Every year is the same: the silly season comes, and with it so do the cybercriminals and phishing attacks. Last year was no exception, with Cyber Monday, Black Friday, Christmas and Boxing Day remaining at the top of the list for hacking and phishing threats. In fact, our 2018 Phishing and Fraud Report showed that fraud incidents during the months of October, November and December jump over 50% from the annual average.
But don’t think that because the summer break is over, phishing attacks and digital fraud will slow down. Neither consumers nor professionals should let their guard down, because cybercriminals will remain just as active in the first quarter of 2019.
Just in the past few weeks, we saw Australian businesses targeted by cybercriminals in a new phishing scam that impersonates the government’s AusTender website, luring in unsuspecting SME owners who believe they are applying for lucrative government contracts. Victorian government employees have also been warned about a phone-based social engineering campaign targeting the state’s public sector, in preparation for a phishing campaign designed to collect employee credentials.
Phishing tactics continue to become more sophisticated and aggressive, for example through the use of impersonation and by playing on people’s emotions to con them out of their money. Banking on social engineering, phishers will continue to deploy the most efficient tactics, be it via social media or email, to reach their targets.
So how can individuals and businesses avoid falling victim to phishing attacks in 2019?
1. Learn how to spot dodgy deals, URLs, websites and pop-up windows
If a deal or business offer sounds too good to be true, it probably is. It may be hard to keep track of subscription lists, but it is wise to keep a lookout for suspicious promotions. More often than not, these scams are peppered with language errors, extreme discounts and dubious links. They are often accompanied by shortened URLs from services like bit.ly, which hide the real destination and can turn out to be malicious. If unsure, always open a new browser tab and search for the content or website that’s referenced.
Fake phishing websites can be extremely well crafted and look surprisingly legitimate. Always check that the URL in the address bar matches the site you believe you are accessing before logging in or supplying any other personal information. Bad actors can also use domain masking techniques to make malicious sites appear legitimate. Manually typing in the correct URL or using bookmarks will help ensure you haven’t been tricked into accessing a masked domain. Another check is to look at the site’s certificate details: the browser displays a certificate warning when the security certificate of the requested website is invalid, expired, or has not been issued by a trusted certificate authority. Rather than ignoring such a warning because you think the site is legitimate, it’s best to search for the site in a separate browser window, manually type in the correct address or use a pre-saved bookmark.
It's also vital to note that phishing attacks don’t only occur over email. SMS phishing, or smishing, is the practice of sending malicious messages to mobile phones and is an increasingly popular mechanism for luring users into clicking on malicious links. Apply the same level of suspicion to SMS messages: if they come from unsolicited sources, contain links, and make a tempting offer, then chances are it’s not a legitimate message. If it purports to be an offer from a particular company, like eBay, go to the website manually and check whether there really is such a promotion or offer currently running. Interacting with websites in this way is much safer than clicking on links.
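The address-bar checks above can be turned into a simple triage script. The following is an added example, not code from the article or from F5: it flags the indicators the text mentions (URL shorteners, a URL that does not match the brand it names, masking tricks such as credentials before an `@` or a raw IP address as host) plus punycode hostnames. The shortener list, the brand-to-domain map and the two-label suffix list are constructed assumptions kept deliberately small; a production tool would use a public suffix list and a much larger brand inventory.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: a few well-known public URL-shortener hosts.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Constructed for this example: brand names and the registrable domains on which
# that brand is expected to appear. Anything else that mentions the brand is suspect.
EXPECTED_DOMAINS = {
    "ebay": {"ebay.com", "ebay.com.au"},
    "examplebank": {"examplebank.example"},
}

# Constructed, minimal stand-in for a public suffix list.
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "co.uk", "org.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname its owner actually registered (naive)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def phishing_indicators(url: str) -> list:
    """Return a list of human-readable reasons a URL deserves a second look.

    An empty list means none of the heuristics fired; it does not prove the
    URL is safe.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in URL"]
    reasons = []
    if parts.scheme != "https":
        reasons.append(f"not https ({parts.scheme or 'no scheme'})")
    # "https://www.brand.com@attacker-host/" shows the brand first; the browser
    # connects to whatever follows the '@'.
    if parts.username is not None:
        reasons.append("userinfo before '@' can disguise the real host")
    if is_ip_literal(host):
        reasons.append("host is a raw IP address")
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label (possible homograph of a known brand)")
    reg = registrable_domain(host)
    if reg in SHORTENER_HOSTS:
        reasons.append("URL shortener hides the real destination")
    if len(labels) - len(reg.split(".")) >= 3:
        reasons.append("unusually deep subdomain chain")
    # Look for brand names in the userinfo, host and path, then check whether
    # the registrable domain is one the brand actually uses.
    haystack = (parts.username or "").lower() + host + parts.path.lower()
    for brand, legit in EXPECTED_DOMAINS.items():
        if brand in haystack and reg not in legit:
            reasons.append(f"mentions '{brand}' but registrable domain is {reg}")
    return reasons


if __name__ == "__main__":
    # Constructed sample URLs; the .example and 203.0.113.0/24 values are reserved.
    samples = [
        "https://www.ebay.com.au/itm/123",
        "http://ebay.com.au.secure-login.example/verify",
        "https://www.ebay.com@203.0.113.5/login",
        "https://bit.ly/3abc",
    ]
    for sample in samples:
        found = phishing_indicators(sample)
        print(sample, "->", found or "no indicators")
```

The heuristics are deliberately conservative: a clean result only means the URL looks like what it claims to be, so the manual habits the article recommends (typing the address yourself, using bookmarks) still apply.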
2. Make sure you stay updated
Besides staying abreast of the latest malware attacks, individuals and businesses need to ensure that all their devices’ software is updated automatically. This includes patches for the operating system, patches for all installed software (e.g. office suite, Adobe suite, web browsers) and antivirus software, meaning both program patches and virus signature updates.
One of the more common phishing tactics is the fake purchase invoice: an email from a bogus retailer asks the recipient to click a link to “track your purchase” or “verify your address”, but instead causes them to download malicious software. If you click a link you believe is legitimate and are prompted to download and/or install an application, cancel the action immediately. Such emails are usually well disguised and are often mistaken for legitimate email, so if in doubt check them with your IT department or your friendly neighbourhood cyber security friend! If neither is available, remember that many scams and phishing campaigns can be researched online: Google is your friend, as are sites like www.phishing.org.
3. Understand what information is out there about you
This is probably one of the most difficult things to achieve, as the amount of data collected and stored about individuals is growing exponentially. Phishers are also getting more sophisticated, with attacks becoming more personal and targeted.
Spear phishing attacks are a more targeted type of phishing attack that use sensitive and personal information to fool people into thinking the email is legitimate. Unfortunately, most consumers have no idea how much personal data about them is out there, or which private and public organisations have access to it. Similarly, many organisations do not know exactly how much data about their customers and employees they hold, or how highly prized this data is to bad actors. Breach after breach also shows us that these organisations either do not take their mandate to protect this data sufficiently seriously or are simply ill-prepared to do so.
Auditing what information about you, your business, your employees and your customers is out there is vital.
While security solutions, policies and processes such as multi-factor authentication and proper web filtering are important, in the era of mobility and hyper-connectivity a strong organisational security culture and personal education are also key to protection.
Bad actors will always find new ways to lure people and businesses into giving away money or valuable personal information. Keeping good digital hygiene is important, in particular for businesses that hold more and more personal and sensitive data. There is no silver bullet, but following the above tips and remembering that phishing actors are active all year long can help avoid attacks with potentially disastrous consequences.
By David Arthur, Security Solutions Architect at F5 Networks