The day after Thanksgiving, widely referred to as Black Friday, has marked the start of the Christmas shopping season since 1952. Surprisingly, it wasn’t until 2012 that the Black Friday buzz was adapted to further stoke the shopping fire by promoting Cyber Monday. Whether shoppers choose to chase the deals in person or from the privacy of their own homes, personal information is being shared in the form of email addresses, home addresses, and credit card numbers. As the stores are preparing by stocking shelves and bulking up employee headcount, cyber criminals are also preparing to capitalize on the shopping frenzy, hoping to catch consumers with their guards down.
Phishing, the act of fraudulently posing as someone else through email in an attempt to acquire valuable information (personally identifiable information, credit card numbers, logins and passwords, etc.), is believed to have begun around 1995. Over the last 25+ years, its impact has swelled and its tactics have evolved. With the increase in online shopping, phishing emails can slip through an overflowing inbox, and if the proposed deal is enticing enough, one trusting click on a link can give an attacker an early Christmas gift.
The impact of phishing emails is not limited to consumers; organizations of all sizes run the risk of a phishing attack if their employees have a weak grasp on cybersecurity basics. Using work email addresses and password reuse across logins are just two ways employees may inadvertently give access to attackers.
How Businesses Can Protect Themselves:
Policy – As an organization, you must decide what is acceptable usage of business email addresses and company-issued devices. A policy is only good if it is widely known, understood, and applied. A password policy should be included as well (see below).
MFA for Business Systems – Multifactor Authentication (MFA) requires two independent checks to log in successfully: something you know (e.g. your password) and something you have (e.g. your phone, which can receive a text code or a call, or run an authenticator app). A third factor, where available, is something you are (e.g. a fingerprint or facial recognition). At a minimum, apply MFA to critical business systems; ideally, deploy it wherever it is practicable.
Password Policy – Survey after survey reports that, in general, we humans do not practice great password hygiene. Whether it is reuse across multiple logins or failing to create a strong password, we’ve got work to do. An organizational password policy defines the required length and character types (letters, numbers, capitals, symbols), as well as how frequently passwords should be changed. These rules can usually be set up by an administrator and enforced for all users. Also consider steps to prevent password reuse.
Dark Web Monitoring – The dark web is a marketplace for cyber criminals. If logins and passwords, PII, bank details and more have been stolen, this is where they are being sold. Dark web monitoring can gather threat intelligence and report when an organization’s information is present.
Employee Training – The area of greatest potential risk can also be one of your strongest defenses: your employees. If your employees are going to access your network and business information, you should provide them with regular security training. Employees should understand organizational policy and expectations, and receive practical training on common attacks, including phishing. There are companies that will send simulated phishing emails to your staff on a regular basis and report on the results. Keeping phishing indicators at the front of employees’ minds is more effective than addressing the topic only annually, or worse, as a (late) reaction to a breach.
Speaking of phishing emails…
What to look for in an email - SLAM:
Sender – Consider the sender: were you expecting an email from this person? Is the domain familiar, and does it match the claims in the message? If you hover over the email address with your cursor, is the same address displayed? Look carefully for character substitutions; many characters are visually similar to one another, and a lookalike domain can differ from the real one by a single character. Below are a few common substitutions that can slip through:
0 v O (zero v capital o)
I v l (capital i v lowercase l)
a v α (lowercase a swapped for Greek alpha)
Links – Hovering over a link reveals where the sender is actually trying to redirect you, which may differ from the text you see. If Apple iTunes is sending you a link to free downloads, you would expect the link to use a domain or URL along those lines, not a long mix of letters, numbers, and characters. When in doubt, go directly to the vendor’s website. For example, if you are asked to verify a purchase on your credit card account by clicking a link, instead go directly to your banking site and check it there.
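The Sender and Links checks above can be automated for a mail gateway or a training exercise. The following is an added example written for this post, not a tool from Appalachia Technologies: it reduces a domain to a "skeleton" in which the confusable characters listed above (0/O, I/l, a/α, plus a few Cyrillic lookalikes added here as an assumption) collide, flags sender domains that match a trusted domain only after skeletonizing, and extracts each link's real target from the HTML body so that a displayed address that points somewhere else (what hovering would reveal) can be spotted. The trusted list, the From header and the HTML body are constructed sample data, and example.com is used as the stand-in for a legitimate vendor.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visually confusable characters, mapped to the plain letter they imitate.
# The first row is the post's list; the Greek/Cyrillic rows are an added assumption,
# illustrative rather than exhaustive.
CONFUSABLES = {
    "0": "o", "1": "l", "I": "l", "|": "l",            # digit zero, digit one, capital I, pipe
    "α": "a", "ο": "o",                                 # Greek small alpha, Greek small omicron
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c",   # Cyrillic a, e, o, r, s
}

def skeleton(domain: str) -> str:
    """Canonical form in which lookalike spellings of the same domain become identical."""
    text = unicodedata.normalize("NFKC", domain.strip().rstrip("."))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text).lower()
    # Two-character imitations: "rn" reads as "m", "vv" reads as "w".
    return text.replace("rn", "m").replace("vv", "w")

def classify_domain(domain: str, trusted: list[str]) -> str:
    """'trusted' (the domain or a subdomain of it), 'lookalike' (matches only after
    skeletonizing, i.e. a character substitution) or 'unknown'."""
    d = domain.lower().rstrip(".")
    for t in trusted:
        t = t.lower()
        if d == t or d.endswith("." + t):
            return "trusted"
    if skeleton(d) in {skeleton(t) for t in trusted}:
        return "lookalike"
    return "unknown"

ADDR_RE = re.compile(r"<([^<>]+)>\s*$")

def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header, ignoring the display name."""
    m = ADDR_RE.search(from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].strip()

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: the href is what hovering would show."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host_in_text(text: str) -> str:
    """If the visible link text itself looks like a URL or domain, return its host."""
    candidate = text.strip()
    if " " in candidate or "." not in candidate:
        return ""
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()

def check_links(html: str, trusted: list[str]) -> list[dict]:
    """Classify each link's real destination and flag visible-text/href host mismatches."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = _host_in_text(text)
        findings.append({
            "href": href, "text": text, "host": host,
            "verdict": classify_domain(host, trusted),
            "text_host_mismatch": bool(shown) and shown != host,
        })
    return findings

# Constructed sample message: a lookalike sender, a hover mismatch, a homoglyph
# link and one genuine link.
TRUSTED = ["example.com"]
SAMPLE_FROM = "Example Support <no-reply@examp1e.com>"
SAMPLE_HTML = """
<p>Your purchase must be verified within 24 hours or service will be suspended.</p>
<a href="http://secure-verify.example.net/login">https://www.example.com/account</a>
<a href="https://exαmple.com/downloads">Claim your free downloads</a>
<a href="https://www.example.com/">Example</a>
"""

if __name__ == "__main__":
    print("sender:", sender_domain(SAMPLE_FROM), classify_domain(sender_domain(SAMPLE_FROM), TRUSTED))
    for f in check_links(SAMPLE_HTML, TRUSTED):
        print(f)
```

Run as-is, the sample sender is reported as a lookalike (examp1e.com skeletonizes to example.com), the first link is flagged because the text shows www.example.com while the href goes to example.net, the second is a lookalike via the Greek alpha, and the third is trusted. A real deployment would also check the Return-Path and the authentication results headers, which this example does not cover.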
Attachment – Consider whether it makes sense for you to be receiving an attachment. If you do not work in accounting but receive an invoice, it would be prudent to be cautious. At the most basic level, if you do not know the sender, do not open the attachment.
Message – If something smells phishy (punny, isn’t it?), it probably is. Some phishing emails are rough, filled with misspellings and improper grammar. Others are more polished. If the message is filled with urgency, such as warnings that service will be disrupted, be cautious. Attackers often play on emotions to elicit a quick response before the victim has a chance to question the message’s legitimacy.
Phishing is a relatively easy attack vector that can produce major gains…and create major damage. Stay vigilant – no Black Friday or Cyber Monday deal is worth what a cyber criminal could steal!
Sales and Marketing Coordinator, Appalachia Technologies
Ashley Louden is the Sales and Marketing Coordinator at Appalachia Technologies. She hails from a long line of editors and legend says she was born with a red pen in her hand. In addition to creating content and graphics, Ashley can be found wherever there is music playing. When asked what she likes to do in her free time, she responded, "What free time?" She enjoys hanging out with her family, whether it be at the soccer fields or around the table for a vicious game of cards.