Have you or one of your employees received an email or phone call asking for company banking information, or demanding payment of an invoice you do not recognize? If so, that message or call may have been a Social Engineering Attack known as phishing.
Phishing – A Common Social Engineering Attack
Phishing is a cybercrime, and a form of Social Engineering Attack, in which a person or business is contacted by email or phone by a fraudulent sender or caller. The victim is directed to a malicious website or asked for sensitive information. The imposter may pose as a new employee, a researcher, or a charity representative. The email will look genuine and the phone call will sound legitimate.
The goal of these attacks is to lure individuals into providing confidential data such as personally identifiable information, banking and credit card details, or passwords. Once the attacker has this information, it can be used to open credit card accounts, make purchases and withdrawals, or obtain a mortgage in the victim's name. It can also lead to outright identity theft.
How and When
Phishing comes in many forms: a message sent from a compromised business email account, an impersonation of your executive(s), a fraudulent invoice, or even a message from one of your own employees whose account has been taken over (internal phishing). All of these are considered Social Engineering Attacks.
Phishing often takes advantage of current events and natural disasters. The COVID-19 pandemic, for example, has provided an opportunity for phishers. The Small Business Administration (SBA) recently released this warning in response to the uptick in attacks:
Holidays, major political elections, and economic concerns always cause phishing attacks to increase.
Avoid Being a Victim
To avoid being a victim of phishing, you and your employees need to be alert to questionable sender addresses and unexpected attachments. An email with a generic greeting ("Dear Customer") should be treated as suspect. Bad grammar or spelling mistakes should set off an internal alarm, since reputable organizations are usually extremely particular about their correspondence. They are also well aware of Social Engineering Attacks and diligent about protecting themselves from liability.
Hyperlinks in emails from unknown senders are another red flag. If the destination address shown when you hover over a link does not match the link text, there is a good chance the site it leads to is spoofed. A spoofed site may look identical to the real one, but the address may differ by a single character, or the domain may not be the same: one may be a .com while the other is a .net, .us, or similar.
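The hover check described above can be automated. The following Python script is an added example, not code from the original article or from Workforce IT: it parses a constructed sample HTML email, pulls out every link, and compares the domain the visible link text claims against the domain the href actually points to. It flags the two cases the paragraph warns about, a different top-level domain (.net shown as .com) and a lookalike domain (a digit 1 in place of the letter l). The sample email, the two-label "registrable domain" shortcut, and the tiny homoglyph table are all assumptions made for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML email body (not a real message). Link 1 shows a bank
# URL but points at a different TLD, link 2 is ordinary link text, link 3 uses
# a digit '1' in place of the letter 'l' in the domain.
SAMPLE_EMAIL = """\
<p>Dear Customer,</p>
<p>Your account has been limited. Please visit
<a href="http://secure-login.examplebank.net/verify">https://www.examplebank.com/login</a>
to restore access.</p>
<p>Or contact <a href="https://www.examplebank.com/help">our help center</a>.</p>
<p>Unsubscribe: <a href="http://examp1ebank.com/unsub">examplebank.com/unsubscribe</a></p>
"""

# Visible text that itself looks like a URL or bare domain (optional path).
_URLISH = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#]\S*)?$", re.I)

# A few homoglyph substitutions used in lookalike domains. Assumption: this is
# a deliberately tiny table; a real check would use a full confusables list.
_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Assumption: ignores multi-label public
    suffixes such as co.uk; good enough to demonstrate the comparison."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_from_text(text):
    """Return the host named in the visible link text, or None if the text is
    ordinary words ("click here") that make no claim about the destination."""
    m = _URLISH.match(text.strip())
    return m.group(1).lower() if m else None


def classify_link(href, text):
    """Compare where a link claims to go with where it actually goes."""
    href_host = (urlsplit(href).hostname or "").lower()
    text_host = host_from_text(text)
    if text_host is None:
        return "ok"  # plain words: nothing to compare against
    actual, claimed = registrable_domain(href_host), registrable_domain(text_host)
    if actual == claimed:
        return "ok"
    actual_name, _, actual_tld = actual.rpartition(".")
    claimed_name, _, claimed_tld = claimed.rpartition(".")
    if actual_name == claimed_name and actual_tld != claimed_tld:
        return "tld-mismatch"  # examplebank.net shown as examplebank.com
    if actual_name.translate(_CONFUSABLES) == claimed_name.translate(_CONFUSABLES):
        return "lookalike-domain"  # examp1ebank.com shown as examplebank.com
    return "domain-mismatch"


def analyze_links(html):
    """Return [(href, visible text, verdict)] for every link in the HTML."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, verdict in analyze_links(SAMPLE_EMAIL):
        print(f"{verdict:17} text={text!r:42} href={href}")
```

Run against the sample, the script reports the first link as a TLD mismatch, the second as fine (the text "our help center" makes no claim about the destination), and the third as a lookalike domain. Links whose text is plain words are passed as "ok" only because there is nothing to compare; the hover check still applies to them.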
What to Do
If an email or call slipped through and you or your employees provided confidential information to a source you now believe was fraudulent, report it. If banking or investment information was involved, contact the financial institution(s) and watch the account for unusual activity. If any appears, close the account and again contact the institution. Change the passwords on any affected accounts and watch for signs of identity theft. This is a criminal act, so consider filing a report with the local police and with the Federal Trade Commission (FTC).
Vishing – A Lesser Known Social Engineering Attack
A lesser-known social engineering crime is vishing. According to the Cybersecurity and Infrastructure Security Agency (CISA), vishing is the use of voice communication to persuade a victim to call a specific number and disclose sensitive information. Social Security recipients have been recent targets of this type of attack. The target received a recorded call informing them that there was a problem with their Social Security account and that no further payments would be made unless they called a special number to straighten out the account. Many senior citizens were scared into making that call and providing personal and private information, and for some of them the outcome was catastrophic.
Advanced vishing attacks can take place entirely over voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and broadcasting services. VoIP makes caller ID easy to spoof, so the number shown on your display proves nothing about who is calling; attackers take advantage of the public's misplaced trust in the security of phone services.
The best way to avoid becoming a vishing victim is to hang up on the suspicious call. Then research the organization that supposedly called, and if the matter appears genuine, call back on a number you obtain independently, such as the customer service or support number printed on your statement or card or listed on the organization's official website, never a number the caller gave you.
Smishing is another social engineering attack, this time delivered by SMS text message. The text carries a link to a web page, an email address, or a phone number; tapping the link opens the site, starts a message, or places the call. Reinforce with your employees the importance of not tapping links in texts unless they know the sender is legitimate.
Being vigilant about social engineering is becoming more important every day. As technology becomes more widely available, criminal activity that uses it will only increase.
Though vishing and its relative, phishing, are troublesome crimes and sometimes hard to identify, here are some tips from the FTC to protect your identity.
Visit Workforceitjax.com if you have questions or need additional information.