Right – so what is phishing? Wikipedia (yes, Wikipedia isn’t exactly a high-ranking academic journal, but for this blog post it will suffice) defines it as:
The fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website, the look and feel of which are identical to the legitimate site.
In simpler terms, it is a social engineering technique built around obtaining your private and confidential information in order to, ultimately, steal something from you; and by something, I mean money. The FBI estimates that in the United States alone, phishing costs companies around 500 million USD a year.
Companies, public bodies and individuals all across the world fall victim to phishing scams. One of the simplest and yet most effective forms of phishing scam is the scenario where criminals use spoofed email addresses (spoofing being a fancy term for forgery). Emails are sent from XYZ, pretending to come from a legitimate source, to accounts departments, asking them to change the account details on file to an account to which the criminal has access.
In many cases these attempts are extremely amateurish: the emails are written in bad English (or with bad grammar and spelling in whatever language they are sent in) and come from addresses that look nothing like a legitimate one. So why are they effective? Simple: it is a numbers game. Criminals engaged in these schemes send thousands and thousands of emails every day. Eventually someone, somewhere, who wasn’t trained properly will fall victim to one.
Self-Protection Strategies
Use the below FBI suggestions as a list of basic self-protection strategies:
- Avoid free web-based e-mail accounts: Establish a company domain name and use it to establish company e-mail accounts in lieu of free, web-based accounts.
- Be careful what you post to social media and company websites, especially job duties and descriptions, hierarchical information, and out-of-office details.
- Be suspicious of requests for secrecy or pressure to take action quickly.
- Consider additional IT and financial security procedures, including the implementation of a two-step verification process.
Examples:
Digital Signatures: Both entities on each side of a transaction should utilize digital signatures. This will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.
Out-of-Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this two-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
Tips to Follow
- Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
- Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
- Consider implementing two-factor authentication for corporate e-mail accounts. Two-factor authentication mitigates the threat of a subject gaining access to an employee’s e-mail account through a compromised password by requiring two pieces of information to log in: (1) something you know (a password) and (2) something you have (such as a dynamic PIN or code).
- Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been through company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
- Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, a detection system for legitimate e-mail of abc_company.com would flag fraudulent e-mail from abc-company.com.
- Register all company domains that are slightly different than the actual company domain.
- Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.
- Confirm requests for transfers of funds. When using phone verification as part of two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
- Know the habits of your customers, including the details of, reasons behind, and amount of payments.
- Carefully scrutinize all e-mail requests for transfers of funds to determine if the requests are out of the ordinary.
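The detection rule in the list above (flag mail from domains that merely look like the company domain, e.g. abc-company.com posing as abc_company.com) is simple enough to show in working code. This is an added example, not FBI or vendor code; the company domain is the post's own placeholder, the sample From: headers are constructed, and the two-edit threshold is an assumption to tune per domain.

```python
from email.utils import parseaddr

# Placeholder company domain, taken from the post's own example.
COMPANY_DOMAIN = "abc_company.com"

# Digit/letter swaps and letter pairs that read alike in most mail clients.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize(domain: str) -> str:
    """Fold separators and look-alike characters so that abc-company.com,
    abccompany.com and abc_c0mpany.com all collapse to the same string."""
    d = domain.lower().replace("-", "").replace("_", "")
    return d.translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character typos such as abc_company.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, company_domain: str = COMPANY_DOMAIN) -> str:
    """Return 'legitimate', 'lookalike', 'external' or 'unparseable' for a From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == company_domain.lower():
        return "legitimate"
    # Assumed threshold: within two edits after normalisation counts as a lookalike.
    if levenshtein(normalize(domain), normalize(company_domain)) <= 2:
        return "lookalike"
    return "external"

def flag_lookalikes(from_headers):
    """Run the rule over a batch of From: headers and return the ones to flag."""
    return [h for h in from_headers if classify_sender(h) == "lookalike"]

# Constructed sample headers for the demonstration.
SAMPLE_HEADERS = [
    "Jane Smith <jane.smith@abc_company.com>",      # genuine internal sender
    "CFO <cfo@abc-company.com>",                    # hyphen swapped for underscore
    "Accounts Payable <ap@abccompany.com>",         # separator dropped
    "Finance <finance@abc_c0mpany.com>",            # zero in place of the letter o
    "Vendor Billing <billing@vendor-example.com>",  # unrelated third party
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):12} {header}")
```

A fixed edit distance is too loose for short company domains (many unrelated domains sit within two edits of a five-letter name), so in production either scale the threshold to the domain length or compare only the registrable label and pair the rule with an allow-list of known partners.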