Phishing in the Workplace: 3 Attacks and 3 Ways to Protect Yourself

About the time most people learn how to spell phishing, they realize that it is an email-based social engineering tactic to get access to a user’s account or financial information. It probably won’t come as a surprise that phishing is now fairly common on LinkedIn and Text. 

No matter whether it is email, LinkedIn, or text, the tactics the scammers use are consistent. Here are three of the most common tactics being used by scammers today: 

1. Fake Messages from the “Boss” 

This is a particularly insidious and effective tactic. A message is sent via email/text/LinkedIn to the user with an urgent request to contact them from the CEO, CFO, or other high-ranking employees at the company. The scammer typically uses more targeted language in the messages that applies to the business to make the attack more effective. This is typically called a spear-phishing attack because of its more targeted nature.

2. Fake Tech Support Messages  

Some phishers try to mimic the IT support staff rather than an executive to get people to engage. The focus of this type of attack is to get the target to give up their credentials to important company accounts. The attacks usually start with something like “Important Alert: Your Account Has Been Hacked”. The user will then be instructed to click on a link to reset their password and/or give up other important information. The links will always go to fake sites that will not match the company name or name of the software that has been supposed hacked. 

3. Fake Contact Requests 

This is used most often on social platforms like LinkedIn, but it is seen on email and text also. When a fake LinkedIn request comes via email, the link embedded in the email will go to a nefarious site that can load malware or ask for login information. We are often excited to receive a request that might lead to new business, so these attacks are particularly effective on sales and finance staff. 

These are just a few examples, and it is important to know that the types of phishing attacks and the format by which employees are targeted in the workplace continue to expand. Regardless, there are some basic tactics that apply across email, text or LinkedIn. Here are three ways to keep yourself from getting “social engineered” by one of these attacks:

1. Look at the Sender Information 

Whether in email, text, or LinkedIn, the sender’s information will look wrong. Most sending info will have the right name with the incorrect email like: 

Boss Lady <badactor234@gmail.com> 

In the case of LinkedIn, you need to look at their profile picture, name, and work history. The picture will typically be pulled from publicly available photos and the work history will be very limited. 

2. Look for Poor Grammar and Terminology 

While the sophistication of attacks continues to improve, it is difficult to completely mimic a message from a boss, customer, or colleague. If the fake sender is using the term “customer” when you know the real sender always says “client”, you should be concerned. 

“Hey, send me your phone number. I have some important work for you” 

Also, if they send an email to ask for your phone number, you need to think whether that fits with how they would really interact with you. Once they ask for your phone number, and they text you rather than call you then it is 100% a scam. 

 3. Reach out Separately or Just Don’t Respond 

In most workplace phishing attacks, you have alternate ways to communicate with the supposed sender. If you are concerned, reach out to them by a different method – phone call or Slack – and see if that is really them. If you do not have another way to verify the information, and you are not certain if it is legitimate then ‘do nothing’ is not a bad option.

“John, I just received a strange email message that is supposedly from you. Did you just send me something?” 

If the scammer is trying to create a false sense of urgency for the boss or a customer, this is difficult to do. Just remember, though, if it is really an emergency – even in today’s world – they will call you. If it is a social network connection request, just login to the service separately and view the request there rather than clicking the email link. 

There is a lot more your company can do to help including using email filters and text blockers on company accounts and providing cybersecurity training on an annual basis. In fact, for many companies, these actions are required for them to follow industry cybersecurity regulations. If you aren’t certain what tools are available to you, reach out to your company’s IT staff or service provider. They will be happy to help you stay safe!  

Have a Cyber Readiness Plan

12 Cyber Readiness Strategies

Is your business ready to handle a targeted cyber-attack? In the 2020 Thales Data Threat Report, 49% of US companies have already experienced a data breach. To enable you to become more proactive and vigilant in defending against cyber threats, Montra will review 12 Cyber Readiness Strategies to over the next series of blogs.

The first is to have a Cyber Readiness Plan. Your ability to overcome security threats or breaches determines your business’s success and survival. How you handle and protect your data is central to your business’s security and customers, employees, and partners’ privacy expectations.

You need a cyber readiness plan that includes prevention, continuity, and recovery strategies. The Federal Communications Commission provides an excellent planning guide addressing six critical areas for companies to follow and practice: 

1. Privacy and Data Security

2. Scams and Fraud

3. Network Security

4. Email

5. Website Security

6. Mobile Devices

Download the associated cheat sheet to help you quickly navigate these best practices and assess your readiness.

 

PSAP Cyber Risks to 911

CISA Report on Cyber Risks to 911: TDoS

A telephony denial of service (TDoS) attack is a specific type of DDoS attack directed towards a telephone system to bring the targeted system down. These attacks can affect anyone, including our 911 infrastructure, and may often include ransomware requests. 

As such, TDoS attacks present a unique risk to public safety communications stakeholders, including Emergency Communications Centers (ECC), Publics Safety Answering Points (PSAP), and other 911 centers. 

In response, the Cybersecurity and Infrastructure Security Agency (CISA) developed the Cyber Risks to 911: Telephony Denial of Service fact sheet to educate the public safety community on TDoS threats. 

Specifically, the fact sheet reviews:

  • The most common TDoS attack vectors
  • Real-world TDoS incidents and impacts
  • Best practices to mitigate TDoS vulnerabilities

One of the key takeaways is for ECC/PSAPs should consider a managed service provider to address two of these migrations:

  • Implement the National Institute of Standards and Technology Cybersecurity Framework to improve cybersecurity posture
  • Conduct cybersecurity assessments, identify capability gaps and vulnerabilities, and determine appropriate cybersecurity standards

Take Action to Prevent Attacks:  Download CISA’s TDoS fact sheet to see the seven steps to prevent cyber attacks.