Phishing for the Weakest Link

Surveys show that hackers are successful 90% of the time by preying on human error, which can often be attributed to honest ignorance of their clever tactics.

You’d think it would be more complicated to figure out our passwords, our weak points, and our uniquely individual human habits, but we use technology so much today that there’s tons of data for them to look at in cracking our half-hearted efforts.

You’re more attractive than you think

Part of the problem is that everyone assumes it won’t happen to them, that the hackers would have no interest in anything to do with little old you/me/whoever. Well, it depends on what their motive is.

Sometimes they’re interested in you because of who you know. Other times, they’re actually focused on your employer, but are using you as the front door into your workplace and the information that’s held in trust there.

Easy access

The more digital the world has become, the easier our information is to access – convenient not just for us, but also for those who wish us harm. Plus, it’s emotionally much easier for cyber-criminals to abuse trust and trick us, because they never have to see us – they know us only as a data set, which depersonalizes their deep betrayal.

The truth is that we’re vulnerable, digitally. Most of us don’t have the knowledge or expertise to lock our own laptops down properly – we still think that a free antivirus will do the job. Much of the malware is custom-built, so signature-based antivirus never sees it coming; alternatively, computer owners don’t run bug-fix and upgrade checks frequently enough, allowing anything new to slip through.

Even better than the real thing

One of the biggest problems is the website redirect that harvests credentials, passwords or data – these arrive in emails and SMS messages and look almost completely legitimate. Or perhaps those links send you to a web form that asks for personal, private or even banking information.

Often, they look as if they’ve come to you from someone within your organization. Or perhaps they appear to be from a vendor that you regularly do business with. They’ve even been known to come from the CEO (“CEO Impersonation” – really, it’s a thing).

Phishing for the weakest link

Because these are so prevalent – in 38 months between October 2013 and December 2016, over $5.3 BILLION was lost to ‘business email compromise’ phishing scams globally – we thought it would be prudent to look at the eight top ways people give hackers access to their lives and their companies.

  • Fake billing: a huge amount of money is made from billing for services a company never engaged. By positioning it as a ‘renewal’, it often gets by administrators – whom they target because they’re less frequently in the loop about billing than accounts payable.
  • Software tools: office software like Microsoft Office, as well as messaging businesses such as Slack and WhatsApp, have all been targeted to great effect by hackers. They go after these platforms because they know this is where people do business.
  • Mobile devices are used prolifically by businesses who haven’t all yet established policies and best practices for them, believe it or not. For this reason – and because there is little cyber-security training in corporations – the success rate for mobile phishing scams is almost 60%. Sometimes known as SMiShing, it uses tactics similar to email phishing, concentrating on building trust with an employee, then sending them a link or file that infects their device.
  • Invoice phishing is an email that comes bearing an attachment that appears to be an invoice. However, when opened, it runs a Trojan install that targets the company’s banking.
  • Phishing for travellers: if a cyber-criminal is able to identify someone who travels a great deal as part of the job, that person can be a very easy target. They simply send an email with what looks to be a link to a travel itinerary, which instead sends the traveller to a site that harvests information or installs malware that provides a gateway to their computer.
  • File-sharing phishing: most companies have a file-sharing medium, whether Dropbox, Google Drive or a SharePoint. However, once someone has let a hacker in through malware, the hacker is able to access these shared files and infect further computers, leaving the company wide open.
  • Phishing for taxes: the time of year when accountants, HR departments, and pretty much everyone else is racing to get things into the CRA by the deadline is the perfect time to take advantage. They send what looks like an email from HR, or a request from an employee. If it appears to come from a legitimate source such as a government organization or accountant, links will often take people to spoof websites that look realistic, but are actually veneers that trick people into entering personal, sensitive information. This information can then be resold or used for other nefarious reasons.
  • Phishing with RFPs: with payouts large enough to afford hackers the time to identify, surveil and understand a new target, it’s easy to fall prey to their tactics. A hacker who has breached your email will know when you’ve applied for more work. They’ll often send you a tender follow-up from a legitimate company or partner that asks you for bank details in order to process the bid. Alternatively, any PDF they attach can launch a malware infection once opened.
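The CEO-impersonation, fake-renewal and RFP tactics above all leave traces in the message headers before anyone clicks. The script below is an added defender-side example, not code from Alexio or from the original post; the organization domain, the executive name list and the four sample messages are constructed for illustration, and the 0.85 similarity threshold is an assumed cut-off for lookalike domains.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

# Constructed facts about the defended organisation (assumptions for this example).
ORG_DOMAIN = "example-clinic.ca"
EXECUTIVE_NAMES = {"anne genge"}            # display names a spoofer would borrow
FINANCE_WORDS = ("invoice", "renewal", "bank details", "wire", "tender")
LOOKALIKE_RATIO = 0.85                      # assumed threshold, tune per deployment

def sender_domain(header_value):
    """Bare, lower-cased domain of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rsplit("@", 1)[-1].lower()

def flag_message(raw):
    """Return the list of phishing indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To")) or from_dom
    subject = (msg.get("Subject") or "").lower()
    hits = []
    # CEO impersonation: a known executive's name on an address outside our domain.
    if name.strip().lower() in EXECUTIVE_NAMES and from_dom != ORG_DOMAIN:
        hits.append(f"executive display name on outside address <{addr}>")
    # Replies quietly redirected to a domain other than the visible sender's.
    if reply_dom != from_dom:
        hits.append(f"Reply-To redirects answers to {reply_dom}")
    # Sender domain that is almost, but not quite, ours (e.g. a dropped letter).
    if from_dom != ORG_DOMAIN and \
            difflib.SequenceMatcher(None, from_dom, ORG_DOMAIN).ratio() > LOOKALIKE_RATIO:
        hits.append(f"lookalike sender domain {from_dom}")
    # Fake billing / RFP bait: payment language arriving from outside the organisation.
    if from_dom != ORG_DOMAIN and any(w in subject for w in FINANCE_WORDS):
        hits.append(f"payment talk from outside the organisation: {msg.get('Subject')}")
    return hits

# Constructed sample messages; only the headers matter for these checks.
SAMPLES = {
    "ceo_gmail": 'From: "Anne Genge" <anne.genge@gmail.com>\nSubject: Quick favour\n\nAt your desk?\n',
    "fake_renewal": 'From: Billing <billing@vendor-portal.net>\nReply-To: pay@vendor-portal-secure.net\n'
                    'Subject: Renewal invoice overdue\n\nPay now.\n',
    "lookalike": 'From: IT Support <helpdesk@example-clinc.ca>\nSubject: Password reset required\n\nClick.\n',
    "internal_ok": 'From: "Anne Genge" <anne@example-clinic.ca>\nSubject: Invoice for March\n\nAttached.\n',
}

def scan_samples():
    """Run every constructed sample through flag_message and map name -> indicators."""
    return {name: flag_message(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(name, "->", hits or ["clean"])
```

Heuristics like these belong alongside, not instead of, SPF/DKIM/DMARC enforcement; they catch the display-name and lookalike tricks that authentication alone does not.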

Alexio Cares

Knowing is half the battle – indeed, in about 90% of the cases, it’s actually one hundred percent of the battle. If employees had received adequate cyber-security training, they wouldn’t have fallen prey to the tactics that brought them down.

However, employees can’t be blamed as long as the businesses they work for don’t prioritize it. And many businesses are so busy simply keeping up with customer traffic and demands that it’s difficult for them to prioritize or investigate cyber-security weaknesses and solutions for their firm.

That’s where we step in. Built by a family team based in Markham, Canada, Alexio is a full-service security solution for any small business, specializing in the advanced needs of healthcare practices.

Book a call and we’ll be happy to help you with the cyber-security solutions you need. At minimum, take advantage of our FREE micro-training to help keep you and your staff in the know on the basics of business breaches – sign up here to receive a 60-second video each week for 10 weeks and better protect your business’s data.

Anne Genge, CEO Alexio Corporation

Anne Genge is the CEO and co-founder of Alexio Corporation. She and her team of certified privacy and security professionals help dentists, physicians, and other healthcare providers to secure their data & systems, and comply with privacy laws & college mandates. She is a firm believer that good training in cyber-security is the key to protecting not just her family and clients, but also government bodies and major corporations. To this end, she has partnered with many organizations, including the Canadian Dental Association, to produce training in order to reduce the frequency of human error resulting in a security breach.