“Phishing” sounds like a silly or, at least, misspelled word to most people. “Ransomware” is also fairly mysterious. Most people tend to be dismissive about these issues, until they are victimized themselves.
Dark Reading reports that 91% of cyberattacks start with phishing emails, and when you combine that with the observation from IBM’s X-Force researchers that more than half of all emails are spam, it is highly likely that you have or will soon be a victim of a phishing attack. These are emails that appear to be authentic, sent from someone you know and trust, and usually containing either a link or an attachment that you are asked to open. When you do, the trouble begins.
Attacks like the recent WannaCry and Petya began as phishing emails. Clicking the link or attachment connected victims to a world of malware hurt. Viruses, Trojans, and other malware are loaded onto your device, compromising data, credentials, and more. Often, your data is encrypted and/or stolen. You then receive a ransom demand, which may range from a reasonable few hundred dollars that companies are often more than willing to cough up, to hundreds of thousands. Recently, many attackers have made more modest demands, realizing they are more likely to actually get paid.
Dark Reading adds that “the top reasons people are duped by phishing emails are curiosity (13.7%), fear (13.4%), and urgency (13.2%), followed by reward/recognition, social, entertainment, and opportunity.”
How to Begin Protecting Against Phishing
“Phishing” attacks focus on the most vulnerable segment of your network, the users. It is all too easy for an attacker to fool someone into believing the email they are reading is rea1. They may use a domain name where one of the characters is substituted. For example, did you notice that the last word “real” in the last sentence ended with a numeral one (1) instead of a lower case L? The trusted domain name may also be pushed into the server (subdomain) part of a URL, so www.localbank.com may become www.localbank.dep0sit.com, where the real domain is dep0sit.com; combined with a zero substituted for the letter O, this provides even more confusion.
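As an added example that is not part of the original article, the following Python check applies the two tricks just described, digit-for-letter substitution and the real domain hidden behind a trusted-looking subdomain, the way a mail filter or an awareness tool could screen a link before a user clicks it. The trusted-domain list, the confusables table and the two-label rule for the registrable domain are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed list of domains the organisation actually trusts (assumption).
TRUSTED_DOMAINS = {"localbank.com"}

# Digits commonly swapped for look-alike letters, as in the article's
# "rea1" and "dep0sit" examples. Deliberately small; extend as needed.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumes simple TLDs such as .com;
    multi-part suffixes like .co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike', 'brand-in-subdomain' or 'unknown'."""
    if "://" not in url:
        url = "http://" + url          # urlparse needs a scheme to find the host
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)

    if reg in TRUSTED_DOMAINS:
        return "trusted"

    # Trick 1: after undoing digit-for-letter swaps the registrable domain
    # matches a trusted one, e.g. loca1bank.com -> localbank.com.
    if reg.translate(CONFUSABLES) in TRUSTED_DOMAINS:
        return "lookalike"

    # Trick 2: the trusted name appears only as a subdomain label, while the
    # registrable domain is someone else's, e.g. www.localbank.dep0sit.com.
    subdomain_labels = host.split(".")[:-2]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if any(label.translate(CONFUSABLES) == brand for label in subdomain_labels):
            return "brand-in-subdomain"

    return "unknown"
```

Anything other than 'trusted' is a reason to hold the message or warn the user rather than a verdict on its own, since unknown domains are common in legitimate mail.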
You need to teach your users how to spot these deceptions in their emails. They must be on the lookout for the many ways in which cybercriminals work to fool them. The best place to start is to foster a healthy skepticism about emails. If it feels wrong, it probably is.
IT Professionals Must be Prepared at Several Levels
As an IT professional you must be prepared to coach your users and keep them updated on the most recent tactics in use by phishing attackers.
Once someone has fallen into the trap, however, they will depend upon your knowledge of how to combat malware to help them recover. With attackers lowering their ransom demands, you may find users simply paying the ransom themselves and bypassing you, and some may get burnt for doing so when they do not get their data back.
At the foundation of your anti-phishing, anti-ransomware strategy is education. You must provide ongoing education to your user communities, and you must constantly keep your own training updated to include the most recent malware varieties that you’ll be called upon to combat.
Turn to New Horizons Computer Learning Centers to keep you constantly updated on the current state of cyberattacks. To learn more, call