RESOURCES

Don't Fall for These New Phishing tricks

3:30 Minute Read

If you’re like most owners of small businesses, you may feel pretty well protected against phishing attacks—the fraudulent emails hackers send in order to trick you or your employees into divulging sensitive business information. You probably think twice, for example, before clicking on unfamiliar links or attachments, which can serve as entryways for system-crippling ransomware.

The problem: Just as the general public has grown savvier about the phishing game, so have hackers. “The bad guys are getting smarter,” says Mark Cline, vice president, sales at Netsurion network security specialists. Phishing scams still play on the basic human drives of fear and urgency (e.g., “Your account has been disabled”), but they’ve added layers of sophistication. Here are some of the latest tactics phishers are using, and how to protect against them:

They’re priming recipients in advance of a scam. Phishers may send a preliminary email to verify that so-and-so is still with the company. Or they’re calling the receptionist to double-check titles and name spellings of company executives. “Now they have a tidbit of information that makes the spam email they ultimately send seem that much more credible,” Cline says. “It’s a kind of social engineering.”Precaution: Don’t give out company information, such as an org chart, unless you know who is asking, and why.
They’re displaying photos of trusted contacts. “Email spoofing”—in which an email header and signature are forged to make a message look legit—is, by this point, child’s play for phishers. Even worse, the spoofed email may now display the “sender’s” photo, cautions Anne P. Mitchell, Esq., CEO of SuretyMail email reputation certification service. “That’s because mail programs automatically grab these photos when you merge contact lists,” she explains.Precautions: Disable the “profile picture display” feature in your email program. And always double-check the “reply to” address—it will generally have one small spelling alteration from the legitimate one. Know that even what appears to be an email from the CEO may be spoofed, especially if it’s asking you to take quick action on a financial matter, like a funds transfer.
They’re getting better at impersonating big organizations. Scammers know that small businesses routinely deal with big companies like Amazon, PayPal, DHL, Apple, major banks and more. They’ve moved beyond obvious misspellings in a domain name, and now impersonate them by swapping out one or more letters in a non-Latin alphabet (for example, using the Greek “chi” symbol in place of a Latin “X”). Most major browsers will flag alphabet combos in URLs, but they can’t always catch them.Precaution: “Even if the email from a big company looks secure, don’t click on a link within the email,” says Fatih Orhan, vice president, Threat Labs at Comodo Security Solutions. “Instead, go into your bookmarks, log in to the company from there, and check any information directly in your account.”
They’ve hijacked the green lock icon. When an email directs you to a website, you might seek reassurance by looking for this icon—which indicates that the site has an SSL (Secure Sockets Layer) certificate—at the beginning of a browser bar. Nope. In the past few years, these have become cheaper and easier to get, and it turns out that non-legitimate sites like to have them, too. “Since the end of 2017, we are seeing a huge increase in phishing websites using SSL certificates,” Orhan says.Precaution: Eternal vigilance. Comodo has created an eye-opening website, PhishBank, with screenshots of recently confirmed phishing URLs.

Overall safety measures include keeping employees (including remote workers) up to date on the latest phishing scams. Experts also urge business owners to be prompt in installing security updates and to back up data regularly. To have all those cybersafety matters and more attended to, consider a managed security suite such as that offered by Spectrum Business.

“The important thing is to start somewhere,” says Cline. “If you think you’re ‘too small’ to be a target, remember—that kind of thinking makes your business the perfect target.”