Think Before You Click: How to Avoid Phishing

According to a recent InformationWeek article, a specific type of deceptive Internet fraud called “phishing” has been rising in both frequency and complexity over the last couple of years, even as other forms of generic spam have declined. In a phishing attack, the cyber-criminal contacts the victim through email, instant messaging, or social media while disguised as a trusted organization, colleague, or friend, and attempts to obtain the victim’s sensitive information. In the most common form of phishing, the criminal pretends to be an organization such as a bank, an online payment company (PayPal, eBay), a government agency (the IRS), an online email provider, or a social media site. The con-man contacts the victims by email and asks them to “verify” or “confirm” their account information, for example by re-entering their usernames and passwords. If fooled, the marks send the criminal their account information either by replying to the email or by visiting a website the criminal links to and filling out a form there. Phishing can deceive even cautious and advanced Internet users because both the fake email and the fake website look extremely similar to the real company’s versions. This kind of phishing can also be done over social media and instant messaging. Some also consider the practice of tricking people into clicking malware-infected links or files to be phishing (though most classify these more generally as “social engineering” attacks, of which phishing is a subcategory).

Phishers stole a total of $3.2 billion from U.S. Internet users in 2007, averaging $886 stolen per incident. The frequency of phishing attacks began to decline in 2008 but has recently climbed back up to similarly high levels, according to an IBM security report released last week. The popularity of social media sites accounts for much of the increased activity. Social media sites encourage phishing because: 1) simply, they contain other accounts that phishers want access to; 2) they make public information that can be used to fool victims; 3) many accounts have already been hijacked, allowing phishers to pose as companies, colleagues, and friends; and 4) social media sites lack the customer support and fraud protection resources needed to help users regain control of hijacked accounts.

Phishers target businesses, too. In 2006, companies in the U.S. lost an estimated $2 billion to phishing. Unsuspecting users can pass company-related logins and financial information to criminals either directly or by compromising accounts that contain organizational data. In a practice called “spearphishing,” phishers may also target the heads of companies to gain complete access to an organization’s finances. On the flip side, businesses can also be harmed when they become the phisher’s “bait,” that is, when the fraudster sends fake emails or other messages pretending to be from the company. According to a 2007 survey, 40% of people would lose trust in an organization if a phisher sent messages pretending to be from the company, even if the company had no knowledge of and nothing to do with the fake messages.

IronOrbit packages all of its solutions with a security infrastructure that protects its clients from the vast majority of common Internet threats. Our patented Orbital Security System repairs vulnerabilities and prevents, repels, and removes problems at the physical, operational, backup and disaster recovery, and logical and system levels. By default, IronOrbit guards against internal threats like leaks, unauthorized access, and irresponsible handling of sensitive data, and external threats like malware, spyware, and other intrusion attempts. But despite these extensive security measures, IronOrbit cannot stop users from unwittingly handing sensitive information such as usernames, passwords, and credit card numbers to cyber-criminals. Nor can we control much of what users do on social media sites, unless the company prefers that these sites be blocked for productivity and security reasons. We offer these tips to our users to both protect themselves from and minimize the damage of any potential phishing incident:

- Be aware that the email and social media accounts of friends and colleagues can be, or may already have been, compromised. Consult with them in person or over the phone before sending any sensitive information or data they may have requested. Always be careful when clicking links or opening files, no matter who sent them.

- Phishing messages from inept fraudsters should be easy to spot by their misspellings, strange wording, and lack of logos or other visual decoration. Phishing attempts by more sophisticated criminals may be harder to suss out, but they generally contain less personal and specific information than a real message (saying “Dear user” or “Dear customer” instead of addressing you by your name or username).

- If you aren’t sure whether a message is real or fake, contact the organization directly, using contact details you already have rather than those in the message, to confirm that they actually need the requested information.

- If you suspect that you have become a victim of phishing, immediately change the usernames and passwords of the affected accounts and of all accounts associated with them. If your account has already been hijacked (the phisher has changed the login information so that you cannot log in), contact the customer service department of the organization that manages your account.

- Lastly, businesses should warn both their employees and their customers of the dangers of clicking unknown links and sending information to unknown entities. A company should inform its customers from the start when (if ever) it will ask them to verify account information.