As the world becomes more connected, the potential for security issues increases. The internet makes it possible for hackers to steal money and information in new ways, including through what are known as phishing attempts. Everyone, especially business owners, should be aware of phishing and what it can lead to so they can protect their personal information and their money.
What is Phishing?
Phishing is an attempt to gain personal information, including passwords or credit card numbers, by sending emails that appear to be from a reputable company. The hackers who set up the phishing attack make their email address look official, then ask the recipient to click on a link or download an attachment. If the recipient does this, the attacker then has their username and password or has the ability to control their computer to get the personal information they’re looking for.
Phishing is one of the oldest types of cyber attacks and it’s becoming more prevalent today because of technology improvements. The attacks of 2018 are far more sophisticated, enabling the hackers to try to get personal information from anyone, even those who normally would know what to look for and how to avoid this type of cyber attack. The oldest version of phishing was to send out an email that looked like it was coming from the person’s bank. The goal was to get the recipient to visit a fake website and use their real login information to sign into the bank to verify information. Once they entered their information into the fake website, the hacker had the ability to log on to the bank’s actual website and transfer money from the victim’s account to their own.
Phishing is Still Prevalent Today
Phishing has been around for so many years because it still works. Hackers can still use phishing attempts against both individuals and businesses to steal personal information and money. Business owners have to be especially careful, as today’s phishing attempts are used to steal all of the personal information of the business’s customers. This often includes names, phone numbers, physical addresses, email addresses, and credit card numbers. A phishing attempt that successfully leads the hacker to this information causes a huge breach for the business and can do serious damage. Some of the biggest types of phishing attacks that occurred throughout 2018 include compromised MailChimp accounts, tax fraud, account takeovers, and others listed below.
MailChimp Account Phishing
At the beginning of 2018, a new phishing attack started out by using compromised MailChimp accounts. The accounts were compromised by data stolen through fake invoices. The emails were then used to send a zipped file to other people. Since MailChimp is a trusted email company used by businesses to send invoices and other important information, these emails were able to reach just about anyone. The emails were not caught by spam filters because they appeared to be legitimate emails. When the zipped file was opened, it downloaded a malware app that was then used to monitor the computer and steal information. This attack ran for around three and a half months.
Shortcut Phishing Attacks
First detected in July of 2018, the shortcut phishing attack targeted users of Windows 10. A hacker named TA505 sent out emails appearing to be from Windows that offered an opportunity to create unique shortcuts to settings within Windows. The email included a PDF file that had a PowerShell script to download a trojan on the computer when it was opened. The trojan, FlawedAmmyy, gave the hacker remote access to the infected machine. They had complete access to any information stored on the computer, allowing them to get personal information such as bank account information or credit card numbers.
Phishing Attacks Relating to the GDPR
In 2018, the European Union’s General Data Protection Regulation (GDPR) took effect. This is intended to protect data and privacy for all members of the EU by giving users more control over their own personal data. It also helped simplify regulations for international companies that do business in the EU or the European Economic Area (EEA). While the new law was intended to simplify regulations and help protect privacy, it did cause confusion for many business owners who were trying to figure out how to comply with the new laws. Phishing attacks started targeting businesses that might need help with compliance. Emails promised information or services to help with the new regulations but led to malware being downloaded or information being stolen from the businesses instead.
Tax-Related Phishing Attacks
During the tax season, scams are prevalent. Phishing attacks generally involve an email claiming the recipient owes money and offering a link to send money to avoid fines or other legal actions. Another scam has become prevalent as well, with the email claiming to be from a state accounting office. In this phishing attack, the email was sent to obtain usernames and passwords for accountants so the hacker could access not only the accountant’s personal information but their clients’ as well.
These types of phishing attacks have occurred for a number of years now. In 2018, a new method was tried to get money from the victims. In this new method, the hackers use the victim’s bank account to deposit funds, then use a variety of different methods to try to retrieve the funds. These types of phishing attacks are always more prevalent during tax season but can occur at any time of the year.
Phishing Attacks Involving Cryptocurrency
With the huge rise in popularity of cryptocurrency during 2018, phishing hackers started looking for a way to take advantage of this. Most of the time, it involves taking advantage of new cryptocurrencies that hold an Initial Coin Offering (ICO) to raise money for their cryptocurrency. The company generally creates an email address for money to be sent to by those who want to purchase the cryptocurrency. While many of these are legitimate, hackers will use emails to set up fake ICOs and have the funds go to an account they control, instead of one controlled by the company creating the cryptocurrency. Purchasers of the ICO believe their money is going to the company when it’s actually being sent to a hacker.
Account Verification Phishing Attacks
This type of phishing attack has been around for some time but became far more prevalent during 2018. Most of the time, the victim receives an email that seems like it’s from a major retailer or social network site. The email states there’s a problem with the account that needs to be fixed immediately. The email is designed to look just like one from the company and uses an email address that’s close to the one used by the company. The links in the email, however, take the victim to a fake website that looks similar to the company’s website and steals the person’s login information. That information can often be used to sign into other accounts on other websites or used to get personal information that might be stored on the real company’s website.
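The two signs described above, a sender address that is close to the real one and a link that leads somewhere other than the site it names, can be checked automatically. The following Python is an added example, not part of the original article; the trusted domains, the sample message, the 0.85 similarity threshold and the function names are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = ("examplebank.example", "exampleshop.example")  # assumed allow-list
SAMPLE_SENDER = "support@examp1eshop.example"  # constructed sample, not real
SAMPLE_BODY = ('<a href="http://exampleshop.example.login.test/">'
               'www.exampleshop.example</a>')

class LinkCollector(HTMLParser):  # gathers [href, visible text] per <a> tag
    def __init__(self):
        super().__init__()
        self.links, self.open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.open = True
    def handle_data(self, data):
        if self.open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.open = self.open and tag != "a"

def host_of(value):
    """Lower-cased host of a URL or bare domain, leading 'www.' removed."""
    url = urlparse(value if "//" in value else "//" + value)
    return (url.hostname or "").lower().removeprefix("www.")

def imitates(host):
    """Trusted domain that an untrusted host resembles, else None."""
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return None  # the genuine domain or one of its subdomains
    # brand label embedded in the host, or near-identical spelling (l -> 1)
    return next((d for d in TRUSTED if d.split(".")[0] in host
                 or SequenceMatcher(None, host, d).ratio() >= 0.85), None)

def review_email(sender, html_body):
    """Return (finding, host) pairs for a sender address and HTML body."""
    sender_host = host_of(sender.rsplit("@", 1)[-1])
    findings = [("sender-lookalike", sender_host)] if imitates(sender_host) else []
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        target, text = host_of(href), text.strip()
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != target:  # link text names a different site
            findings.append(("text-href-mismatch", target))
        if imitates(target):
            findings.append(("link-lookalike", target))
    return findings
```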
Phishing Attacks to Take Over Accounts
Most phishing attempts are designed to steal personal information that can then be used to gain money. A new type of phishing attack, however, is an attempt to take over an email account so it can be used by the hacker. Once the hacker gains the username and password for the email account, they’ll watch it to learn more about the victim. They can then use the information to steal money or other personal information. Right now, the biggest targets for this type of phishing attack are real estate agents. The hacker takes over the account, watching the emails sent and received by the real estate agent until they see a pending house sale. They then use the email address to send a fake email about the wire transfer, getting the home buyer to send the funds to the hacker instead of the seller of the home. This phishing attack can take a while to accomplish, but it can allow the hacker to steal hundreds of thousands of dollars.
Phishing attacks lead to billions of dollars in losses every year. Even when certain attacks seem to disappear, new ones that are far more sophisticated are being created. Individuals and business owners can protect themselves from phishing attacks. Most of the time, this can be done by just being careful. Keep an eye on information about the latest phishing attacks so you know about the newest types and can avoid them. When you do receive an email, it’s better to type in the address of the company yourself instead of clicking a link. It’s also a good idea to scan any attachments with antivirus software before opening them to be sure they’re safe, even if they appear to be from a trusted source. Working with a cybersecurity company can also help minimize your chances of becoming a victim of a phishing attack, protecting your personal information and your business.