Special Report: The Anatomy of a Phishing Scam

In October 2016 CNN reported, “A phishing email sent to Hillary Clinton campaign chairman John Podesta may have been so sophisticated that it fooled the campaign's own IT staffers, who at one point advised him it was a legitimate warning to change his password.”[1] In March 2017, the campaign of Emmanuel Macron, now President of France, was hacked using a phishing scam that dumped numerous records into the public domain just days before the election.

High-profile politicians are not the only targets: American businesses of all sizes are now under siege. From 2013 to 2016, American businesses were scammed out of $1.6 billion, or $500 million per year. And those are just the cases that were reported to and investigated by the FBI; many businesses don’t report cybercrime at all.

What are Phishing Emails and Why are They So Effective?

Phishing emails are fraudulent emails that use social engineering (psychological manipulation) to trick the recipient into one of the following:

  1. Giving up sensitive financial information
  2. Transferring large sums of money to criminals
  3. Installing malware such as ransomware on your company’s network

Anyone can be fooled

Imagine getting an email from a trusted vendor requesting payment to a new bank account. The email looks exactly like the invoices you’ve received in the past and contains enough information about your relationship with the vendor to appear credible. See below.

You’ll notice the cleverly disguised links that redirect you to a fake website. At first glance, these links look like legitimate addresses, but once you hover over them the real address is revealed.
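As an added illustration (not code from the original report), this Python script does automatically what hovering over a link does by hand: it pulls every link out of an HTML email body and flags those whose visible text shows one domain while the href actually leads to another. The sample message and all of its domains are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (placeholder domains): the first link's text shows the vendor's domain, its href does not.
SAMPLE_EMAIL = """<p>Invoice #1234 is attached. Please pay at
<a href="http://secure-payments.example.net/login">https://www.acme-vendor.example.com/pay</a>
or write to <a href="mailto:billing@acme-vendor.example.com">billing@acme-vendor.example.com</a>.</p>"""
_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def _strip_www(host):
    return host[4:] if host.startswith("www.") else host

def _shown_host(text):
    """Domain a reader sees in the link text, or None if the text shows none."""
    match = _DOMAIN_RE.search(text)
    return _strip_www(match.group(1).lower()) if match else None

def _href_host(href):
    """Domain the link really leads to; mailto: links use the address's domain."""
    try:
        parts = urlparse(href)
    except ValueError:
        return ""
    if parts.scheme == "mailto":
        return _strip_www(parts.path.rpartition("@")[2].lower())
    return _strip_www((parts.hostname or "").lower())

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []  # links holds (href, visible text)
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_disguised_links(html):
    """Return (visible_text, href) pairs whose shown domain differs from the real one."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(text, href) for href, text in collector.links
            if _shown_host(text) not in (None, _href_host(href))]
```

Links whose text shows no domain at all ("Click here") are not flagged, because there is nothing on screen for the href to contradict; a gateway filter would treat those by reputation of the href host instead.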

Cybercrime is an ever-evolving threat to American businesses

Phishing emails are designed to bypass your anti-virus, anti-malware, and firewall and to play on the recipient’s fears, usually by threatening action such as disabling your account.

The best defense is to take a proactive, risk-based approach to your data and network security.

Here’s what you can do today to protect your profits, reputation, employees, and vendors:

  1. Share the information in this email with your employees today. It’s important to start a conversation with them about phishing email scams, engage in regular training sessions to help them spot a phishing email, and put a reporting mechanism in place so your IT department is made aware of the issue.
  2. Beef up your firewall with Unified Threat Management (UTM) that includes:

  • Intrusion Prevention Service
  • WebBlocker
  • Gateway AntiVirus
  • Reputation Enabled Defense
  • Network Discovery
  • SpamBlocker

  3. Don’t allow your employees to shop, visit social media sites, or check their personal email from any device that is on your network. This includes laptops, mobile phones, and tablets.
  4. If you get a request for payment from a vendor to a new bank account, call the vendor to confirm (but don’t use the phone number given in the email, and don’t respond directly to the email).
  5. If the CEO of your company sends you a request to pay a consultant you’ve never met, call the CEO to confirm.
  6. Have a data and network security assessment completed. You may have security risks that you’re not aware of.
  7. Make sure you have a business continuity plan in place that includes instant recovery of your data, files, network, applications, and servers.

[1] http://www.cnn.com/2016/10/28/politics/phishing-email-hack-john-podesta-hillary-clinton-wikileaks/index.html