‘Tis the season for Holiday Joy and reinvigorated email scam attempts. Here are a few tips from IT to avoid falling into a trap and inadvertently sending scammers personal information or even compromising Bidtellect itself. Almost all attacks are thwarted by simply applying a little dose of intuition and logic. If it doesn’t make sense, you should question it before providing any information.
Phishing is a type of online scam where criminals send an email that appears to be from a legitimate company and ask you to provide sensitive information.
Always think twice before clicking the links in emails:
The people who are sending phishing emails have to be clever email marketers to get the user to engage. They often do this by preying on your emotions. You should be generally reluctant to download any attachments or click any links, no matter how innocuous they seem or who appears to have sent them. If you are going to download an attachment or click a link in an email, be sure you know who it is from and that the email was not spoofed. If our google email account puts an email in your spam folder but it looks like it is from someone legitimate, you should definitely be suspect of spoofing. There is usually a reason Google’s Spam Logic moved it to spam. If you are unsure, please reach out to IT for assistance. We can help you check the email headers to sniff out any spoofing. The scammer/phishers goal is to find ways to wreak havoc inside the company infrastructure, including propagating malware, turning the systems into botnets, stealing private company information and most often stealing corporate banking information for the purpose of taking money.
Consider the Source:
As a standard rule, we should never email anyone within Bidtellect, both to and from, a non @bidtellect.com email account. Our Google Email accounts have security measures in place to help avoid spam and spoofing but there are ways around everything. From an IT security point of view, private emails should never be used for any business communications unless explicitly directed to do so by the receiving executive. And even then it should be communicated in person or by another trusted and secure method prior to sending an email.
Sometimes “spoofers” will send an email that looks to be from a legitimate address, but when you press reply, the email recipient is no longer the legitimate email address. Example: Email from email@example.com arrives, you hit reply and then the TO field is firstname.lastname@example.org. Google spam usually catches these as the names do not match. It seems like a silly scam, but it is easily overlooked. Usually the goal of spoofing is to gain access to banking information or trick an employee into sending payment to an illegitimate source.
So what can you do?
First, scrutinize the address it says it came from and the text of any URLs it contains to weed out email@example.com from firstname.lastname@example.org. If the source is legit, but the text is out of character, ask yourself, “Would my boss really send me this email?” Again, if something feels weird about an email that someone you know sends, especially if it has a request in it, bear in mind there’s a distinct possibility they’ve been hacked. Reach out to them separately and ask if they sent you an email.
Types of Email Phishing
Phishing scams vary widely in terms of their complexity, the quality of the forgery, and the attacker’s objective. Several distinct types of phishing have emerged.
These are the most common types of email scams. The sender will attempt to mimic or clone an official Company or Vendor that we do business with. An example would be an email from someone that is pretending to be a Paypal Employee asking for sensitive information and provides a link in the body of the email. The Link text may display as “paypal.com/123123” but when you highlight the link or click on it you are redirected to a fake website such as “friendpalpay.com/123456”. The fake site may even look just like a real web page and request you to fill out digital forms that send your information to not so good people.
Phishing attacks directed at specific individuals, roles, or organizations are referred to as “spear phishing”. Since these attacks are so pointed, attackers may go to great lengths to gather specific personal or institutional information in the hope of making the attack more believable and increasing the likelihood of its success. The best defense against spear phishing is to carefully, securely discard information (i.e., using a cross-cut shredder) that could be used in such an attack. Further, be aware of data that may be relatively easily obtainable (e.g., your title at work, your favorite places, or where you bank), and think before acting on seemingly random requests via email or phone.
These phishing attacks (usually spear phishing) are directed specifically at executive officers or other high-profile targets within a business, government, or other organization. Scammers typically target the financial departments by either pretending to be an Executive asking the Finance Team to provide information or the reverse where they pretend to be the Finance Team asking the Executive for information.
General Web Security Reminders
Verify a Site’s Security:
It’s natural to be a little wary about supplying sensitive financial information online. As long as you are on a secure website, however, you shouldn’t run into any trouble. Before submitting any information, make sure the site’s URL begins with “https” and there should be a closed lock icon near the address bar. Check for the site’s security certificate as well. If you get a message stating a certain website may contain malicious files, do not open the website. Never download files from suspicious emails or websites. Even search engines may show certain links which may lead users to a phishing webpage which offers low cost products. If the user makes purchases at such a website, the credit card details will be accessed by cybercriminals.
Keep Your Browser Up to Date:
Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it. Chrome and most browsers automatically download and install security patches unless you have disabled it.
Be Wary of Popups:
Pop-up windows often masquerade as legitimate components of a website. All too often, though, they are phishing attempts. Many popular browsers allow you to block pop-ups; you can allow them on a case-by-case basis. If one manages to slip through the cracks, don’t click on the “cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper corner of the window.
Never Give Out Personal Information:
As a general rule, you should never share personal or financially sensitive information over the Internet. This rule spans all the way back to the days of America Online, when users had to be warned constantly due to the success of early phishing scams. When in doubt, go visit the main website of the company in question, get their number and give them a call. Most of the phishing emails will direct you to pages where entries for financial or personal information are required. An Internet user should never make confidential entries through the links provided in the emails. Never send an email with sensitive information to anyone. Make it a habit to check the address of the website. A secure website always starts with “https”.
Reputable organizations will never use email to request that you reply with your password, full Social Security number, or confidential personal or business information. Be suspicious of any email message that asks you to enter or verify personal or business information, through a website or by replying to the message itself. Never reply to or click the links in such a message. If you think the message may be legitimate, go directly to the company’s website (i.e., type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message.
Remember: the best security against fishy phishing or scam attempts is always
1. common sense and
2. your intuition.
When in doubt, just double check!