You've got Mail!
While the world continues to battle the coronavirus pandemic, another one is unfolding in digital space. Businesses and individuals are seeing an unprecedented onslaught of cyberattacks. As organisations try to maintain business continuity and keep their operations running with a workforce working from home, protecting data has become increasingly challenging. Millions of users are going online to access applications and data from unprotected home networks. Sensitive data is being spread more widely, significantly expanding the attack surface available to attackers. In the past few months the number of phishing attacks, malware attacks and spam messages has increased manifold. Worse still, healthcare organisations and agencies working to fight the Covid-19 pandemic are also being targeted.
Last month, Google reported that it was detecting about 18 million pandemic-themed malware or phishing emails per day, on top of some 240 million Covid-themed spam messages daily.
Examples include phishing emails soliciting donations, offering free meals or government subsidies, or providing updates on the Covid-19 pandemic. These emails are crafted to look as though they come from trusted sources (government agencies, the WHO, NGOs, etc.). They entice users to open the attachments or click the links in the email, which lead to spoofed pages imitating trusted sources that trick users into entering user names and passwords, or which download malware designed to skim and exfiltrate information from user devices. Some of these payloads are ransomware, which once activated encrypts systems and devices, putting users and organisations at risk.
According to the Symantec Internet Security Threat Report (ISTR 2019) and the Verizon Data Breach Investigations Report (DBIR 2019), 65% of targeted attack groups use spear-phishing as their primary infection vector, and 92% of malware was delivered via email.
These attacks can prove extremely costly to organisations and individuals alike. The scope and methods of data protection are complex, industry- and organisation-specific, and typically driven by InfoSec teams; but what can we, as individuals and employees, do to keep ourselves and our organisations safe?
As we can see, phishing emails are the entry point for most of these attacks and exposures. We can steer clear of the majority of them by being vigilant and following a few guidelines. So here are some that let each of us become the first line of defense against phishing attacks.
- If it’s too good to be true, delete it. However tempting they might be, do not fall for emails offering lucrative deals, announcing the sudden discovery of a vaccine, good fortune or newly found treasure.
- Avoid emails that insist you act now. Phishing emails often try to create a sense of urgency or demand immediate action. The goal is to get you to click on a link and provide personal information — right now. Instead, delete the message.
- Think before you click. You can inspect a link by hovering the mouse pointer over it to see the URL it actually leads to (on a phone, press and hold the link). Sometimes it is obvious that the web address is not legitimate, but keep in mind that phishers create links that closely resemble legitimate addresses: a trusted brand name used as a subdomain of an unrelated domain, or look-alike characters in the host name. When in doubt, go directly to the source by typing the address yourself rather than clicking a potentially dangerous link.
- Never give out personal information. Treat a coronavirus-themed email, or any other email, that asks for your login details or other personal information as a phishing attempt. Legitimate government agencies will not ask for that information by email. Never reply to the email with your personal data.
- Beware of pop-ups – Pop-up windows often masquerade as legitimate components of a website, but all too often they are phishing attempts. Most browsers block pop-ups by default and let you allow them on a case-by-case basis. If one slips through, do not click its “Cancel” button, which can itself lead to a phishing site; a fake pop-up can draw its own “x” button too, so the safest option is to close the browser tab or window.
- Watch for spelling and grammatical mistakes. Spelling, punctuation and grammar errors in an email are a likely sign that it is a phishing email. Delete it. Look for generic greetings too: phishing emails are unlikely to use your name, and greetings like “Dear Sir or Madam” or “Dear Customer” signal that an email may not be legitimate.
- Check your online accounts regularly. If you do not visit an online account for a while, someone could be having a field day with it, so check in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too. To prevent bank and credit-card phishing fraud, check your statements personally: get monthly statements for each financial account and check every entry carefully to ensure no fraudulent transactions have been made without your knowledge.
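The “think before you click” advice above can be applied mechanically to an email body. The following is an added example (it is not code from the original article, and the allow-list and brand words are assumptions a reader would replace with their own): it extracts every link from an HTML fragment, compares the visible text with the real `href`, and flags the common tricks, namely a brand name buried in a subdomain of an unrelated domain, credentials before an `@` that hide the real host, and punycode (`xn--`) labels that can imitate Latin letters. The sample email body is constructed for the example and uses only the Python standard library.

```python
"""Link inspection: does a link really go where its text claims?

Added example, not part of the original article. TRUSTED_HOSTS and
BRAND_WORDS are assumed allow-lists a reader would maintain locally.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the reader expects to see in genuine mail (assumed allow-list).
TRUSTED_HOSTS = {"who.int", "www.who.int", "gov.uk", "www.gov.uk"}
# Brand words that should only ever appear inside a trusted host (assumed).
BRAND_WORDS = ("who", "gov", "paypal", "microsoft", "covid", "vaccine")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:       # only text inside an <a> element
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def real_host(url):
    """Host the browser would actually contact, lower-cased.

    urlsplit().hostname drops userinfo, so 'https://gov.uk@198.51.100.7/'
    correctly yields '198.51.100.7', not 'gov.uk'.
    """
    return (urlsplit(url.strip()).hostname or "").lower()


def inspect_link(href, text):
    """Return a list of warnings for one link; an empty list means no concern."""
    findings = []
    host = real_host(href)
    if not host:
        return ["no host in href (javascript:, mailto: or relative link)"]
    if host in TRUSTED_HOSTS:
        return findings

    # 1. Visible text looks like a URL but names a different host than the href.
    if text.lower().startswith(("http://", "https://", "www.")):
        shown = real_host(text if "://" in text else "http://" + text)
        if shown and shown != host:
            findings.append(f"text shows {shown!r} but link goes to {host!r}")

    # 2. Userinfo trick: everything before '@' in the authority is ignored.
    if "@" in urlsplit(href).netloc:
        findings.append("userinfo before '@' hides the real host")

    # 3. Internationalised domain: xn-- labels can be homoglyphs of known names.
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            decoded = host.encode("ascii").decode("idna")
        except UnicodeError:
            decoded = host
        findings.append(f"punycode host {host!r} decodes to {decoded!r}")

    # 4. Brand word in a host whose registrable domain is not trusted.
    #    (Last two labels is a simplification; real code would use a
    #    public-suffix list so that e.g. co.uk is handled properly.)
    registrable = ".".join(host.split(".")[-2:])
    for word in BRAND_WORDS:
        if word in host and registrable not in TRUSTED_HOSTS:
            findings.append(f"{word!r} appears in {host!r}, which is not a trusted host")
            break
    return findings


def inspect_html(html):
    """Run inspect_link over every anchor; returns {href: [warnings]}."""
    parser = _AnchorCollector()
    parser.feed(html)
    return {href: inspect_link(href, text) for href, text in parser.links}


# Constructed sample email body for the example (not a real message).
SAMPLE = """
<p>Dear customer, claim your relief payment:</p>
<a href="http://www.who.int.covid-relief.example/claim">https://www.who.int/</a>
<a href="https://www.who.int/">WHO situation reports</a>
<a href="https://gov.uk@198.51.100.7/login">https://gov.uk/login</a>
<a href="https://xn--pypal-4ve.com/signin">PayPal</a>
"""

if __name__ == "__main__":
    for link, warns in inspect_html(SAMPLE).items():
        print(("SUSPICIOUS " if warns else "ok         ") + link)
        for w in warns:
            print("    - " + w)
```

Only the genuine `www.who.int` link comes back clean; the other three each trigger at least one warning, which is the same judgement a careful reader makes by hovering, just made repeatable.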
Some system-level protections you can take:
- Use your browser’s anti-phishing protection – Most popular browsers can be extended with anti-phishing toolbars, and current versions ship with equivalent protection built in (Google Safe Browsing in Chrome and Firefox, Microsoft Defender SmartScreen in Edge). These run quick checks on the sites you visit and compare them against lists of known phishing sites; if you stumble upon a malicious site, you are warned about it. This is one more layer of protection against phishing scams, and it is free.
- Keep your browser up to date – Security patches for popular browsers are released all the time, in response to vulnerabilities that phishers and other attackers inevitably discover and exploit. If you typically ignore messages about updating your browser, stop: the minute an update is available, install it, or turn on automatic updates.
- Use up-to-date antivirus software – There are plenty of reasons to use antivirus software. The signatures that ship with it detect known malware, including the attachments and downloads that phishing emails deliver. Just be sure to keep the software up to date: new definitions are added all the time because new scams are being dreamed up all the time.
- Use firewalls – A good firewall acts as a buffer between your computer and outside intruders. Two kinds can be used together: a host firewall (software running on the desktop or laptop) and a network firewall (typically hardware, such as the one in your home router). Used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.
Finally, stay informed about new phishing techniques and scams so that you do not inadvertently fall prey to one. Keep your eyes open for news about new phishing scams.
Bottom Line: Stay alert & stay safe!
Sources/credits: ISTR 2019, DBIR 2019, phishing.org, Google cyber report, cartoonstock.com