Phishing is a scam in which attackers fraudulently obtain money or sensitive information such as user names, passwords and credit card details. They "socially engineer" the victim using publicly available information: the message is personalized and targeted, and the sender pretends to be someone the victim trusts.
Phishing is a big moneymaker for scammers, and campaigns are getting more targeted, sophisticated and dangerous.
One simple way to reduce personalized phishing is to keep individual email addresses (ideally any email address) off company websites and use a submission form instead. Protect the form with a CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") so it cannot be abused for spam; note that a CAPTCHA is a bot check, not authentication. reCAPTCHA v3 is a free service from Google; it returns a score for each submission that must be verified on your server, not in the browser.
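Verifying a reCAPTCHA v3 token correctly means more than checking that Google said "success". The following is an added example, not code from the original article or from Google: it shows the server-side checks a form handler should make on the siteverify response (`success`, `score` against a threshold, `action` matching the form the token was issued for, `hostname` matching your site). The transport is injectable so the logic runs offline against constructed responses; the real transport posts to https://www.google.com/recaptcha/api/siteverify. The action name `contact_form`, the hostname `example.com` and the 0.5 threshold are assumptions.

```python
"""Server-side verification of a reCAPTCHA v3 token (added example)."""
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def google_siteverify(secret, token, remote_ip=None):
    """Real transport: POST the client token and server secret to Google."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def verify_recaptcha(token, secret, expected_action, expected_hostname,
                     min_score=0.5, remote_ip=None, transport=google_siteverify):
    """Return (accepted, reason). Fails closed on any transport or shape error."""
    if not token:
        return False, "missing token"
    try:
        result = transport(secret, token, remote_ip)
    except Exception as exc:  # network error, timeout, bad JSON
        return False, f"siteverify unreachable: {exc}"
    if not result.get("success"):
        codes = ",".join(result.get("error-codes", ["unknown"]))
        return False, f"rejected: {codes}"
    # A v3 token is bound to the action the page requested; a token harvested
    # from a low-risk action must not be accepted for this form.
    if result.get("action") != expected_action:
        return False, f"action mismatch: {result.get('action')!r}"
    # hostname is where the token was solved; reject tokens minted elsewhere
    if result.get("hostname") != expected_hostname:
        return False, f"hostname mismatch: {result.get('hostname')!r}"
    score = float(result.get("score", 0.0))
    if score < min_score:
        return False, f"score {score} below threshold {min_score}"
    return True, f"ok (score {score})"


# Constructed responses in the shape siteverify returns, for the offline demo.
FAKE_GOOD = {"success": True, "score": 0.9, "action": "contact_form",
             "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "example.com"}
FAKE_BOT = dict(FAKE_GOOD, score=0.1)
FAKE_REPLAY = dict(FAKE_GOOD, action="login")
FAKE_FAIL = {"success": False, "error-codes": ["timeout-or-duplicate"]}


def fake_transport(response):
    """Build a transport that returns a canned response instead of calling Google."""
    return lambda secret, token, remote_ip=None: response


if __name__ == "__main__":
    for label, resp in [("human", FAKE_GOOD), ("bot", FAKE_BOT),
                        ("replayed", FAKE_REPLAY), ("expired", FAKE_FAIL)]:
        ok, why = verify_recaptcha("client-token", "server-secret", "contact_form",
                                   "example.com", transport=fake_transport(resp))
        print(f"{label:9s} accepted={ok}  {why}")
```

The `action` and `hostname` checks are the ones most often skipped: without them a token solved on an attacker's page, or for a different form on your own site, passes as a valid submission. The response also carries `challenge_ts`; a stricter handler can reject tokens older than a couple of minutes.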
Employee training remains the most important defense against phishing succeeding; technology filters a lot, but some messages always get through. Employees can be trained to watch for anomalies, and phishing security test campaigns measure the result: test emails are deliberately sent to see who opens the attachment or answers the request. They are harmless, but they highlight users who need more training.
DDoS (Distributed Denial of Service) Attacks
In a DDoS attack, attackers attempt to make the target website, service or portal temporarily or indefinitely unavailable to its legitimate users. They do this by flooding the target with tens of thousands of requests per second from a network of compromised devices (a botnet). Because the traffic arrives from many different sources, it is hard to block by source address alone. Motives include attacking competitors, blackmail or activism, or there may be no motive at all.
One of the most famous DDoS attacks disrupted major sites including Netflix, The New York Times and Amazon. The motive for the attack was never confirmed.
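Because each bot in a flood can stay under any per-source limit, detection has to look at the aggregate. The following is an added example, not code from the original article: it parses access-log lines in the common log format, buckets requests per second, and flags a second when the total rate is high and the requests come from many distinct addresses, reporting how small the busiest single source's share is. The log lines are constructed for the demo and the thresholds are assumptions to tune against a real baseline.

```python
"""Spotting a distributed flood in a web-server access log (added example)."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one common-log-format line; returns None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, TS_FMT), "request": request,
            "status": int(status)}


def detect_flood(lines, rate_threshold, min_sources):
    """Return flagged seconds as (iso_time, requests, distinct_sources, max_share_per_ip)."""
    per_second = defaultdict(lambda: defaultdict(int))  # second -> ip -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_second[rec["ts"]][rec["ip"]] += 1
    alerts = []
    for sec in sorted(per_second):
        by_ip = per_second[sec]
        total = sum(by_ip.values())
        if total >= rate_threshold and len(by_ip) >= min_sources:
            # max_share_per_ip near 0 means no single source stands out:
            # per-IP rate limiting would not have caught this second
            alerts.append((sec.isoformat(), total, len(by_ip),
                           round(max(by_ip.values()) / total, 2)))
    return alerts


def make_lines(second, sources):
    """Construct log lines: `sources` is a list of (ip, request_count) pairs."""
    return [f'{ip} - - [{second}] "GET / HTTP/1.1" 200 512'
            for ip, count in sources for _ in range(count)]


# Constructed log: one normal second, then one second of a flood from 30 hosts
# sending 2 requests each (60 req/s in total, no single host above 2 req/s).
SAMPLE_LOG = (
    make_lines("10/Oct/2019:13:55:36 +0000", [("198.51.100.7", 3), ("198.51.100.8", 2)])
    + make_lines("10/Oct/2019:13:55:37 +0000", [(f"203.0.113.{i}", 2) for i in range(1, 31)])
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for when, total, sources, share in detect_flood(SAMPLE_LOG, rate_threshold=50,
                                                    min_sources=20):
        print(f"{when}: {total} req/s from {sources} sources, busiest source {share:.0%}")
```

Run against the constructed log, only the second second is flagged: 60 requests from 30 sources with the busiest source at 3% of traffic, exactly the profile a per-IP limit of, say, 10 req/s would wave through.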
A data breach is the release of private information, intentionally or unintentionally, to an untrusted environment. Breaches are profitable for attackers and have become more common in recent years. In an intentional breach, attackers gain access to databases, then copy and sell the personally identifiable information (PII) on the dark web, where millions of credit card numbers and email addresses are offered for pennies apiece.
According to Cyber Risk Analytics’ 2019 Data Breach QuickView Report, there were over 7,000 reported breaches exposing over 15.1 billion records, “a new worst year on record.”
Ransomware is malware that targets both human and technical weaknesses to make critical data and/or systems inaccessible, typically by encrypting them. Once the organization discovers it has been locked out, the attackers demand a hefty ransom for the decryption key.
Reported ransomware incidents were on the decline at the time of writing, but it is still a multimillion-dollar industry.
The FBI’s 2019 Internet Crime Complaint Report noted 2,047 complaints identified as ransomware with adjusted losses of over $8.9 million.
The best way to fight ransomware is to prevent it. Modern ransomware uses strong encryption that cannot practically be broken without the attacker's key, so once it runs on your systems you are in dire straits unless you have clean backups to restore from.
Zero Day Exploits
Strictly, a zero-day exploit targets a vulnerability the vendor does not yet know about or has not yet patched, so defenders have had "zero days" to fix it. The related, and far more common, danger begins once a vulnerability is announced. When Microsoft, for example, discloses a flaw in its operating system and publishes a patch, attackers race to reverse-engineer the patch and exploit the flaw before users install it.
Many companies do not patch regularly, leaving their networks and data exposed throughout that window.
Another example is WordPress, around since 2003 and now one of the most popular platforms for building websites. In its early days WordPress had many vulnerabilities that let attackers into the back end to sabotage company websites; keeping it patched matters just as much as patching the operating system.
Man in the Middle Attacks
In a man-in-the-middle (MitM) attack, the attacker inserts themselves into a conversation between two parties who believe they are talking directly to each other, relaying and possibly altering the traffic.
MitM attacks are increasingly aimed at Internet of Things (IoT) devices that everyone uses, such as smart TVs, Wi-Fi speakers, smart watches and other wearables like Fitbits.
These devices are on the Internet but are not general-purpose computers like PCs, and they are less likely to encrypt their traffic.
Another example is public Wi-Fi with no password or encryption. On an open network an attacker can run a packet sniffer to see who is connected and what they are doing; anything not protected by TLS (plain HTTP pages, form logins sent over HTTP) is readable in the clear, and the attacker will try to exploit whatever they capture.
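To make concrete what a sniffer on open Wi-Fi actually sees, here is an added example (not code from the original article). It parses raw Ethernet/IPv4/TCP frames and pulls credentials out of unencrypted HTTP traffic: HTTP Basic authentication headers and password fields in form POSTs. The frames are constructed in `build_frame()` for the demo (checksums left zero); on a real network the same parser would run over frames read from a capture file or a raw socket. The third frame is a TLS record on port 443 and yields nothing, which is the point. Host names and addresses are made up.

```python
"""What a packet sniffer on open Wi-Fi sees (added example)."""
import base64
import struct
from urllib.parse import parse_qs

ETHERTYPE_IPV4 = b"\x08\x00"
PROTO_TCP = 6
PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd")


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame for the demo (checksums 0)."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     PROTO_TCP, 0, src, dst)
    # data offset 5 (20-byte header), flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src_ip, dst_ip, dst_port, tcp_payload) or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != PROTO_TCP:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    if len(frame) < tcp + 20:
        return None
    dport = struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]
    data_off = (frame[tcp + 12] >> 4) * 4
    return src, dst, dport, frame[tcp + data_off:]


def extract_credentials(frames):
    """Scan frames for cleartext HTTP credentials; returns (src, dst, kind, creds)."""
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        try:
            text = payload.decode("ascii")
        except UnicodeDecodeError:
            continue  # TLS records and binary protocols are opaque to the sniffer
        if not text.startswith(("GET ", "POST ")):
            continue
        head, _, body = text.partition("\r\n\r\n")
        for line in head.split("\r\n")[1:]:
            name, _, value = line.partition(":")
            value = value.strip()
            if name.strip().lower() == "authorization" and value.lower().startswith("basic "):
                creds = base64.b64decode(value[6:]).decode("utf-8", "replace")
                findings.append((src, dst, "basic-auth", creds))
        if body:
            form = parse_qs(body)
            for field in PASSWORD_FIELDS:
                if field in form:
                    user = (form.get("username") or form.get("user") or ["?"])[0]
                    findings.append((src, dst, "form-post", f"{user}:{form[field][0]}"))
                    break
    return findings


# Constructed traffic: a Basic-auth GET, a login POST over plain HTTP, and the
# start of a TLS ClientHello on port 443 (bytes >= 0x80 make it non-ASCII).
SAMPLE_FRAMES = [
    build_frame("192.168.1.23", "203.0.113.10", 51000, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
    build_frame("192.168.1.23", "203.0.113.20", 51001, 80,
                b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
                b"username=bob&password=Passw0rd"),
    build_frame("192.168.1.23", "203.0.113.30", 51002, 443,
                b"\x16\x03\x01\x00\x40\x01\x00\x00\x3c\x03\x03" + bytes(range(0x80, 0xA0))),
]

if __name__ == "__main__":
    for src, dst, kind, creds in extract_credentials(SAMPLE_FRAMES):
        print(f"{src} -> {dst} {kind}: {creds}")
```

The lesson for users on public Wi-Fi is the asymmetry: the two HTTP frames give up `alice:hunter2` and `bob:Passw0rd` to anyone in radio range, while the HTTPS frame gives up only the fact that a connection exists.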
How to Protect Your Business from Cyber Attacks
No amount of technology can save you from an unsavvy clicker. Alongside implementing the latest protective technology, employee education is one of the most important things you can do.
Cybersecurity Tips for Your Team
- Never open an attachment from a suspicious email address. If the email looks off (misspellings, a known sender who reads oddly, offers that are too good to be true, requests for sensitive information), don't download the file.
- Watch out for .zip and .exe attachments, and for executable content embedded in documents. A zip file is not itself executable, but it can hide an executable (often under a misleading name such as invoice.pdf.exe) and may slip past mail filters, so be especially careful when opening one. Word and Excel files can also carry macros that run a program when you enable content.
- Be suspicious of all links in emails or advertisements. CryptoWall is an example of ransomware that spread through emails appearing to come from legitimate businesses and through advertisements on popular websites, with the links leading to the malware. An IT professional profiled on NPR described an employee receiving an email that appeared to be from PayPal saying they had received money; the malicious link installed ransomware and the business lost 14 years' worth of data.
- Be aware that scammers have become very sophisticated and can fool the savviest users. If there is even a remote possibility that a message is a scam, inspect every detail for accuracy and don't click reply; type the address in manually. Be suspicious even of emails that appear to come from within your organization; a moment spent checking is far cheaper than a ransomware infection.
- Back up your data offline. If your machine or business network is taken over, a backup the attacker could not reach is the best way to get your data back. It is not foolproof and recovery still costs time and money, so test restoring from your backups before you need them.
- Keep your antivirus protection, operating system and other applications up to date. Updates primarily fix security vulnerabilities or performance issues.
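The attachment advice above can be turned into an automatic check that looks at name and content rather than trusting the extension. The following is an added example, not code from the original article: it flags executable extensions, double extensions such as invoice.pdf.exe, Windows executable ("MZ") content behind a harmless-looking name, macro-enabled Office files and the vbaProject.bin part that marks a macro inside any Office zip, and it opens zip archives to apply the same checks to each member. The sample attachments are constructed in memory; the extension lists, nesting depth and size limit are assumptions.

```python
"""Inspecting mail attachments for hidden executables and macros (added example)."""
import io
import os
import zipfile

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".js",
            ".jse", ".vbs", ".vbe", ".hta", ".msi", ".jar", ".lnk"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
OFFICE_ZIP_EXT = MACRO_EXT | {".docx", ".xlsx", ".pptx", ".dotx", ".xltx"}
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls container
MAX_DEPTH = 3                      # assumed limit on archive nesting
MAX_UNPACKED = 50 * 1024 * 1024    # assumed limit; refuses to expand zip bombs


def inspect_attachment(name, data, depth=0):
    """Return a list of findings (strings); an empty list means nothing suspicious."""
    findings = []
    lower = name.lower()
    ext = os.path.splitext(lower)[1]
    if lower.count(".") > 1 and ext in EXEC_EXT:
        findings.append(f"{name}: double extension hiding an executable")
    elif ext in EXEC_EXT:
        findings.append(f"{name}: executable attachment ({ext})")
    if data.startswith(b"MZ") and ext not in EXEC_EXT:
        findings.append(f"{name}: Windows executable content behind a non-executable name")
    if ext in MACRO_EXT:
        findings.append(f"{name}: macro-enabled Office document")
    if data.startswith(OLE_MAGIC):
        findings.append(f"{name}: legacy OLE document; may contain macros, inspect before opening")
    if data.startswith(b"PK\x03\x04"):
        findings.extend(inspect_zip(name, data, ext, depth))
    return findings


def inspect_zip(name, data, ext, depth):
    """Look inside a zip container: Office macro parts, or members of a plain archive."""
    if depth >= MAX_DEPTH:
        return [f"{name}: archive nested too deeply, not expanded"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{name}: claims to be a zip container but is malformed"]
    findings = []
    with zf:
        infos = zf.infolist()
        if sum(i.file_size for i in infos) > MAX_UNPACKED:
            return [f"{name}: declared unpacked size exceeds limit, not expanded"]
        if any(i.filename.lower().endswith("vbaproject.bin") for i in infos):
            findings.append(f"{name}: contains a VBA macro project (vbaProject.bin)")
        if ext not in OFFICE_ZIP_EXT:
            # a plain archive: apply the same checks to every member
            for info in infos:
                if not info.is_dir():
                    findings.extend(inspect_attachment(f"{name}/{info.filename}",
                                                       zf.read(info), depth + 1))
    return findings


def _zip(entries):
    """Build an in-memory zip from {member_name: bytes} (for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments.
SAMPLES = {
    "invoice.zip": _zip({"invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60}),
    "report.docm": _zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>",
                         "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 8}),
    "quarterly.xlsx": _zip({"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<w/>"}),
    "brochure.pdf": b"%PDF-1.7\n%...",
}

if __name__ == "__main__":
    for filename, content in SAMPLES.items():
        hits = inspect_attachment(filename, content)
        print(f"{filename}: {'OK' if not hits else ''}")
        for hit in hits:
            print("  -", hit)
```

On the constructed samples, invoice.zip is flagged for the double-extension executable inside it, report.docm for both its macro-enabled extension and the vbaProject.bin part, and quarterly.xlsx and brochure.pdf pass clean. A mail gateway would typically quarantine anything with a finding rather than rely on the recipient noticing.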
Data Protection Tailored to Your Business
Today, data protection is more complicated than it once was, and different types of businesses need different levels of security. It is our job as your IT partner to know where the vulnerabilities are, and help you make smart decisions about how to keep your business data safe.
This goes beyond patches. We use sophisticated firewalls, better antivirus software, geofencing, penetration testing and internal security assessments tailored to your individual business. We take into account your compliance requirements such as HIPAA, PCI DSS for merchants accepting credit cards, and SOX for publicly traded companies.
We put our proactive security, business continuity management and monitoring services to work for you, preventing outages and fixing vulnerabilities before they can compromise your business.