
Phished credentials are growing…

We have discussed previously how small businesses are being targeted by cyberattacks, and back in June I published how malware was targeting at least 500K devices worldwide. Well, did you know that in the past year alone, credential phishing (the use of phished credentials) caused twice as many breaches as malware?

 

Some Background

The bad guys are always looking for ways to get your information, money, or anything else that may be useful to them. Malware has been the classic example in the past: ransomware, where all your information is encrypted on your disk and the bad guys ask for a ransom to decrypt it. This exercise requires coding the ransomware, or getting the code from the dark web, and spending hours testing it to make sure it does what it is intended to do. Once the ransomware is delivered and not stopped by antivirus or anti-malware applications, the next step is collecting the money. As you can see, this is a lot of work, and who wants to work hard and not get paid in the end?

In addition to that, users are getting more and more clever when using passwords. There are more people not reusing their passwords (my dream has come true). This has made it very difficult to “guess” or brute-force passwords, as they are no longer common.

 

A New and Easy Way

As a consequence of that, the bad guys have started to use more phishing techniques. Credential phishing is very simple: They send you a fake email that looks like it is coming from your bank, ATO, Centrelink, or even your IT Department or your boss! Because you are always in a rush, you open the email, click the link or attachment, and enter your credentials. And voila! You have just leaked your username and password to the bad guys without even knowing it.

You may think, “I don’t have anything important to hide, why should I care?” Well, let me ask you a few questions:

  • Do you use the same password for your personal email and at work?
  • Do you use the same password for your bank account?
  • Do you send or receive invoices by email, to pay or be paid?

 

If you answered ‘yes’ to any of the previous questions, then the bad guys can instruct your employee or accounting department to pay an invoice, which looks legit, but to a different bank account number. When you realize that the payment went to the wrong bank account, the money is already outside the country.

How easy is that?

 

What can I do?

Scammers are getting very sophisticated, using not only email but also phone calls to obtain payments. You can take the following precautions to guard against credential phishing attacks:

Be especially vigilant about emails requesting money or bank transfers and unexpected phone calls requesting personal information. If you receive an email requesting payment and the bank information has changed, call support immediately to verify before proceeding. Just because you receive an email from them does not mean they have not been compromised.

If your email system and account package support multi-factor authentication, enable it. If for whatever reason your password is leaked, the attacker will still need the second authentication factor to log in.

Be safe out there until next Malware Monday.

 
