Someone Clicked a Bad Link!
There are several common issues that we see as a Managed IT Services Provider.
At times we identify issues within our own processes and use them as an opportunity to improve. Often we will find a new and better tool via a webinar, conference, or vendor product demo. But the most common issues we see relate to pain points we hear about when talking to prospective customers—and we hear many of the same things repeatedly. Through this series of blog posts, we will examine some of these common items and talk about how you can deal with them.
Unfortunately, we’ve all seen them…poorly spelled or formatted emails asking us to log in for various reasons. These are a danger to us in a personal setting, as credit card, banking, or identity theft are very real threats. However, this blog post will focus primarily on business applications…although many of the malicious techniques are very similar.
While it can be quite easy to spot some phishing attempts, others are very intricate and can easily deceive someone who is distracted or not versed in what to look for. Emails can appear to be from vendors or other business partners. Fake Microsoft emails are very common. There are numerous examples, but in a business setting a frequent, if more targeted, technique is to impersonate a person of some status within the company. For example, an HR representative asking staff to log in and accept a new company policy is not unusual in many workplaces, and is, in turn, a juicy lure for criminals.
The sender address appears correct and the content is reasonably formatted. Only on examining the link (by hovering the mouse over it) does it reveal itself as a threat: the text you see is not the address the link actually goes to.
Unfortunately, this is even more difficult on mobile, as many mail apps will not let you “preview” the link. It only takes one person in an organization to mistakenly click and log in for credentials to be stolen. (Good advice for mail on the phone is that if it is asking you to log in, do a double check from a mouse and keyboard.)
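The “mouse over” check above can also be automated on the mail server or gateway side. The following is an added example, not code from the original post: it pulls every link out of an HTML message body and flags those whose visible text names one host while the real target goes somewhere else, or whose text mentions a trusted company domain while the target is outside it. The message body, the `.test` hosts, and the `example.com` trusted domain are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self._href, self._text, self.anchors = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:        # only collect text inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "https://" + value
    return (urlparse(value).hostname or "").lower()


def _under(host, trusted):
    return any(host == t or host.endswith("." + t) for t in trusted)


def suspicious_links(html_body, trusted_hosts):
    """Return (visible text, href) pairs that fail the 'mouse over' check."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.anchors:
        target = _host(href)
        # Visible text that is itself a URL/domain must point at that host.
        shown = _host(text) if "." in text and " " not in text else ""
        mentions_trusted = any(t in text.lower() for t in trusted_hosts)
        if shown and shown != target:
            flagged.append((text, href))      # display URL != real URL
        elif mentions_trusted and not _under(target, trusted_hosts):
            flagged.append((text, href))      # our brand, someone else's site
    return flagged


# Constructed sample message: two lures and one legitimate link.
SAMPLE_EMAIL = """<p>Please review the updated policy at
<a href="https://hr-example-com.login-portal.test/accept">https://hr.example.com/policies</a>
or <a href="https://portal.example.com/policies">the HR portal</a>.</p>
<p>Questions? <a href="https://evil.test/help">Contact example.com HR</a></p>"""
TRUSTED = {"example.com"}
```

A link whose text says nothing about where it goes (“Accept policy”) is not flagged by this check alone, which is exactly why user training still matters.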
The consequences of stolen credentials will vary. At worst, a person has access to company files/records and mass damage can be done. Some estimates show cyber criminals have stolen more than $12 billion from companies over a five-year span using phishing attacks. Often these come in the form of a ransomware attack, which encrypts data and demands payment for the data to be unlocked. For businesses without proper backups, this can literally mean the end of the business—studies show that over half of small-to-medium businesses are forced to close their doors after being extorted in this manner.
Except for businesses with the most robust types of backups, even those that are able to recover data without paying the ransom will lose hours to days of productivity as their systems are rebuilt. In short, it’s often a nightmare.
Training is a common and effective solution. The goal of phishing is to exploit human error, which, unfortunately, is more common than security gaps in computers (at least for well-positioned machines). One of our partners, KnowBe4, calls their product “Human Firewall Training”, and for good reason! There are other, more reactive, methods of defense and products as well. Both are in play for a quality, layered defense against phishing.
If you would like to explore what is out there for phishing training and other cyberdefense products, we would love to help! We have a variety of products that can fit your SMB’s budget. Click on Contact Us! and ask!