In Albert’s Corner this month, real-life stories about new and improved ways to fool you into clicking where you shouldn’t.
A few months ago we talked about improvements – if that’s the right word – in the techniques being used for email phishing attempts. That post covered things like nasty links in an email that appears to be part of an existing thread, and so on.
Guess what? We weren’t kidding, and if you have trouble believing such a thing, take a look at these actual stories that have come to us since:
[Our company] actually gets Phishing email all the time spoofed to look like … someone high up and the emails always go “TO” an employee in the Accounting Dept. … The email will most likely say something like….”Hi [name] I am not in the office today and traveling. I am currently sitting in a meeting and need for you to do something for me ASAP! Please draft an IMMEDIATE wire transfer to (then there is usually a place to wire the money and it’s usually between $2,000-$5,000). They even know that [another employee] does not get in the office until 11:00 AM or so they will even say [she] is fully aware of this much needed transfer as it is a refund for one of our biggest clients.”
It’s crazy they know exactly who all the players are and they seem to know when they are out or traveling and also know [second employee] doesn’t get in until 11:00 AM.
We had the FBI in here last year investigating the emails they traced them to of course the Ukraine but said they could not really do anything because [our] employees never sent any money.
I was expecting a package from UPS yesterday from Amazon. I got an email saying the driver tried to make a delivery yesterday from Amazon just shortly before the time my package actually showed up for real that they had left a notification. There was a link to a UPS InfoNotice Viewer program which was of course must be malware. It’s scary that the email was tailored to match the date of delivery and where it was shipped from. The tracking number didn’t match up though.
That’s right … the bad guys now can know the players in your company and even where your packages are coming from. How do you defend yourself against that?
Remember first that no bank, credit card company or other financial institution will ever contact you to request personal information, nor will they ask you to click on a link for those purposes. If you have any doubt, initiate the contact yourself … don’t reply to the email or click any links.
Read everything carefully … there are often small clues in the wording and syntax that English is not the original language of the sender.
And don’t click on any links until you’ve looked carefully at where they point.
Finally, have a multilayered security solution in place. No system is perfect, but give yourself the best chance at heading off phishing attempts before they get to your employees. Contact us with any questions.
Albert Blaize is Vice President of Sales and Marketing for TRG Networking. Contact him at firstname.lastname@example.org.