{"id":2624,"date":"2016-06-16T10:00:33","date_gmt":"2016-06-16T17:00:33","guid":{"rendered":"https:\/\/berkonomics.com\/?p=2624"},"modified":"2016-06-13T14:29:24","modified_gmt":"2016-06-13T21:29:24","slug":"dont-go-on-a-phishing-trip","status":"publish","type":"post","link":"https:\/\/berkonomics.com\/?p=2624","title":{"rendered":"Don\u2019t go on a phishing trip!"},"content":{"rendered":"<p><em>Dave\u2019s note: Our guest author this week is Kevin McDonald, <\/em><em>Executive Vice President and Chief Information Security Officer at Alvaka Networks, a network services and security firm in Irvine, California. He is a trusted technology and security consultant and public policy\u00a0advisor\u00a0to some of America&#8217;s most influential people and organizations.\u00a0<\/em><\/p>\n<p><strong><em>By Kevin McDonald<\/em><\/strong><\/p>\n<p>Phishing, a play on the word \u201cfishing,\u201d is a dangerous form of executive or CEO email fraud, and is negatively impacting individuals and companies worldwide. You certainly have seen some form of this social engineering &#8211; where criminals pretend to be an organization or individual such as the IRS, a creditor, partner, CEO\/CFO or other key executive.<\/p>\n<p>The goal is to \u201cphish\u201d a person into taking actions they shouldn\u2019t. An attack may involve a <img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-2625\" src=\"https:\/\/berkonomics.com\/wp-content\/uploads\/2016\/06\/phishing-300x200.jpg\" alt=\"phishing\" width=\"300\" height=\"200\" \/>call demanding payment to the phisher for past due invoices from a legitimate supplier, or verification of credit card data to facilitate the fraudulent transaction. 
Phishing can hook you through infected emails &#8211; or links to a fake website containing malware &#8211; or information-capturing forms you are asked to complete.<\/p>\n<p>Many websites are compromised: they have been hacked, or set up, with embedded nefarious software. \u00a0A successful attack can lead to you or one of your associates providing highly sensitive personal details about yourself, customers or employees \u2013 including social security numbers, usernames, passwords, and\/or banking information. Phishing victims have been known to transfer large sums of money as a result of appeals, threats, or claims.<\/p>\n<p><span style=\"color: #993300;\"><em>[Email readers, continue here&#8230;]<\/em> <\/span>\u00a0Some attacks are rudimentary, but watch it! Sophisticated attacks fool highly astute users. \u201cSpear phishing\u201d is directed at specific individuals or groups and is especially effective. \u00a0From IT staff to controllers, many comply with a phisher who has done their homework. Attackers use social media and professional pages to understand their targets. Being rushed to respond and clear a task, aiming to please when seemingly appropriate, or fearing threats to leadership or the entity under attack can easily lead to mistakes.<\/p>\n<p>So what does phishing look like? You may recognize some obvious attempts yourself. For example, you receive a PayPal email revoking your credit, but the email contains obvious grammar and spelling errors, and you don\u2019t have a PayPal account. You may have received a notice of default for some critical service you do or don\u2019t have \u2013 along with a request to transfer money outside of the normal payment channel.<\/p>\n<p>Attacks have resulted in losses from a few dollars to hundreds of millions. Anthem Blue Cross, for example, could be a phishing loser. It reportedly suffered a phishing attack that exposed an estimated eighty million patient records. 
The attack is believed to have started with custom malware sent to Anthem IT staff. Unfortunately, patients were further victimized when they were then targeted with fake Anthem emails offering credit protection. \u00a0According to a recent lawsuit filed by a New York U.S. Attorney, another unnamed company was phished for nearly $100 million and, luckily, has so far recovered much of that. FireEye has reported Apple phishing campaigns using fake Apple domains to lure victims into providing Apple Store<a href=\"http:\/\/www.ibtimes.co.uk\/iphone-users-targeted-by-new-apple-support-scam-that-steals-id-password-1554421\"> IDs and passwords<\/a>. \u00a0The list goes on, and becoming a victim is not difficult.<\/p>\n<p>So, what can you do?<\/p>\n<ul>\n<li>Slow down and pay attention with skepticism when something seems \u201cnot just right.\u201d<\/li>\n<li>Use email clients or services with pre-delivery scanning.<\/li>\n<li>Don\u2019t open emails from unknown sources.<\/li>\n<li>Never use an <u>administrator account<\/u> to surf the web or open email.<\/li>\n<li>Read URLs very carefully to be sure they are legitimate (<a href=\"http:\/\/www.microsoft.com\">microsoft.com<\/a> is not <a href=\"http:\/\/www.microsft.com\">www.microsft.com<\/a>.)<\/li>\n<li>Read email addresses carefully and verify (<a href=\"mailto:joel@outlook.com\">joel@outlook.com<\/a> is not <a href=\"mailto:Joel@outlok.com\">Joel@outlok.com<\/a>.)<\/li>\n<li>Look for improper grammar and language patterns that appear to be foreign or don\u2019t fit the person or organization represented.<\/li>\n<li>Avoid account verification, updates or other requests for you to click a link, log into a website or provide information.<\/li>\n<li>Never enter data into a pop-up.<\/li>\n<li>Never open an unsolicited attachment or link.<\/li>\n<li>Use secondary authentication and two-party authentication (code to your cell phone after entering your name and password) for financial transactions.<\/li>\n<\/ul>\n<p>With all of 
these precautions, you\u2019ll be unlikely to go on an unwanted and dangerous phishing trip.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dave\u2019s note: Our guest author this week is Kevin McDonald, Executive Vice President and Chief Information Security Officer at Alvaka Networks, a network services and security firm in Irvine, California. He is a trusted technology and security consultant and public &hellip; <a href=\"https:\/\/berkonomics.com\/?p=2624\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[20],"tags":[],"class_list":["post-2624","post","type-post","status-publish","format-standard","hentry","category-protecting-the-business"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/berkonomics.com\/index.php?rest_route=\/wp\/v2\/posts\/2624","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berkonomics.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berkonomics.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berkonomics.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berkonomics.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2624"}],"version-history":[{"count":0,"href":"https:\/\/berkonomics.com\/index.php?rest_route=\/wp\/v2\/posts\/2624\/revisions"}],"wp:attachment":[{"href":"https:\/\/berkonomics.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2624"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berkonomics.com\/index.php?rest_route=%2Fw
p%2Fv2%2Fcategories&post=2624"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berkonomics.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2624"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}