Spam and Phishing Attempts: How it can affect you

Despite massive advancements in technology in the last few years, there is only so much a computer can do to account for and prevent human error. When computers became too difficult to crack for most scammers, they simply chose the easier path: the person operating the machine. While the methods vary greatly, one of the most common is known as “phishing.” Phishing describes a scam tactic where someone pretends to be a member of a reputable company and then uses that trust to reveal personal information, sometimes even convincing individuals to perform wire transfers or give up financial information.

We all were reminded of this fact recently when a Texas school district was successfully phished out of $2.3 million dollars. Bank account information was phished, compromised, altered, and then used to perform 3 separate transactions. The hackers performed these transactions during the month of November, which is an especially busy and chaotic month for school districts in America. The planning which went into the attack prevented anyone from recognizing the fraud until the third transaction was completed.

This isn’t the first time a phishing attack resulted in millions of dollars in losses. In 2019 alone BEC (Business Email Compromise) attacks accounted for over $12 billion in losses, with an average cost per breach of $3.86 million. Spam accounts for 45% of all emails sent, with more than 14 billion sent out every day. The amount of attacks has gone up every year for the last 5 years, and 2020 seems to be on a similar track.

Even if your business does not make up one of the 76% of business which reported being a victim of a phishing attack in 2019, you and your fellow employees likely have at some point received training on company time about how to detect and avoid phishing attacks. Active prevention of phishing attacks takes time, which detracts from the amount of time an employee has in a work day to complete their duties. A study by the Radicati Research Group Inc. found that spam and phishing costs businesses 20.5 billion annually in decreased productivity as well as in technical expenses. Due to the continuous growth of spam, some researchers estimate that the total cost of spam for businesses could exponentially grow to as much as $257 billion per year before 2025.

There are four major types of phishing that you should be on the lookout for: Malware Phishing, Credential Harvesting, Extortion and Spearphishing. Odds are that you have experience with at least on of these four types.

Malware Phishing

Malware Phishing makes up about half of all phishing attacks. A phisher uses an email to install malware on their victim’s device. Many of these emails are not caught by conventional spam filters, as the email contains a link or an attachment with a link which will trigger a download of malware. Some of these emails simply contain an attachment which is malware in itself, but a majority of these are caught and removed before they ever reach an inbox nowadays. Always be careful of what links and attachments you open, and verify the sender before you do so.

Credential Harvesting

Credential Harvesting accounts for approximately 40% of all phishing attacks. A phisher will typically impersonate a reputable brand with a claim that the user needs to update personal or financial information with an indicator to a link within the email. The link in the email may even lead to an exact copy of the legitimate brand’s website, but if a victim is successfully lured into entering their information on a page like this they will usually find themselves at the mercy of whoever now has their personal info.

Login redirects are also very common, with a prompt to sign in to a user account through a link on the page. Many of these attacks will also have an attachment which also contain links to fake login screens. The best way to determine a phishing email from a real email by a trusted company is whether or not the email establishes a sense of urgency. Lots of phishing emails will attempt to use scare tactics to convince you to click on a link or open an attachment without thinking it through or looking for red flags first, in the hopes that in your panic you will not see the imminent danger.

Extortion

Extortion is the modern day, digital form of blackmail. Most of these attacks are after money, commonly through an anonymous transaction such as Bitcoin. If you have been compromised in the past, or even if you simply have a large internet presence, your information could be on a large list which blackmailers will use to generate and send emails en masse, typically with extremely vague information. Some people may be familiar with this type of attack if they have seemingly been sent an email from their own address. If you do not employ a two-factor authentication software for your email, scammers can modify certain parts of their email data to make it seem as though it is sent from anyone they want. They may cite personal information, or old passwords that have been previously compromised and changed since.

Many of these attacks will attempt to blackmail a victim by claiming that they have discovered personal secrets or embarrassing private information and threaten to release it to close family members, friends, and employers. The best way to see through these emails is to realize how little legitimate information they actually list. This realization will put the dots together and help form the understanding that the majority of the threats are actually the scammer laying bait, guessing, and hoping that someone will eventually take it.

Spearphishing

Spearphishing is extremely uncommon, but even one success could result in better profit than any of the other methods. These attacks target high level employees who have access to financial or otherwise sensitive information. Establishing trust to convince the target to comply with whatever tasks are given to them is the typical goal. These types of attacks do not contain any links or attachments, and typically impersonate a senior employee (C-level, VP, HR, Accounting). Due to these traits, most anti-phishing software will not detect these attempts and they oftentimes will go straight into the victim’s inbox. The best way to prevent this method before it even begins is to purchase two-step authentication software for your company’s email. This software will prevent scammers from easily impersonating an employee, and will make the telltale signs of a phishing attempt much more obvious even if the email gets through.

Even if you are not a high-profile member of a company, three out of these four methods can still be used on you. If you have concerns about the growing security breaches caused by use of free email services, such as Gmail, then our team at Orange County Computer can recommend a variety of solutions. Also, if you have concerns about how spam and phishing attempts may or can compromise the personal data on your machine, you should also consider our Cloud Solutions, which can safely store all of your data on a remotely accessible virtual machine privately hosted and protected by state-of-the-art firewalls and security. If you are interested in us helping you with a more secure Internet presence, contact Orange County Computer, Inc. today at 949-669-6619.

Credit to Avanan for the Global Phishing Report used here.