It’s time we admit it to ourselves, that the bad guys who draft up phishing emails to capture logins are getting much more thrifty. They have become so crafty in fact that even I could be fooled by these increasingly clever email attacks, one of them almost got me.
The Email That Almost Had Me Fooled
This email appeared from a trusted client, who we worked with for several years. The message read, that this client sent me a private message that was ready for me to read. Included was a link for me to click to take me to the message, or so one would think. The scary part of this is, it’s not unusual behavior at all. This fits the normal back and forth style of communication we have used in the past. In this instance, I didn’t check the email tool-tips, as I always recommend for people to do. Instead, I went ahead and clicked the link, opening what read as “Encrypted by Microsoft Office 365.” Asking me immediately to verify my identity by inputting my email and password. It was just about this time, I decided to review the URL and to my surprise, it was filled with an unpronounceable assortment of random numbers and letters. It was at this point, I realized this was not a Microsoft page. I stopped right then, in a moment of over-reaction, I unplug my internet connection, and run my anti-virus; they didn’t get me.
This example shows just how far employee training can go, showcasing how internal training and vigilance has been and continues to be, the foundation layer of every IT Security Strategy.
Lay & Wait Phishing
Another example I’ve seen countless times, something so subtle your anti-virus and SPAM tool wouldn’t have seen it coming. I received an email, from what appears to be a legitimate domain, asking to confirm the information on a business card they received, as their call didn’t go through. Once again, this is typical communication we all see and hear every day. What caught me off guard, is I never send anyone a digital business card, so why would they be referring to a link? I quickly hovered over to find a fishy address, one correlated to another message in my SPAM folder. The first message, from a different sender, included an email attachment asking why they are receiving the following bill.
When it comes to these phishing scenarios, a cool head, and proper training can combat the ever-evolving phishing techniques used by many today, adding further protection to improve the margin for error at your business.
3 Layers of Protection That Should Be Part of YOUR Security Strategy
Given the reality, nearly security-minded people can be fooled by these scams, employee training should always be backed by multiple layers of security, so you can ensure client data is safe.
Consider the costly ramifications and damages when a business fails regulatory compliance, letting in ransomware and losing customer trust.
- When I was moments away from handing over credentials to a scammer, I can still take comfort in knowing I had 2-Factor Authentication (2FA), adding a required code to my login process. For the bad guys, they would have had to gain access to my phone, the moment the key was sent to me, otherwise logging in is useless. I prefer the functionality of Duo 2FA, it’s simple for users, making it an easy to use app, for employees or clients to login. Providing a barrier that can defend against the vast majority of attacks.
- Demonstrable protection for device security is essential for protecting and securing your business data. If data remains and attacks that infiltrate systems can still be thwarted, and breaches averted. Showcasing things like forensics on how, and where the attack started. How they were able to penetrate your other defenses, through recording of log files we shorten the time it would take to restore all data.
- Finally, the most important of the three layers. We need something with the ability to endure successful attacks and recover quickly from such a disaster. This means having a data backup system in place that’s both robust, 100% trustworthy, designed to specifically maintain your business continuity. For your data backup to have value, data should be restorable with minimal downtime, with the ability to isolate and immune other devices from falling prey to these attacks. In those worst-case scenarios, where production data is corrupted or systems are locked by ransomware, the ability to simply replace data from a backup, empowers you to take victory over the attackers. We’ve found immense reliability, and when these scenarios occur you will want a backup solution to simply work, it might not make you 100 percent bulletproof, but your ability to recover data with haste will be.
While we understand the reality, mistakes will happen, click on phishing emails or compromising security can leave you, and your customers scrambling and outraged. Take a stance against cyber-attacks, knowing your Managed IT Support has your back, with layers of security to ensure no harm can be done.
Call us today to begin talking about what approach to security, would be the best fit for your business.