{"id":14585,"date":"2019-02-13T10:10:11","date_gmt":"2019-02-13T18:10:11","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/02\/13\/news-8335\/"},"modified":"2019-02-13T10:10:11","modified_gmt":"2019-02-13T18:10:11","slug":"news-8335","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/02\/13\/news-8335\/","title":{"rendered":"Businesses: It&#8217;s time to implement an anti-phishing plan"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Wed, 13 Feb 2019 16:54:28 +0000<\/strong><\/p>\n<p>Businesses: phishers aren\u2019t just coming for you. They\u2019re coming for your employees and your customers, too.<\/p>\n<p>Phishing attacks are <a href=\"https:\/\/mashable.com\/article\/phishing-attacks-are-rising\/#Gen6LbI4iZq9\" target=\"_blank\" rel=\"noopener\">on the rise this year<\/a>, thanks in part to massive Emotet and TrickBot campaigns, which make use of phishing emails to deliver their payloads. If you don&#8217;t already have one in place, then it&#8217;s time to implement an anti-phishing plan.<\/p>\n<p>Where phishes are concerned, it doesn\u2019t matter if the technique being used <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/sly-criminals-package-ransomware-malicious-ransom-note\/\" target=\"_blank\" rel=\"noopener\">is revolutionary<\/a> or old hat. Somebody, somewhere is going to fall for it. It&#8217;s up to you and your employees to ensure that your business is secure, and that your customers are performing safe email practices, too.<\/p>\n<p>If your customers are logging into fake portals, eventually they\u2019re going to tie up your support channels asking for help, refunds, reorders, and more. If your employees are being stung, they open the door to data theft, network infiltration, ransom demands, spying, and a massive dent in your company&#8217;s reputation to boot.<\/p>\n<p>All of these are poor directions to head in. 
So let&#8217;s first take a look at some of the targets of phishing campaigns. Then, we&#8217;ll talk about what your employees and customers can do to identify a phish.<\/p>\n<h3>Targets for phishers<\/h3>\n<p>The<span class=\"Apple-converted-space\">\u00a0<\/span><em>2018 Phishing Trends &amp; Intelligence Report<\/em> (<a href=\"https:\/\/info.phishlabs.com\/hubfs\/2018%20PTI%20Report\/PhishLabs%20Trend%20Report_2018-digital.pdf\" target=\"_blank\" rel=\"noopener\">PDF<\/a>) from PhishLabs stated that Email\/Online Services were the top targeted industry in the second half of 2017 by a margin of 26.1 percent, with a high concentration of phishing URLs mimicking Microsoft Office 365 login pages.<\/p>\n<p>Office 365 is enormously popular for businesses, with Microsoft <a href=\"https:\/\/www.windowscentral.com\/there-are-now-12-billion-office-users-60-million-office-365-commercial-customers\" target=\"_blank\" rel=\"noopener\">revealing in 2016<\/a>\u00a0that it has:<\/p>\n<ul>\n<li>60 million active commercial customers<\/li>\n<li>50,000 small business customers added every month<\/li>\n<li>340 million downloads of its mobile app<\/li>\n<\/ul>\n<p>As our\u00a0<a href=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2019\/01\/2019-state-malware-report-trojans-cryptominers-dominate-threat-landscape\/\" target=\"_blank\" rel=\"noopener\">2019 State of Malware report<\/a>\u00a0shows, there\u2019s no real sector of industry left alone by malware attackers. Trojans (which include Emotet and TrickBot) lured in targets in manufacturing, education, and retail in 2018 with phishing emails. And ransomware, which is also a popular payload of phishing attacks, crippled organizations in government, as well as education, manufacturing, and retail.<\/p>\n<p>Outside of those verticals, however, phishers know that every business is sitting on something juicy: personally identifiable information (PII). 
Just about any organization in any vertical is sitting on databases of customer names, emails, and their payment details.<\/p>\n<p>That\u2019s a huge number of potential targets at which to aim.<\/p>\n<h3>What should we do?<\/h3>\n<p>While it\u2019s nearly impossible to predict every threat model, or what an attacker may want with your company&#8217;s data, you can better thwart phishing attacks by putting in place a clear anti-phishing plan. There\u2019s never been a better time to start beefing up your <a href=\"https:\/\/blog.malwarebytes.com\/101\/2016\/03\/how-to-create-a-successful-cybersecurity-policy\/\" target=\"_blank\" rel=\"noopener\">cybersecurity policy<\/a> for employees, as well as update your website with solid anti-phishing tips for your customers.<\/p>\n<p>If you&#8217;re short of a few ideas on how to help your employees and customers identify phishing attempts, we have a handy introductory list below.<\/p>\n<h3>Anti-phishing tips for your employees<\/h3>\n<ol>\n<li>Attachments aren\u2019t always a guarantee of malware. Often, phishers will send perfectly clean files as an additional confidence trick. \u201cPlease fill this in and send it back,\u201d they\u2019ll say. Having said that, many phish campaigns will happily try to backdoor a network with a rogue file alongside a phish attempt. When in doubt, do not open the file. Instead, try to contact someone you know from the organization listed in the email to confirm.<\/li>\n<li>Mobile devices are particularly at risk from <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/06\/barclays-bank-customers-targeted-phishers\/\" target=\"_blank\" rel=\"noopener\">lengthy scam URLs<\/a>, as the visible portion may be tailored to appear legitimate, but the rest of it\u2014which would give the game away\u2014is hidden offscreen. Employees checking email on their phones or browsing the Internet should always review the whole URL before clicking. 
If it looks suspicious, or uses numbers or peculiar letters in place of what you\u2019d expect to be there, it\u2019s best to leave immediately.<\/li>\n<li>Dubious apps are also a <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/05\/google-docs-app-spam-goes-phishing\/\" target=\"_blank\" rel=\"noopener\">potential problem<\/a>, so it\u2019s best to review apps you plan to install on your work mobile device or desktop with a hawk eye. Are the logos the same? Does the user experience match what you&#8217;d expect?<\/li>\n<li>Promoted content on social media can <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2016\/10\/promoted-tweet-leads-to-credit-card-phishing\/\" target=\"_blank\" rel=\"noopener\">lead to phishing<\/a>, and it\u2019s worth advising all employees and customers to be wary of this\u2014especially as ads tend to be targeted to your interests (thanks, <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/01\/what-does-consent-to-tracking-really-mean\/\" target=\"_blank\" rel=\"noopener\">trackers<\/a>). While you may not want to prohibit use of social media at work entirely (especially as it&#8217;s part of the job for many folks in marketing), recommending that users not engage on social media from work devices, or limiting their engagements to work-specific tasks, could help thwart phishing attempts.<\/li>\n<li>Bit of a niche one, but you may wish to advise employees not to waste spammer&#8217;s\/phisher\u2019s time with <a href=\"https:\/\/blog.malwarebytes.com\/101\/2018\/09\/5-safe-ways-to-get-back-at-spammers-a-guide-to-wasting-time\/\" target=\"_blank\" rel=\"noopener\">any of these tactics<\/a>\u00a0during work hours. Using personal accounts is all fun and games, but replying with anything work-related could go terribly wrong. 
The bad guys know your work mail exists for one thing, and they\u2019ll either spam it hard, send you more junk, or go after your business even more than they were already.<\/li>\n<\/ol>\n<h3>Anti-phishing tips for your customers<\/h3>\n<ol>\n<li>Look at some anti-phish pages from the biggest brands. You\u2019ll notice that they all mention the most obvious forms of attack. If you\u2019re eBay, you\u2019re going to see customers sent fake auction missives, or \u201cproblem with your auction\u201d attacks. If you\u2019re Steam, it\u2019ll be \u201cproblems with your marketplace item\u201d or free game keys. A bank? It\u2019ll be bogus re-authentication mails. For Apple, it\u2019ll be issues with pending refunds for items they don\u2019t remember purchasing. This is how you should lead the charge.<\/li>\n<li>Point out that the presence of a padlock isn\u2019t a guarantee the site they\u2019re on is real. Certificates for websites are easily obtained for free these days, and scammers are taking full advantage of it. It may have been useful to tell people \u201cAvoid sites with no padlock because it isn\u2019t real\u201d years ago, but the game has changed and so must our messaging.<\/li>\n<li>Warn them about bad spelling, errors in formatting, and email addresses in the \u201cFrom\u201d field which look suspicious. Also mention that many phishers spoof the \u201cFrom\u201d field, so a familiar-looking sender address isn\u2019t a guarantee of safety either. Perhaps the formatting and design are different from what you usually receive from an organization. Maybe the logo looks pixelated or the buttons are different colors. The possibilities are endless.<\/li>\n<li>Desperation is a surefire sign that something may be wrong. It\u2019s panic buying, but not as we know it. 
Emails claiming a tight time limit to log in and perform an action, alongside the threat of losing X or Y forever, are a good sign of bad things afoot.<\/li>\n<li>Warn them off emails asking for additional personal information (and if your organization sends such emails, try to wean yourself off this practice, too). Emailing links to sites that ask for logins is bad practice. Train your customers and employees out of this habit. If they won\u2019t click links asking for information, the battle is halfway won.<\/li>\n<li>If the URL shown in the email and the URL that appears when you hover over the link differ from one another, treat the message as suspect. An oldie, but goodie.<\/li>\n<\/ol>\n<h3>My business uses Office 365, what else can I do?<\/h3>\n<p>Microsoft has a <a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/security-best-practices\" target=\"_blank\" rel=\"noopener\">handy list of security suggestions<\/a> for you to deploy on your network. Suggestions include:<\/p>\n<ul>\n<li>A <a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/office-365-secure-score\" target=\"_blank\" rel=\"noopener\">secure score rating<\/a> for your network<\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/admin\/security-and-compliance\/multi-factor-authentication-plan\" target=\"_blank\" rel=\"noopener\">Multi-factor authentication<\/a> plans<\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/admin\/manage\/customer-lockbox-requests\" target=\"_blank\" rel=\"noopener\">Secure lockbox requests<\/a> for customers<\/li>\n<\/ul>\n<h3>And finally<\/h3>\n<p>Google has come up with a short, fun, and difficult <a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/43zgmw\/google-jigsaw-phishing-quiz\" target=\"_blank\" rel=\"noopener\">anti-phishing test<\/a>. It&#8217;s a fantastic way to experience some common phishing techniques safely. 
There aren&#8217;t many ways to experience real phishing examples in a safe environment, so it&#8217;s well worth having a go. You&#8217;ll likely find that there are a few tactics in there you haven&#8217;t seen before, and it&#8217;s always a good idea to test your employees on some left-field phishing techniques. However you choose to go about putting together an anti-phishing plan for your organization, we wish you many years of safe emailing ahead.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/101\/2019\/02\/business-anti-phishing\/\">Businesses: It&#8217;s time to implement an anti-phishing plan<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/101\/2019\/02\/business-anti-phishing\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Wed, 13 Feb 2019 16:54:28 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/101\/2019\/02\/business-anti-phishing\/' title='Businesses: It's time to implement an anti-phishing plan'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/shutterstock_529183144.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>If your organization doesn&#8217;t have an anti-phishing plan in place, it&#8217;s time to start thinking about one. 
Here&#8217;s what to tell your employees and customers about phishing attacks.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/101\/\" rel=\"category tag\">101<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/101\/business\/\" rel=\"category tag\">Business<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/anti-phishing\/\" rel=\"tag\">anti-phishing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/business\/\" rel=\"tag\">business<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/email\/\" rel=\"tag\">email<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mail\/\" rel=\"tag\">mail<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/microsoft\/\" rel=\"tag\">microsoft<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/office-365\/\" rel=\"tag\">office 365<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/organisation\/\" rel=\"tag\">organisation<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/phishing\/\" rel=\"tag\">phishing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/scam\/\" rel=\"tag\">scam<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/spam\/\" rel=\"tag\">spam<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/101\/2019\/02\/business-anti-phishing\/' title='Businesses: It's time to implement an anti-phishing plan'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/101\/2019\/02\/business-anti-phishing\/\">Businesses: It&#8217;s time to implement an anti-phishing plan<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10519,18778,1001,11222,16802,10516,17374,20909,3924,3985,10518],"class_list":["post-14585","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-10519","tag-anti-phishing","tag-business","tag-email","tag-mail","tag-microsoft","tag-office-365","tag-organisation","tag-phishing","tag-scam","tag-spam"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14585","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14585"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14585\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14585"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14585"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14585"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}