Preventing Ransomware Attacks: Don’t take the bait!
Reprinted from the Canadian Centre for Cyber Security – Cyber Security Guidance
What does a phishing attack look like?
Step 1: The bait
The scammer tailors a message to look like a legitimate one from a major bank or service. Using spoofing techniques to disguise its origin, the scammer sends the message to numerous recipients in the hope that some will take the bait and fall for the scam.
In spear-phishing and whaling attacks, the scammer first gathers details about the target individual or company. For example, the scammer can harvest information from social media profiles, company websites and internet activity to create a customized message.
In "vishing" (voice phishing) attacks, the scammer might use a computerized auto dialer (robocall) to deliver the fraudulent message to many victims.
Step 2: The hook
The victim believes the message is from a trusted source and that it contains information requiring urgent action, e.g. to resolve a problem with their account.
If the victim clicks the link in the message, they are unknowingly redirected to the scammer's fake version of the real website. Any sensitive information the victim enters there (e.g. login credentials) is sent to the scammer.
If the victim opens an infected attachment, malicious code may execute and infect their device.
In a vishing attack, if the victim responds by pressing a number from the options offered, they may be connected directly to the scammer.
Step 3: The attack
Credentials stolen—The scammer can now access the victim's account, e.g. an email account from which to send more phishing emails to the victim's contacts. If the victim is an IT professional with privileged access, the scammer may gain access to sensitive corporate data or critical systems.
Malware installed—The scammer can use the malicious software to take control of the victim's device, steal their data, or lock access to their files until a sum of money is paid (as in ransomware attacks). Over the past 15 years, ransomware has become one of the most prevalent types of cybercrime.
According to the Canadian Centre for Cyber Security, the most effective ways to protect your systems and information include:
- Verify links before you click them: hover over the link to check that the destination address (and the sender's address) matches what you expect
- Back up information so that you have another copy
- Apply software updates and patches
- Filter spam emails (unsolicited junk emails sent in bulk)
- Block IP addresses, domain names, and file types that you know to be bad
- Use anti-phishing software that enforces your Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy, so that mail failing sender authentication is quarantined or rejected
- Establish protocols and procedures for your employees to internally verify suspicious communications. This should include an easy way for staff to report phishing attacks
- Update your organization’s incident response plan to include how to react if you’re hit with a phishing attack
- Use multi-factor authentication on all systems, especially on shared corporate accounts such as social media
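Several of the checks in the list above (verifying where a link really points, blocking known-bad file types, and acting on the DMARC verdict) can be automated at the mail gateway or in a triage script. The following Python is an added example and is not part of the Cyber Centre's guidance: it runs over two constructed messages and reports the indicators it finds. The `.example` domains, the gateway name `mx.example.org` in the `Authentication-Results` header and the `BLOCKED_EXTENSIONS` set are assumptions for illustration, and `registrable_domain` uses a crude "last two labels" rule in place of a real public-suffix lookup.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso"}  # assumed local policy
HOST_RE = re.compile(r"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})")  # host name in link text


class AnchorParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host: a rough stand-in for a public-suffix lookup (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def address_domain(header_value):
    """Domain of the first address in a header value, or '' if there is none."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else ""


def phishing_indicators(raw):
    """Return (code, detail) findings for one RFC 5322 message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. Envelope sender (Return-Path) vs header From: a cheap check for a spoofed sender.
    from_dom = address_domain(msg.get("From"))
    rp_dom = address_domain(msg.get("Return-Path"))
    if rp_dom and registrable_domain(rp_dom) != registrable_domain(from_dom):
        findings.append(("sender-mismatch", f"Return-Path {rp_dom} vs From {from_dom}"))
    # 2. DMARC verdict that our own gateway (mx.example.org, assumed) wrote into Authentication-Results.
    verdict = "none"
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=(\w+)", str(hdr))
        verdict = m.group(1).lower() if m else verdict
    if verdict != "pass":
        findings.append(("dmarc-not-pass", f"dmarc={verdict} for {from_dom}"))
    # 3. Hidden links: the visible text names one site while the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = AnchorParser()
        parser.feed(body.get_content())
        for href, text in parser.anchors:
            target = (urlparse(href).hostname or "").lower()
            shown = HOST_RE.search(text)
            if target and shown and registrable_domain(shown.group(1)) != registrable_domain(target):
                findings.append(("hidden-link", f"shows {shown.group(1)}, goes to {target}"))
    # 4. Attachments whose final extension is blocked; this also catches "statement.pdf.exe".
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if "." in name and "." + name.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS:
            findings.append(("blocked-attachment", name))
    return findings


# Constructed sample: spoofed bank alert with a hidden link and a double-extension attachment.
PHISH_EMAIL = b"""\
Return-Path: <bounce@mail-secure-login.example>
Authentication-Results: mx.example.org; spf=pass; dmarc=fail header.from=bank.example
From: "Bank Security" <alerts@bank.example>
Subject: Urgent: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be locked. Log in at
<a href="http://bank.example.mail-secure-login.example/login">https://www.bank.example/login</a></p>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

--b1--
"""
# Constructed sample: a legitimate notice from the same bank, which should yield no findings.
CLEAN_EMAIL = b"""\
Return-Path: <alerts@bank.example>
Authentication-Results: mx.example.org; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Bank Security" <alerts@bank.example>
Content-Type: text/html; charset="utf-8"

<p>Your statement is at <a href="https://www.bank.example/statements">www.bank.example</a>.</p>
"""
```

Calling `phishing_indicators(PHISH_EMAIL)` returns four findings (sender mismatch, DMARC failure, hidden link, blocked attachment) while `phishing_indicators(CLEAN_EMAIL)` returns an empty list. The hidden-link check is the scripted form of "hover before you click": the text the victim reads says `www.bank.example`, but the href resolves to `mail-secure-login.example`. Only trust a DMARC verdict written by your own gateway; a sender can forge an `Authentication-Results` header just as easily as a From address, so a real deployment strips any such header arriving from outside before adding its own.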
Something may be “phishy” if:
- you don't recognize the sender's name, email address, or phone number (bear in mind that spear-phishing messages often impersonate a sender you do recognize)
- you notice a lot of spelling and grammar errors
- the sender requests your personal or confidential information, or asks you to log in via a provided link
- the sender makes an urgent request with a deadline
- the offer sounds too good to be true
- the caller's voice has a robotic tone or an unnatural rhythm
- the call has poor audio quality
Watch out for unsolicited communication with:
- Attachments
- Hidden links
- Spoofed websites
- Malicious QR codes
- Log-in pages
- Urgent Requests
- Prompts for personal information
- Callers claiming to be a government official, a bank representative, or from the Canada Revenue Agency (CRA)
Ensure that your leaders, employees, and volunteer workers are aware of cyber threats and receive both initial and refresher training. One effective way to do so is through sample case studies that illustrate how easily anyone can fall prey to cyber-crime, including giving an attacker access to the organization's computer system simply by opening an email attachment or clicking on a link.
At a minimum, training should include the following topics:
- Identifying and handling phishing attempts
- Strengthening passwords
- Updating and patching systems
- Securing IT assets and sensitive information
- Reporting incidents
Including case studies or examples of publicly known cyber security incidents in training material can help demonstrate vulnerabilities, threat actor techniques and mitigation measures.
Run periodic phishing simulations to test and evaluate how exposed your organization is to this kind of attack.
Preventing Social Engineering Fraud Claims:
Although financial loss or damage resulting from many risks, including cyber-crimes, can be effectively addressed through insurance, social engineering fraud is often the exception. There are several interrelated reasons for this:
First, it is increasingly difficult for nonprofits, or for any business or organization, to obtain this type of coverage without robust internal controls. Where insurance is available for this risk, it often provides only a very modest amount of protection.
Second, even cyber insurance policies that include a more substantial amount of coverage for this type of claim commonly contain what is known as a "call-back" provision. This requires the organization to follow strict verification protocols, and results in claim denials when a policyholder fails to follow its own internal procedure for verifying payments to third parties.
Third, and directly related to the second, the way to avoid fraudulently induced transfer claims is often quite simple and effective, and may not require insurance at all. It involves strict internal procedures and training of staff and volunteer workers in your organization's digital and financial protocols, including:
* Implement a second-authorization protocol for any payment request from an outside party: pay no invoice until it has been approved by whoever in your organization ordered the goods or services, never pay on the basis of a rushed email request, and never pay from a statement. Always ask the supplier or third party for the original itemized invoice, including the authorization for the goods or services. Rushed or last-minute payment requests are a common tactic of fraudsters, so train staff to always follow your established fraud prevention protocols.
* For any email or text requests from internal parties to transfer funds or to disclose or send sensitive information, including requests by an executive director, manager, board member or officer, require that the individual receiving the instructions pick up the phone and contact the sender to verify it is legitimate and to document the confirmation, prior to releasing sensitive data or sending money, whether by e-transfer, wire transfer, or cheque.
* Never change a third-party supplier's or vendor's banking information on the basis of an email request or telephone call. Always verify the change by contacting them directly at the email address or telephone number already on file, never at the contact details given in the request itself. Apply the same rule to incoming calls: if you receive a call from your bank, hang up and call the bank back at the number on your card or statement.
* To prevent e-transfer fraud against a church's or charity's members and donors, carefully check for accuracy any email address the organization publishes (in print, digitally or on its website) to receive e-transfer donations, and have the organization's leaders or IT department regularly confirm that it has not been fraudulently tampered with. Alternatively, do not offer e-transfer donations directly to the organization and its banking institution, or offer them only through a reputable third-party giving platform with an e-transfer option.