As phishing attacks rise, knowledge is the greatest weapon to combat them
There was a 76% increase in direct financial loss as a result of phishing attacks from 2021 to 2022 according to Proofpoint’s 2022 State of the Phish report. As phishing attacks increase, scammers find new techniques and tools to trick people into giving up information or sending money. Arming personnel with knowledge of what types of attacks to expect and how to spot them is the best way to stop these attacks from affecting your organization.
There are two types of attacks that Facility Security Officers (FSOs) need to be aware of: non-targeted and targeted attacks. Non-targeted attacks are generic and could be sent to anyone, like a call claiming there’s an issue with your car’s extended warranty. While employees should report these to their FSO when they get them, and to their IT department if they click on any links or download anything from a scam, the FSO doesn’t necessarily need to pass that report onto their Industrial Security (IS) representative.
Targeted attacks are aimed at the organization specifically. These could be emails claiming to be from accounting, saying the recipient needs to update their bank account information or risk not getting their next direct deposit. These are attacks that the FSO should definitely report to the IS rep. While they may just be a more sophisticated type of financial attack, the goal could be stealing proprietary or classified information from the company.
Currently, common ways scammers will try to reach their victims are emails, text messages, social media and phone calls. Different types of attacks will have different tactics and indicators you and your employees will need to learn to catch.
Types of Phishing
Email remains one of the main ways scammers try to contact people. Common non-targeted attacks include messages from companies with slightly misspelled names like amazonn claiming there’s an issue with your billing and attacks related to student loan debt relief. Targeted attacks may be harder to spot, especially when they come from an email address only a letter off from your company email. Some common scams include a message claiming to be from HR, saying the recipient is being accused of sexual harassment with a link to schedule an appointment to discuss the accusation. Personnel may also receive an email from someone pretending to be company leadership, like the CEO, asking them to buy digital gift cards on their behalf.
There are a few ways you can spot these fake emails. The first step is always to check the address of the person who sent it. Sometimes the email address will be completely different from what it should be. If your CEO is named Mark Wright but the email address is from John Doe, it’s easy to tell this isn’t from who it should be. Other times there’s a small typo, like adding a repeated letter that shouldn’t be there. If the email is coming from Wallmart instead of Walmart, it’s a phishing scam. If there are a lot of grammatical or spelling errors, this is also often an indicator of a fraudulent email. If there are logos used, they may be a mirrored version of the company’s logo or the logo being the wrong color.
This is also known as Smishing, or SMS phishing. These scams come in forms like a claim that there’s an issue with your Netflix billing or that you’ve won a gift card. You may see targeted attacks similar to the CEO email scam, where an unknown number sends a message claiming to be the company CEO and asking for information or money in some form.
Watch for any texts that want you to click a link to a secondary site. If you don’t recognize the sender, always be wary with any links. If the text is coming from a company claiming you have a billing issue or someone like your bank claiming your account is overdrawn, go to the company’s website directly rather than clicking the link, as they may have a realistic looking login screen they use to steal your information. If there actually are any issues with your accounts, they’ll be visible on the company website. Messages sent at odd hours, like the middle of the night, are also suspicious. A company won’t be trying to reach you about your billing at midnight.
Social Media Phishing
Similarly, be wary of strange messages on social media. Scammers will hack people’s accounts and send messages to their friends, which makes it seem legitimate since it comes from someone you know. If someone you haven’t talked to in a while reaches out with a message like “can you believe this person got arrested?” and a link to click, do not engage with it. Those with a high-level clearance may also face targeted honey pot attacks on social media, where attractive people attempt to seduce them to steal information.
Phone Call Phishing
Vishing, or voice phishing, is another common type of attack to watch for. You may receive a call reaching out about your car’s extended warranty or telling you there’s a warrant out for your arrest. If an unknown number that your phone doesn’t identify as potential spam pops up and you aren’t expecting a call from anyone not in your contacts, it’s best to let it go to voicemail. If they leave a voicemail and it’s either a robocall or in a language you don’t speak, you can mostly assume it’s a scam.
If you receive an email, text or phone call that you’re not sure is a scam and tells you something you’re concerned about, like that you’re wanted for tax fraud or that there’s an issue with your bank, don’t engage with the potential scam. Check your accounts and contact your bank, local law enforcement or relevant party directly. It’s better to take the 10 minutes to clarify if you actually do have something to be concerned about than to end up dealing with a stolen identity for months or years.
The Evolution of Phishing and What to Expect in the Future
With the current economic downturn, attacks threatening people’s finances in some way, like a faked claim that someone’s account is overdrawn, are more likely to occur. When people are facing financial stress, they are more likely to engage with an email claiming their money is at risk than they would be otherwise. As the State of the Phish report found, financial loss as a result of phishing attacks have increased significantly since last year.
AI is also a new threat that could lead to more sophisticated phishing attacks at a higher volume, according to Forbes. With software like ChatGPT, phishers can create a message in seconds that won’t have the grammatical or spelling errors that many scams currently have. When it only takes a few seconds, they can create far more messages to use. They can also train the AI on past scams that were successful in tricking a high volume of people in order to consistently create more effective attacks. However, AI can also be used in combatting phishing scams through AI-powered tools that are trained to distinguish between legitimate and illegitimate senders and emails.
Training will always be the greatest defense against phishing. The State of the Phish report found that there is currently a large knowledge gap in many organizations, with only 56% of them having a security awareness program that trains all their employees. Nearly a third of those surveyed couldn’t even define terms like phishing and malware, and 68% of them thought their company email platform could automatically block all malicious emails. Organizations that fall prey to phishing scams pay a major price, whether it be monetary or informational. Proper training is a necessity for all employees regardless of what their role is.
If you’re looking for help with training for your cleared facility, Adamo can help. Our FSO support services can run your trainings or help you manage the more tedious parts of your job so you can focus on improving your facility’s security.