With the recent public service announcement from the FBI, ransomware and cyber security have become serious business for nonprofits. Not only do they need to protect themselves from attacks, but they have a responsibility to protect sensitive client and donor data. Here are the three most common attacks scammers will employ.
[Here is our blog post covering the FBI's PSA on ransomware.]
In a March 2016 article in SC Magazine, a payroll employee at Pivotal Software received an email from CEO Rob Mee asking for tax information on employees. Not realizing something was wrong, the employee replied with the W-2 information for an unknown number of employees. As you might guess from the title of this article, it was not, in fact, Rob Mee who sent the email.
Phishing seeks sensitive information through a deceptive email that masquerades as a trustworthy source. Typically, this is a wide-net activity: the more people an attacker approaches, the more likely they are to find a victim. If the net is wide enough, even a 0.01% response rate can be productive.
We now see these same tactics employed to convince users to download files or attachments that contain malware (in the best case) or ransomware, which encrypts your files and demands payment in bitcoin before it will decrypt them again. For those who do not back up their systems to an external device on a regular basis, this can be devastating.
The events at Pivotal are an example of a more targeted attack called spear phishing. This type of attack is characterized by a more personalized message directed at specific individuals, groups, or companies.
Whaling is another form of phishing directed at executives and other high-value targets. These attacks often appear in the form of a legal subpoena, customer complaint, or executive issue. In both spear phishing and whaling, the attacker will often spend a great amount of time doing research on their target in order to craft a believable attack that is harder to identify.
“I’m really sorry to bother you, but I’m running really late for my appointment with the Head of Marketing, and I managed to leave my laptop at home with the client list! He’s really counting on me here—can you forward me a copy?”
Pretexting is the use of an invented scenario that engages a target to act in a way they otherwise wouldn’t. To make the scenario more believable, an attacker will often play on their target’s sympathy by crying on the phone, admitting something embarrassing, or telling someone just how terrible their day has been. These attacks involve a lot of prior research so that the attacker sounds as natural as possible and can think on their feet while interacting with the target.
Other examples include the “Microsoft phone scam,” where the attacker calls claiming to be from Microsoft, says that your PC has a virus, and offers to help you over the phone. These calls often end with the attacker asking the target to download malicious software onto their computer.
“Aw sweet, free USB drive!”
The modern-day Trojan horse. Have you ever found a USB drive on the ground and wondered what treasures it might hold? Or, more likely, you’ve needed to access your email urgently and connected to a Wi-Fi hotspot you didn’t verify first.
This attack is all about putting out a carrot and waiting for someone to take it. The USB drive is infected, or an attacker is snooping on your web traffic through their Wi-Fi hotspot. Online, baiting is often seen in the form of free music or movie download advertisements: either the advert asks the victim to create an account and hand over personal information, or the downloaded file itself is malware. Baiting is also being seen on phones via cell tower spoofing, meaning a third party could be looking at your calls, texts, and mobile data in real time without your being aware.
Office 365’s security features are truly exceptional when compared to many other cloud services. Attend our new webinar and learn all the new features.