Phished credentials are growing…

Marcelo Orlandi
Phished credentials are growing…

We have discussed previously how small businesses are being targeted by Cyber Attacks, and back in June I published how Malware was targeting at least 500K devices worldwide.

Well, did you know that in the past year alone, phished credentials technique caused twice as many breaches as malware?

 

Some Background

The bad guys are always looking for ways to get your information, money or anything else that may be useful to them. Malware has been the classic example in the past, where all your information is encrypted on your disk and the bad guys ask for a ransom to decrypt it. This exercise requires the coding of the ransomware, or getting the code from the dark web, and spending hours testing it to make sure it does what it is intended to do. Once the ransomware is delivered, and not stopped by antivirus or malware applications, the next step is collecting the money. As you can see this is a lot of work, and who wants to work hard and not get paid in the end?

In addition to that, users are getting more and more clever when using passwords. There are more people not reusing their passwords (my dream come true). This has made very difficult to “guess” or brute-force passwords, as they are no longer common.

 

A New and easy way

As a consequence of that, the bad guys have started to use more Phishing techniques. This type of attack is very simple: They send you a fake email that looks like is coming from your bank, ATO, Centrelink, or even your IT Department or your boss! Because you are always in a rush, you open the email, click the link or attachment and enter your credentials. And voila! you have just leaked your username and password to the bad guys without even knowing it.

You may think, I don’t have any anything important to hide, why should I care? Well let me ask you a few questions:

  • Do you use the same password in your personal email at work?
  • Do you use the same password in your bank account?
  • Do you send, receive invoices to pay or be paid by email?

If you answered ‘yes’ to any of the previous questions then the bad guys can instruct your employee or accounting department to pay an invoice, which looks legit, but to a different bank number. When you realize that the payment went to a wrong bank account, the money is already outside the country.

How easy is that?

 

What can I do?

Scammers are getting very sophisticated, not only by email but they are also using phone calls to get some payments as well.

Be vigilant of all unexpected phone calls asking for any personal information, but be especially vigilant of emails asking for any sort of money or bank transfer. If you receive an email asking for payment and the bank details have been changed, grab the phone, give the customer a call and confirm the details before doing any transaction. Just because you receive an email from them it does not mean they have not been compromised.

If your email system and account package support multi-factor authenticationenable it. That way, if for whatever reason your password is leaked, the attacker will not be able to login as they will be asked for a second-factor authentication.

Be safe out there, until next Malware Monday.