Author: Leonard Rivera
Social engineering is the use of deception to manipulate individuals into doing something they wouldn’t normally do.
According to the National Institute of Standards and Technology (NIST), phishing is:
“[A] technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.”
According to Wombat, there are “3.4 billion phishing attacks per day which are highly effective 76% of the time.”
The cost of social engineering attacks is “1.6 billion dollar impact per business on average, ransomware, impact to customers, legal fees, brand and reputation cost.”
The goal of phishing is to “trick individuals into disclosing sensitive personal information through deceptive computer or electronic communications,” according to NIST.
These goals include:
Spear phishing is a targeted attack that uses information gathered from open sources to build specific background knowledge, which makes the deception more convincing. Fake emails built around details taken from social media profiles are often used to extract further information from the target.
Spoofed emails, meaning emails whose sender address looks similar to a legitimate sender's but contains slight spelling errors or a mismatched domain, are red flags of spear phishing.
Whaling is “a specific kind of phishing that targets high-ranking members of organizations,” according to NIST. This type of phishing uses many of the same techniques as spear phishing, but aims to obtain high-level executive information or attributes that can be used to exploit a business.
Fake DocuSign documents are often used to obtain signatures or other credentials. Information gained from lower-level personnel’s emails may be used to launch a targeted whaling attack. A common indicator is a request that breaks company process, procedure, or protocol.
Once a target’s username and password are captured, phishing scammers use software to try the same credentials on other related websites and send fake login pages for benefits portals and other common services. Once access is gained, the password is changed to lock the legitimate user out and/or to take advantage of the account.
Smishing employs many of the same tactics as typical phishing, but uses a different attack distribution channel (or “vector”): text/SMS. For example, you might receive a text message saying that your Apple ID or another account is disabled, followed by a “bit.ly” link (example: http://bit.ly.2ol59Uu). Clicking the malicious link gives attackers access to your accounts. Even phone numbers can be spoofed to seem like they are coming from your local area.
Vishing is phishing that occurs over the phone. An example would be a call from a person claiming to be Microsoft tech support who says they noticed a problem with your computer. “Can you log in to your device so we can fix it?” they might ask, directing you to a website that is actually malicious.
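Two of the red flags described above, a sender domain that is a near-miss of a real one and a shortened link like the bit.ly example in the smishing text, can be checked mechanically before a message reaches a user. The Python below is an added example, not code from the original post or from EnableIP; the trusted-domain allowlist and the shortener list are constructed assumptions, and the brand-name heuristic is deliberately loose, so its findings are meant for human review rather than automatic blocking.

```python
import re
from urllib.parse import urlparse

# Constructed lists for this example: domains that legitimately send mail here,
# and public URL shorteners, whose links hide the real destination.
TRUSTED_DOMAINS = {"microsoft.com", "docusign.com", "apple.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def under(host, domain):
    """True when host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def check_sender(address):
    """Flag a From: address that is a near-miss of, or borrows the name of, a trusted domain."""
    m = re.search(r"@([a-z0-9.-]+)", address.lower())
    host = m.group(1).strip(".") if m else ""
    if any(under(host, t) for t in TRUSTED_DOMAINS):
        return []  # genuinely sent from a trusted domain
    findings = []
    for trusted in TRUSTED_DOMAINS:
        if 0 < edit_distance(host, trusted) <= 2:
            findings.append(f"lookalike sender domain {host} (near {trusted})")
        elif trusted.split(".")[0] in host:
            findings.append(f"sender domain {host} uses the {trusted} name but is not {trusted}")
    return findings

def check_links(text):
    """Flag shortened links and lookalike hosts in an email body or SMS text."""
    findings = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if any(host == s or host.startswith(s + ".") for s in SHORTENERS):
            findings.append(f"shortened link hides its destination: {url}")
        elif not any(under(host, t) for t in TRUSTED_DOMAINS):
            findings.extend(f"link host {host} looks like {t}"
                            for t in TRUSTED_DOMAINS if 0 < edit_distance(host, t) <= 2)
    return findings
```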
Customer support and call centers are frequent targets of voice phishing, so be sure to train your employees. IT help desk or other Tier 1 support is also susceptible to vishing.
Small businesses that don’t have IT support are the most vulnerable to phishing scams because they are more likely to have old software, missing updates, or unsupported operating systems.
While not 100% foolproof, one method to defend against phishing is to implement a layered defense — that way even if one tactic doesn’t work, another defense will.
Lack of resources also means it’s important to find a quality outsourcing alternative. Find an MSP that can provide basic IT and network security.
Lastly, report phishing to your email provider. Report vishing to your cell phone company.
Here’s what to look for when receiving a suspected email, Text/SMS, or phone call:
Trust your “spider sense” — if something’s not quite right, rely on your instincts and double check or make a call to check it out.
EnableIP is a telecom solutions provider founded by Wired Networks’ founder Jeremy Kerth and head engineer Steve Roos after they realized there was a deep market need for helping mid-size businesses establish better uptime rates for their Wide Area Networks (WANs). Armed with the best-in-class carriers and partners, Jeremy and Steve set out with a bold plan: Guarantee better uptime rates than the industry standard of only 99.5%.
Their bold plan became a reality. EnableIP’s solutions guarantee clients 99.99% (even 99.999%) network uptime. But we don’t stop there. Many telecom providers promise high availability network solutions but fail to deliver because they’re in the business of providing services, not solutions.
That’s the EnableIP difference: We deliver highly available networks by providing a complete system (called “Cloud Assurance”) that ensures 99.99% or above uptime.
We deliver this bold promise by: