Phishing Scams

What are they?

Phishing scams are cyberattacks that target an organization’s employees to trick them into giving away confidential business information via e-mail, over the phone, through text messages, or even through physical mail. Phishing scams usually attempt to gain confidential information by impersonating a trustworthy company or organization. Cybercriminals also use phishing tactics to gain access to a business’s computer network and install malware such as ransomware or trojans that can lock the essential files on the computer. According to phishingbox.com, 90% of data breaches are linked to phishing attacks.1


Be wary of ransomware attacks stemming from phishing e-mails.

According to healthitsecurity.com, e-mail phishing has become the dominant attack vector for ransomware as of Q4 2020.2 Ransomware is a form of malware that finds its way onto a target computer and then encrypts essential files and systems, rendering the computer unusable. The perpetrators then demand that the computer owner pay a ransom to regain control. Computer owners who do not have backups of their data are often compelled to pay, although they frequently do not get their files back after paying: in 2020, only 67 percent of people who paid a ransom reported recovering their data.3 Avoid phishing e-mails and keep a backup of your computer and other important data to thwart ransomware attacks.


Facts & Figures:

  • 91% of cyber attacks come by way of phishing,4
  • Cybercrime is currently up 600% due to the COVID-19 pandemic,5
  • 94% of malware is delivered via e-mail;6


How to recognize phishing e-mail messages, links, or phone calls:

  • Phishing (or fraudulent) e-mails look like they’re from a trusted source, and often contain links to a phony login page on a fake website,
  • The subject lines may be threatening, insist that “immediate” or quick action be taken, or promise some amazing and over-the-top benefits,
  • Usually, the text in phishing e-mails has many spelling errors, obvious grammar mistakes, and awkward sentence structure, as if it was written by a computer program or by someone whose native language is not English; in addition, most such e-mails open with a generic “Dear Customer,” salutation,7
  • In most cases, the sender address in a phishing e-mail doesn’t match the organization’s official e-mail address; always verify that an e-mail address that claims to be from a government agency or an organization website ends with .gov or .org,
  • Phishing scammers give their targets a false sense of security by purposely using the trusted logos of established and legitimate companies, or by pretending to be a well-known person,
  • Phishing scammers pretend that personal information is required immediately; otherwise, there will be terrible consequences. For example, they’ll write that you have won money, that your online bank account has been compromised and must be fixed now, or even that one of your close family members has been grievously hurt;


How to Avoid Phishing Attacks:

  • If you think you have encountered a phishing e-mail, do not download any attachments or click on any links within the e-mail,
    • Instead, call the business directly and ask them to verify the e-mail sent to you,
    • Do not use the contact information provided in a suspicious e-mail (or on a suspicious website) to contact the company,
    • Do not call the phone number given in a phishing scam;
  • If an e-mail contains a link, always “hover over” the link with your cursor to check where it actually leads,
    • A tooltip will usually pop up with the true URL, and/or the bottom-left corner of your browser will display the website that the link actually leads to;
  • Pay attention to sudden visits, unsolicited e-mail messages, or phone calls from unknown people who try to obtain information about employees or about the business; verify the background of the supposed employee who is seeking the information;
  • Always refrain from disclosing confidential information about the business or yourself if you are unsure of the legitimacy of the source asking for that information;
  • Make a backup of essential files on an external source such as an external hard disk or a cloud storage service to protect them from a virus or malware attack;
  • Do not reveal personal or financial information through e-mail, and do not respond to e-mail solicitations for this information; this includes links found within the e-mail;
  • Only use trusted software for securing your computer, and make sure it is updated regularly;
  • Refrain from sending important information over an unsecured connection; check that the URL starts with “https” and not just “http,” as the ‘s’ means the connection is encrypted;
  • Always pay attention to the URL of legitimate websites, as cyberattackers use URLs that look identical to the official website’s URL apart from small changes,
  • You can always gather information about known phishing attacks from organizations such as the Anti-Phishing Working Group (APWG),
  • Always have anti-virus, anti-malware, and firewall software installed and active on your computer systems to safeguard against phishing attacks.
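The “hover over the link” check and the lookalike-URL warning above can be automated. The following is an added example, not code from the original article: it pulls each link’s visible text and real target out of a constructed HTML e-mail, flags links whose text names one domain but whose target is another, and flags targets that merely resemble a trusted domain (a trusted name used as a leading subdomain, or a one- or two-character variation). The trusted-domain list and the sample e-mail are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: domains the (hypothetical) organization actually uses.
TRUSTED_DOMAINS = {"example-bank.com", "irs.gov"}

# Crude anchor extraction, adequate for the constructed sample below (a mail client would use a real HTML parser).
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

def host_of(url: str) -> str:
    """Host the link really points at (what hovering reveals), lower-cased, minus a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch domains that differ from a trusted one by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_links(html: str) -> list[str]:
    """One warning per link whose visible text and real target disagree, or whose target
    only resembles a trusted domain. An empty list means nothing was flagged."""
    warnings = []
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        target = host_of(href)
        shown = DOMAIN_IN_TEXT_RE.search(text)
        if shown and shown.group(1).lower() != target:
            warnings.append(f"link text shows {shown.group(1)} but leads to {target}")
        if target in TRUSTED_DOMAINS:
            continue  # exact match to a domain we trust
        for trusted in TRUSTED_DOMAINS:
            if target.startswith(trusted + ".") or 0 < edit_distance(target, trusted) <= 2:
                warnings.append(f"{target} resembles trusted domain {trusted}")
    return warnings

# Constructed sample e-mail body; every link in it is invented for illustration.
SAMPLE_EMAIL = """
<a href="https://example-bank.com.verify-login.net/x">https://www.example-bank.com/login</a>
<a href="http://examp1e-bank.com/reset">Reset password</a>
<a href="https://www.example-bank.com/help">Help center</a>
"""
```

Running `check_links(SAMPLE_EMAIL)` flags the first two links (text/target mismatch plus a trusted name used as a subdomain, and a one-character lookalike) and leaves the third alone; note that an “https” padlock on a lookalike site says nothing about who owns it, so the domain check still matters.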


If you encounter a phishing e-mail:

  • If you identify a phishing email, please forward it to spam@uce.gov along with the name of the organization in the e-mail;
  • File a complaint with the Federal Trade Commission at FTC.gov/complaint;
  • In the event that personal or confidential information is leaked, please visit identitytheft.gov;
  • In addition, phishing e-mails can be reported to reportphishing@apwg.org (the Anti-Phishing Working Group).8


Sources:

1. “2019 Cyber Security Statistics Trends & Data.” PurpleSec, 21 Feb. 2021, purplesec.us/resources/cyber-security-statistics/.

2. Davis, Jessica. “70% Ransomware Attacks Cause Data Exfiltration; Phishing Top Entry Point.” HealthITSecurity, 9 Feb. 2021, healthitsecurity.com/news/70-ransomware-attacks-cause-data-exfiltration-phishing-top-entry-point.

3. Truta, Filip, et al. “Successful Ransomware Infections Surge to Record in 2020 as Victims Grow More Willing to Pay, Research Shows.” Security Boulevard, 3 Apr. 2020, securityboulevard.com/2020/04/successful-ransomware-infections-surge-to-record-in-2020-as-victims-grow-more-willing-to-pay-research-shows/.

4. “91% Of Cyber Attacks Come by Way of Phishing. Know the Different Types.” Graphus, 22 Feb. 2021, www.graphus.ai/blog/91-of-cyber-attacks-come-by-way-of-phishing-know-the-different-types/.

5. “How to Recognize and Avoid Phishing Scams.” Consumer Information, 19 Feb. 2021, www.consumer.ftc.gov/articles/0003-phishing.

6. Verizon. “2019 Data Breach Investigations Report.” 2019. PDF file.

7. “Learn How to Protect Yourself against Email Phishing Scams.” HealthCare.gov, www.healthcare.gov/blog/protect-against-email-phishing-scams/.

8. “Phishing Facts.” Statistics on Phishing and Other Cyber Threats, www.phishingbox.com/resources/phishing-facts.