There is Nothing “Phunny” About Phishing

We recently heard from one of our clients who received an email from “Melynda”.  The email stated Melynda is a photographer and claimed copyright infringement regarding photos used on our client’s website.  Obviously, this caused great alarm and required immediate attention.  Or did it?   This is an example of a phishing scam and has been documented in multiple sources online.  We encourage you to research this for yourself.

In case you receive a comparable email, the “sender” is generally Mel, Melinda or Melynda.  As noted, she claims her intellectual property in the form of photos has been stolen and demands you remove them immediately.  The email even offers to “prove” ownership and provides a link for you to follow.  DON’T!!!  This is all a bunch of garbage designed to gain access to your personal information.

Phishing?

The Oxford Dictionary defines phishing as “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers”.

Dating back to the 1990s, phishing is one of the oldest, and most common, forms of cyber scam.  In fact, phishing is so pervasive that statistics indicate over 78% of all data breaches are a result of a phishing attack.   Notable phishing-related data breaches in the last 5 years include:

  • Hackers (Phishermen) convinced Hillary Clinton’s campaign chairman John Podesta to give up his Gmail password, opening his mail up for their perusal.
  • Apple iCloud servers were breached on multiple fronts and intimate photos of several celebrities were made public.
  • University of Kansas employees were convinced to share their paycheck direct deposit information, costing them their paychecks.

As you can see, this form of cyberattack works on intelligent, well-educated individuals just as well as the gullible, naïve, or elderly – even you could be a victim!

What a phishing attack looks for is generally one of the following:

  • Financial information, such as credit card numbers
  • Personal information, like passwords
  • The user to click on a link/download and allow ransomware installation on a system.

Regardless of what the phisherman wants, it is an attack on your system and your business.

Why is Phishing Effective?

According to cybersecurity officials, so-called “phishermen” can purchase phishing “kits” on the dark web.  These kits are what make the scam look so realistic and fool the intelligent eye.  A kit provides the framework and information necessary to set up a fake website, fake URL, and fake email, all of which are designed for one single purpose – to convince you of the sender’s legitimacy and convince you to provide the information they want.

The kit works like this:

  1. The legitimate website is cloned to look like a reputable company you trust.
  2. The login page is changed to point toward a script focused on stealing your credentials.
  3. These modifications are then bundled together in a Zip file and sold as a kit on the dark web.
  4. Once purchased, the cybercriminal uploads this zip file to the fake website and the files are unzipped.
  5. Emails are then sent with links that point to the fake website. When you log in, you receive the script that asks you for your personal information.  Since you’re a professional, you want to immediately handle the problem and provide the information.

A company called Ironscales monitored 50,000 fake log-in pages.  The most common companies for phishers to clone were:

  • PayPal – 22%
  • Microsoft – 19%
  • Facebook – 15%
  • eBay – 6%
  • Amazon – 3%

How to Reduce Your Risk of Getting Caught

There are some steps you can take to reduce the risk of being a phishing scam victim.

  1. Always double-check the spelling in URLs before you click on a link or share sensitive data. Frequently, these have a minor and easily overlooked change.  For example, PayPal may show as Paypal.
  2. Watch for URL redirects, where you are sent to a fraudulent website, with a duplicated design.
  3. If you receive a suspicious email, don’t hit respond. Instead, open a completely different email.  This prevents the hacker from gaining access to your system.
  4. Don’t share personal data such as birthdays, vacation plans, your phone number or address on social media. Cyber thugs can use this information to make their phishing expeditions more believable.
  5. Have your IT department “sandbox” all inbound email. This step checks the validity of all links BEFORE the email hits your computer.
  6. Get Top Jump Marketing’s Ongoing Security/Protection Program. This won’t stop a phishing attempt; but should that attempt result in damage to your existing site, it will get your site repaired at no cost to you.  Additionally, the increased security and routinely updated WordPress platforms may reduce the potential for a cyberattack in the future.
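Steps 1 and 2 above describe checking a URL's spelling and watching for links that send you to a copied site. The script below, an added example that is not part of the original post, automates that check for the links in an email: it flags hosts that are a one-character typo or digit-for-letter swap of a trusted brand, or that bury the brand name inside an unrelated domain. The trusted list, the substitution map, the two-label "registered domain" rule and the sample message are all constructed assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Trusted brand domains (constructed list for this example).
TRUSTED = ["paypal.com", "microsoft.com", "facebook.com", "ebay.com", "amazon.com"]

# Digits and letter pairs often swapped for look-alikes (assumed mapping, not exhaustive).
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def normalise(label):
    """Undo common character substitutions so 'paypa1' compares as 'paypal'."""
    return label.lower().translate(DIGIT_SWAPS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance; one edit is the 'minor, easily overlooked change'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    # Assumption: the last two labels are the registered domain (no public-suffix list here).
    return ".".join(host.split(".")[-2:])

def classify_url(url):
    """Return 'trusted', 'lookalike of <brand>' or 'unknown' for one URL."""
    host = (urlparse(url).hostname or "").lower()
    reg = registered_domain(host)
    if reg in TRUSTED:
        return "trusted"
    labels = host.split(".")
    for brand in TRUSTED:
        name = brand.split(".")[0]
        # Brand name used as a subdomain, or embedded in an unrelated registered
        # domain (this substring test can also flag innocent names; review hits).
        if name in labels or name in reg:
            return "lookalike of " + brand
        # Brand name with a one-character typo or a digit-for-letter swap.
        if edit_distance(normalise(reg.split(".")[0]), name) <= 1:
            return "lookalike of " + brand
    return "unknown"

def scan_email(body):
    """List every link in an email body together with its verdict."""
    return [(u, classify_url(u)) for u in URL_RE.findall(body)]

# Constructed sample message for the example, not a real phishing email.
SAMPLE = """Your account is limited. Verify at https://paypa1.com/verify
or https://www.paypal.com.secure-login.example/login within 24 hours.
Legit: https://www.paypal.com/signin  Unrelated: https://example.org/"""
```

Running `scan_email(SAMPLE)` marks the first two links as PayPal lookalikes, the third as trusted and the last as unknown; anything other than "trusted" is a link to verify by typing the real address yourself rather than clicking.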

For more information, please call the Top Jump Marketing team today at (800) 795-2187 and cancel the cybercriminals’ “phishing” license on your business website.