use fraud and social engineering tactics to trick victims into revealing personal or sensitive information. Phishing primarily refers to such attacks conducted over email.
Attackers, also known as ‘phishermen,’ are usually after passwords, financial data, bank details, credit card numbers, or personal data. In targeted business attacks, attackers could be after the protectable interests of your company, such as financial records, trade secrets, product formulas, and customer lists.
Phishermen usually pose as a legitimate organisation, such as a bank, government entity, or any well-known company. They may even pose as your client or supplier.
Example of Phishing – Microsoft 365 File Deletion Alerts:
An email is received with the sender’s name of ‘Microsoft 365 Support.’ The email address has a variant of the word ‘Microsoft’ (e.g., @micr0s0ft.net) in the domain, and the email features Microsoft branding.
The email warns of unauthorized file deletions taking place on the employee’s account. To fix the problem, the recipient needs to urgently login to Microsoft 365. A link to login is provided in the email. That link goes to a spoofed website that mimics the actual login portal.
The entered username and password details go directly to the attacker. They can now hack into your company Microsoft 365 account with the same level of access to company files, folders, and emails as the phished employee.
Here’s How to Stay Protected:
- Know the signs of spoofed websites.
- Always enable 2FA/MFA functionality for platforms that support it.
- Ensure your anti-virus software is up-to-date and includes web browser monitoring.
- Be wary of emails with poor grammar, spelling, and formatting.
- If an email sounds too good to be true, it probably is. Emails that claim you’ve won an international lottery or inherited from a Nigerian prince are classic phishing attempts.
- Don’t trust the phone numbers in a suspicious email. The best option is to visit the official company website by searching in Google, and take the number from there.
- Never click links and download attachments in a suspicious email.
- If in doubt, forward the email to your IT Department for verification.
What is Smishing?
Smishing is a combination of the words ‘SMS’ and ‘phishing’. It describes attacks over SMS, but also includes mobile messaging services such as WhatsApp and Facebook Messenger.
Primarily, smishing attempts to trick potential victims into clicking a link to a bogus website, providing sensitive information to the attacker, or downloading a malicious smartphone app.
A global study by Proofpoint found that 61% of surveyed organizations faced smishing in 2020.
Example of Smishing – Package Delivery Scams:
In July 2021, the SA Post Office warned of a smishing attack where people had received SMSs requesting a ‘clearance fee’ to release their supposed package. The SMS contained a link to a payment page that belonged to the attacker.
Sometimes, recipients are asked to download to an app for tracking their package. The app contains a virus that hacks the victim’s smartphone and sends credit card details to the phishermen.
Here’s How to Stay Protected:
- Avoid clicking on links and attachments sent by unknown senders. This includes PDFs, audio, and video files.
- Never provide OTPs, passwords, and personal data if requested over text.
- Do not save passwords, banking, and sensitive information on your phone. For example, don’t save an ATM PIN code in your notes app.
- Install anti-virus software on your smartphone. Free and paid options from leading security companies are available for iOS and Android.
What is Vishing?
Vishing, or ‘Voice Phishing’, are phishing attacks that take place over a phone call or voicemail message.
People can be more likely to fall for vishing attacks because it’s a human on the line, and thus easier for the attacker to build trust, create urgency, and personalise his attack. This is unlike the more impersonal nature of email, website, and SMS cyber-attacks.
Example of Vishing – Bank Impersonation:
The caller identifies himself as an employee of your bank. He is phoning to notify you of fraudulent transactions on your account.
To reverse the transactions, he requires your credit card details and an OTP. The OTP is sent to you whilst you are on the call, which you then read out to him. Cybercriminals can then use this information to make purchases or access your bank account directly.
Here’s How to Stay Protected:
- Never give remote access unless you can confirm it is a vendor with whom you are already a customer, and they absolutely require access. Always confirm with your IT Department before doing so.
- Don’t respond to prompts if you receive a robo-call. For example, an automated voice might say: “You have been chosen to receive 10 free lotto tickets! Press 1 to claim your prize, press 2 to decline.” Pressing numbers whilst on a call is one way that phishermen can identify active phone numbers in order to target later on. Simply cut the call.
- Remember that financial organisations will never ask for a password, PIN, CVV / CVC number or OTP over the phone or SMS.
- Use a caller ID app, such as TrueCaller, where malicious phone numbers can be filtered, blocked, and reported.
Assess Your Readiness with a Free Assessment on Your Cybersecurity Posture
Need to do something for your company’s phishing, smishing, and vishing protection but not sure where to start?
Whether you need guidance on developing a cybersecurity awareness program or a thorough security implementation, iSite Computers is here to help. We’ve been in the business since 2008, helping SMBs in South Africa with a fully managed IT offering and comprehensive cybersecurity solutions.