By John Alec Stouras
In times of social anxiety, scammers always look to take advantage of the population at large. According to Wired, an online technology news outlet, during major events such as holidays and tax season, scammers often attempt to capitalize on people’s anxiety and lack of awareness (for the article, click here). Even the California wildfires that raged in years past involved a huge uptick in scammers trying to take people’s sensitive information (click here for the article). One of the main mechanisms for scammers is phishing. And phishing doesn’t stop during times like these.
The Federal Bureau of Investigation (F.B.I.) and the World Health Organization (W.H.O.) have both released warnings of phishing emails that are attempting to capitalize on the anxiety of COVID-19. Per Consumer Reports, often these emails will pretend to be from an official organization like the Centers for Disease Control and Prevention (C.D.C.) and act as if they have important information for you. For more information, click here.
Also, another scary thing is that per The Cyber Post, about 13% of all phishing attacks in 2020 are related to the COVID-19 pandemic (click here for more information). Further, there has been a significant spike in attacks since hackers know that everyone is at home sending information more than ever before. In order to avoid phishing, you have to figure out how phishing works.
Phishing is a method for hackers to access sensitive data and information on your system or network by using a fraudulent email (“email spoofing”) or other type of method like SMS (instant messaging). It relies on victims clicking on a link or downloading something from an email that looks legitimate, but in actuality is not. The step that makes phishing dangerous is downloading content, which allows the phishing email to deploy various threats like malware directly onto your computer. If you click on a link that contains one of the various types of threats, attackers can access almost all of the sensitive information on your computer. Think about everything you have sent and downloaded with your computer. It is one of the most pervasive communication systems available, especially with official documents being sent, received, and stored.
Cyber attackers do not need all of your info to complete other types of cyber-attacks and fraud. Often, users feel that they are safe merely because they didn’t enter any sensitive information like their credit card to the phishing email and therefore, they are fine. That could be true, but in most cases it is not. Simply clicking a link, or even submitting one piece of information like a password reset, is enough for scammers to attack you in a way that can lead to serious damages.
You have to avoid phishing attempts at all costs. When one system in a network is compromised, it likely will compromise the entire network. This is especially important when you are using your business network because you could lose more than just your personal information; it could sink the ship. Because there is no real snake oil cure to take care of phishing emails once and for all, I have created “The Avenues”. These avenues are ways to identify, assess, and act when seeing phishing attempts.
The Phishing Avenues
1. Secure Your Frontline
One of the first avenues small business owners should take is to secure their frontline defenses. Here, we are talking about antivirus programs, cybersecurity tools, and even using more secure forms of e-mail communications. Cybersecurity tools are offered by some of the major cybersecurity firms such as McAfee and Norton. Often, these tools can assess documents before you download them, and also identify potentially dangerous websites before the link sends you to the phishing source. Often, the email service you use already assists with identifying potentially harmful emails, but it is important to always have additional lines of defense, especially when we are talking about your private information.
Further, always make sure you update your system software on all devices you use. Often, system updates are created to improve security systems through patches. For steps of updating your system software, click here. Though updates are basic, they can actually keep vulnerabilities secure.
2. Be Proactive, Assess
Be proactive and assess emails, links, and downloads prior to clicking on them. Though your cybersecurity software can help you out, it is ultimately your decision on whether you need to open a document or link. Even if you feel like you know the source, scammers have disguised many emails to look as if they are from legitimate sources. Per the Consumer Reports article above, scammers often disguise emails to appear as if they are from the CDC and even your Human Resources (H.R.) department at your work. Always check where the email came from (so look at the email address “From”), and not just the headliner of the email sent to you.
CNET has an article on how to spot phishing emails (click here for the full article). There are typically four signs that the article identifies:
· 1. The “to” line in the email sent to you is blank and therefore did not actually come from the source it suggests.
· 2. Bad grammar and spelling, as large companies and official organizations have professional editors for email communications and wouldn’t make such simple mistakes.
· 3. Your name is missing and it simply offers a hello. Often the real company has your name associated with the email and would include your actual name.
· 4. Not actually having an account with them. Often it is a scare tactic to make you feel as if you did not create an account and therefore click on a button to clear up the mistake.
Often, other phishing emails that look real will state things such as “Verification of Account”, “Account Compromised”, “15% Off Deal Waits”, “Delivery En Route” and use other deceptive wording that looks surprisingly real.
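The signs above that can be read straight from a message (the blank “to” line, the real “From” address behind the display name, the lure wording, the greeting with no name) can also be checked mechanically. The following is an added example, not part of the original article: the function name, the domain list and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject wording the article lists as common lures (lower-cased for matching).
LURE_SUBJECTS = ("verification of account", "account compromised",
                 "deal waits", "delivery en route")
# Assumption: organisations you expect mail from, mapped to their real domains.
KNOWN_DOMAINS = {"cdc": "cdc.gov", "who": "who.int"}
GENERIC_GREETING = re.compile(
    r"^\s*(hello|hi|dear (customer|user|sir|madam))\s*[,!.]?\s*$", re.I)


def phishing_signs(raw_email):
    """Return the warning signs found in one raw email message (headers + body)."""
    msg = message_from_string(raw_email)
    signs = []
    if not (msg.get("To") or "").strip():
        signs.append("blank To line")
    # Compare the real From address with the organisation the display name claims.
    display, address = parseaddr(msg.get("From") or "")
    domain = address.rpartition("@")[2].lower()
    for org, real in KNOWN_DOMAINS.items():
        claimed = re.search(rf"\b{org}\b", display, re.I)
        if claimed and domain != real and not domain.endswith("." + real):
            signs.append(f"sender claims {org.upper()} but address is @{domain}")
    subject = (msg.get("Subject") or "").lower()
    if any(lure in subject for lure in LURE_SUBJECTS):
        signs.append("lure wording in subject")
    # A first line that offers a hello but no name matches GENERIC_GREETING.
    body = msg.get_payload() if not msg.is_multipart() else ""
    first_line = next((l for l in body.splitlines() if l.strip()), "")
    if GENERIC_GREETING.match(first_line):
        signs.append("greeting without your name")
    return signs


# Constructed sample messages (not real emails).
SAMPLE_PHISH = ("From: CDC Health Alert <alerts@cdc-gov.example>\n"
                "To:\n"
                "Subject: Account Compromised - act now\n\n"
                "Hello,\nClick the button below to verify your account.\n")
SAMPLE_OK = ("From: CDC Newsroom <news@emails.cdc.gov>\n"
             "To: dana@smallbiz.example\n"
             "Subject: Weekly update\n\n"
             "Hello Dana,\nHere is this week's summary.\n")

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(name, phishing_signs(raw))
```

Bad grammar and whether you actually hold an account with the sender still need a human reader, so a clean result from a check like this is not proof that a message is legitimate.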
A simple three-step questionnaire for you to spot scammers is this:
· 1. Is the sender suspicious? (Do you not know the number or email address it was sent from?)
· 2. Is the language unusual? (bad grammar, weird sentence format, suspiciously enticing?)
· 3. Is this an unexpected request? (nothing from what you know prompted this request)
The most common general advice you will get is “think before you click.” This is extremely sound advice when dealing with anything online related.
Lastly, if you really do not know if it is a scam or it is legitimate, feel free to contact the company that is allegedly contacting you to make sure. It definitely doesn’t hurt calling their customer service to clarify if you actually need to update your card information, username, or password.
3. Stay Informed
Keep in your news feed various news sources that keep up-to-date information on the latest cybersecurity attacks and phishing attempts. Often, tech news networks like Wired and CNET will keep up-to-date information on various new phishing attempts. Further, official organizations that are on notice of phishing problems involving the use of their name will post to their homepage about a new phishing attempt, as seen with the WHO above. Therefore, if you see a suspicious email, check the company website of the email that is allegedly from that organization. It may contain information about a potential phishing attempt.
But let’s say you don’t know a breach has occurred, or maybe you have heard of a breach in passing but have no idea if your data was compromised. A really good website called haveibeenpwned? helps Internet users find out if their data has been compromised in the event of a breach. It does so by finding the data dump and looking at which users have been affected. The website was created by cybersecurity experts and is trustworthy. I even use it to see if a data breach occurred in a company that has my personal information.
4. Seek Help: Cybersecurity and Legal
I’ve already referenced some cybersecurity methods that could assist you and your small business from falling prey to scammers and phishing attempts; however, it is also important to know that phishing is covered by many different laws. The two common federal crimes scammers who use phishing get slapped with are wire fraud and identity theft.
Wire fraud is using a device that sends information across state lines in an attempt to defraud someone. It is important to know that what they are doing is criminal and there are repercussions for their actions. The hard truth is it is often very difficult to find and prosecute phishers, so often you do not have the ability to seek this route as a remedy. How is it so difficult? Don’t all computers have IP addresses? Of course, but the problem is the IP addresses scammers and attackers use are almost always proxy IPs. That means the IP is connected to a different system they’ve already compromised and will likely not track back all the way to the identity of the scammer themselves. Moreover, there are methods for attackers to switch their IPs.
But hope is not lost. If your system has been compromised by a phishing attempt, there are a couple of steps you can take. First, screenshot the phishing email and send it to the organization it is pretending to be. Next, report the incident to the FBI’s Internet Crime Complaint Center, so the government is on notice of a widespread phishing attack. Then, scan your computer to see if there are any viruses left. Make sure you begin the process of changing your usernames and passwords immediately to ensure that some of your accounts are not compromised. Additionally, file a report with the F.T.C. (Federal Trade Commission) as they will tell you how to navigate the process of stolen credit. And lastly, contact your financial institution to make sure your business account can be frozen and you can receive a new account number.
Wrapping It All Up
Being paranoid about phishing attempts does not help that much. But being aware and keeping vigilant is important. Keeping your eyes peeled can protect not only your personal accounts, but also your business accounts. Because your business makes money, and a good amount of it, small businesses and their coffers are prime targets for a phishing attack. Often, attackers also implement ransomware tactics to make it seem like they already have sensitive or defamatory information on you and will request money to make sure “it isn’t leaked.” The best response to ransom tactics is to not respond. I know, a bit counterintuitive, but it pays off in dividends.
These four steps are not exhaustive. But, they’ll get you started for establishing a safer, stronger, and more secure Internet presence.