Email Looking Fishy? Avoid Taking the Bait!

If you still think that phishing is just a fancy word for attempting to catch a fish, you are one of the lucky few who haven’t experienced a fraudulent cyber-attack. But be on guard! Your turn could be coming momentarily, especially if you work in the Life Sciences industry.

Three million cases of identity theft and consumer fraud were filed in 2018, according to the Consumer Sentinel Network (maintained by The Federal Trade Commission). Perhaps you are clever enough to avoid romance scams, inheritance scams, travel prize scams, and investment scams, but are you vulnerable to a cyber-attack at your workplace?

The answer is an emphatic YES! Cyber-crime has come a long way from the “Nigerian Prince” advance-fee scam (also known as 419) that surfaced in the mid-1990s, costing Americans close to $58 million. Cyber-criminals have grown in sophistication and are in a neck-and-neck race with cybersecurity technology. What makes phishing so dangerous? The attacks use specific inside information to target specific individuals (like you). Attackers collect this information with amazing ease from different platforms on which we all do business.

The latest fraudulent tactics, known as spear-phishing, are engineered to collect sensitive data by appearing to have been generated by a trustworthy source, often your manager or boss. Here’s a real-life example of how Ubiquiti Networks Inc., an American network technology company for service providers and enterprises, lost millions because of a spear-phishing e-mail:

A report by the U.S. Securities and Exchange Commission shows that the attack was carried out through “employee impersonation and fraudulent requests from an outside entity targeting the company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.” The transfers were performed directly by Ubiquiti employees that were tricked into thinking that they were getting legitimate requests from executives thanks to spoofed e-mail addresses and look-alike domain names.

Unfortunately, examples like this are growing by the day – with 65% growth in phishing attempts just this past year! It is estimated that 1.5 million new phishing sites are being created monthly. Seventy-six percent of companies reported falling victim to a phishing attack in 2018.

The Life Sciences industry is so vulnerable to malicious, targeted cyber-attacks, that the United States Department of Homeland Security has published a 28-page Analytic Exchange Program to help combat the “Vulnerabilities of Healthcare Information Technology Systems.”

The problem is so serious that it is not only prudent, but necessary for each company and every individual within it to take every precaution possible to avoid vulnerability to attack. Navitas Data Sciences (NDS) has been very proactive in combating phishing, requiring all employees to complete an awareness course.

The NDS Systems Administration team is like the dragon at the gate, working hard to prevent breaches and malicious actors from entering the company’s information vault. “Every employee takes our Cybersecurity Awareness Program course, which outlines common threats to look out for, and our best practices while using e-mail, the web, or other communication tools in the workplace,” says a senior member of the IT department.


“We follow up this course with periodic simulated phishing testing where we actually phish our users with emails containing elements that we teach them to look out for. These include tactics such as misspellings in e-mail addresses, links in the email body that appear legitimate until hovered over to expose their true destination, actionable requests that are out of the ordinary, or indicating urgency, etc.,” he adds.


Users are instructed to report to administrators any phishing e-mails they receive. If they take the bait and click on a phishing link, they are redirected to another training course that goes into more detail on why they shouldn’t have done what they just did. This is a great approach to a growing crisis.
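The two cues the IT team describes above, a sender address whose domain merely resembles the company's own and a link whose visible text points somewhere other than its real destination, can be checked mechanically before a message ever reaches a user. The following is an added example written for this article, not NDS's own tooling; the trusted domain and the sample message are constructed, and the anchor extraction is deliberately simplified.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the domains this organisation treats as its own (hypothetical value).
TRUSTED_DOMAINS = {"example-lifesciences.com"}

def domain_of(address_or_url):
    """Return the lower-cased host of an e-mail address or URL."""
    if "@" in address_or_url:
        return address_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(address_or_url).hostname or "").lower()

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85:
            return trusted
    return None

def analyse(raw_message):
    """Return human-readable findings for one RFC 822 message with an HTML body."""
    msg = message_from_string(raw_message)
    findings = []
    sender_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain!r} resembles {imitated!r}")
    # Simplified anchor extraction; a production filter would use a real HTML parser.
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', msg.get_payload(), re.I | re.S):
        shown = domain_of(text.strip()) if "." in text else ""
        if shown and shown != domain_of(href):
            findings.append(f"link text shows {shown!r} but points to {domain_of(href)!r}")
    return findings

# Constructed sample exhibiting both cues (not a real message).
SAMPLE = """From: "CEO" <ceo@example-lifesciences.co>
Subject: Urgent wire transfer

<p>Confirm via <a href="http://login.example-lifesciences.co/x">https://portal.example-lifesciences.com</a> today.</p>
"""

if __name__ == "__main__":
    print("\n".join("WARNING: " + f for f in analyse(SAMPLE)))
```

Run against the sample, the checker reports both the look-alike sender domain and the mismatched link, which are exactly the things a user is taught to notice by hovering and reading the address closely.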


Simulated phishing scenarios can be very effective, and can reduce susceptibility by as much as 95%. Small businesses with limited resources can purchase Phishing Simulation Software, or hire Security Awareness Companies* to provide security training and phishing tests for employees.

In closing, we encourage you to read this helpful article by Forbes: “Four Phishing Attack Trends To Look Out For In 2019” in which they detail these 4 most recent trends, why they are effective, and how to combat them:

1. Phishing Attacks Targeting Your SaaS Credentials – Cybercriminals are targeting your business by impersonating SaaS services like Dropbox, Slack, and Office 365. Be on alert!

2. Phishing attacks Sent Through Messaging Apps – Apparently Slack, Skype, Facebook Messenger, and similar messaging platforms are vulnerable, since they do not have strong security measures built-in, like email does. (Who knew?)

3. Interactive Business Email Compromise (BEC) – These threats can actually be delivered by phone or text messaging in addition to email, and are super convincing.

4. Phishing Inside of Shared Files – Attackers are now embedding malicious links in shared files that refer to a legitimate service.

The best advice we can give you is to train your staff to resist the temptation to open links in e-mails, and to turn on multi-factor authentication across your company. Instituting channel switching is also good policy: if information is requested by e-mail, confirm the request with the sender over a different channel, such as a text message. Lastly, sign on to a password manager, an important service that will not auto-fill your password on a fake site because the site’s domain does not match the one it has saved.*


Remember that 91% of cyberattacks begin with just ONE CLICK on a spear-phishing email!

Don’t find yourself on the pointy end of a Phishing Spear!


*See MSSP Alert’s Top Security Awareness Companies here:

https://www.msspalert.com/cybersecurity-news/top-10-security-awareness-training-companies/


*For more information about password managers, visit this article and thorough comparison of the top 10 companies by PC Magazine:

https://www.pcmag.com/roundup/300318/the-best-password-managers