Beware of Phishing!!!

Hackers will start with low-level employees first, making their way to executives’ accounts.

Hackers are constantly trying to find ways to hack into company accounts. They start off by sending trust-worthy emails to their employees, directing them to a scam website where they ask for them to input their username or password. Once the hacker is able to access the employee’s account, they are able to move towards sending phishing emails to higher-positioned employees, which can potentially compromise the company. 

With this access, they are able to leverage the company’s domain and send emails to others. Scammers compile phishing attacks by jeopardizing small, vulnerable businesses and compromising their trust with business partners that they work with. 

 

In phishing, it’s all about gaining the trust of the recipient, so that they click on it. 

 

There is another phishing scheme that resurfaced called “typosquatting”, or URL hijacking. With this, attackers buy domains that are slightly misspelled of popular websites, like goggle.com or yuube.com. “Spear phishers”, another term for hackers, can sometimes put in various amounts of effort into targeting a specific person. Hackers try a number of different things like creating multiple misleading webpages/websites, create fake social media pages, or fake personal blogs to trick their targets. They create these fake sites that mimic the login screens of trusted services, to get information like email addresses & passwords. 

Sophisticated hackers are willing to sell their services to specific organizations, individuals, or nation-state entities who want to steal information from someone. Some phishing providers offer networks of bots that produce fake websites, while others sell phishing toolkits to clients. 

 

Signs you’ve received phishing emails and how to Spread Awareness:

Check the Web address! Just because the address looks OK, don’t assume you’re on a legitimate site. Look in your browser’s URL bar for these signs that you may be on a phishing site: 

• Always confirm the sender’s email. Sometimes the sender email will look legitimate until you actually click on it. When clicking on the email, you will see if the sender is actually coming from the website stated as shown. 
• Incorrect company name. Often the web address of a phishing site looks correct but actually contains a common misspelling of the company name or a character or symbol before or after the company name. Look for tricks such as substituting the number “1” for the letter “l” in a Web address (for example, www.paypa1.com instead of www.paypal.com).
• “http://” vs. “https://”  at the start of the address on Yahoo sign-in pages. A legitimate Yahoo sign-in page address starts with “https://” ― the letter “s” must be included. So check the website address for any Yahoo sign-in page.
• Be leery of pop-ups. Be careful if you’re sent to a website that immediately displays a pop-up window asking you to enter your username and password. Phishing scams may direct you to a legitimate website and then use a pop-up to gain your account information.
• Give a fake password. If you are not sure if a site is authentic, don’t use your real password to sign in. If you enter a fake password and appear to sign in, you’re likely on a phishing site. Do not enter any more information; close your browser. Keep in mind, though, that some phishing sites automatically display an error message regardless of the password you enter. So, just because the website rejected your fake password, don’t assume the site as legitimate.
• Use a Web browser with anti-phishing detection. Internet Explorer, Google Chrome, & Web browsers other have free add-ons (or “plug-ins”) that can help you detect phishing sites.

 

For more information about Phishing & preventing a cyber-attack contact a Risk Advisor or call (914)-357-8444