Ransomware has dominated the news recently when it comes to IT Security. In fact, it was recently reported that 1 out of 5 companies that suffers a Ransomware attack ends up going out of business at least temporarily, and 30% of affected companies lost revenue. Now we turn to the question of how Ransomware gets into a company. While everyone has heard of Phishing and read blog posts on what phishing is, I want to focus on the different types of phishing and, ultimately, on what the goals of phishing are.
Before we get into the different types of phishing emails associated with Ransomware and Malware, we need to identify the goal of these activities. The ultimate goal is to make money. Whether that means getting you to pay a ransom or stealing sensitive information (credit card numbers, social security numbers, etc.) that will later be sold, the goal is to make money. This is a business that criminal organizations engage in, and it has become very profitable. The key to these activities is email phishing campaigns designed to take advantage of the weakest link in IT Security: people. Here are three different types of phishing emails that target your employees with the goal of making money:
Phishing – This is the most basic form of an email whose goal is to install malware on your system. We have all gotten these emails, and while most are easy to spot, some out there can be quite difficult to spot. A good example is the screenshot in this blog post of the email I received from USAA. First, I am not a USAA customer, so that is the first red flag. Second, I “hovered” over the link to the USAA website, which you can see at the bottom of the picture. While the beginning of the URL looks legitimate, later in the URL you can see it redirects me to Employment Solutions Australia dot com dot au. This is obviously a scam, but if I were a USAA customer, on the surface it looks pretty legitimate.
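The hover check described above, turned into a small script (added here as an illustration; it is not code from the original post). It compares the domain a link appears to point to with the registrable domain the link actually uses, and then looks further along the URL for an embedded redirect target, which is where the post's USAA example gave itself away. The sample hrefs and the `example.net` / `example.com.au` hosts are constructed, and the registrable-domain logic is a simple heuristic rather than a Public Suffix List lookup.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed samples modelled on the post's example (hypothetical hosts).
LEGIT_HREF = "https://www.usaa.com/login?ref=email"
PHISH_HREF = ("https://www.usaa.com.login-verify.example.net/go"
              "?u=http%3A%2F%2Femploymentsolutions.example.com.au%2Fx")

def _to_url(text):
    # Bare domains in anchor text get a scheme so urlparse can find the host.
    return text if "://" in text else "http://" + text

def registered_domain(host):
    """Approximate the registrable domain: last two labels, or three when the
    second-to-last label is a generic second-level TLD such as com.au (heuristic)."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in {"com", "co", "net", "org", "gov", "edu"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def embedded_urls(href):
    """Find URLs hidden in the path, fragment or query of href: the 'later in the
    URL' part of the post's example. parse_qsl already percent-decodes values."""
    p = urlparse(href)
    chunks = [unquote(p.path), unquote(p.fragment)]
    chunks += [v for _, v in parse_qsl(p.query, keep_blank_values=True)]
    return [m for c in chunks for m in URL_RE.findall(c)]

def analyze_link(display_text, href):
    """Return the shown domain, the chain of domains the href leads through,
    the final destination and the reasons (if any) the link looks suspicious."""
    shown = registered_domain(urlparse(_to_url(display_text)).hostname or "")
    chain = [href]
    while len(chain) <= 5:            # follow nested redirect parameters, bounded
        nested = embedded_urls(chain[-1])
        if not nested:
            break
        chain.append(nested[-1])
    hosts = [registered_domain(urlparse(u).hostname or "") for u in chain]
    reasons = []
    if hosts[0] != shown:
        reasons.append(f"link domain {hosts[0]} differs from shown {shown}")
    if len(hosts) > 1:
        reasons.append(f"redirects on to {hosts[-1]}")
    return {"shown": shown, "chain": hosts, "final": hosts[-1],
            "suspicious": bool(reasons), "reasons": reasons}
```

Run `analyze_link("https://www.usaa.com/login", PHISH_HREF)` to see both findings at once: the link's real domain is not usaa.com, and its query parameter forwards to a different domain again.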
Spear Phishing – This is a very targeted attack, usually aimed at Sr. Level Executives because of the permissions they hold and their access to more sensitive information. While the example above used USAA, the senders were guessing whether I had a USAA account. With spear phishing, the email will come from someone that you know (or think that you know), so it will not appear strange. The goal again is to install Malware or Ransomware on your system and ultimately gain access to your network in order to make money.
Whaling – This is another interesting one, as it is a twist on phishing. These are emails designed to look like they are coming from your Sr. Executives, usually sent to a lower-level employee, asking them to transfer large sums of money to an offshore account from which it cannot be recovered. I included this with phishing as it is doing the same thing, just from a different angle. The angle here is “ordering” an employee to follow a Sr. Executive’s directive to transfer the money.
There are many more types of Phishing campaigns out there; these are just 3 examples of the tactics that these criminal entities use to steal your information or data and make money. So the next question becomes: how can I protect myself from this type of scenario? The short and simple answer is to ensure that your staff is properly trained. As we all know, it is far more detailed than that.