
Imagine you’re going about your day when suddenly you receive a text from the CEO asking for your help. They’re out doing customer visits and someone else dropped the ball in providing gift cards. The CEO needs you to buy six $200 gift cards and text the information right away.

The message sender promises to reimburse you before the end of the day. Oh, and by the way, you won’t be able to reach them by phone for the next two hours because they’ll be in meetings. One last thing, this is a high priority. They need those gift cards urgently.

Would this kind of request make you pause and wonder or would you quickly pull out your credit card to do as the message asked?

A surprising number of employees fall for this gift card scam. There are also many variations, such as your boss being stuck without gas or in some other dire situation that only you can help with.

This scam can come by text message or via email. The unsuspecting employee buys the gift cards and sends the numbers back to the boss. They find out later that the real company CEO wasn’t the one who contacted them; it was a phishing scammer.

The employee is out the cash.

Without proper training, 32.4% of employees are prone to fall for a phishing scam.

Read about our Employee Security Awareness training and the services it offers here.

 

Why Do Employees Fall for Phishing Scams?

Though the circumstances may be odd, many employees fall for this gift card scam. Hackers use social engineering tactics and manipulate emotions to get the employee to follow through on the request.

Some of these social engineering tactics elicit the following:

  • The employee is afraid of not doing as asked by a superior
  • The employee jumps at the chance to save the day
  • The employee doesn’t want to let their company down
  • The employee may feel they can advance in their career by helping

The scam’s message is also crafted in a way to get the employee to act without thinking or checking. It includes a sense of urgency. The CEO needs the gift card details right away. Also, the message notes that the CEO will be out of touch for the next few hours. This decreases the chance the employee will try to contact the real CEO to check the validity of the text.

 

Illinois Woman Scammed Out of More Than $6,000 from a Fake CEO Email

Variations of this scam are prevalent and can lead to significant financial losses. A company isn’t responsible if an employee falls for a scam and purchases gift cards with their own money.

In one example, a woman from Palos Hills, Illinois lost over $6,000 after getting an email request from someone she thought was her company’s CEO.

The woman received an email purporting to be from her boss and company CEO. It stated that her boss wanted to send gift cards to some selected staff that had gone above and beyond.

The email ended with “Can you help me purchase some gift cards today?”  The boss had a reputation for being great to employees, so the email did not seem out of character.

The woman bought the requested gift cards from Target and Best Buy. Then she got another request asking to send a photo of the cards. Again, the wording in the message was very believable and non-threatening. It simply stated, “Can you take a picture, I’m putting this all on a spreadsheet.” 

The woman ended up purchasing over $6,500 in gift cards that the scammer then stole. When she saw her boss a little while later, her boss knew nothing about the gift card request. The woman realized she was the victim of a scam.

 

Tips for Avoiding Costly Phishing Scams

Always Double Check Unusual Requests

Despite what a message might say about being unreachable, check in person or by phone anyhow. If you receive any unusual requests or one relating to money, verify it. Contact the person through other means to make sure it’s legitimate.

Databranch recommends using the SLAM Method to review your emails and act accordingly. Don’t know what the SLAM Method is? Click here to read all about it.

 

Don’t React Emotionally

Scammers often try to get victims to act before they have time to think. Just a few minutes of sitting back and looking at a message objectively is often all that’s needed to realize it’s a scam. Don’t react emotionally. Instead, ask whether the request seems real or whether it is out of the ordinary.

 

Get a Second Opinion

Ask a colleague, or better yet, your company’s IT service provider, to take a look at the message. Getting a second opinion keeps you from reacting right away. It can save you from making a costly judgment error.

 

Need Help with Employee Phishing Awareness Training?

Phishing keeps getting more sophisticated all the time. Are your employees up to date on their security awareness training?

Take training off your plate and train your team with cybersecurity professionals. We can help you with an engaging training program that helps your team change their behaviors to improve cyber hygiene.

Contact Databranch today at 716-373-4467 x 115 or info@databranch.com if you would like to learn more about our Breach Prevention Platform and Security Awareness Training with simulated phishing tests.

 

Article used with permission from The Technology Press.

 

Phishing. It seems you can’t read an article on cybersecurity without it coming up. That’s because phishing is still the number one delivery vehicle for cyberattacks.

A cybercriminal may want to steal employee login credentials, launch a ransomware attack, or possibly plant spyware to steal sensitive info. For a hacker, sending a phishing email can accomplish all of this.

80% of surveyed security professionals say that phishing campaigns have significantly increased post-pandemic.

Phishing not only continues to work, but it’s also increasing in volume due to the increase in remote workers. Many employees are now working from home and don’t have the same network protections they had when working at the office.

Why has phishing continued to work so well after all these years? Aren’t people finally learning what phishing looks like?

It’s true that people are generally more aware of phishing emails and have gotten better at stopping them. However, it’s also true that these emails are becoming harder to recognize as scammers evolve their tactics.

One of the newest tactics is particularly hard to detect: the reply-chain phishing attack.

What is a Reply-Chain Phishing Attack?

Just about everyone is familiar with reply chains in email. An email is sent to one or more people, one replies, and that reply sits at the bottom of the new message. Then another person chimes in on the conversation, replying to the same email.

Soon, you have a chain of email replies on a particular topic. It lists each reply one under the other so everyone can follow the conversation.

You don’t expect a phishing email tucked inside that ongoing email conversation. Most people are expecting phishing to come in as a new message, not a message included in an ongoing reply chain.

The reply-chain phishing attack is particularly insidious because it does exactly that. It inserts a convincing phishing email in the ongoing thread of an email reply chain. 

How Does a Hacker Gain Access to the Reply Chain?

How does a hacker gain access to the reply chain conversation? By hacking the email account of one of those people copied on the email chain.

The hacker can email from an email address that the other recipients recognize and trust. They also gain the benefit of reading down through the chain of replies. This enables them to craft a response that looks like it fits.

For example, they may see that everyone has been weighing in on a new product idea. So, they send a reply that says, “I’ve drafted up some thoughts on the new product, here’s a link to see them.”

The link will go to a malicious phishing site. The site might infect a visitor’s system with malware or present a form to steal more login credentials.

The reply won’t seem like a phishing email at all. It will be convincing because:

  • It comes from an email address of a colleague. This address has already been participating in the email conversation.
  • It may sound natural and reference items in the discussion.
  • It may use personalization. The email can call others by the names the hacker has seen in the reply chain.
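
One way to check a thread for the pattern described above (an added example, not from the original article): because the reply comes from a colleague's real address, the sender is no help, so the check flags a reply whose newly typed text introduces a link to a host not seen earlier in the thread and outside the organization's own domains. The function names, the sample messages and the `example.com` / `example.net` domains are constructed for illustration, and plain-text, single-part messages are assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>)]+", re.I)

SAMPLE_THREAD = [  # constructed messages, not real mail
    "From: Ana <ana@example.com>\nMessage-ID: <1@example.com>\n"
    "Subject: New product idea\n\nSpec draft is at https://wiki.example.com/spec\n",
    "From: Raj <raj@example.com>\nMessage-ID: <2@example.com>\n"
    "In-Reply-To: <1@example.com>\nSubject: Re: New product idea\n\n"
    "Looks good to me.\n> Spec draft is at https://wiki.example.com/spec\n",
    "From: Ana <ana@example.com>\nMessage-ID: <3@example.com>\n"
    "In-Reply-To: <2@example.com>\nSubject: Re: New product idea\n\n"
    "I've drafted up some thoughts, here's a link: "
    "http://files.example.net/thoughts\n> Looks good to me.\n",
]

def url_hosts(text):
    """Return the lower-cased hostnames of all http(s) URLs in text."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host)
    return hosts

def new_text(body):
    """Keep only lines the sender typed, dropping '>'-quoted earlier replies."""
    return "\n".join(l for l in body.splitlines() if not l.lstrip().startswith(">"))

def flag_thread(raw_messages, trusted_suffixes):
    """Walk a thread oldest-first and return (sender, host) pairs for replies
    that introduce a link host never seen before in the thread and not under
    any trusted domain suffix."""
    seen_hosts, seen_ids, alerts = set(), set(), []
    for raw in raw_messages:
        msg = message_from_string(raw)
        hosts = url_hosts(new_text(msg.get_payload()))  # assumes single-part text
        parent = (msg.get("In-Reply-To") or "").strip()
        is_reply = bool(parent) and parent in seen_ids
        for host in sorted(hosts - seen_hosts):
            trusted = any(host == s or host.endswith("." + s) for s in trusted_suffixes)
            if is_reply and not trusted:
                alerts.append((parseaddr(msg.get("From", ""))[1], host))
        seen_hosts |= hosts
        msg_id = (msg.get("Message-ID") or "").strip()
        if msg_id:
            seen_ids.add(msg_id)
    return alerts

if __name__ == "__main__":
    for sender, host in flag_thread(SAMPLE_THREAD, ["example.com"]):
        print(f"review reply from {sender}: new external link host {host}")
```

A hit is a prompt to verify with the sender through another channel, not proof of compromise, since colleagues do share legitimate external links.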

Business Email Compromise is Increasing

Business email compromise (BEC) is so common that it now has its own acronym. Weak and unsecured passwords lead to email breaches. So do data breaches that reveal databases full of user logins. Both are contributors to how common BEC is becoming.

In 2021, 77% of organizations saw business email compromise attacks. This is up 65% compared to the year before.

Credential theft has become the main cause of data breaches globally. 

The reply-chain phishing attack is one of the ways that hackers turn that BEC into money. They either use it to plant ransomware or other malware or to steal sensitive data to sell on the Dark Web.

Tips for Addressing Reply-Chain Phishing

Here are some ways that you can lessen the risk of reply-chain phishing in your organization:

  • Use a Business Password Manager: This reduces the risk that employees will reuse passwords across many apps. It also keeps them from using weak passwords since they won’t need to remember them anymore. Click here to learn more about our password manager solution, LastPass.
  • Put Multi-Factor Controls on Email Accounts: Present a system challenge (question or required code). Using this for email logins from a strange IP address can stop account compromise. You can learn more about MFA here.
  • Teach Employees to be Aware: Awareness is a big part of catching anything that might be slightly “off” in an email reply.  Many attackers do make mistakes. Our Security Awareness Training will give your employees the tools they need to identify threats. Click here to learn more.

How Strong Are Your Email Account Protections?

Do you have enough protection in place on your business email accounts to prevent a breach? Let us know if you’d like some help!

Databranch has a foundation security suite with systems in place to identify any anomalies before cyber criminals have a chance to do significant damage to your network. Contact us at 716-373-4467 x 15, info@databranch.com, or request more information below. 

 

Article used with permission from The Technology Press.

In 2020, 75% of companies around the world experienced a phishing attack. Phishing remains one of the biggest dangers to your business’s health and wellbeing because it’s the main delivery method for all types of cyberattacks.

One phishing email can be responsible for a company succumbing to ransomware and having to face costly downtime. As many as 92% of data breaches are due to human error such as falling for a phishing email. This can result in a user unknowingly handing over the credentials to a company email account that the hacker then uses to send targeted attacks to customers.

Phishing takes advantage of human error, and some phishing emails use sophisticated tactics to fool the recipient into divulging information or infecting a network with malware.

Mobile phishing threats skyrocketed by 161% in 2021.

Your best safeguards against the continuous onslaught of phishing include:

  • Email filtering
  • DNS filtering
  • Next-gen antivirus/anti-malware
  • Ongoing employee cybersecurity awareness training

To properly train your employees and ensure your IT security is being upgraded to meet the newest threats, you need to know what new phishing dangers are headed your way.

Here are some of the latest phishing trends that you need to watch out for in 2022.

PHISHING IS INCREASINGLY BEING SENT VIA TEXT MESSAGE

Fewer people are suspicious of text messages than they are of unexpected email messages. Most phishing training is usually focused on the email form of phishing because it’s always been the most prevalent.

But cybercrime entities are now taking advantage of the easy availability of mobile phone numbers and using text messaging to deploy phishing attacks. This type of phishing (called “smishing”) is growing in volume.

People are receiving more text messages now than they did in the past, due in large part to retailers and service businesses pushing their text updates for sales and delivery notices.

This makes it even easier for phishing via SMS to fake being a shipment notice and get a user to click on a shortened URL.

BUSINESS EMAIL COMPROMISE IS ON THE RISE

Ransomware has been a growing threat over the last few years largely because it’s been a big money-maker for the criminal groups that launch cyberattacks. A new up-and-coming form of attack is beginning to be quite lucrative and thus is also growing.

Business email compromise (BEC) is on the rise and being exploited by attackers to make money off things like gift card scams and fake wire transfer requests.

What makes BEC so dangerous (and lucrative) is that when a criminal gains access to a business email account, they can send very convincing phishing messages to employees, customers, and vendors of that company. The recipients will immediately trust the familiar email address, making these emails potent weapons for cybercriminals.

Enabling Multi-Factor Authentication (MFA) is one of the best ways you can protect yourself and your business from BEC. Reach out to Databranch with any questions or if you would like assistance setting up MFA for your company’s users.

SMALL BUSINESSES ARE BEING TARGETED MORE FREQUENTLY WITH SPEAR PHISHING

There is no such thing as being too small to be attacked by a hacker. Small businesses are targeted frequently in cyberattacks because they tend to have less IT security than larger companies.

43% of all data breaches target small and mid-sized companies, and 40% of small businesses that become victims of an attack experience at least eight hours of downtime as a result.

Spear phishing is a more dangerous form of phishing because it’s targeted and not generic. It’s the type deployed in an attack using BEC.

It used to be that spear-phishing was used for larger companies because it takes more time to set up a targeted and tailored attack. However, as large criminal groups and state-sponsored hackers make their attacks more efficient, they’re able to more easily target anyone.

As a result, small businesses are receiving more tailored phishing attacks that are harder for their users to identify as a scam.

THE USE OF INITIAL ACCESS BROKERS TO MAKE ATTACKS MORE EFFECTIVE

We just discussed the fact that large criminal groups are continually optimizing their attacks to make them more effective. They treat cyberattacks like a business and work to make them more profitable all the time.

One way they are doing this is by using outside specialists called Initial Access Brokers. This is a specific type of hacker that only focuses on getting the initial breach into a network or company account.

The increasing use of these experts in their field makes phishing attacks even more dangerous and difficult for users to detect.

BUSINESS IMPERSONATION IS BEING USED MORE OFTEN

As users have gotten savvier about being careful of emails from unknown senders, phishing attackers have increasingly used business impersonation. This is where a phishing email will come in looking like a legitimate email from a company that the user may know or even do business with.

Amazon is a common target of business impersonation, but it also happens with smaller companies. For example, there have been instances where website hosting companies have had client lists breached, and the clients on those lists were sent emails impersonating the hosting company and asking them to log in to an account to fix an urgent problem.

More business impersonation being used in phishing attacks means users have to be suspicious of all emails, not just those from unknown senders.

IS YOUR COMPANY ADEQUATELY PROTECTED FROM PHISHING ATTACKS?

It’s important to implement a multi-layered security strategy to defend against one of the biggest dangers to your business’s wellbeing: phishing attacks. Contact Databranch today at 716-373-4467 x 15 or info@databranch.com if you would like to learn more about what options are available to improve your organization’s cybersecurity. Our Foundation Security Plan offers a wide variety of benefits, such as increasing malware/ransomware protection, reducing phishing compromises, and helping prevent data theft/loss.

To request a free Baseline Security Assessment, click here.

 

Article used with permission from The Technology Press.
