Business organizations and schools are under cyber-attack. Just this past week, it was reported that the FBI uncovered a phishing email scam aimed at stealing funds from New Jersey state employee online payroll accounts. The emails requested employee login credentials, which the criminals could then use to redirect an employee’s direct deposit to an account they control. A similar ploy was recently directed at school employees in Atlanta, and the FBI Internet Crime Complaint Center (IC3) has issued a public warning about phishing email payroll fraud.
The Telltale Sign of a Phishing Email
A simple request to confirm login data, such as in the recent New Jersey state employee scam, may seem legit at first glance. Often these emails may seem to come from the organization itself, a vendor or software provider, or another trusted source. Some of these phishing email schemes are amateurish, but others are more sophisticated and harder to detect. Here are some signs an email may not be on the up-and-up:
• Subject lines that seem “too good to be true.” They probably are.
• Subject lines that make threatening statements. Common phishing subjects are “Your account is about to close,” or “Final Warning.”
• Non-personalized, generic introductions. Look for terms like “Hello Valued User” or “Attention Client.”
• “From” addresses that use a misspelled or look-alike domain. Attackers register domains that resemble the real one, so the email may come from someone @ “company-corporation” or “cmopanycorporation” instead of “companycorporation.” Read the part after the @ sign character by character, not just the display name.
• Direct links. The text you see in an email is not necessarily where the link goes: the visible text can say one address while the underlying link points somewhere else, and a shortened URL hides the destination entirely. Always go directly to the source rather than clicking on an email link, or hover over the link to see the actual destination before you click. You may be surprised to see where the link is pointing.
• If you’re not sure, follow your gut. A phone call or a separate email to the colleague or vendor, using contact details you already have rather than those in the suspicious message, may not only confirm whether the request is on the up-and-up but also alert someone that their account may have been compromised.
• And in all cases, never open unexpected attachments, which may carry malware.
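As an added example, not part of the original post and not DYOPATH’s own tooling, the following Python script applies several of the signs above to a constructed sample message: it compares the sender’s domain against an assumed real domain (companycorporation.com) for hyphenated or typo look-alikes, flags links whose visible text names a different host than the link actually points to, and notes generic greetings and threatening subject lines. The sample message, the trusted domain, the phrase lists and the edit-distance threshold are all assumptions made for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: the organization's genuine mail domain.
TRUSTED_DOMAIN = "companycorporation.com"
GENERIC_GREETINGS = ("valued user", "valued customer", "attention client", "dear user")
THREAT_PHRASES = ("about to close", "final warning", "suspended", "within 24 hours")
# Visible link text that names a host, e.g. "https://payroll.example.com/login".
HOSTLIKE = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:[/?#]|$)", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a, b):
    """Edit distance between two strings; a distance of 1 or 2 usually means a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain_verdict(domain, trusted=TRUSTED_DOMAIN):
    """Return why `domain` looks like an imitation of `trusted`, or None if it does not."""
    d = domain.lower().strip()
    if d == trusted or d.endswith("." + trusted):
        return None  # the real domain, or a genuine subdomain such as hr.companycorporation.com
    d_name, t_name = d.split(".")[0], trusted.split(".")[0]
    if d_name.replace("-", "") == t_name:
        return "hyphenated look-alike of " + trusted  # company-corporation.com
    if levenshtein(d_name, t_name) <= 2:  # assumed threshold
        return "typo look-alike of " + trusted  # cmopanycorporation.com
    if t_name in d:
        return "trusted name embedded in an unrelated domain"  # companycorporation-login.example
    return None


def link_verdicts(html):
    """Flag links whose visible text names one host while the href points at another."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        m = HOSTLIKE.match(text)
        if m and m.group(1).lower() != real_host:
            findings.append(f"link text shows {m.group(1).lower()} but points to {real_host}")
    return findings


def analyze(raw_message):
    """Run the sender, subject, greeting and link checks over an RFC 822 message; return findings."""
    msg = message_from_string(raw_message)
    findings = []
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if m:
        reason = sender_domain_verdict(m.group(1))
        if reason:
            findings.append(f"sender domain {m.group(1)}: {reason}")
    subject = msg.get("Subject", "").lower()
    findings += [f"threatening subject phrase: '{p}'" for p in THREAT_PHRASES if p in subject]
    body = ""
    for part in msg.walk():  # prefer the first HTML part; fall back to plain text
        if part.get_content_type() in ("text/html", "text/plain"):
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            if part.get_content_type() == "text/html":
                break
    findings += [f"generic greeting: '{g}'" for g in GENERIC_GREETINGS if g in body.lower()]
    findings += link_verdicts(body)
    return findings


# Constructed sample for this example (not a real message): a payroll-credential lure.
SAMPLE = """\
From: Payroll Team <payroll@cmopanycorporation.com>
To: employee@companycorporation.com
Subject: Final Warning: your payroll account is about to close
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello Valued User,</p>
<p>Confirm your login within 24 hours at
<a href="http://login.payroll-verify.example/confirm">https://payroll.companycorporation.com/login</a>
or direct deposit will be suspended.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("-", finding)
```

Run as a script, it prints the five findings for the sample: the typo look-alike sender domain, two threatening subject phrases, the generic greeting, and the link whose text claims payroll.companycorporation.com while pointing at login.payroll-verify.example. The link check only fires when the visible text itself names a host, so a link labeled “Confirm now” still has to be hovered over or inspected by the reader, and the trusted-domain list and edit-distance threshold would need tuning before use in a mail gateway.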
The FBI also suggests, in response to the New Jersey phishing email scheme, these additional precautions:
• Employees should forward suspicious requests for personal information to the information technology or human resources department of their organization.
• Ensure that login credentials used for payroll purposes differ from those used for other purposes, such as employee surveys.
This month (October) is the fifteenth annual National Cybersecurity Awareness Month (NCSAM), an initiative to raise awareness about the importance of cybersecurity.
There is plenty of information you can find in support of NCSAM, but one report we found particularly helpful was the Cybersecurity Awareness Toolkit for Small and Medium-Sized Business, as published by the Cyber Security Alliance, Facebook and MediaPro. This toolkit includes a great deal of information on how to identify phishing email tactics.
The toolkit also splits the people in an organization into three general groups of phishing targets, with warnings on why each group is attractive to attackers:
General Population Phishing. The best way into an organization’s network is through its employees, especially when their level of alertness to cybercrimes may be uneven.
HR Manager. HR professionals must be particularly wary when it comes to phishing emails seeking personal information, as they are often the keepers of employee tax and health documents.
Executive Phishing. As privileged users, many executives have greater access to an organization’s network, making them particularly attractive phishing targets.
Whether someone is on the top rung or still climbing the company ladder, their awareness of phishing email techniques can make a big difference in the security of an organization.
We recently wrote a two-part blog post on phishing, and the most common techniques hackers are using to steal your information (check out our phishing blog post part 1 and phishing blog post part 2). Among those techniques we described were phishing email schemes, just like those in New Jersey and Atlanta.
No matter what phishing technique is used, everyone always thinks, “It won’t happen to me,” or, “I’m too smart to fall for that.” But even the best of us can make a mistake. So, what do you do when you mess up, or someone at your business or school organization does?
Contact DYOPATH. At DYOPATH, we are experts at beefing up your online security to protect your organization from malicious schemes, including employee training in best practices, proactive patch management for desktops, servers and network infrastructure, and the installation of backup protection. We are also experts at helping you rebound from an attack or natural disaster. With DYOPATH Security offerings you have access to a wide range of collaborative and customized protective services. Let us help you avoid being victimized. After all, falling prey to a phishing email scheme is a mistake, but doing nothing to prevent it from happening may be an even bigger one.