What the Top Subject Lines for Phishing Emails Say About These Threats

What the Top Subject Lines for Phishing Emails Say About These Threats

Phishing emails have been around for quite some time, and for their entire existence they have gotten the better of even the most seasoned employees. What exactly contributes to their success? What kinds of subject lines go into creating a phishing email that users find to be convincing enough to actually want to click on and follow through on? Let’s take a look at a recent study that might glean some insights into this.

Tip of the Week: Identifying a Phishing Message Before You’re Hooked

While these potential threats are frustrating to look out for, that is exactly what needs to be done to prevent their success. Here are five tips to help you spot a phishing attack before it is too late. Extreme Urgency When somebody is trying to phish you, they often rely on you panicking and not fully thinking through the message. That’s why, whenever you receive an email labelled “urgent” and written in an intimidating tone, you need to take a few breaths and consider it a little more. There is no questioning that email is an extremely valuable communication tool, but at the same time, would it really be how you sent someone an urgent, time-sensitive message over something like a phone call? Even if it does come in via a phone call, any message you receive should be carefully considered before you act. Attachments Email gives business users so much utility, but that also lumps in those who make cybercrime their business as well. Email makes it much easier for a cybercriminal to send along a malware payload, hidden inside an attachment. Therefore, you should never click into an email attachment that you didn’t anticipate receiving, and even think twice about the ones you did expect. Many organizations—like financial institutions and the like—are favorite ruses of cybercriminals, despite the fact that these organizations will either use a dedicated solution to reach out to you or call you directly before sending along an attachment. Unless you know with confidence what an attachment contains, it is best not to click on it at all. Spelling and Grammar Errors Let me ask you a question: if you were to receive any kind of written correspondence from a business, whether it was an email, a letter, what have you, would you take that business seriously if it was riddled with mistakes and misspellings? Unlikely. Businesses are generally very aware of this, and usually put forth the effort to ensure that the materials and messages they send out are carefully edited before they distribute them for this very reason. Would you trust this blog if every other sentence featured a misspelled word or misused punctuation mark? In a phishing message, however, the individual writing it is actively banking that their reader won’t be paying too close attention, making such errors less important. While this isn’t a hard and fast rule, it is a good way to keep your business safe. Requests for Personal Information In a similar vein, does it make sense that a business that presumably already has your sensitive information would reach out and ask for it again via email? No, it doesn’t, and that’s why legitimate businesses tend not to do this. While this is also a generalization and there will be exceptions, a scammer will generally be the only party to request sensitive and personal information over email. A legitimate business will have a different tool they use to collect this data if they need it, as they need to abide by the compliance and security requirements that are likely imposed on them by some regulatory body. Suspicious Links Finally, we need to discuss links, particularly those that come included in a surprise email. Links are remarkably easy to manipulate, so while you may think you’re visiting another business’ website […]

Lessons to Learn from Attacks on COVID-19 Research

Cozy Bear The National Cyber Security Centre, located in the UK, recently shared that a group has been attacking organizations involved with COVID-19 vaccine research. These claims have been verified by authorities in the United States and Canada. Known as “APT29,” as well as “Cozy Bear” and “the Dukes”, the attackers level spear phishing attacks and make use of assorted exploits to gain access to their target’s systems. After this access has been obtained, malware known as WellMail or WellMess is released into the environment. Many experts are of the opinion that this is not the first time that APT29 has been active, either. The group is suspected of attacks against various organizations in healthcare, energy, and government, and is believed to be responsible for the 2016 hack of the Democratic National Committee. In response to this, the CSC has been trying to work with software vendors to ensure that vulnerabilities are patched. If these patches aren’t applied, cybercriminals can find the means to exploit these vulnerabilities and cause problems. A Spear Phishing Refresher We’re no strangers to discussions about phishing, simply because it is one of today’s most prevalent threats to network security. Many phishing attacks are sent randomly to a large group of targets, but spear phishing is a different animal. Instead of trying to exploit a lot of people for little payout from each, spear phishing requires careful planning and execution of a highly targeted attack against one person. This person is often seen as the weakest link in an organization’s security by hackers. With any luck, you won’t need to contend with phishing attacks from a major hacking group. That being said, it’s important that you and your team can identify a potential phishing attack and react appropriately. Here are a few basics to keep in mind: Always check the details. Many phishing attacks will display some subtle issue, either in the email address it comes from or some other detail. Make sure you pay attention for some of these warning signs. Proofread the message. Businesses want to put their best foot forward, so their correspondence is generally carefully edited before it’s sent out. If you receive a message with questionable spelling and grammar, exercise caution. Reach out. If you’re unsure of whether a message is legitimate or not, reach out to the sender through another means to confirm it if you can. For your business to avoid threats, being able to identify potential phishing attacks is only going to become more important. Find out how to train your team to spot them by reaching out to us. Call SRS Networks at (831) 758-3636 to learn more.

Are You and Your Team Prepared to Deal with Phishing?

Why Phishing Attacks are So Dangerous There are various factors that contribute to the risks associated with phishing attacks. One of the biggest contributors: the very low barrier to entry that a phishing scam requires of the person conducting it. Picture a hacker for a moment. What do you see? If you’re anything like the average user, you mind jumps to the imagery that pop culture has cultivated. A dark room, awash in a pale blue-white glow from an array of monitors, with someone hunched over a keyboard, fingers elegantly typing with the confidence of a concert pianist. While this picture has long been accepted by audiences as the way that a hacker looks, it is a fabrication. A lot of real-life hacking has pivoted to rely on psychology more than computer sciences and programming. Instead of manipulating code, a hacker focuses on manipulating the user. Why pick a lock if you can fool someone into handing over their keys? Unfortunately, phishing attacks are as effective as they are simple. Most users just don’t know what to look for to tell a legitimate email or website from a fraudulent one. Most aren’t even anticipating that they’ll be targeted at all. As a result, the scenario plays out like this: a hacker sends out an email that looks as though it is from a popular bank. To the untrained eye, it seems to be legitimate, and it may have even fooled the filters the user has set up to organize their emails. This is precisely how phishing attacks work—by getting the user to believe that the email is legitimate and having them play right into the attacker’s hands as a result. Whether the phishing email links to a malicious website or carries a malicious attachment, they are not to be taken lightly. How to Spot a Phishing Attempt While we aren’t trying to inspire paranoia, any email you receive could be a phishing email, which means you need to consider each one you receive. Make sure you follow the next few steps to prevent yourself from being taken advantage of. Check the tone. Is the email you’ve received trying to elicit an extreme emotion from you? Is it blatantly urgent, asking information about an account of yours without any reason to, or simply making a truly unbelievable offer? Attackers will often shape their phishing messages to instigate an emotional response. Stay rational. Check any links before clicking. It is startling how much trust people will put in a link. Hackers have numerous ways to hide the actual destination of a link, many of which indicate that the link is faked… although you need to know what to look for. Let’s consider PayPal for a moment. A legitimate PayPal link would direct to paypal-dot-com. However, if you were to add something—anything—between “paypal” and “dot-com”, the link would obviously go somewhere else. There are various other rules to keep in mind, too. For instance, the “dot-com” in the domain should be the last dot-anything and should be immediately followed by a forward slash (/). Here’s a brief list of safe examples, and some unsafe and suspicious examples: paypal.com – Safe paypal.com/activatecard – Safe business.paypal.com – Safe business.paypal.com/retail – Safe paypal.com.activatecard.net – Suspicious! (See the dot immediately after PayPal’s domain name?) paypal.com.activatecard.net/secure – Suspicious! […]

Yeah, There’s a Reason Some Scams are So Obvious

Advance-Fee Fraud and Its Origins Believe it or not, those emails have their roots in the 18th and 19th centuries, where scammers wrote letters to their targets begging for some small financial assistance in exchange for a significant reward. Rather than a Nigerian prince seeking escape from political turmoil, one such attempt featured a wealthy Spanish prisoner that needed to be smuggled out of Spain and required some investment to bribe the guards. These scams continued over the years, appearing in French investigator Vidocq’s memoirs and reports of other transnational scams exist from 1922. Today, these advance-fee scams are most recognizable in the form of the Nigerian Prince scam, as referenced above… and thanks to the Internet, they are far more prevalent, as there aren’t even postal costs to prevent scammers from using them on a widespread basis. Why These Scams are Notoriously Obvious One would think that, as a scam that has become the go-to example of a scam, cybercriminals would have abandoned it long ago—or at least worked to make them more convincing. So, why are these scams still around, and still so transparent? In 2012, a researcher for Microsoft named Cormac Herley asked the same question and conducted a project to find the answer. His conclusion was brilliantly simple: these scams allowed hackers to weed through potential victims to find the ones most susceptible to their efforts. Cyberattacks aren’t free for cybercriminals to carry out. So, just as anyone who invests in something would want, they want to see the greatest return for that investment. In a cybercriminal’s terms, this translates to the highest number of successfully scammed people who comply with their demands. Just like in any business, a cybercriminal will want to minimize the number of false positives (in this case, targets that never send over any money). Looking at it from an economic perspective, the higher the number of false positives the cybercriminal invests in, the lower the net payout for them. After compiling statistics and going through the numbers, it became apparent to Herley that cybercriminals use the now-infamous word “Nigeria” in their scams to eliminate these false positives more effectively. Essentially, by using that word early on in their interaction with a potential victim, cybercriminals were able to shrink their target pool to only the most gullible or naïve people they had found. By cutting out the false positives early in the game, scammers could minimize their investment without sacrificing any payoff. All the grammatical errors, misspelled words, and far-fetched tales just serve to eliminate the people who ultimately wouldn’t be fooled anyway. For more detail, you can find documentation of Herley’s process here. How to Keep Your Business Safe Of course, not all scams operate this way, so it is still important for you and your team to know what to keep an eye out for. The Federal Bureau of Investigation provides the following list of rules to follow to avoid scams:  If something sounds too good to be true, it is safe to assume it is. If you receive correspondence from someone asking for money or information, go through the proper steps to confirm the message’s legitimacy through other means, like a phone call. Have a professional go over any agreement you’re about to enter so that you can fully […]

Don’t Let Your Network Be Infected Thanks to Coronavirus

How are Cybercriminals Using Coronavirus? “You can sit in a room and create anything you want on a laptop. That’s why the real con men are gone.”– Frank Abagnale Reformed con man and FBI consultant Frank Abagnale is right, as the cybercrimes shaped around the coronavirus have proven. Due to the deep anxiety and trepidation that the media coverage of COVID-19 has encouraged, cybercriminals have been handed an opportunity to take advantage of the panicked populace through phishing attempts… an opportunity they have embraced since the end of January. These themed attacks have been directed toward a variety of targets. For example: Healthcare providers have been targeted by phishing attacks that deliver keylogging malware, meant to look like emails from local hospitals or the World Health Organization. “Informational” emails referencing coronavirus have enabled hackers to introduce ransomware to the populace. Members of the supply chain have seen coronavirus emails that install information-extracting malware through malicious Microsoft Word documents. Of course, this kind of activity has been going on for far longer than the Internet has been around… it’s just that the Internet makes these attacks much more efficient and effective. How this Complicates Things Unfortunately, the latest application of these attacks have proven effective. Much of this is likely due to the fact that they are leveraging a very visible and nerve-wracking event, which helps to boost the interest of a target. This same tactic is the reason that so many phishing attacks are launched right around tax time, and why fraudulent messages were shared via SMS claiming that the recipients needed to register for the draft… for a fee. Whatever the approach, the tactics have remained the same: scare the recipient enough that they don’t consider that the message may be fraudulent, and give them a perceived “out” if they turn over their information. Adding to the complexity, the situation with COVID-19 is just different enough from other events that cybercriminals typically take advantage of, for it to be uniquely dangerous. For instance, many of the other disasters that a cybercriminal will use to their advantage are over in a relatively short time frame. In comparison, COVID-19 has already spent weeks dominating the headlines, with no way to tell how many more weeks (or months) are yet to come. In addition to this, coronavirus is largely unprecedented, unlike the foundation of many other phishing attacks (such as major sporting events and the like). This means that there is no real resource that is known to be trusted for people to turn to. For weather events, the National Weather Service and FEMA fill that role… no such resource is as commonly trusted for coronavirus. What Can Be Done In most cases, resisting these efforts will require a combination of basic cybersecurity measures and–perhaps more critically–user awareness and education. While your protections will ideally block the majority of phishing attacks and malicious messages, you need to be sure that your employees are aware of how such attacks should be handled: Train effectively – Rather than taking up half of one day on a dull and repetitive training seminar, split your training efforts into shorter pieces, focusing on assorted aspects of the threat at hand. Give your team the knowledge they need to recognize phishing attacks and understand the importance of mitigating […]

Your End Users Are Your Last Line of Defense against Cybercriminals

Over the last three or four years, we’ve seen some of the world’s biggest data breaches. Yahoo, Marriott-Starwood, and Equifax were the highest profile attacks, with a combined 3.5 billion accounts hijacked for those events on their own. To put that in perspective, you could take any two human beings on the planet, and there would be a pretty good chance that one of them was a victim of a data breach over the last three years. Security breaches like this have increased by over 67% since 2014, and the trend is still climbing. What’s at Stake? We’re Basically All Hacked Now? It’s actually almost a good thing that these massively high-profile data breaches are happening. Hear me out: It brings this type of crime to the public eye – Most Americans know about the Equifax breach. Awareness is a huge step in the right direction. There is so much data in these breaches that it is practically impossible for cybercriminals to use it all – If 500 million credit card numbers are stolen, the chances of one in particular being used goes down substantially. We’re not looking at data breaches in a positive light, but I firmly believe that the last few years has been the lesson the world needed, and it is a lesson a lot of organizations are taking very seriously. Policies and laws are hitting the books, and compliance regulations are being mandated within certain industries. Organizations of all sizes are taking data security seriously.  What Does This Mean for Smaller Businesses? Of course, when we talk about data breaches, we always reference the big ones like Yahoo, Target, Sony, eBay, etc. Or we talk about the municipal attacks, where large cities like Albany, NY and Baltimore, MD were targeted, along with smaller towns like Wilmer, TX and Lake City, FL being held at ransom. We don’t hear about the 40-person company that goes under because of a cyberattack, because it affects fewer people. The problem is that small businesses are a major target. In fact, according to a survey by Verizon, 43% of breach victims were small businesses. Smaller businesses are easier targets because they usually don’t pay as close attention to their security. It’s Time to Take Cybersecurity Seriously There are things you can do. If you want to start getting serious about your organization’s cybersecurity, there is no time like the present. Call our knowledgeable IT professionals at SRS Networks today at (831) 758-3636 to get started taking the steps you need to keep your company’s data and infrastructure secure.

Phishing is a Major Threat

You are the only thing that can truly protect you from a phishing attack. Without participation, it simply is a phishing attempt. Hackers are always looking for clever ways to fool their potential victims, so can you trust your employees to recognize the telltale signs of a phishing attempt? Habitual Efforts to Foil Phishers Learning to do things the correct way is a lot easier than breaking a habit. Here are a few habits you can train your staff to do to recognize and avoid phishing attempts:  Check Links BEFORE Opening Them Getting in the habit of clicking links without checking the URL is an all-too-common mistake amongst staff. If you receive a link and want to know where it will take you, all you have to do is hover over it. If you aren’t able to see the link, or the entire link, you can also right click it and copy the address it will take you to. From there you can paste it into a notepad and further examine it.  While a trained eye can detect a phishing attempt, some phishers cleverly disguise their links. Learn How to Spot Fraudulent Links If your eye is untrained, and you aren’t able to identify the legitimacy of these two links, SRS Networks is here to help. amazon.com/deals/offers amazon.com.deal/offers Which of those two links would you confidently click on? Hopefully you said the first one. The tell-tale sign that a URL is coming from a fraudulent website is there will be a “dot” after the domain. The domain (example.com, example.net) is typically read as example dot com. So, if you see a link that says example dot com dot something, the link is more than likely a phishing attempt. If you aren’t entirely sure, your best bet is to avoid the link entirely.  Another method phishers will often use is slight alterations in domain names. Our minds are trained to read words even when the “in between” characters are incorrect, or characters are in the wrong order. As long as the first letter and last letter are correct, typically we can make out the words without issue. Don’t believe me? Quickly skim through this list: amazon.com google.com ebay.com payal.com reddit.com visa.com Did you notice the incorrect link right away? If not, take a closer look. This simple practice is used by phishers with great results.  Emotions Lead to Phishing Vulnerability Becoming a victim of a phishing attempt is easier than you might think. Once emotions are involved, instincts often kick in and result in an easy hookset. Let’s take a look at a few scenarios. “Congratulations! You have won a free iPad!” If you are lucky enough to win an item for absolutely no reason, chances are you are unlucky enough to fall victim to a phishing attempt too. Avoid these links at all costs. “You have been issued with a driver’s violation:Type: SpeedingAmount due: $143 This fee will be forwarded by mail to your address. However, you can screen it now by pressing here: DMV Notification” This one is more difficult to recognize, and frustration can easily get in the way of habitual email awareness. It is important to train your staff to recognize all different types of attempts. Examples are the easiest way for your staff to understand just […]

Would One of These Social Media Scams Bamboozle You?

Here, we’ll review the various scams that frequently appear on social media to help you better identify problematic content on your feeds. Many of these may not seem to apply to your business’ social media presence at first glance, but it is important to remember that your personal social media and your professional representation on social media are closely linked. As a result, a breach of your personal account could easily put your business’ representation at risk as well. Gossip Scams “See PHOTOS of the celebrity that secretly lives in your area!” “You’d never believe who DWAYNE JOHNSON spends his free time with!” “You’ll be SHOCKED to learn which beloved ‘90s sitcom cast formed a blood cult!” You’ve likely seen ads pop up on your Facebook (or have had some of your connections share stories on their Newsfeeds) making claims similar to these. People like to live vicariously through the celebrities they admire, but these scams more often than not fool them into downloading malware after visiting a page. Fortunately, avoiding these scams is fairly simple – all you have to do is take in gossipy headlines with a grain of salt and avoid downloading programs from anywhere but the actual source. Nigerian Scam/Stuck Abroad Scam “Hello Dearest Friend, I am Prince Akinola. During the recent uprising in my country, my father was murdered in his sleep. To protect his riches, I seek a trustworthy Person to help me transfer 3 million US dollars into an account for a time. Helping me, you will be able to keep 35% of it to use as you see Fit. Please reply to me immediately with your name and phone number so I can leave this country and transfer the money to you.” These scams are perhaps some of the most famous, originally appearing in Nigeria but quickly spreading the world over. Basically, instead of netting a large percentage of a fortune, the victim usually is scammed out of their banking credentials or are asked to pay “processing fees” before their “payment can be delivered.” “I’m so glad I got the chance to send this message. I’m overseas in Europe and my wallet was stolen! I need $1,300 to get home. Could you wire over the money for me?” In the more personal version of the Nigerian scam, a cybercriminal will hack into someone’s account and start spreading a facetious sob story among their friends and relatives, hoping that someone will wire money in an attempt to help. While we would all want to do anything, we could for a friend, it is important to verify their story with them via some other means of communication. Lottery Scams/Who Viewed Your Profile Scam/IQ Scam “Congratulations! A gift card worth $1500 is reserved for you!” Wouldn’t it be nice, right? Quite a few of the scams that appear on social media come up in the form of pop-up messages, offering a generic prize in exchange for some personal information. Some will ask for a mobile number so they can charge data fees from you, while others will ask for your banking credentials to steal from you that way. While winning anything like what these scams offer would be undeniably awesome, you can’t win a contest that you didn’t enter. “Want to know who’s been looking […]