You Got Spam: How Not to Fall for a Phishing Attack

Phishing is on the rise again, and now more than ever it's critical to defend yourself against intrusions that can compromise your business. Just this year the Hollywood Presbyterian Medical Center was targeted by ransomware injected into their system through a phishing attack. In the end, they shelled out a whopping $17,000 to recover all of their clients' medical documents.

Even the police are targeted by these attacks and are forced to pay the ransoms. The police department of Swansea, Massachusetts was targeted back in 2015 and ended up paying $750 to criminals. In March 2016 alone, Kaspersky Labs detected 22,890,950 phishing attacks. And that’s just one organization – the number of global attacks is much higher. One thing is certain: phishing attacks are a real threat.

Number of detections on computers with Kaspersky products installed. Source

This fourfold increase in phishing attacks in the past year makes it necessary to better understand phishing attacks and how to avoid them.

What is a phishing attack?

According to the United States Computer Emergency Readiness Team, "Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization." Phishing attacks, in general, seek to exploit trust by masquerading as a trustworthy organization or someone you know. Take this example:

Indicators of Phishing

  • Salutations: Salutations in emails should refer to you by name. You should be wary of any email that doesn’t address you directly with “Hello Kristian,” or the like.

  • Language: If an email’s wording is vague and nondescript, it likely isn’t legitimate. Most phishing attacks aren't just targeted at you; these emails are sent to thousands of people at once. Because of this, the language has to be loose to accommodate a wide audience.

  • Spelling: Many phishing attacks contain errors and spelling mistakes. If you notice words like “attatched” in place of “attached,” an alarm bell should go off. Phishing attacks are often perpetrated by bots or by companies that employ staff who are more concerned with getting as many emails out as possible than with double-checking their wording. Legitimate professionals and businesses take pains to make certain their spelling and grammar are impeccable.

  • Attachments: Malware is often disguised in attachments to harvest sensitive information from you. For example, if you receive a resume in a .zip file and it’s called Resume.exe, don’t open it. Do not download anything from an email unless you can determine its source is legitimate.

  • Links: URL links in emails are another indicator of a potential phishing attack. Make sure to read through the URL by hovering over it. If you can’t determine if it’s safe, don’t click on it. If you notice weird uses of characters in links like “Amaz0n” instead of “Amazon,” don’t click on the link. Phishing attacks try to manipulate URLs to make them appear legitimate.

  • Credentials: If you do get directed to a website through an email and it’s a login page, back out. This is very important. Phishing attacks often coerce people into entering their credentials for online banking or social media accounts on fake login pages. In addition, many attacks will seek personal information like Social Security Numbers, credit card numbers, phone numbers, addresses, birth dates, etc. If you get a link to your bank or any other service, don’t click on it. Instead, contact your bank directly either by navigating to their website or calling them.
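The salutation, spelling, attachment and link checks above can be automated as a first-pass triage of a raw message. The following Python is an added example, not part of the original article; the brand list, misspelling list, risky extensions and the `.example` domain are assumptions, and the sample message is constructed.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed lists (hypothetical, not from the article); extend for real use.
BRANDS = {"amazon", "paypal", "microsoft"}
MISSPELLINGS = {"attatched", "recieve", "acount"}
RISKY_EXT = (".exe", ".scr", ".js", ".vbs")
DIGITS = str.maketrans("01345", "oieas")  # digit-for-letter swaps like "Amaz0n"

def risky_names(part):
    """Risky file names for an attachment, looking inside .zip archives too."""
    name = part.get_filename() or ""
    names = [name]
    if name.lower().endswith(".zip"):
        try:
            names += zipfile.ZipFile(io.BytesIO(part.get_content())).namelist()
        except zipfile.BadZipFile:
            return [name + " (unreadable zip)"]
    return [n for n in names if n.lower().endswith(RISKY_EXT)]

def indicators(raw, recipient):
    """Return the article's phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = [f"attachment:{n}" for p in msg.iter_attachments() for n in risky_names(p)]
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    greeting = body.strip().splitlines()[0] if body.strip() else ""
    if recipient.lower() not in greeting.lower():  # not addressed by name
        found.append("salutation:generic")
    words = set(re.findall(r"[a-z]+", body.lower()))
    found += [f"spelling:{w}" for w in sorted(words & MISSPELLINGS)]
    for url in re.findall(r"https?://[^\s<>\"]+", body):
        host = (urlparse(url).hostname or "").lower()
        for label in host.split("."):
            if label not in BRANDS and label.translate(DIGITS) in BRANDS:
                found.append(f"link:{host}")  # lookalike of a known brand
    return found

def sample_message():
    """Constructed sample: generic greeting, typo, lookalike link, zipped .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Resume.exe", b"not a real program")
    m = EmailMessage()
    m.set_content("Dear customer,\nMy resume is attatched. Verify at http://www.amaz0n.example/login\n")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Resume.zip")
    return m.as_bytes()
```

A non-empty result from `indicators(sample_message(), "Kristian")` means the message deserves a closer look; an empty result is not proof that a message is safe.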

How you can protect yourself

In reality, you can never fully protect yourself from receiving phishing emails. There are some best practices that will decrease your risk, however. Keep in mind that these attacks are constantly evolving and new phishing techniques may reduce the effectiveness of some of these best practices.

  • Always Install Updates: Always keep your operating system and programs up to date. The most up-to-date software is always the most secure. If you are on an old operating system or are using old software, think about upgrading these systems or using cloud services. For example, if you haven’t yet upgraded to Windows 10, you can learn about doing so here.

  • Use Spam Filters: Use an email platform that incorporates a built-in spam filter to filter out malicious emails and spam. For example, Microsoft Exchange Online incorporates a business-class spam filter that removes most conspicuous content.

  • Antivirus: Enabling Windows Defender or purchasing an antivirus solution like Microsoft Intune, Symantec, etc. can help your computer detect and prevent phishing attacks and malware. It is recommended that antivirus is enabled and scheduled to run regularly on all computers.

  • Set Up Multi-Factor Authentication: Adding an extra layer of protection against unwanted logins will help prevent your accounts from being inappropriately accessed. Multi-factor authentication links your accounts to your mobile device and will send you a notification when an account is being accessed. This way only you can approve logins. If you need to set up multi-factor authentication for Office 365, learn how here.

  • Separate Work and Personal Email accounts: This might be inconvenient for some people, but it adds another level of security that helps prevent work accounts from being compromised. For example, having a personal Outlook email account and a work Microsoft Exchange Online account can help prevent attacks by automatically detecting and quarantining malware.

  • Move to Spam folder: If you can’t determine if an email is malicious, simply move it to your spam folder. Adding an email to the spam folder stops any executable from running, disables attachments, and keeps your computer secure. It’s always better to be safe than sorry.

  • Create Shortcuts for Services: Always create shortcuts in your browser to your banks, social media, email, etc. Having an easy way to log into your services will allow you to avoid needing to click links in emails. For example, if you’re asked to reset your password for Facebook, log in through your shortcut instead of clicking an email link. This way you control your access, not someone else.

What to do if you fall for a phishing attack

If you think you have become the victim of a phishing attack, follow these steps in order to mitigate the damage and ensure nothing is compromised further.

  • Update Antivirus: If you have an antivirus, make sure it’s updated so you can catch any malware you may have received. Antivirus relies on a set of definitions to decide what is malicious; without running updates new definitions can’t be added, potentially endangering your PC.

  • Run Antivirus: Scan your computer with your antivirus software. If you don’t think you have antivirus or your antivirus is out-of-date, you can use Windows Defender, which is installed on most Windows PCs. For information on enabling Windows Defender click here.

  • Reset Passwords: Reset passwords for any critical services, including online banking, business accounts, company accounts, etc. If some of your information was leaked, you’ll need to reset these passwords to ensure that those accounts are protected. This way you won’t get hacked in the future.

  • Sign out of all devices: Many services now offer an option to sign out of devices you are currently logged in with. You can leverage this feature to log anyone out except yourself.

  • Close bank accounts and reissue cards: If you think a credit card or bank account has been compromised, have new cards reissued or close the accounts. It’s a real hassle, but the risk is too high to leave unresolved. 

Following these steps will help protect you online and prevent phishing attacks from compromising your sensitive information. For more information, check out these resources: