Cybercriminals are always evolving their methods of getting unauthorized access to your private information, and with the rapid, on-a-dime increase of the remote workforce, 2020 has been an exceptional year for cybercrime. According to phishing.org, phishing is a type of cybercrime in which a hacker contacts the target by email, phone, or SMS message (text message) while posing as a recognized institution, business, or other organization. The purpose of phishing is to persuade people to provide private or sensitive data, like personal information, credit card and banking information, and login information (usernames, passwords, passphrases, etc.).
In this article, we will go over some of the most common phishing phenomena reported in 2020. Security awareness is the most effective way to defend against cybercrime; start your year off armed with knowledge.
COVID-19 related emails
Cybercriminals have jumped on hacking opportunities that COVID-19 has created. Here are just some of the COVID-19-related phishing scams to look out for in 2021:
- Fake Zoom-related domains: cybercriminals have created incredibly realistic-looking fake login pages for trusted video conferencing software, primarily Zoom, to trick users into providing login information (which is why it’s important to have different passwords for each account that you have), and also trapping users into downloading malware and/or ransomware.
- Emails from unknown senders asking recipients to download malicious attachments under the guise of offering health tips for preventing the spread of COVID-19.
- Fake CDC alerts: these emails may falsely offer updates on recent cases of COVID-19 in your area or other such promises enticing the recipient to click on a malicious link or download a malicious attachment.
- Fake workplace policy update emails: again, the purpose of these emails is to get you to click on a malicious link or download a malicious attachment while impersonating someone else, in this case, the recipient’s employer.
According to a recent Kroll report, ransomware was the most observed threat in 2020. Furthermore, CyberEdge Group has reported that in 2020, 62.4% of organizations were affected by ransomware in some way. This is up from the 2019 figure of 56.1%.
Ransomware is a form of “malware” (literally “MALicious softWARE”) that locks a victim’s files. The cybercriminal demands payment to unlock the files. (This is why regular, secure, automated file backup can be so important and valuable to an organization.) The ransoms can range from a few hundred dollars to thousands, payable online to an anonymous recipient in bitcoin. Phishing attacks are the most common way that ransomware makes it onto a computer or device.
File-sharing Phishing Scams
Much of the office workforce has become accustomed to receiving shared-file notifications from colleagues and clients on various platforms including SharePoint, OneDrive, Dropbox, and Google Docs, to name a few. One way that hackers exploit our familiarity with file-sharing is by pointing the URL in the shared-file message to a phishing page that may look like a Microsoft 365 or Dropbox login page. From there, they can collect user login information, which can potentially expose an entire organization’s hierarchy of stored digital files. Another sneaky way that hackers have used the file-sharing guise to attack individuals and organizations is by sharing a legitimate file from a legitimate file-sharing service and burying a malicious link inside the attachment, where many anti-phishing scanners cannot detect it.
Where to Report Phishing
If you think you have been phished, you can file a complaint at no charge to the Federal Communications Commission (FCC) on their website. You can also contact local law enforcement to report scams.
How to Protect Your Company from Phishing
Security Awareness Training is the best, most effective way to protect yourself and your organization from smishing, phishing, and other types of cybercrime. When employees know to simply delete suspicious messages and resist the temptation to respond, they protect themselves more effectively than any other preventive action they can take.
General rules of thumb for protecting yourself and your organization include:
- Avoid responding to requests for personal information
- Always check the complete email address and/or link to see whether it is an obvious disguise
- Spelling and grammar mistakes can sometimes be a tip-off
- Generic greetings can be a tip-off (like “dear sir or madam”)
- Avoid responding to anything that insists on acting immediately
- Do not forward suspicious emails. If you want to show others as a warning, use screenshots instead.
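As an added example (not from the original post or from AccountabilIT), here is a small Python checker that applies the "check the complete link" rule to an HTML email: it compares the domain shown in the link text with where the link actually goes, and flags look-alike hosts that embed a trusted brand name. The TRUSTED list and the sample message are constructed for the demonstration; a real deployment would use the organization's own allow-list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands this post names; an allow-list the organization maintains would replace this constructed one.
TRUSTED = {"zoom.us": "Zoom", "microsoft.com": "Microsoft 365",
           "dropbox.com": "Dropbox", "sharepoint.com": "SharePoint"}

class LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def registered_domain(host):
    """Last two labels, e.g. login.zoom.us -> zoom.us (no public-suffix list; enough for this demo)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])
def check_link(href, text):
    """Return the reasons a link looks like a disguise; an empty list means nothing was flagged."""
    host = urlparse(href).hostname or ""
    if registered_domain(host) in TRUSTED:
        return []                                   # genuinely hosted on the trusted domain
    reasons = []
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())   # a domain in the visible text
    if shown and registered_domain(shown.group(0)) in TRUSTED:
        reasons.append(f"text shows {shown.group(0)} but link goes to {host}")
    for domain, brand in TRUSTED.items():           # brand name buried in a look-alike host
        if domain.split(".")[0] in host:            # substring match: a heuristic, not proof
            reasons.append(f"host {host} imitates {brand} ({domain})")
    return reasons
def suspicious_links(html_body):
    """Return [(href, reasons)] for every link in the body that raised at least one flag."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return [(h, r) for h, t in parser.links if (r := check_link(h, t))]

# Constructed sample message (not a real phish): one genuine link and two disguises.
SAMPLE = ('<p>A document was shared with you.</p>'
          '<a href="https://login.zoom.us/j/123">Join meeting</a> '
          '<a href="https://zoom-us-login.example.net/signin">https://zoom.us/signin</a> '
          '<a href="https://dropbox-share.example.org/file">Open in Dropbox</a>')
```

Running `suspicious_links(SAMPLE)` leaves the genuine Zoom link alone and reports the two look-alikes, with the second one flagged both for the text/href mismatch and for the brand name buried in its hostname.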
Looking for additional Security Awareness Training?
At AccountabilIT, we work with our clients to ensure that their networks are locked down and their staff is thoroughly trained on the latest in Security Awareness. We will take care of the training so that you are free to do what you do best: run your organization.
Our comprehensive Security Awareness Training includes a baseline risk assessment and complete training on the mechanisms of spam, phishing, spear-phishing, malware, and social engineering. Included in the program are multiple refresher training sessions and post-training phishing simulations with custom landing pages. Staffers who open the automated phishing emails are automatically enrolled in additional training until they no longer fail the simulations.
Our approach to delivering the best possible IT service and Security Awareness Training is centered on you. For a free consultation please contact us today.
We know what it’s like to run a business and we know your time is valuable. We can:
- learn about your business
- give you some ideas on what improvements you can make right away
- provide free advice on your approach to IT security and other IT solutions
And if you’d like, we can show you where and how we can help. Call (866) 407-1284.