Once a scammer has you on the hook through a phishing scheme, they can reel in all your personal information and steal your identity!
One phish, two phish, red phish, blue phish.
Black phish, blue phish, old phish, new phish.
This one wants to steal your cash, this one makes your hard drive crash.
Say! These phish are not a bash.
Yes, some are red and some are blue. Some are old and some are new. Some are sad and some are glad but they’re all very, very bad.
Phishing is a serious problem. It’s a type of fraud scheme that attempts to gain information from you or an institution you work for via online contact, usually email.
“70 to 90% of all malicious data breaches are due to social engineering and phishing,” warned computer security expert Roger Grimes. “No other cause comes close. Patching is 20 to 40%, everything else adds up to about one percent of the overall cybersecurity incident risk. Fighting phishing is the most important thing any organization can do. It must be done using a combination of technical controls, policies, and training. None of them by themselves will work, but defense-in-depth plans should try to implement all three to the best of their ability to achieve the best, fastest reduction in risk.”
Whether or not you have employees, it’s smart to familiarize yourself with how you can be targeted by phishers and how to handle it.
The email approach.
As was previously mentioned, phishing tends to happen through email. You may get an email soliciting information under dubious premises.
“Common phishing attempts come by way of an email,” advised Adnan Raja, Vice President of Marketing for Atlantic.Net. “A scammer will email you from what appears to be a trusted email address, when in fact it is fake.
“The best rule of thumb is to avoid clicking on links from random emails. If you receive an email from a website you normally visit, rather than clicking the potentially dangerous link, just go directly to the site from your browser. Or, if you need to click the link, you can hover over it first to make sure that it’s sending you where it claims.
“Another red flag is if the email doesn’t contain your name at the beginning. It might say ‘Dear Customer’ or ‘Hello.’ If it’s authentic, it will almost always contain your name. Lastly, phishing emails will often try to get you to divulge sensitive information by filling out a form.
“Try to avoid sending any kind of personal or financial information over the Internet. Again, if you’re in doubt, simply go to the main website of the company in question. Or pick up the phone and give them a call.”
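The three red flags in the quote above (a spoofed-looking From address, a generic greeting, and a link whose visible text does not match where it really points) can be turned into a small checker. This is an added example, not code from the article or from Atlantic.Net; it assumes the input is a raw email message as a string plus the recipient's first name, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear valued")
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)+")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _domain(value):
    """Host of a URL or bare domain, lower-cased, without a leading www."""
    url = value if "://" in value else "http://" + value
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def phishing_flags(raw_email, recipient_name):
    """Return the red flags found in raw_email (an empty list means none)."""
    msg = message_from_string(raw_email)
    flags = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = _domain(address.rsplit("@", 1)[-1])
    # Flag 1: the display name shows an address or domain the real sender domain does not match.
    for claimed in DOMAIN_RE.findall(display_name.lower()):
        if _domain(claimed) != sender_domain:
            flags.append(f"display name claims '{claimed}' but sender is '{sender_domain}'")
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    text = re.sub(r"<[^>]+>", " ", body).lower()
    # Flag 2: a generic greeting, and the recipient's own name never appears.
    named = re.search(r"\b" + re.escape(recipient_name.lower()) + r"\b", text)
    if any(g in text for g in GENERIC_GREETINGS) and not named:
        flags.append("generic greeting and the recipient's name is absent")
    # Flag 3: visible link text names one domain while the href goes to another (what hovering reveals).
    for href, shown in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        if DOMAIN_RE.search(shown) and _domain(shown) != _domain(href):
            flags.append(f"link shows '{shown}' but points to '{_domain(href)}'")
    return flags

# Constructed sample message (not a real phish) showing all three red flags at once.
SAMPLE_PHISH = """\
From: "alerts@example-bank.com" <alerts@secure-login-portal.net>
To: morgan@example.org
Subject: Action required
Content-Type: text/html

<html><body><p>Dear Customer,</p><p>Verify your account at
<a href="http://secure-login-portal.net/verify">https://www.example-bank.com/login</a>.</p>
</body></html>
"""
```

Calling `phishing_flags(SAMPLE_PHISH, "Morgan")` returns three flags, one per red flag; a message addressed by name from a matching domain with honest links returns an empty list.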
Nothing to spear but spear itself.
In addition to regular phishing attempts, you should be aware of more targeted phishing maneuvers, especially if your job involves access to sensitive or valuable information.
“Spear-phishing is a cybercrime that involves targeting specific individuals with access to important data which can include high-ranking individuals at an organization such as the CEO, C-level suite, and more,” explained Victor Congionti, CIO and Co-Founder of Proven Data (ProvenData.com).
“The spear-phishing attack is constructed to target this individual by creating fraudulent communication via a phishing attempt. The phishing message is often emulated to look like a document/request that the person of interest would regularly see (email from a lawyer, top executive requesting information, etc).
“As more company officials use social media and other personal online networking sites such as LinkedIn, this gives the hacker a better scope of opportunity to build a spear-phishing campaign, and make more informed decisions on who to next prey upon.
“The key difference between spear-phishing and regular phishing is the personnel which the cybercriminal chooses to target. They are more likely to steal credentials and data from a high-ranking business official or CEO, who often have access to very private information about the company. The cybercriminal can then hold this data via ransomware or sell on the black market in which a cyber crime can take place.
“One of the best techniques to mitigate spear-phishing is to regularly have phishing tests via a security training service which can help potential victims identify the strategies & techniques used in phishing emails to steal credentials and data.”
If you think you’ve been hooked.
Are you worried you’ve fallen victim to phishing? Don’t panic and don’t be too embarrassed to admit what may have happened. It could happen to anyone. Rather than blaming yourself, it’s more important to contain any possible damage.
“If you’ve been a victim of phishing, take immediate action as soon as you realize the problem,” urged Stacy M. Clements of Milepost 42. “Change your account login credentials, and scan your system for malware. Also, report the phishing attack to the company that was impersonated. You may also want to notify your bank and credit card companies, and be sure to closely monitor your statements for unusual activity.
“Finally, consider reporting the phishing attempt to the Anti-Phishing Working Group (APWG), an international coalition working to coordinate responses to cybercrime. You can forward the suspicious email to email@example.com; if your email client allows, forward the email as an attachment, as this will provide more details to help APWG with tracking and analysis.”
From there to here, from here to there, phishing can be everywhere. But take this advice, do not despair, and overcome the phishing scare!
Stacy Clements is the owner of Milepost 42, a partner for small business owners who want to focus on their business, not the “techie stuff” needed to keep it running and secure. Before starting her business, Stacy spent 23 years in the United States Air Force, working in communications, cyber operations, and project management. Dubbed “a fixer, a problem solver, and a pit bull”, she now focuses on fixing WordPress sites, solving technical problems for small business owners, and relentlessly promoting cybersecurity practices.
Roger Grimes (@rogeragrimes), Data-Driven Defense Evangelist for KnowBe4, Inc., is a 30-year computer security consultant, instructor, holder of dozens of computer certifications, and author of 10 books and over 1,000 magazine articles on computer security. He has spoken at many of the world’s biggest computer security conferences, been in Newsweek™ magazine, appeared on television, been interviewed for NPR’s All Things Considered™, and been a guest on dozens of radio shows and podcasts. He has worked at some of the world’s largest computer security companies, including Foundstone, McAfee, and Microsoft. He has consulted for hundreds of companies, from the largest to the smallest, around the world. He specializes in host and network security, identity management, anti-malware, hackers, honeypots, Public Key Infrastructure, cloud security, cryptography, policy, and technical writing. His certifications have included CPA, CISSP, CISA, CISM, CEH, MCSE: Security, Security+, and yada-yada others, and he has been an instructor for many of them. His writings and presentations are often known for their real-world, contrarian views. He has been the weekly security columnist for InfoWorld and CSO magazines since 2005.
The information contained herein is provided for free and is to be used for educational and informational purposes only. We are not a credit repair organization as defined under federal or state law and we do not provide "credit repair" services or advice or assistance regarding "rebuilding" or "improving" your credit. Articles provided in connection with this blog are general in nature, provided for informational purposes only and are not a substitute for individualized professional advice. We make no representation that we will improve or attempt to improve your credit record, history, or rating through the use of the resources provided through the OppLoans blog.