Watch out for these phishing scams

We’ve covered small business scams before, but there’s one scam that deserves more attention than any other. Experts have been talking about the growth of phishing for years, and with the popularity of phishing still rising among cybercriminals, it looks like it’s unfortunately here to stay. This means that ensuring that your company and your employees are properly trained in detecting and dealing with phishing attacks is of the utmost importance. That’s why this post is giving an in-depth breakdown of the most popular types of phishing campaigns, how they will attempt to impact your business and what you can do to stop them.

The anatomy of a phishing scam

Although phishing comes in many shapes and sizes, most phishing scams involve one or more of these attributes:

  • The sender pretends to be a person or entity you’re familiar with, like a company whose services your organization uses or an employee within your organization. In some cases, phishing scams do involve cold approaches, meaning the phisher isn’t pretending to be someone you may know, but phishers perpetrating these scams tend to impersonate popular services that you’d conceivably need, like tech support.
  • The phisher’s message makes a request of you, usually one that involves sharing information that the party the phisher is impersonating should already have (e.g., a payroll associate should already have your W-2 on file). Other times, phishers will attach a link or file with embedded malware that they make seem necessary to click on (e.g., fill out the attached form and send it back to me).
  • Because phishing techniques have matured, in some instances phishers will set up passive phishing campaigns. These are circumstances in which phishers set up fake sites and services that sometimes appear in search engines as well as social media websites and feeds, making these phishing sites seem legitimate. Instead of proactively targeting potential victims, these phishing campaigns allow phishers to make victims come to them.

Why do scammers phish?

The purpose of phishing is to use social engineering to either extract useful information from someone, or to dupe victims into installing malware onto their systems. The latter can be used as a setup to potentially steal information down the line, activate ransomware, add a target device to a botnet and many other nasty things. Scammers will target businesses to steal their money, gather trade secrets (to sell on the black market or use for other nefarious purposes) and more.

Types of phishing techniques

There are many different types of phishing, some of which we’ve covered before, but below are the types that most commonly target small businesses.

Spear phishing and whaling

Spear phishing isn’t new, but modern variants are far more devious. Unlike more general forms of phishing, spear phishing involves targeted campaigns, usually specific to individuals. Phishers usually study targets for long periods of time, collecting as much information as possible in order to create a message that appears to be genuine. To further sell the ruse, many spear phishers spoof email “from” headers to make emails appear like they come from a familiar source.

Whaling is spear phishing, but directed at CEOs, executives, politicians and famous individuals. Its name comes from the fact that such high profile targets are seen as “big fish” by scammers. Successfully compromising these targets through phishing campaigns allows scammers to not only take a swipe at their personal assets, but to also impersonate them. Whaling campaigns targeting company executives can be used to steal information from them directly or to take their credentials to impersonate them in spear phishing campaigns directed at lower-level employees, who would likely be unalarmed by sensitive information requests from their “superiors.”

Both of these types of phishing rely on implicit trust victims assume they should grant the sender, but the truth is that there’s no way to truly know who’s contacting you online — even if it’s an email from someone you know. As such, requests for personal or financial information as well as requests to review documents and links should always be treated with suspicion. You can always call or text the sender using a trusted phone number (not the one in the email) to verify that the request is legitimate or just give them the information they’re asking for in person rather than over email, which isn’t the best medium for sending sensitive information, anyway.
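The spoofed “from” header described above leaves traces that a mail filter or a careful recipient can check before trusting the sender. The following is an added example, not code from the original post: it parses two constructed sample messages (neither is real mail) and reports the mismatches between the visible From header, the Reply-To address and the Return-Path that commonly accompany sender spoofing. The domain names are made up for illustration.

```python
"""Flag common sender-spoofing signs in a raw email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail): one consistent, one suspicious.
LEGIT_MESSAGE = """\
Return-Path: <alice@example-corp.com>
From: Alice Smith <alice@example-corp.com>
To: bob@example-corp.com
Subject: Q3 numbers

Bob, the numbers are on the shared drive.
"""

SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
From: "alice@example-corp.com" <ceo.office@example-mail.net>
Reply-To: payroll-desk@example-reply.org
To: bob@example-corp.com
Subject: Urgent request

Bob, I need the W-2s for all staff today. Reply to this address only.
"""


def _domain(address: str) -> str:
    """Return the lowercase domain part of an email address ('' if absent)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def spoofing_indicators(raw: str) -> list[str]:
    """Return human-readable reasons why the sender of `raw` looks spoofed."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    reasons = []

    # 1. The display name contains an email address whose domain differs from
    #    the real From address, so the mail client shows a familiar address
    #    while the message actually comes from somewhere else.
    for embedded in re.findall(r"[\w.+-]+@[\w.-]+", name):
        if _domain(embedded) != from_dom:
            reasons.append(f"display name shows {embedded} but address is {from_addr}")

    # 2. Reply-To points at a different domain, so replies (and any
    #    information in them) go to a third party.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # 3. Return-Path (the bounce address recorded by the receiving server)
    #    uses a different domain from the visible From header.
    _, return_addr = parseaddr(msg.get("Return-Path", ""))
    if return_addr and _domain(return_addr) != from_dom:
        reasons.append(f"Return-Path domain {_domain(return_addr)} differs from From domain {from_dom}")

    return reasons


if __name__ == "__main__":
    for label, sample in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, spoofing_indicators(sample) or "no indicators")
```

Each indicator on its own is a reason to verify out of band rather than proof of fraud: newsletters and ticketing systems legitimately send with a Return-Path on a different domain. Mismatches that line up with an urgent request for data, as in the constructed sample, are exactly the case the text says to confirm by phone.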

Clone phishing

Clone phishing attacks involve a phisher either intercepting an email or copying it once it’s been sent. The phisher’s message will generally purport to be an “updated” version of a legitimate message that was genuinely sent moments before, making it much harder to spot. As stated above, any time you get a request to share information, even from an associate or friend, you should be on your guard. You can always ask the sender via phone, text or some other medium if they really sent their email twice or sent a follow-up email.

Pharming and fake websites

We’ve talked before about scams like pharming and typosquatting, which both involve websites that were either hijacked or created by scammers. These scams aim to send users to a site that is designed to steal their information without their knowledge. As such, users should be aware that simply because they’ve been given a link to a site, or have navigated to one on their own, doesn’t automatically mean that the site is safe.

Whenever you visit a site and aren’t sure of its legitimacy, you should do a WHOIS lookup on the domain name to see who owns it and then look at the site’s SSL certificate. These are the certificates issued to websites with HTTPS encryption, and they often detail who the certificate was issued to and which certificate authority issued it. If you’re on a major company’s website and they have limited certificate information, it could be a sign that something is amiss. Keep in mind that scammers also create HTTPS phishing sites, so just because the site has HTTPS, doesn’t mean it’s safe.
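Typosquatting domains can also be caught mechanically before anyone has to inspect a certificate. The following is an added example, not code from the original post: it compares a hostname against a constructed list of domains an organization trusts and flags the three common lookalike patterns (a swapped top-level domain, confusable characters such as “rn” for “m” or “1” for “l”, and one or two typed mistakes measured by edit distance). The trusted-domain list, the confusable table and the registrable-domain helper are simplifying assumptions for the example.

```python
"""Flag lookalike (typosquatting) domains against a trusted list (added example)."""

# Constructed list of domains the organization trusts (sample data).
TRUSTED_DOMAINS = ["example-bank.com", "example-corp.com", "microsoft.com"]

# Character sequences commonly substituted to mimic another letter.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def registrable(host: str) -> str:
    """Crude registrable-domain extraction: the last two labels.
    (Assumption for the example; real code needs the public suffix list for
    multi-part TLDs such as co.uk.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Replace confusable sequences with the letter they imitate."""
    out = label
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (trusted_domain, reason) if host resembles a trusted domain
    without being one, otherwise None."""
    dom = registrable(host)
    if dom in trusted:
        return None  # exact trusted match, not a lookalike
    name, _, tld = dom.rpartition(".")
    for t in trusted:
        tname, _, ttld = t.rpartition(".")
        # Same name under a different TLD (example-bank.co vs example-bank.com).
        if name == tname and tld != ttld:
            return (t, "different top-level domain")
        # Same name once confusable characters are undone (rnicrosoft, examp1e).
        if name != tname and normalize(name) == normalize(tname):
            return (t, "confusable characters")
        # A typo or two away from a trusted name.
        if levenshtein(name, tname) <= max_distance:
            return (t, "edit distance")
    return None


if __name__ == "__main__":
    for h in ["login.example-bank.com", "examp1e-bank.com", "example-bank.co",
              "exampel-bank.com", "rnicrosoft.com", "unrelated-site.org"]:
        print(h, "->", lookalike_of(h))
```

The edit-distance threshold is deliberately small: at distance 2 the check already matches transposed letters, and raising it produces false positives on short names. Internationalized domains arrive as punycode (`xn--` labels) and should be decoded before normalization, which this example does not do.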

Macro malware and other attachments

Some phishing emails will include links or attachments and encourage you to click on them. In business and office environments, some of the most common types of attachments are Microsoft Office files with modified macros. Macros are advanced commands that allow for the automation of certain processes within a specific program. For example, macros in Microsoft Excel might allow you to have the program automatically create charts and graphs whenever you import data meeting specific criteria, saving you hours of work. Since macros rely on code, if someone injects malicious code into a macro, they can cause damage to any device running that code. In the early 2000s, Microsoft, noticing that macros could be exploited in this harmful way, set macros to remain off by default. Still, hackers wanting to exploit macros to transmit malware often dupe their targets into turning macros on. It’s important to note that macros aren’t inherently dangerous, and any macros created by you or someone you trust are fine. Documents containing macros created by a stranger with unknown intentions, however, could be designed to compromise your computer. While it’s totally feasible that you could receive a document from an associate that requires you to activate macros, you should always err on the side of caution by first verifying the file’s sender or getting the file from them another way.
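Because macros ship inside the document, an attachment can be checked for them before anyone is asked whether to enable them. The following is an added example, not code from the original post: it builds two minimal Office Open XML containers in memory (constructed sample data, not real documents) and classifies an attachment by whether the container carries a VBA project part. The `vbaProject.bin` part name and the `application/vnd.ms-office.vbaProject` content type are the markers the OOXML packaging uses for macros; the file-name convention check and the handling of legacy OLE2 files are the example’s own choices.

```python
"""Detect VBA macros inside Office Open XML attachments (added example)."""
import io
import zipfile

# Markers the OOXML package uses for an embedded VBA project.
VBA_PART_SUFFIX = "vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Legacy binary formats (.doc/.xls) start with the OLE2 magic; confirming
# macros there needs an OLE stream parser, so they are routed to review.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that by convention must not carry macros.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org'
                 '/package/2006/content-types"><Default Extension="xml" '
                 'ContentType="application/xml"/>')
        if with_macro:
            types += (f'<Override PartName="/word/vbaProject.bin" '
                      f'ContentType="{VBA_CONTENT_TYPE}"/>')
        types += "</Types>"
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder vba project\x00")
    return buf.getvalue()


def classify_attachment(filename: str, data: bytes) -> str:
    """Return one of: 'macro', 'macro-extension-mismatch', 'clean',
    'legacy-binary' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return "not-office"
        has_vba_part = any(n.endswith(VBA_PART_SUFFIX) for n in names)
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        has_vba_type = VBA_CONTENT_TYPE in content_types
    if not (has_vba_part or has_vba_type):
        return "clean"
    # A macro inside a file whose extension promises no macros is a stronger
    # signal than a .docm, whose extension at least declares the macro.
    if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
        return "macro-extension-mismatch"
    return "macro"


if __name__ == "__main__":
    print(classify_attachment("invoice.docm", build_sample_docx(True)))
    print(classify_attachment("invoice.docx", build_sample_docx(True)))
    print(classify_attachment("invoice.docx", build_sample_docx(False)))
```

A mail gateway can quarantine anything that classifies as `macro` or `macro-extension-mismatch` until the sender is verified, which is the same out-of-band check the text recommends, just applied before the file reaches the inbox. Legacy `.doc` and `.xls` files cannot be cleared by this check and are worth treating the same way.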

As technology evolves, unfortunately cybercrime does, too. Continue reading our scams blog to keep up with today’s top threats to your business and your identity.