When your organization reaches a certain size, it is inevitable that you or your colleagues will be targeted by an intricately designed phishing or whaling scam. Taking a few minutes to train your employees could save your company thousands to hundreds of thousands of dollars, and could even save your business from catastrophic financial loss.
First, let’s talk about how a phishing scam works. Phishing is an attempt to deceive a user by pretending to be an authoritative entity, such as Apple, Microsoft or Google. The victim will generally not know the difference between the legitimate website and the scammer’s landing page, which leads to the eventual exposure of their login credentials.
The plan of attack is simple: they target low-level employees with an email pretending to come from Google or Microsoft. But how do they know which email system your organization uses? It is publicly available through an MX lookup, which shows the mail servers that accept mail for your domain name. The perpetrator sends the email to a low-level user, informing them that their credentials may have expired or that there is a document to download. The link directs the victim to a malicious website designed to look authoritative, which simply collects their username and password. After exposing their credentials, the victim receives a bogus error message and decides it is not worth their time to try again because “things still seem to work”.
Now that they have your password, they will log in to your email and collect valuable information for their next plan of attack. This involves finding high-profile employees, such as CEOs, finance executives, and anyone else they deem useful for luring in some of your hard-earned cash. They will also take note of your general internal workflows: how and when vendors, bills and other expenses are paid, how requests for payment are made, and roughly what your average transaction amount is, so that their request stays under the radar.
Once they have this information, they will send a targeted email, either from the compromised account or by spoofing an authoritative account, requesting that payment be made by wire transfer to their bank account for services you usually pay for, in an amount you are used to paying.
This has now turned into a whaling scheme: an attempt to lure a company executive or financial director into transferring funds. The person falling victim to the attack usually will not find out they have been scammed until it is too late, when your cash is long gone.
Now let’s talk about what you can do to prevent these types of attacks before they even start.
How to Prevent these types of Attacks
Verify the Sender’s email address
This is very important. When you receive an email, hover over the sender’s email address to make sure the email comes from a recognizable address. You may see emails from “email@example.com” or from “firstname.lastname@example.org”. These are obviously not legitimate, but you would not have noticed had you not looked at the actual email address. Sometimes the display name masks the email address, so make sure you are looking at the email address itself.
Verify the URL or Domain
Another thing to train yourself on is how domains, subdomains and top-level domains work. Let’s start with a valid example, portal.office.com, which is the authoritative URL for Microsoft Office 365. You can check a link in an email simply by hovering over it with your mouse.
The top-level domain in this example is .com
The domain name is office
and finally, the subdomain is portal
These three names together construct the complete hostname for the URL: portal.office.com
If you do not recognize the sender’s email address or the domain in the email, DO NOT CLICK on any link or attachment in the email.
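As an added example (not from the original post), here is a small Python check that applies the two rules above, the sender-address check and the domain breakdown, to a From: header and a link. The allowlist of trusted domains is constructed for this example; the case it is built to catch is a real hostname hidden inside a longer attacker-controlled one, or a trusted brand name in the display name in front of an unrelated address.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allowlist of domains this organization treats as legitimate
# for the services it uses; a real deployment maintains its own list.
TRUSTED_DOMAINS = {"office.com", "microsoft.com", "google.com", "apple.com"}

def split_host(host):
    """Break a hostname into (subdomain, domain, tld), the way the article
    reads portal.office.com as portal / office / com. Multi-label public
    suffixes such as co.uk are out of scope here (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", labels[0], ""
    return ".".join(labels[:-2]), labels[-2], labels[-1]

def registrable_domain(host):
    """Domain plus TLD: the part that says who really owns a link or address."""
    _sub, domain, tld = split_host(host)
    return f"{domain}.{tld}" if tld else domain

def link_is_trusted(url):
    """Trust a link only when its registrable domain is on the allowlist.
    https://portal.office.com.verify-now.example/ fails even though it starts
    with the real hostname: its registrable domain is verify-now.example."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) in TRUSTED_DOMAINS

def sender_domain(from_header):
    """Registrable domain of the actual address, ignoring the display name
    that mail clients show in front of it."""
    _display, addr = parseaddr(from_header)
    return registrable_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""

def sender_is_trusted(from_header):
    return sender_domain(from_header) in TRUSTED_DOMAINS

def display_name_masks_address(from_header):
    """The trick the article warns about: a display name naming a trusted
    brand while the address itself belongs to an untrusted domain."""
    display, _addr = parseaddr(from_header)
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    claims_brand = any(b in display.lower() for b in brands)
    return claims_brand and not sender_is_trusted(from_header)
```

Homoglyph and internationalized-domain lookalikes are not addressed by this check, which only compares the registrable domain exactly.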
Great, now you have learned how to prevent these types of malicious attacks, but doing this for almost every transactional email could cost you many hours per month. Multiply that by the number of employees you have, and you can see how much productivity is lost. Add to that the general human tendency to forget, or a lack of technical savvy, and you will still find yourself exposed.
I know what you’re thinking: your company runs the old-fashioned way. You would never allow a wire transfer to go out without a printed form signed by an executive and verified by an accountant. But how much is your biggest client worth to your company? You could lose them if one of your compromised email accounts is used to target them. And let’s not forget the potential liability and legal fees you may face in that situation.
Now let’s talk about how to eliminate this once and for all. Why should you have to deal with all of these steps and potential mishaps?
You can always rely on your IT guy to provide the best way to combat this type of exposure, right? Wrong.
Your IT personnel will simply not have the experience when it comes to preventing these types of attacks. A jack of all trades, master of none, is not what you should be looking for.
Managed IT Services Provider
Instead, you should look into getting a Managed Solutions Provider, with a team of IT personnel specializing in the many fields of IT. It is generally cheaper than having a part-time IT person, with the added benefit of solving problems before they occur. We have a diligently crafted, tested and tuned Shield 5 Protection to mitigate these types of cyber attacks.
Contact us today to find out how you can save money, be more productive, and avoid any tech related issues before they occur.