Phishing Attacks On Mac Users Doubling, Don't Get Fooled
It's hard to put a total cost on the fraud that flows from phishing scams, because losses can range from a few dollars for a phishing attack against one person, to successful phishing attacks against large organisations potentially costing millions of dollars.
One research paper suggests the cost of phishing for large companies is almost $15 million a year, while the FBI suggests that online attacks have cost US businesses over $43 billion in recent years.
While many in the information security sector might raise an eyebrow when it comes to the lack of sophistication of some phishing campaigns, it's easy to forget that there are billions of internet users -- and every day there are people who are accessing the internet for the first time.
Lots of internet users won't even be aware of the potential threat of phishing, let alone that they might be targeted by attackers using it. Why would they even suspect that the message in their inbox isn't actually from the organisation or friend it claims to be from?
Training, training and more training. It might seem like a simple idea, but training is effective. Teaching staff what to look out for when it comes to a phishing email can go a long way to protecting your organisation from malicious attacks.
At a technical level, disabling macros from being run on computers in your network can play a big part in protecting employees from attacks. Macros aren't designed to be malicious -- they're designed to help users perform repetitive tasks with keyboard shortcuts.
Multi-factor authentication (MFA) also provides a strong barrier against phishing attacks because it requires an extra step for cyber criminals to overcome in order to conduct a successful attack. According to Microsoft, using MFA blocks 99.9% of attempted account hacks. If applying MFA to accounts is possible, it should be applied.
These early attacks were successful because it was a new type of attack, something users hadn't seen before. AOL provided warnings to users about the risks, but phishing remained successful and it's still here over 20 years on. In many ways, it has remained the same for one simple reason -- because it works.
While the fundamental concept of phishing hasn't changed much, there have been tweaks and experiments across two decades as technology and the way we access the internet have changed. Following the initial AOL attacks, email became the most appealing attack vector for phishing scams, as home internet use took off and having a personal email address became more common.
Many early phishing scams came with telltale signs that they weren't legitimate -- including strange spelling, weird formatting, low-res images, and messages that often didn't make complete sense. Nonetheless, in the early days of the internet, people knew even less about potential threats and that meant these attacks still found success -- and are still effective today.
While spear phishing does target consumers and individual internet users, it's much more effective for cyber criminals to use it as a means of infiltrating the network of a target organisation as it can produce a far more lucrative bounty.
It's quite possible for hackers to compromise the account of one user and use that as a stepping stone for further attacks. These 'conversation hijacking' attacks take advantage of using a real person's account to send additional phishing emails to their real contacts -- and because the email comes from a trusted source, the intended victim is more likely to click.
The growth of remote working in recent years has arguably made it easier for criminals to conduct BEC scams and other phishing attacks, because people working from home can't as easily talk to one of their colleagues to check if the email is legitimate.
For cyber criminals, that means LinkedIn, if exploited, is a useful tool for conducting phishing attacks to steal passwords and other sensitive corporate information. For example, a fraudster could browse your LinkedIn profile to find out who you work with and regularly interact with.
SMS phishing -- or smishing -- attacks work in much the same way as an email attack, presenting the victim with a fraudulent offer or fake warning as an incentive to click through to a malicious URL.
In a prominent example of cryptocurrency phishing, one criminal group conducted a campaign that copied the front of Ethereum wallet website MyEtherWallet and encouraged users to enter their login details and private keys.
The theft of cryptocurrency in phishing campaigns like this and other attacks is costing crypto exchanges and their users hundreds of millions of dollars, as accounts and whole platforms get hacked and cyber criminals take the money for themselves.
It might have been around for almost 20 years, but phishing remains a threat for two reasons -- it's simple to carry out, even by one-person operations, and it works, because there are still plenty of people on the internet who aren't aware of the threats they face. And even the most sophisticated users can be caught out from time to time.
While there are many guidelines and practices that can reduce the risk of phishing and email hijacking, the best way to prevent a malicious actor from taking over your email accounts is to strengthen your authentication. One solution is to use two-factor authentication, which requires users to have a secondary token (such as a mobile device or a physical key) in addition to the password when signing into the account. An even stronger solution is the use of passwordless authentication technologies, which totally obviate the need for passwords and make it impossible for hackers to gain access to accounts through phishing.
For instance, say a victim usually uses the Wi-Fi network of a Starbucks where she eats breakfast. A hacker who wants to stage a man-in-the-middle attack on the victim goes to the same Starbucks and picks up the ID and password of its Wi-Fi network. Then, the attacker sets up his own Wi-Fi network with the same name and password using a router or a laptop computer. Now, devices of users who have previously connected to the Starbucks network (including the victim) will automatically connect to the evil twin when they come within its network range. The attacker can then use the connection to stage man-in-the-middle attacks.
Phishing attacks are a subset of social engineering strategies that imitate a trusted source and concoct a seemingly logical scenario for handing over login credentials or other sensitive personal data. According to Webroot data, financial institutions represent the vast majority of impersonated companies and, according to Verizon's annual Data Breach Investigations Report, social engineering attacks including phishing and pretexting (see below) are responsible for 93% of successful data breaches.
While phishing attacks are rampant, short-lived, and need only a few users to take the bait for a successful campaign, there are methods for protecting yourself. Most don't require much more than simply paying attention to the details in front of you. Keep the following in mind to avoid being phished yourself.
Webroot's threat database has more than 600 million domains and 27 billion URLs categorized to protect users against web-based threats. The threat intelligence backing all of our products helps you use the web securely, and our mobile security solutions offer secure web browsing to prevent successful phishing attacks.
Those messages aren't really from the companies they purport to be from. Criminals who want to bilk consumers out of money are orchestrating sophisticated phishing and scamming attacks using text messages that are manipulative, believable, and increasingly popular.
Encryption may sound like a subject best left to hackers and tinfoil hat wearers, but don't be fooled: It's a critical part of contemporary life and something that's important for everyone, especially business users, to understand. And one of the places where encryption is most relevant and misunderstood is in the realm of email.
Cash App does not offer live customer support and encourages users to report any issues, including fraud and scams, through the app instead. But many Cash App users have been fooled by scammers who impersonate Cash App customer service employees through phone scams.
Like phishing emails and vishing attacks, the scam called smishing is a form of social engineering that tries to trick you out of personal information. Victims of this scam receive texts that appear to be from Cash App at first glance. But in reality, a fraudster is behind the phony message.
Unfortunately, between 2019 and 2020, there was an approximately 1,200% increase in malicious PDF files, from about 412,000 to over 5.2 million. For scammers, PDF files are an enticing phishing option as they work across different platforms and allow criminals to engage with users, making their schemes more believable as opposed to just a text-based message with a plain link.
Business email compromise attacks are a class of cyber crime that use email fraud to attack commercial, government and non-profit organizations to achieve a specific outcome which negatively impacts the target organization. Examples include invoice scams and spear phishing spoof attacks which are designed to gather data for other criminal activities. A business deceived by an email spoof can suffer additional financial, business continuity and reputational damage: fake emails are a favored route for ransomware that can stop operations unless a ransom is paid; consumer privacy breaches can also be enabled.
A website may seem to be in all respects legitimate. Of course, on the Web, not everything is what it seems. Some sites are phony, created to install viruses and malware on a visitor's computer, or to steal their personal information. Immediately separate the real from the fake with VerificationEngine. With VerificationEngine Anti Phishing Software installed, the border around the web browser will glow green to let you know the site is secure. It's that simple, and it's free. Plus, VerificationEngine isn't browser-based, so anyone can use it with their preferred web browser, and it can't be fooled by cyber-attacks on a particular browser.