Your IT Support Experts - Homepage

We partner with many types of businesses in the area, and strive to eliminate IT issues before they cause expensive downtime, so you can continue to drive your business forward. Our dedicated staff loves seeing our clients succeed. Your success is our success, and as you grow, we grow.

Home

About Us

IT Services

Understanding IT

News

Blog

Contact Us

Support

(703) 359-9211

Free Consultation

Interested in seeing what we can do for your business? Contact us to see how we can help you! Sign Up Today

Macro Systems Blog

Macro Systems has been serving the Metro Washington, DC area since 1997, providing IT Support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses.

You and Your Employees Must Recognize the Numerous Types of Phishing Scams

You and Your Employees Must Recognize the Numerous Types of Phishing Scams

Phishing scams have one of the most descriptive names in all of computing, mostly because of how similar phishing is with fishing. When someone goes fishing or phishing, bait is dangled in the hopes of getting a bite, and different types of bait can be used, depending on the catch one is trying to make.

Just as one can fish with live bait, lures, or flies, there are alternative methods a cybercriminal can utilize in their phishing attack. Thus, in order to truly protect your organization against phishing attempts, you need to ensure that you and your employees can identify all of the different phishing methods they may be faced with. These practices are good to take home with you too, as personal email accounts are also targets of phishing.

Deactivation Threats
Too often, an organization will appear to send someone a notice that their account is going to be deactivated, and they have to follow a provided link to log back in - right now - in order to preserve their account. This "friendly" email will also suggest that they update their credit card information...

These types of scams are easy to recognize if the service that is being deactivated isn’t one that is actually used. On the other hand, some organizations have accounts with a substantial number of companies, so it can be difficult to keep track without the proper systems in place. These scams are only more convincing if there is actually an account with the service that is apparently reaching out. Even worse, it isn’t uncommon for these scams to come with warnings against scams or claims of security, or one that actually links to the legitimate company website.

To protect your organization against these scams, it never hurts to try the URL test. Hover your mouse over any links without clicking, and check to see if the URL matches what you would type into your browser. An even safer course of action is to reach out to the company directly via another method, such as sending a fresh email to their support or giving them a call instead to confirm that the email was sent from them.

Nigerian Scams
These 'popular' scams probably first pop into your mind when you hear the phrase “email scam.” You know: out of the blue, someone contacts you with a request that you assist them in moving a large sum of money, with a considerable portion of it going to you for your troubles. These scams are known as such because the first wave of them originated in Nigeria, pertaining to a Nigerian prince. However, instead of riches as their reward, victims of these scams have their own finances stolen, and are even sometimes arrested if they are lured to Nigeria itself, as has happened in the past (after all, they are conspiring to remove Nigerian monies from the country).

These scams, like many others, can be foiled by the old adage, “If it’s too good to be true, it probably is.” Nonetheless, many people from all walks of life and levels of presumed intelligence have been fooled by these scams.

Government Threats
Luckily, most of Orwell’s 1984 can still be considered fiction, but these scams rely on the opinion that Big Brother is very real, and very much out to get us, especially if one is engaged in behavior that isn’t considered acceptable in public context, or is just plain illegal. These types of phishing scams are the ones which claim that the FBI is about to kick down a user’s door for illegally downloading content or watching adult materials. The only way the guilty user can save themselves is to pay immediately using the provided link. Sometimes, that's the only thing the computer can do at this point, because the scam included some ransomware that’s locked the computer up. That’s something you should never do, because it only encourages the hacker to continue their actions, and there’s no guarantee that the hacker will live up to their end of the deal.

These scams can take a few different shapes. Some scammers like to phish users by creating a fake alert that malware has taken over the computer, so someone needs to remote in and fix it. This way, if a scammer is trying to gain access to your device, they just need to wait for you to give it to them. Don’t.

If your computer has been infected with ransomware as a side effect of this scam, you’re going to have to wipe your computer and start fresh from a comprehensive backup solution (which is something that your business definitely needs to have). This is irritating, but it is a much better alternative than paying a huge sum that will most likely not result in getting your access back. Otherwise, all you need to do is ignore the email, after reporting it to IT, of course. The Federal Bureau of Investigation (or whoever is allegedly about to storm your location) has more important things to do than hunt you down, unless there’s a different reason they may want to.

Wire Transfer Scams
Proving that something as simple as phishing can turn even the biggest companies into victims, one only has to look to Google and Facebook for an example. A combined $100 million was taken from the companies when a scammer named Evaldas Rimasauskas posed as hardware supplier Quanta Computer. Essentially, by examining the accounting department’s records, Rimasauskas was able to fraudulently submit invoices and collect his bounty from the Internet giants over a period of two years.

Once again, the most effective way to stop these kinds of scams is to simply have the controls in place to prevent them from being effective. Make sure that any money transfers are fully vetted, verified, and authenticated before sending them, and ideally, the computers used to send them should be isolated from the Internet and your network unless actively in use.

Work Mules
The Internet has made the job-hunting process a easier for many people. Sadly, it also makes it a lot easier for scammers to launder the money they have stolen by leveraging these job-seekers as unwitting co-conspirators. By hiring people on these job sites, a scammer will deposit their ill-gotten funds into their accounts, with orders to transfer that money to another account or to convert it into a cryptocurrency. Many will include these tasks as a part of a greater list of responsibilities to make the “job” seem more legitimate. Some will pay a salary, and others will just have the “employee” keep a portion of the deposited money.

While it may sound like a dream job, this kind of work is more of a legal nightmare for those involved, seeing as it is a crime. Anyone who unwittingly participates in these scams needs to cut ties with the scammers and retain some legal counsel, as they could very well face money laundering charges.

SMS Phishing
Thanks to cellular devices, phishing has been able to go mobile in a few big ways: phishing via SMS, or ‘smishing’, and phishing via spammy social engineering voice calls, or “vishing”. Smishing just takes the typical phishing email and transplants it to a text message. Vishing prompts you to input sensitive information through a recorded message. For example, a standard vishing attempt might appear to come from your credit card company and ask you to input your card number to confirm whether or not you’ve been breached. If you hand over your number, the answer is automatically “yes”.

Despite these efforts being relatively very basic, they are often a success for the scammer merely because of the delivery method. Surprisingly, people still don’t anticipate that a scam can come in via text. However, if a message is received that seems suspect, your defense against a potential scam of this kind is just as basic as the scam’s efforts: ignore it and delete it.

SWATting
These phishing scams are very, very dangerous; the wrong move could eventually lead to the loss of life with terrifying ease. Imagine you’re at home, far from your work technology (not counting the mobile device in your pocket), just relaxing at the end of a long day... and a fully-equipped specialized squad of law enforcement officers suddenly bursts through your door, weapons at the ready.

This is the effect of a SWATting attack, in which a cybercriminal spoofs a phone number to call in a serious threat, prompting a massive response from law enforcement. Let’s face it, it’s hard to be productive with sirens blasting outside the office and officers shouting commands into bullhorns outside, let alone when the investigation makes its way inside the office. While you’re distracted, the cybercriminal works on whatever goal they have with the confidence that you’ll be looking the other way for quite some time. Some high-profile cybersecurity experts and reporters have been targeted by these attacks so often, their police departments call them back to confirm that yes, there is an actual emergency before deploying the big guns.

With any luck, this attack will only ever be rolled out against you sparingly, if at all. However, it may not hurt to inform your local law enforcement about these threats before one strikes, especially if you have reason to believe that you may be a particularly good target.

Phone Forwarding
This type of phishing has been around for years. Essentially, instead of your phone ringing when a customer tries to call, the call is forwarded to a phone in the possession of a scammer. This is because the scammer has already reached out to the phone company on your behalf and requested that any incoming calls to your number are rerouted to a phone they control. Alternatively, they may have convinced you or one of your employees to dial a sequence of numbers after reaching out to you.

If yours is the type of business to accept credit card payments, the caller may be only too willing to hand over their card details to the scammer. After all, they’re just trying to place an order. As far as they know, they called you, and are talking to you. This scam can also be used to stick you with their telephone charges. Protecting your organization can be somewhat simple, as long as you’re being mindful. Don’t press buttons based on the request of an incoming call, and make sure you have a reasonably good working relationship with your telephone provider.

SEO Poisoning and Look-Alike Websites
Finally, there are lots of phishing scams that lurk online, waiting for you to click on the wrong link. Scammers are embracing the use of Search Engine Optimization, commonly referred to as SEO.

SEO practices are how some websites are able to rank higher than others when you turn to a search engine for answers. By making certain choices and meeting certain criteria, these websites meet the standards of the search engines well enough that the search engine decides to rank them more highly in the list. For instance, as this was being written, a quick Google search for “seo” returned about 411 million results in less than a second. Based on the factors that Google takes into account, those 411 million results were also sorted by anticipated relevance and the quality of their SEO preparedness.

Alas, this tool can be utilized to a scammer’s advantage as well. A scammer might send you a simple little virus, just a program that brings up a warning for error code 357. There’s no such thing as error code 357, but you may not know that. So, you turn to a search engine (like Google) and look up error code 357. A well-prepared scammer will have created a well-optimized page detailing error code 357 and offering a download to fix it. This download, unfortunately, contains a nasty payload that you just welcomed into your system.

Alternatively, many scammers will just replicate websites in great detail, and using SEO tactics, make it easy for someone doing a quick Google search to click on the wrong one. From there, anywhere the victim can “log in” is an opportunity for their credentials to be stolen.

Fighting Back Against Phishing
Phishing is obviously a little more complicated than many people realize. Fortunately, the pros that work at Macro Systems aren’t those people. If you want our assistance and expertise in setting up solutions that can help keep phishing scams and other threats out, give us a call at 703-359-9211.

How Outsourcing At Least a Little Can Help Your Bu...
Simple Tricks and Shortcuts for Windows 10
 

Comments

No comments made yet. Be the first to submit a comment
Guest
Already Registered? Login Here
Guest
Thursday, November 21, 2024

Captcha Image

Customer Login


Contact Us

Learn more about what Macro Systems can do for your business.

(703) 359-9211

Macro Systems
3867 Plaza Drive
Fairfax, Virginia 22030