Tag Archives: whaling

Consumer Watch: Scam terms and what to guard against

Hopefully, no reader felt any unwanted twinges from last week’s scamming procedures. Combine those with today’s list for savvy consumerism.

  •  Ransomware — a program that almost knocked yours truly upside the head last week — restricts or disables a computer, hijacks and encrypts files, then demands a fee to restore the machine’s functions. As savvy as I like to think I am, I believed most ransomware hit businesses, rather than individuals. Nope. Luckily, I contract with a smart IT expert (Chris Wesson) who told me to do the exact opposite of what the program instructed. Lesson learned. Anytime you’re remotely suspicious of a computer activity, call your provider immediately before taking other action.
  •  Scareware is a program that gives an on-screen warning saying you’re being infected by nonexistent viruses. Its objective is to trick users into installing malware or buying false antivirus protection.
  •  Skimmer is a tiny device that deducts cash from your ATM account and gathers credit card information from a gas pump or restaurant, among other robberies. These aren’t the only scenarios. That little magnetic stripe on credit and debit cards is the skimmer’s target, so be cautious about handing over your cards to anyone you don’t know for any service whatsoever, and be extra careful to ensure any slot you slide your card into is vacant. Inspect the card reader to be sure it’s identical to others nearby, is firmly in place and no small camera can be seen around. Never use a debit card at the gas pump so you won’t have to input its PIN.
  •  Smishing is a phishing attempt that goes to your mobile devices via text messages. The assault “advises” the user to call a toll-free number, which often plops lots of change into the pockets of the Smisher.
  •  Spear-phishing uses phishing with personalized email, often appearing to be from someone you know. (Many robocalls with local area codes fit this bill.)
  •  Spoofing allows scammers to disguise themselves as a specific person or, perhaps, a person within a specific agency. Moreover, these fraudsters manipulate your phone’s caller ID to display a false name or number.
  •  Spyware is a type of malware. A scammer installs this bad program on your computer or cellphone to track your actions and collect information without your knowledge.
  •  Vishing is another form of phishing that uses recorded phone messages to trick you into revealing very private info.
  •  Whaling phishes for corporate executives or employees who work in the company’s payroll departments. The scammer poses as the company’s CEO or, perhaps, its attorney or even a vendor to obtain payments or hush-hush data.

We heard great news last week from the Federal Communications Commission (FCC) that it intends to put robocallers out of business. However, until that happens (as well as all other trickery), it’s urgent we never forget that scammers create new schemes and fraudulent activities every day. Whether to burglarize our bank accounts or to steal our personal identities, criminals never rest; therefore, consumers must remain vigilant. No more victims around here, okay?

Contact Ellen Phillips at consumerwatch@timesfreepress.com.

Cyber security basics: How to recognise phishing attacks


CBR sits down with Luis Corrons, Technical Director at PandaLabs, to talk phishing.

Phishing attacks are on the rise, but how can you recognise them? CBR’s Alex Sword talks to Luis Corrons, Technical Director at PandaLabs.

AS: What are some common examples of phishing attacks?

The most common examples of phishing attacks are emails that supposedly come from a bank or payment provider, courier company, or popular shopping site (Amazon, iTunes etc.). One way or the other, it will be trying to get our personal information so it can be used to steal further information or empty our accounts.

AS: Phishing attacks take many different forms. What are some common characteristics that people can look out for?

Most times the initial phishing message says there has been some kind of security incident involving your account, and tells you that if you do not take action it will be suspended. There will be a link in that message that the user has to click in order to fix the problem. Once clicked, it takes the user to a web page with the look & feel of the organisation they are trying to fake and asks the user for their personal information (credentials, security questions, etc.).

AS: What would a good employee training programme in an organisation look like?

The best training programme should start by launching a controlled phishing attack against the company’s employees. This can then be used in the follow-up training to show how effective a real attack would have been and teach all employees to be able to recognise these types of attacks. Repeat this periodically to measure the success of previous training.

Special attention should be given to the finance team to ensure they are aware of CEO fraud (aka Spear Phishing or Whaling), which occurs when an email supposedly coming from a C-Level executive requests an urgent and often substantial bank transfer. The FBI estimate $2.3bn has been lost to this type of fraud over the last three years. Having a system in place where the finance team can verify anomalous transactions directly with the C-Level executives or senior members of staff at any time can stop these losses.

AS: What are some basic checks that can be put in place so that suspicious emails can be vetted?

Most phishing messages rely on the user clicking on the link that is in the message or just opening an attachment. Not doing it solves the problem.

By learning the typical characteristics (there is a serious security problem, urging us to act as soon as possible, threatening us with closing or suspending our account, giving us a link to solve the problem…) the users can spot phishing attempts.

At the end of the day, if the user has any doubts and considers it might be a valid message, they can always go to the company website from the browser without clicking on the link. If available, report suspicious emails to your IT team or provider.

Never trust attachments from unknown sources, of course.
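The characteristics listed in the two answers above (a claimed security incident, pressure to act before the account is suspended, a link to "fix" it, and a page or sender imitating the real organisation) can be checked mechanically. The script below is an added example, not code from CBR or PandaLabs; the brand domain, sender address and message body are constructed and hypothetical.

```python
import re
from urllib.parse import urlparse

# Constructed sample message, modelled on the pattern the interview describes:
# a "security incident", a threat of suspension, and a link offered to "fix" it.
SAMPLE_SENDER = "alerts@examp1ebank.example"
SAMPLE_HTML = (
    "<p>We detected a security incident on your account. If you do not verify "
    "within 24 hours your account will be suspended.</p>"
    '<a href="http://examplebank.example.verify-login.net/">https://examplebank.example/</a>'
)
TRUSTED_DOMAIN = "examplebank.example"  # assumption: the brand's real domain (hypothetical)
URGENCY_PHRASES = ("security incident", "suspended", "within 24 hours", "immediately")


def registered_domain(host):
    """Crude registrable domain: the last two labels (sufficient for the sample)."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(sender, html):
    """Return the warning signs from the interview that are present in one message."""
    found = []
    text = re.sub(r"<[^>]+>", " ", html).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if len(hits) >= 2:  # a single word alone is common in legitimate mail
        found.append("urgency/suspension threat: " + ", ".join(hits))
    sender_dom = registered_domain(sender.rsplit("@", 1)[-1])
    if 0 < edit_distance(sender_dom, TRUSTED_DOMAIN) <= 2:
        found.append(f"lookalike sender domain: {sender_dom}")
    for href, shown in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
        real = registered_domain(urlparse(href).hostname or "")
        shown_host = urlparse(shown.strip()).hostname
        if shown_host and registered_domain(shown_host) != real:
            found.append(f"link text shows {shown_host} but points to {real}")
        elif real != TRUSTED_DOMAIN and TRUSTED_DOMAIN.split(".")[0] in href:
            found.append(f"brand name in URL of unrelated domain: {real}")
    return found


INDICATORS = phishing_indicators(SAMPLE_SENDER, SAMPLE_HTML)  # three warnings for the sample
```

A message that trips none of these checks is not proven safe; the interview's advice to open the company site from the browser rather than the link still applies.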

AS: How are phishing attacks evolving?

Luis Corrons, Technical Director of PandaLabs.

Historically the cyber-criminals behind these attacks had problems with the language used as English was not their first language, and it was easy to spot grammar mistakes as well as misspelled words. Nowadays they have improved and in general they do not make these kinds of mistakes.

Phishers are more professional, and it is a continuous battle to realise we are facing a phishing attack; contacting the originator by phone or directly visiting their website will normally confirm whether the email is genuine.

Although phishing has often been linked to the theft of online banking credentials, there are some other kinds, such as those made to steal Facebook or Twitter credentials. In these cases, instead of an email you get a message with a link; if you click on it, it takes you to a website with the same look & feel as the social network and asks you for your credentials.

AS: Is it possible to protect our data online to make phishing attacks less successful?

Yes, of course. The first tip is not reusing passwords. Using a password manager is the most effective solution for this. On top of that we should enable 2FA (two-factor authentication), so even if a phishing attack succeeds and our credentials are stolen, our accounts will be safe.

How to save yourself from a phishing attack [Infographic]

Do you know how to protect yourself from a phishing attack? This neat little infographic should help you recognize and prevent one.

Phishing attacks are growing more sophisticated and more serious by the day, but they aren’t always easy to recognize. To make matters worse, hackers are getting better at targeting high-level people in an organization, knowing full well the CEO probably doesn’t have a lot of experience in infosec. This is called spear-phishing, and sometimes whaling if the target is big enough. Humans are the weakest link in info security and targeting the right person can bring down an organization.

Thankfully, the vast majority of phishing operations are still low level and easy to recognize. Look for things like misspelled words and domains that aren’t quite what they should be. Those are the obvious things.

Vishing and Smishing are also growing trends: hackers use the phone or text messages to try to gain access to your personal data. If it sounds urgent and your bank account is in peril, it’s probably a scam. It will sound convincing: they can glean personal information from your social media accounts very easily, making it sound like they have all the information they should have to be legitimate.

Learn more about protecting yourself from phishing attacks from this infographic! You might be surprised how common phishing has become and how easy it is to protect yourself: you just need to know the warning signs.