Cybercriminals are casting a wider net of phishing scams that look like legitimate emails in your corporate inbox but aim to obtain sensitive information.
The number of email fraud attacks against companies increased 476 percent from 2017's fourth quarter to 2018's fourth quarter, according to Proofpoint.
That’s why putting in proper safeguards and educating employees on avoiding these scams is critical.
Email is the leading attack agent “because it targets people rather than systems, and we are the weakest link,” said Kevin Epstein, vice president of threat operations for Proofpoint, a California cybersecurity company. Specifically, attackers make use of our sense of “curiosity, urgency and the desire to help,” he said.
In general, the more urgent the email appears, the more people need to take a step back and look at it with a critical eye, he said, noting email fraud could appear in different ways.
Messages can carry malicious software that steals your credentials as you type them, or that, once downloaded, installs other software on your computer and runs it. Use of these methods has jumped more than 230 percent, year over year, said Epstein.
No matter how legitimate the source appears, it’s important to think before downloading an attachment within an email or clicking on a link to provide more information, said Jason Aptekar, CEO of The Mithril Cloud consultants in Westbury. “Their ultimate goal is to get you to click a link and either give them information or install something on your computer to infiltrate it,” he said.
Having multiple layers of defense, including up-to-date anti-virus and anti-malware software, certainly helps. But there will always be a gap between what you’d like to put in place and what you can afford, he said.
That’s why you need to educate your front line.
Make sure to have and to communicate a tech security policy that covers the responsibilities of people interacting with your business systems and information, said Aptekar.
If you’re not expecting a communication or document from someone, first reach out to the person to verify, especially if it’s asking you to take an action that involves money or an information exchange, he said. If an email has been compromised, then any direct reply will be received by the "bad actor." "It is not safe to respond to a suspicious email for a variety of reasons," Aptekar said. "Use an alternate means of communication to confirm, such as phone or text."
Training can be helpful, said Peter Vescovo, a partner at Island Tech Services in Ronkonkoma, which offers a platform for video training about current phishing threats that users can view from their desktops. Participants are tested afterwards.
At random intervals, typically over three to seven weeks, ITS will send simulated phishing emails to a target group to test them. Employees who fail are placed onto a “clicked list” and must prove they’ve learned how to avoid phishing scams in the future in order to leave the list, said Vescovo.
He’s seen an increase in phishing emails in the last few months to both his company and clients, which he attributes to attackers needing to distribute these emails to a larger audience because people are being more cautious.
Although criminals are getting more savvy, as a general rule, look closely at the email itself. Phishing emails often come from email addresses that are similar to the actual company’s but may be slightly misspelled, said Candid Wueest, a senior threat researcher at Symantec in California, which provides cybersecurity software and services.
Also be cautious about clicking on a URL in email or social media, he said. Always hover over any links within an email to ensure the link leads to the real website, or better yet open up a browser and go to the website in question by typing it into the URL bar, said Wueest. And, he added, “never open an email attachment unless you expect it and trust the sender.”
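The two tells described above, a sender or link domain that is a slight misspelling of a real company’s and a link whose visible text names one site while it actually leads to another, can be checked automatically before anyone clicks. The script below is an added example, not code from the article or from any of the companies quoted; the trusted-domain list and the sample email are constructed for the demonstration.

```python
# Added example (not from the article). Flags two tells the article
# describes: link text naming one domain while the href goes elsewhere,
# and sender/link domains one or two edits from a trusted domain.
import re
from urllib.parse import urlparse

TRUSTED = {"paypal.com", "example-bank.com"}  # hypothetical allow-list
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):
    """Levenshtein distance, used to spot slightly misspelled domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain, trusted=TRUSTED):
    """Trusted domain that `domain` imitates (<= 2 edits), else None."""
    return next((t for t in trusted if domain != t and edit_distance(domain, t) <= 2), None)

def host_of(s):
    """Host of a URL or bare domain, minus a leading 'www.'; '' if not one."""
    s = s.strip().lower()
    if "." not in s or " " in s:
        return ""
    h = urlparse(s if "://" in s else "http://" + s).hostname or ""
    return h[4:] if h.startswith("www.") else h

def check_email(sender, html):
    """Return human-readable findings; an empty list means no tell was found."""
    findings = []
    sender_dom = sender.rsplit("@", 1)[-1].lower()
    if lookalike(sender_dom):
        findings.append(f"sender domain {sender_dom} resembles {lookalike(sender_dom)}")
    for href, text in ANCHOR.findall(html):  # simple regex; fine for this demo
        shown, real = host_of(re.sub(r"<[^>]+>", "", text)), host_of(href)
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but goes to {real}")
        if real and lookalike(real):
            findings.append(f"link domain {real} resembles {lookalike(real)}")
    return findings

# Constructed sample: a look-alike sender and a disguised login link.
SAMPLE = check_email("alerts@paypa1.com",
    '<p>Verify now: <a href="http://paypa1.com/login">https://www.paypal.com/login</a>'
    ' or read our <a href="https://paypal.com/help">Help center</a>.</p>')
```

Run against the constructed sample, `SAMPLE` holds three findings: the sender domain and the login link both resemble paypal.com, and the link text shows paypal.com while the href goes to paypa1.com; the genuine help link produces nothing.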