By now, most of us are well aware of the threat posed by hackers and scammers. But that doesn’t stop them from attempting new and more sophisticated ways to attack businesses and individuals. Just in July of this year, Twitter was breached and hackers took over the accounts of Elon Musk, Barack Obama, Bill Gates and other well-known figures. They posted fake tweets offering $2,000 in exchange for sending $1,000 in Bitcoin to an unknown account. Around 300 people sent over $100,000 in Bitcoin.
The mastermind was a 17-year-old from Florida. The method of attack was a phishing scam targeting Twitter employees. Yes, even a tech company with savvy employees is vulnerable to phishing.
In response to the attack, Twitter stated, “The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes.”
Attacks Ramp Up During the COVID-19 Pandemic
Phishing scams are typically launched via text, email or phone. It’s often an urgent, fear-based message. A new device has logged into your Gmail account. There was a large purchase on your Amazon account. Billing information for your Netflix account can’t be validated. These messages may ask you to go to a spoofed website then enter your password, credit card numbers and other personal information.
Nobody wants to get ripped off, much less lose access to Netflix! So you immediately click through to the website and enter whatever information you’re asked for without thinking twice. And if you use the same password across multiple websites, the damage is massive. Scammers can use this data to unlock your entire internet universe, including bank accounts and credit cards, and even gain access to your company’s network and data, just as the Twitter scammers did.
While these types of attacks have been around for a while, the pandemic has made matters even worse.
People are more dependent on the internet to make purchases, from groceries to clothing to household supplies. Contactless online ordering from restaurants is more common. We’re signing up for more accounts and apps, many of us using the same password. Phishing attacks have also used the pandemic to snare new targets. One scam is a text that appears to come from the Department of Health and Human Services, asking you to register for COVID-19 testing due to possible exposure.
Fighting Phishing Attacks and Protecting Your Business
Scammers are never going to stop, so it’s up to individuals and businesses to never let their guard down and continually educate themselves on recognizing a scam. At NFINIT, we can put your people to the test and provide training if needed.
Meanwhile, there are a few tips we can pass along that can help you prevent issues, especially with common email phishing scams:
- If an email sends you to a website and requires you to re-enter a password or confirm billing information, hover over the link and take a good look at the URL it actually points to. If it’s not familiar, don’t click on it. Reach out to the company to confirm that they sent the message, or report the scam.
- When in doubt, use your own bookmarks or manually type the company’s website address instead of following the link in the email. This ensures you are going to the correct site: even if you change your password there as a precautionary step, you are not being caught by a phishing attempt that used a nefarious link.
- Take a look at the email address of the sender, not just the display name. A genuine message from Netflix, PayPal or Amazon comes from that company’s own domain, so check the part after the @ sign (e.g. email@example.com).
- Ask employees to use a password manager, which generates complex and unique passwords for websites and keeps them in an encrypted database locked behind a master password or PIN. If one password is stolen, it can no longer be used to gain access to other sites or to your business.
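As an added example (not part of the original post and not NFINIT’s or Sophos’s tooling), here is a small Python check that applies the first three tips to a constructed email: it flags a sender display name that names a brand while the address domain is something else, and link text that shows one domain while the href points to another. The brand list and the two-label domain approximation are assumptions made for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name claims Netflix and the
# visible link text reads netflix.com, but the sender domain and href go elsewhere.
SAMPLE_EMAIL = """\
From: "Netflix Billing" <billing@netf1ix-support.example>
Content-Type: text/html

<p>Update your payment details at
<a href="http://netflix.com.account-verify.example/login">https://www.netflix.com/account</a>
or <a href="https://www.netflix.com/help">Help Center</a>.</p>
"""

# Assumed brand list: brands the check knows and the domain their real mail comes from.
BRAND_DOMAINS = {"netflix": "netflix.com", "paypal": "paypal.com", "amazon": "amazon.com"}

def registered_domain(host):
    """Last two labels of a hostname; a rough stand-in for a public-suffix lookup."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def check_sender(from_header):
    """Flag a display name that names a brand while the address domain is not that brand's."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    for brand, real in BRAND_DOMAINS.items():
        if brand in name.lower() and registered_domain(domain) != real:
            return f"sender claims {brand} but domain is {domain}"
    return None

def check_links(html):
    """Flag anchors whose visible text is a URL on a different domain than the href."""
    findings = []
    for href, text in re.findall(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', html, re.S | re.I):
        href_host = urlparse(href).hostname or ""
        shown = re.match(r"https?://([^/\s]+)", text.strip())
        if shown and registered_domain(shown.group(1)) != registered_domain(href_host):
            findings.append(f"link text shows {shown.group(1)} but goes to {href_host}")
    return findings

def analyze(raw_message):
    """Run both checks over a raw message and return the list of findings (sender first)."""
    msg = message_from_string(raw_message)
    findings = [f for f in [check_sender(msg["From"])] if f]
    findings.extend(check_links(msg.get_payload()))
    return findings
```

Running `analyze(SAMPLE_EMAIL)` reports both the spoofed sender and the mismatched link, while the legitimate "Help Center" link passes.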
Phishing scammers often send their emails under the name of a company executive, baiting employees to open it.
Most importantly, ask employees to speak up if they suspect that an email is a phishing scam. They should forward it to your IT department (NFINIT can help there, too) so that it can be dealt with properly and reported. Awareness is your first line of defense. If that’s not working, we’re here to help.
Can you spot scam emails?
You can test yourself with the Sophos Spot the Phish Quiz, then see how your score stacks up against others. NFINIT is a Sophos Gold Partner and often includes Sophos Phish Threat in NFINIT network security solutions.
Denis Savage, VP of Operations at NFINIT, is responsible for operational support across the company’s entire IT space and leads cloud, disaster recovery, and network practices.