March saw an alarming statistic aside from the number of new virus cases. The number of phishing emails increased four-fold prompting government warnings from both the US and the UK. Additionally, Google has tracked the number of active phishing websites and determined that it has increased by 350% since January. There are now more than 500,000 phishing sites — and many include fake COVID-19 websites.
What’s the most popular subject line to lure your clicks? “COVID-19 payment.” If your employees saw that message, how easily would they fall prey to malicious web pages, email attachments and links? If they only click on one, they may open the door to malware that can steal data such as email credentials and passwords. Those very same passwords that might leave your business vulnerable.
Why is it called “Phishing?”
“Phishing” is a sophisticated tactic used by hackers to gain access to personal information by “fishing” in a “sea of internet users.” And they’re getting a lot better at disguising their bait. We typically see this in the form of emails that appear to be sent from legitimate sources (like the CDC or the World Health Organization), but we can also receive phishing attempts in the form of text messages, pop-ups, and social media games from companies you may interact with. The most successful disguised emails tend to be from senders such as “Apple Support” or cellular providers, financial institutions, and even your beloved Netflix, and they indicate a request or problem with your account. Text messages will do the same, and both want you to click a link that will try to collect personal information for nefarious use.
So how do you educate your teams to be vigilant? We have tips:
- The number one thing to do when receiving an email stating any type of issue with your account is to check the actual address from which the email originated — NOT just look at the display name, which can literally be anything. For example:
When you see this in your list of emails, all you will see is firstname.lastname@example.org which leads you to believe it is from a legitimate source. Because email is a growing beast, you quickly open it because Amazon is very important to you right now. The message may even have a legitimate link to the actual Amazon website in the message. CAUTION: the email address that is the real source of the email is obviously NOT an Amazon email. The goal is to get you to click the document, which has malicious code inside of it. You can verify the email sender on mobile devices as well by clicking on the name of the sender and it will show you the real from address. And don’t even think your mobile device can’t be infected with malware, because it can.
2. Another top trick that hackers use is to send links to legitimate-looking websites to prompt you to enter personal information or register with a username and password (that they hope you also use somewhere else.) Bank websites are often copied and re-published with a slightly different URL and malicious content inside. If you question a website or are unsure of the validity of it, try using tineye.com, which allows you to drag an image from a webpage onto the tineye.com tab or page and it will identify the originating URL…handy!
Sadly, Facebook is one of the favored tools of gaining information about people because its core activities are to connect people. Old classmates, friends, family, co-workers…even random people who share a similar interest, such as a music group. With apps that allow you to specify family members, anyone could potentially find a person’s mother and then determine her maiden name. Schools (and therefore their mascots) are often visible, along with birthplace, current location, and employer.
Another new twist is the malicious code embedded in harmless-looking Covid-19 maps that exploit the natural human desire to stay informed about threats surrounding this novel disease.
3. A newer, and increasingly common technique is the use of “fun facts” lists to complete and share with friends on Facebook. These “fun facts” want you to list things that might also be answers to security questions. They seem innocuous (“30 things I bet you don’t know about me!”), but these lists can be tracked and used against you. The same goes for the trend of posting senior pictures during COVID-19 quarantines, encouraging people to post their senior pictures to support the senior classes who are at home. The “super discount” sunglasses and other products are also usually phishing ads.
4. Changes in privacy policies on Facebook allow people to hide certain information, or at least restrict it to only allow their friends to view it, but the quizzes people share and apps people use usually require access to your profile, meaning they can view all the information they want—and likely that of all your friends, too.
5. Ever get a friend request from someone you thought you were already friends with? Don’t automatically assume they’ve left Facebook and are rejoining. Profiles can be cloned and used against you and your friends. ALWAYS verify when you have a sense of déjà vu.
What can you do?
Understanding how interaction works on different types of social media is important too. Checking links, web page URLs, and avoiding sharing and posting personal information are other ways to protect yourself. Finally, Facebook and other apps allow you to use two-factor authentication (2FA) in order to log in to their services, meaning if someone has your password or attempts to spoof your account, they will not have the second piece/factor of the process and will fail. Two-factor authentication has long been used for company VPN connections, or to access secure information, but is now available to the masses via mobile devices, 2FA apps that work in conjunction with application sites, and even login codes via email.