Author: Mario Chilin
With the ever-growing threat of viruses, malware, and ransomware targeting the financial industry lately, I want to remind everyone how easily cyber-criminals can bypass regular anti-virus solutions with a technique called phishing. Here are some tips and pointers, on a few other subjects too, that pertain to our industry.
What is phishing?
Most of the attacks on financial institutions in the past 3 years have NOT been brute-force attacks on firewall appliances; they have come through acquiring users’ passwords, a technique called “Phishing”. A phishing scam is basically an email that leads you to a link that downloads a file to your computer, which bypasses regular anti-virus and records your keystrokes. Or the email could contain a link that leads you to a website asking for your personal information. Here is some great info on phishing that is very “non-techy” friendly.
Types of Phishing Scams and Attacks
Email Phishing: BEWARE Before Clicking a Link Contained in an Email
- Emails that say “You have received a Fax”
This type of phishing email has become very common lately. Please keep this in mind: *Please make sure, and double check, that you are expecting an electronic fax from someone. Do NOT open these emails if you have not verbally confirmed that someone is sending you a fax.*
These emails may look real, but the best practice is to verbally confirm that a person or business is going to send you an electronic fax. If you see one of these emails stating “URGENT-You Have Received a Fax” or something along these lines and you are not expecting an electronic fax, please delete it immediately.
- Emails from Fidelity, Schwab, TD, Bank of America, Chase Bank Etc…
I have seen phishing emails with Fidelity, BofA, eBay, and Schwab logos in the past couple of years, so beware. We all do business with these companies, so these ones will be especially tricky. Please refer to the screenshot below to help you determine whether these emails are genuine.
- Spelling and Bad Grammar
Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have a staff of copy editors that will not allow a mass email with spelling errors and bad grammar to go out to its users.
- Beware of Links Contained in an Email
If you see a link in a suspicious email message, don't click on it. Rest your mouse on the link (but don't click) to see whether the address it actually goes to matches the address shown in the message. In the example below, hovering reveals the real web address: a string of cryptic numbers that looks nothing like the company's web address.
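The "hover and compare" check above can also be done automatically over the HTML of a message. The script below is an added example, not part of the original post: it pulls every link out of an HTML email body, compares the address the reader sees with the address the link really goes to (comparing only the last two labels of each host name, a simplification that assumes no public-suffix list), and flags links whose target is a bare IP address, the "string of cryptic numbers" the post describes. The sample message, the bank name example-bank.com and the address 192.0.2.55 are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A bare IPv4 host, the "string of cryptic numbers" the post describes.
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Anything in the visible link text that reads like a web address.
URLISH_TEXT = re.compile(r"(?i)\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def registrable_part(host):
    """Last two labels of a host name (simplification: no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Return the reasons a link disagrees with what the reader sees, or [] if none."""
    reasons = []
    real_host = urlparse(href).hostname or ""
    if IP_HOST.match(real_host):
        reasons.append("link target is a bare IP address: %s" % real_host)
    shown = URLISH_TEXT.search(text)
    if shown:
        shown_url = shown.group(0)
        if "://" not in shown_url:
            shown_url = "http://" + shown_url
        shown_host = urlparse(shown_url).hostname or ""
        if registrable_part(shown_host) != registrable_part(real_host):
            reasons.append("text shows %s but link goes to %s"
                           % (shown_host, real_host or href))
    return reasons


def scan_email(html):
    """Return [(href, reasons)] for every link that raised at least one reason."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message: example-bank.com and 192.0.2.55 are placeholders.
SAMPLE_EMAIL = """
<p>Dear customer, your account needs attention. Please
<a href="http://192.0.2.55/login">log in at https://www.example-bank.com</a>
to verify your details.</p>
<p>Need help? Visit <a href="https://www.example-bank.com/help">www.example-bank.com</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

On the sample message only the first link is reported, with both reasons; the help link, whose visible text and target agree, passes. Links whose text is plain words ("Click here") get only the IP-address check, since there is no displayed address to compare against.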
How to Prevent Phishing
- Password Complexity and Password Rotation
Trust me, I know it’s a pain to constantly change your password and to include a special character, a capital letter and a specific length, but I cannot stress enough how important it is to make your password strong and complex, and to change it at least every ninety days. These days it is very easy for a cyber-criminal to extract an easy password; the more complex you make it, with special characters, text mixed with numbers, and a mixture of upper case and lower case letters, the harder it is to extract with the software tools they use and distribute amongst themselves. If your password is more than 9 characters long, with a mixture of numbers, upper and lower case letters, and special characters, this will slow the cyber-criminal down and eventually frustrate them, and at that point they will give up and look for another victim. This is why password length and complexity are so important.
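To put numbers behind the "length and complexity slow the attacker down" point, here is an added example (not from the original post): it checks a password against the rule the post gives (more than 9 characters, all four character classes) and computes how many candidates an exhaustive guesser would have to try for a given length and set of character classes, converted to years at an assumed guess rate. The rate of 10 billion guesses per second is a constructed illustration, not a measurement of any real tool.

```python
import string

# The four character classes the post lists: lower case, upper case,
# numbers and special characters.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_policy(password, min_length=10):
    """The post's rule: more than 9 characters and a mixture of all four classes."""
    return len(password) >= min_length and classes_used(password) == set(CLASSES)


def search_space(length, class_names):
    """Number of candidates an exhaustive guesser must try for this length and alphabet."""
    alphabet = sum(len(CLASSES[name]) for name in class_names)
    return alphabet ** length


def years_to_exhaust(length, class_names, guesses_per_second=1e10):
    """Worst-case time to try every candidate at an assumed guess rate
    (1e10 guesses/s is an illustrative figure, not a real measurement)."""
    seconds = search_space(length, class_names) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["password", "Passw0rd!", "Tr0ub4dor&3"]:
        print("%-14s policy ok: %-5s classes: %s"
              % (pw, meets_policy(pw), sorted(classes_used(pw))))
    for length, names in [(8, ["lower"]), (8, list(CLASSES)),
                          (10, list(CLASSES)), (14, list(CLASSES))]:
        print("length %2d, classes %-26s ~%.3g years"
              % (length, ",".join(names), years_to_exhaust(length, names)))
```

Running the table shows the effect the post describes: going from 8 lower-case letters to 10 characters drawn from all four classes multiplies the search space by hundreds of millions, and each extra character multiplies it again by the alphabet size. The figures are worst-case exhaustive search; a password that appears in a leaked list falls far sooner regardless of its length, which is why the classes have to be genuinely mixed rather than a dictionary word with one digit appended.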
- Do NOT leave your password on a post-it in plain sight on or near your desk, and DO NOT let anyone remotely access your computer
This may seem silly, but it is very, very important; I have seen this unsafe practice many times in the years I have been doing support. Remember, office cleaning crews, house cleaners, gardeners, plumbers, electricians, anyone who has access to your home or office: if your password is visibly stuck to your monitor, or on a post-it anywhere on your desk, this completely nullifies password security. If you need a reminder of your password, do not write it on a piece of paper; store it electronically. Put it in a note on your phone (because your phone locks), email it to yourself and keep the email easily accessible, ideas like this. Also, DO NOT SHARE YOUR PASSWORD WITH ANYONE. NO ONE should be asking for your computer password, or asking if it is OK to remotely access your computer. You may get a call from someone claiming to be from “Microsoft” who says they have detected a virus on your computer and need remote access to clean it: DO NOT BELIEVE THEM AND HANG UP THE PHONE IMMEDIATELY. If a virus is detected on your computer, only the software installed on your computer will alert you. A call like this is fraudulent; hang up immediately. To recap: if a website, an email, or a caller asks you for your password or for remote access, do NOT give it to them under any circumstances.
Below are some examples of emails that use the phishing technique, and they contain some good info on how to identify these emails. Happy web-surfing everyone, and please stay safe out there on the WWW (the Wild, Wild Web).
More Phishing Examples: