Does the Ransom Cause All the Financial Impacts of Ransomware?

Does the Ransom Cause All the Financial Impacts of Ransomware?

Let’s say, hypothetically speaking, your business was infected with ransomware, and—despite our advice not to—you decided to pay the ransom. Once the money’s handed over, that’s the biggest cost that you might be subjected to, right? Not so fast. Ransomware has many more impacts than that, each of which come with their own costs as well. Let’s dive into some of the other factors that also contribute to the cost of ransomware.

Phishing Continues to be a Serious Security Issue

Phishing Continues to be a Serious Security Issue

If there was a specific form of cyberattack that was responsible for a quarter of all data breaches, how seriously would you take it? Hopefully, pretty seriously, as this form of cyberattack exists. Phishing attacks, the infamous means of hacking an end user, remains a considerable threat to this day. Reflecting on this, it seems prudent to review what phishing is and, crucially, how to avoid it.

What the Top Subject Lines for Phishing Emails Say About These Threats

What the Top Subject Lines for Phishing Emails Say About These Threats

Phishing emails have been around for quite some time, and for their entire existence they have gotten the better of even the most seasoned employees. What exactly contributes to their success? What kinds of subject lines go into creating a phishing email that users find to be convincing enough to actually want to click on and follow through on? Let’s take a look at a recent study that might glean some insights into this.

Tip of the Week: Identifying a Phishing Message Before You’re Hooked

While these potential threats are frustrating to look out for, that is exactly what needs to be done to prevent their success. Here are five tips to help you spot a phishing attack before it is too late. Extreme Urgency When somebody is trying to phish you, they often rely on you panicking and not fully thinking through the message. That’s why, whenever you receive an email labelled “urgent” and written in an intimidating tone, you need to take a few breaths and consider it a little more. There is no questioning that email is an extremely valuable communication tool, but at the same time, would it really be how you sent someone an urgent, time-sensitive message over something like a phone call? Even if it does come in via a phone call, any message you receive should be carefully considered before you act. Attachments Email gives business users so much utility, but that also lumps in those who make cybercrime their business as well. Email makes it much easier for a cybercriminal to send along a malware payload, hidden inside an attachment. Therefore, you should never click into an email attachment that you didn’t anticipate receiving, and even think twice about the ones you did expect. Many organizations—like financial institutions and the like—are favorite ruses of cybercriminals, despite the fact that these organizations will either use a dedicated solution to reach out to you or call you directly before sending along an attachment. Unless you know with confidence what an attachment contains, it is best not to click on it at all. Spelling and Grammar Errors Let me ask you a question: if you were to receive any kind of written correspondence from a business, whether it was an email, a letter, what have you, would you take that business seriously if it was riddled with mistakes and misspellings? Unlikely. Businesses are generally very aware of this, and usually put forth the effort to ensure that the materials and messages they send out are carefully edited before they distribute them for this very reason. Would you trust this blog if every other sentence featured a misspelled word or misused punctuation mark? In a phishing message, however, the individual writing it is actively banking that their reader won’t be paying too close attention, making such errors less important. While this isn’t a hard and fast rule, it is a good way to keep your business safe. Requests for Personal Information In a similar vein, does it make sense that a business that presumably already has your sensitive information would reach out and ask for it again via email? No, it doesn’t, and that’s why legitimate businesses tend not to do this. While this is also a generalization and there will be exceptions, a scammer will generally be the only party to request sensitive and personal information over email. A legitimate business will have a different tool they use to collect this data if they need it, as they need to abide by the compliance and security requirements that are likely imposed on them by some regulatory body. Suspicious Links Finally, we need to discuss links, particularly those that come included in a surprise email. Links are remarkably easy to manipulate, so while you may think you’re visiting another business’ website […]

Lessons to Learn from Attacks on COVID-19 Research

Cozy Bear The National Cyber Security Centre, located in the UK, recently shared that a group has been attacking organizations involved with COVID-19 vaccine research. These claims have been verified by authorities in the United States and Canada. Known as “APT29,” as well as “Cozy Bear” and “the Dukes”, the attackers level spear phishing attacks and make use of assorted exploits to gain access to their target’s systems. After this access has been obtained, malware known as WellMail or WellMess is released into the environment. Many experts are of the opinion that this is not the first time that APT29 has been active, either. The group is suspected of attacks against various organizations in healthcare, energy, and government, and is believed to be responsible for the 2016 hack of the Democratic National Committee. In response to this, the CSC has been trying to work with software vendors to ensure that vulnerabilities are patched. If these patches aren’t applied, cybercriminals can find the means to exploit these vulnerabilities and cause problems. A Spear Phishing Refresher We’re no strangers to discussions about phishing, simply because it is one of today’s most prevalent threats to network security. Many phishing attacks are sent randomly to a large group of targets, but spear phishing is a different animal. Instead of trying to exploit a lot of people for little payout from each, spear phishing requires careful planning and execution of a highly targeted attack against one person. This person is often seen as the weakest link in an organization’s security by hackers. With any luck, you won’t need to contend with phishing attacks from a major hacking group. That being said, it’s important that you and your team can identify a potential phishing attack and react appropriately. Here are a few basics to keep in mind: Always check the details. Many phishing attacks will display some subtle issue, either in the email address it comes from or some other detail. Make sure you pay attention for some of these warning signs. Proofread the message. Businesses want to put their best foot forward, so their correspondence is generally carefully edited before it’s sent out. If you receive a message with questionable spelling and grammar, exercise caution. Reach out. If you’re unsure of whether a message is legitimate or not, reach out to the sender through another means to confirm it if you can. For your business to avoid threats, being able to identify potential phishing attacks is only going to become more important. Find out how to train your team to spot them by reaching out to us. Call SRS Networks at (831) 758-3636 to learn more.

Are You and Your Team Prepared to Deal with Phishing?

Why Phishing Attacks are So Dangerous There are various factors that contribute to the risks associated with phishing attacks. One of the biggest contributors: the very low barrier to entry that a phishing scam requires of the person conducting it. Picture a hacker for a moment. What do you see? If you’re anything like the average user, you mind jumps to the imagery that pop culture has cultivated. A dark room, awash in a pale blue-white glow from an array of monitors, with someone hunched over a keyboard, fingers elegantly typing with the confidence of a concert pianist. While this picture has long been accepted by audiences as the way that a hacker looks, it is a fabrication. A lot of real-life hacking has pivoted to rely on psychology more than computer sciences and programming. Instead of manipulating code, a hacker focuses on manipulating the user. Why pick a lock if you can fool someone into handing over their keys? Unfortunately, phishing attacks are as effective as they are simple. Most users just don’t know what to look for to tell a legitimate email or website from a fraudulent one. Most aren’t even anticipating that they’ll be targeted at all. As a result, the scenario plays out like this: a hacker sends out an email that looks as though it is from a popular bank. To the untrained eye, it seems to be legitimate, and it may have even fooled the filters the user has set up to organize their emails. This is precisely how phishing attacks work—by getting the user to believe that the email is legitimate and having them play right into the attacker’s hands as a result. Whether the phishing email links to a malicious website or carries a malicious attachment, they are not to be taken lightly. How to Spot a Phishing Attempt While we aren’t trying to inspire paranoia, any email you receive could be a phishing email, which means you need to consider each one you receive. Make sure you follow the next few steps to prevent yourself from being taken advantage of. Check the tone. Is the email you’ve received trying to elicit an extreme emotion from you? Is it blatantly urgent, asking information about an account of yours without any reason to, or simply making a truly unbelievable offer? Attackers will often shape their phishing messages to instigate an emotional response. Stay rational. Check any links before clicking. It is startling how much trust people will put in a link. Hackers have numerous ways to hide the actual destination of a link, many of which indicate that the link is faked… although you need to know what to look for. Let’s consider PayPal for a moment. A legitimate PayPal link would direct to paypal-dot-com. However, if you were to add something—anything—between “paypal” and “dot-com”, the link would obviously go somewhere else. There are various other rules to keep in mind, too. For instance, the “dot-com” in the domain should be the last dot-anything and should be immediately followed by a forward slash (/). Here’s a brief list of safe examples, and some unsafe and suspicious examples: paypal.com – Safe paypal.com/activatecard – Safe business.paypal.com – Safe business.paypal.com/retail – Safe paypal.com.activatecard.net – Suspicious! (See the dot immediately after PayPal’s domain name?) paypal.com.activatecard.net/secure – Suspicious! […]