With the rise of phishing scams, IT consultants have taken on a new role: superhero. They may not wear capes (at least not every day), but they do protect their clients from online crooks.
We talked to several IT consultants to learn about the most common email phishing scams their clients fall for and how they help clients avoid phishing attacks.
1. Spear Phishing
What it is: Spear phishing is a type of email phishing attack that is carefully researched and customized for its intended recipient.
"Unlike regular phishing emails, which are sent out in great numbers to victims who have no relationship to each other, spear phishing emails are highly targeted and sent to only a few select victims at a specific organization," says Mike Baker, founder and managing partner of Mosaic451 (@Mosaic451), a managed cyber security service provider and consultancy. "Phishers typically perform research before launching their attack. Hackers examine the target company's website and social media networks and learn about the company's employees, their positions and responsibilities within the company, even their personal interests and hobbies – anything that they could use to make the phishing email look more genuine."
For a quick overview of spear phishing in action, check out this video. It was produced by Cisco and sent to us by Tom Evans, a retired IT professional who provides security awareness training for Ashton Technology Solutions (@AshtonSolutions), whom we interviewed for "Spear Phishing Will Continue to Keep IT Consultants Busy in 2017."
How to combat it: This one's tricky because some spear phishing emails are convincing. You may suggest clients establish a way to verify the authenticity of a request that comes via email, especially if it involves transferring sensitive information.
2. Whale Phishing
What it is: When phishers target the head of an organization, that's whale phishing. People at the top are the "big fish" that have access to valuable information.
"We have seen C-level executives targeted with custom spear phishing attacks that access their domain or Office 365 credentials, allowing an attacker to access detailed corporate document shares from anywhere in the world," says Christopher Ensey (@EnzOnInfoSec), COO of Dunbar Security Solutions (@DunbarArmored). "The attacker will access and then present copies of contracts and client databases and demand payment to keep them private."
While a successful whale phishing expedition can mean a big payout for phishers, that doesn't mean they don't also go after lower-level employees at a company.
"Phishing targets executive admins, human resources, and finance departments just as often," says Ensey. "If you can convince someone that is in payroll to open an attachment or provide their credentials, you can gain access to detailed W-2 information companywide."
How to combat it: One way Ensey says his company protects clients against both spear and whale phishing is by encouraging them to store sensitive data in the cloud.
"With cloud services, this access is harder to track without proper security protections," says Ensey. "We recommend that organizations using cloud services for payroll, benefits management, or document management leverage single sign-on and strong multi-factor authentication methods."
3. Email Attachments
What it is: Sending a generic email with an attachment that contains malware is a very successful phishing tactic. By making the email appear as ordinary and routine as possible, attackers trick many recipients into opening the attachment.
"Emails containing resumes, invoices, shipping labels, payment information, etc., are prevalent right now," says Matt Ham, president and owner of Computer Repair Doctor (@CompRepairDoc). "And it's smart because small businesses usually have a lot of vendors and it's easy to see a generic email about one of those items and think it's legitimate."
In many cases, these scams prey on the recipient's desire for either money or a package. A common ploy may ask the recipient to click on a fake tracking number or open an attachment with details about a phony wire transfer.
How to combat it: To help clients learn how to prevent phishing scams, Ham is a big proponent of education.
"The biggest thing to do for clients is educate them," says Ham. "Educating clients on how to spot a phishing email, how to constantly be aware of what they are clicking on, and how to determine the legitimacy of an email are all crucial factors. It's much more important to do this than have an up-to-date antivirus, firewall, etc. The people aspect is the most important."
4. Ransomware
What it is: These are phishing emails with ransomware attachments. Once a recipient clicks on the attachment, the ransomware can wreak havoc on their systems, allowing attackers to hold data hostage in exchange for money.
As we covered in our article "Why IT Consultants Should Use the WannaCry Cyberattack as a 'Teaching Moment,'" ransomware shows no signs of going away.
"The ransomware industry has grown and will continue to grow with amazing speed in the years to come, thanks in part to the spread of untraceable cryptocurrency such as bitcoins and the proliferation of ransomware kits on the dark web," says Adnan Raja, vice president of marketing for Atlantic.Net (@AtlanticNet), a web hosting solution provider.
How to combat it: Again, one of the best ways you can teach clients how to avoid phishing and ransomware is to provide training about common ransomware traps.
"There are many steps organizations can take to protect themselves from ransomware attacks," says Raja. "On many occasions, these attacks succeed because employees haven't been properly trained to recognize and avoid suspicious links or email attachments. Proper email security training, as well as establishing better rules for email attachments and which users are allowed to run executable files and install software, can go a long way toward bolstering your defenses against a ransomware attack."
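The attachment rules Ham and Raja describe, as one added example that is not from the original article or from either consultant: a Python check that parses a constructed "overdue invoice" lure and flags each attachment by blocked extension, hidden double extension, and a Windows executable header hiding behind a document name. The extension lists, the sender and recipient addresses, and the sample message are all assumptions made for this example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Rule set assumed for this example (not an interviewee's policy): extensions
# blocked outright, and document/archive extensions often used to hide a
# second, executable extension (invoice.pdf.exe).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd",
                      ".ps1", ".hta", ".docm", ".xlsm"}
LURE_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip"}


def attachment_findings(filename: str, data: bytes) -> list[str]:
    """Return the rule violations for one attachment; an empty list means it passes."""
    name = (filename or "").lower()
    stem, ext = os.path.splitext(name)
    inner = os.path.splitext(stem)[1]  # the extension before the last one, if any
    findings = []
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"blocked extension {ext}")
    if inner in LURE_EXTENSIONS and ext != inner:
        findings.append(f"double extension {inner}{ext}")
    # Check the bytes, not just the name: a Windows PE executable starts with "MZ".
    if data[:2] == b"MZ":
        findings.append(f"executable payload (MZ header) behind name {name}")
    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename in a raw RFC 5322 message to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {part.get_filename() or "(unnamed)":
            attachment_findings(part.get_filename(), part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()}


def flagged_attachments(report: dict[str, list[str]]) -> list[str]:
    """Names the rule would quarantine instead of delivering to the user."""
    return [name for name, findings in report.items() if findings]


def sample_message() -> bytes:
    """Constructed invoice lure of the kind described above; every value is made up."""
    msg = EmailMessage()
    msg["From"] = "billing@vendor.example"
    msg["To"] = "payroll@company.example"
    msg["Subject"] = "Invoice 4471 overdue"
    msg.set_content("Please see the attached invoice and candidate resume.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 13, maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 13, maintype="application",
                       subtype="msword", filename="resume.docx")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()
```

Running `scan_message(sample_message())` returns the findings per attachment; only `statement.pdf` passes, and the two disguised executables are listed by `flagged_attachments`.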
Another way you can help protect your clients is by sending them our eBook Small Business Guide to Identity Theft Prevention and Data Security. It offers small-business owners tips and information on safeguarding their data. That way they will be protected, even if you are off fighting cybercrime in another part of the city.
About the Contributors
Mike Baker is founder and managing partner at Mosaic451, a managed cyber security service provider (MSSP) and consultancy with specific expertise in building, operating, and defending some of the most highly-secure networks in North America. Mike has decades of security monitoring and operations experience within the US Federal Government, utilities, and critical infrastructure.
Christopher Ensey is a 15-year cybersecurity veteran with an entrepreneurial spirit. He is currently COO of Dunbar Security Solutions, where he has delivered rapid growth through strategic partnerships and high-margin Managed Security Services Provider (MSSP) offerings.
Matt Ham is the founder and CEO of Computer Repair Doctor. Matt graduated from Columbia University with a Masters in Mechanical Engineering before moving from New York City to Tallahassee, Florida, and founding Computer Repair Doctor. Computer Repair Doctor is a phone repair, computer repair, and laptop repair company with locations throughout the United States.
Adnan Raja is the vice president of marketing for Atlantic.Net, a trusted web hosting solution that offers HIPAA-compliant, managed, dedicated, and cloud hosting.