Phishing is still the number one cause of data breaches and theft of personal information. If anything, the Covid-19 pandemic has reinforced this view, as there has been a huge rise in reported phishing incidents directly related to Covid. It’s difficult to put exact figures on the surge, but most sources quote around a 200% increase; one Canadian company, CGI, reported a massive 30,000% increase in Covid-related malware, weaponized websites, and phishing emails.
Phishing is not a new phenomenon. It has been used to steal personal information ever since the Internet went mainstream in the early 1990s. One of the earliest recorded phishing scams targeted AOL users. Cybercriminals reportedly impersonated AOL employees requesting their dial-up credentials. People’s perception of online security was completely different back then, and countless credentials were offered up and then sold on the black market.
One of the most notorious phishing campaigns was called the LoveBug, sometimes known as ILOVEYOU. The malware was disguised inside a VBS script pretending to be a love letter email. Once opened, the malware encrypted local files and then emailed itself to all your Outlook contacts. It was very crude by today’s standards, but it caused millions of dollars of damage and forced businesses to rebuild infected computer systems.
What Is Phishing?
It’s highly likely that you have already heard of phishing and that you understand the basic principles of what phishing is. Awareness of phishing has grown rapidly in recent years because of the significant impact it is having on businesses and individuals. If you work in an office, it’s likely your company has rolled out a cybersecurity training program to help combat phishing.
Despite this increased awareness, we still have a long way to go when it comes to preventing phishing. Cybercriminals are exploiting phishing techniques to trick people into disclosing sensitive personal information or into downloading malware payloads from fake websites.
The most common attack vector is a phishing campaign over email, but phishing can also happen over the phone, via text message, through social media, and so on. But what can you do to protect yourself in today’s interconnected world?
Make Yourself a Hard Target
Controlling the information that you share about yourself is a great start to controlling your privacy and limiting your digital footprint. Anyone who uses a computer online leaves a digital signature, history, and information about themselves. Often this is intentional, but sometimes other people share information about you without your knowledge.
Social media is known to harvest huge amounts of data about its users and leaves a detailed history of your personal habits, places you visit, and things that you like. Have you ever downloaded the information Facebook keeps on you? Give it a try; you may be surprised.
Your personal data is out there and available, so take time to review your privacy settings and delete social media accounts you no longer use. Check the privacy settings on your cell phone and always be on the lookout for suspicious emails, texts, and phone calls.
Remember: never divulge sensitive information, and always think twice when answering an unrecognized phone number.
Phishing Has Become Harder to Spot
Phishing emails are getting more sophisticated as the rewards from the successes line the pockets of cybercriminals. Times have changed significantly since the ILOVEYOU malware was distributed; attacks are now coordinated, and hackers are using stolen personal information from data breaches to target individuals. The idea is that if the hacker has some correct information, you may be more likely to provide even more personal information.
Bogus emails can now look identical to the real thing, and some in circulation are indistinguishable from legitimate emails. There are still several phishing attempts that are borderline amusing, littered with spelling mistakes, outrageous claims, or promises of lost riches and fortunes.
However, there are still some tell-tale signs to be on the lookout for, so always think twice before clicking an embedded hyperlink or replying with personal data:
- Is the email addressed to you by name, or to a “valued customer,” “friend,” or “fellow citizen”? A generic greeting is a tell-tale sign of a scam.
- Spelling mistakes
- Low-quality graphic design
- Does the email press for an “urgent response”?
- Are you being asked for personal information, bank details, Social Security numbers, etc.?
If you are asked to provide information via email, alarm bells should sound, as no legitimate company will ask you to validate your data by email. Check the official website or phone the advertised number to make sure.
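As an added example (not code from the original article), the following Python script scores an email body against the tell-tale signs listed above: a generic greeting, urgency language, and a request for sensitive data. It also adds one check the list only alludes to with “embedded hyperlink”: whether a link’s visible text names a different host than the address it really points to. The phrase lists and the two sample messages are constructed for this example.

```python
import re
from html.parser import HTMLParser
# Indicator phrase lists are constructed for this example, not taken from any product.
GENERIC_GREETINGS = ("valued customer", "dear customer", "dear user", "friend", "fellow citizen")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended", "act now")
SENSITIVE_REQUESTS = ("password", "social security number", "bank details", "account number",
                      "credit card", "verify your account", "validate your data")
_HOST_IN_TEXT = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b")  # hostname-like link text

class _LinkCollector(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def _host(url):  # hostname part of an absolute URL, "" if none
    m = re.match(r"^[a-z]+://([^/:?#]+)", url.strip().lower())
    return m.group(1) if m else ""

def score_email(body_html):
    # Returns which indicators fire for one email body (HTML or plain text) plus a total.
    text = re.sub(r"<[^>]+>", " ", body_html).lower()
    first_line = next((l for l in text.splitlines() if l.strip()), "")
    parser = _LinkCollector()
    parser.feed(body_html)
    # Visible link text names one host but the href actually points somewhere else.
    mismatched = [href for href, shown in parser.links
                  if (m := _HOST_IN_TEXT.search(shown.lower())) and m.group(0) != _host(href)]
    findings = {"generic_greeting": any(g in first_line for g in GENERIC_GREETINGS),
                "urgency": any(p in text for p in URGENCY_PHRASES),
                "asks_for_sensitive_data": any(p in text for p in SENSITIVE_REQUESTS),
                "mismatched_link": bool(mismatched)}
    findings["score"] = sum(findings.values())
    return findings

# Constructed sample messages (not real emails).
PHISH_EMAIL = """<p>Dear Valued Customer,</p><p>Your account will be suspended within 24 hours
unless you verify your account. Go to <a href="http://account-verify.example.net/login">
www.yourbank.example.com</a> and enter your password to keep access.</p>"""
LEGIT_EMAIL = """<p>Hi Alice,</p><p>Your March statement is ready at
<a href="https://www.yourbank.example.com/statements">www.yourbank.example.com</a>.</p>"""
```

Spelling mistakes and design quality from the list are not scored here; they need a dictionary or a human eye, and a score is a prompt to verify through the official website or phone number, not a verdict.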
Technical Solutions to Combat Phishing
For businesses and organizations, the ability to combat phishing is rapidly becoming a mandatory business requirement. Customers expect robust security frameworks and technical solutions to counteract phishing. Businesses are allocating much bigger budgets to target cybercriminal activity.
One of the best ways to up your cybersecurity is to partner with a security-focused hosting provider. We expect outsourcing cloud security-as-a-service to increase in popularity throughout 2021.
Outsourcing will help to reduce the impact of phishing, ransomware, and other malware attacks, and it will also address the shortage of IT experts that many organizations face when securing their cloud environment.
Other benefits include a lesser chance of accidental information sharing by employees and fewer mistakes being made by system administrators thanks to additional managed services. Systems and controls can be introduced to limit the chance of data theft by employees (the insider threat), such as an added emphasis on endpoint device protection.
Training employees is essential, and additional training should be offered to high-risk employees such as executives, finance, and IT professionals. Despite growing awareness of phishing, certain demographics are vulnerable, in particular the elderly and 18-to-29-year-olds. Research has shown that educating users about phishing is the most effective tool to combat it.
What else can be done?
- Create a strong and enforceable password policy
- Use multifactor authentication (MFA)
- Patch your servers
- Patch your applications
- Never use unsupported (end-of-life) operating systems such as Windows Server 2008 R2
- Monitor everything
- Use an Intrusion Prevention System (IPS) to ensure that network traffic is closely monitored
- Monitor TLS connections inbound and outbound
- Block all ports apart from those absolutely necessary on the firewall
How can Atlantic.Net help?
Atlantic.Net has over 29 years of experience providing high-end hosting solutions that are built to exacting security standards. Our platform gives our customers the best chance to combat cybersecurity issues. Our network and platform are segregated, meaning that even if someone manages a successful phish, it would be impossible for the hacker to traverse our network as the design prevents that possibility. Any issue would be isolated at the source.
Cloud platforms are very secure and offer highly durable and robust services; the biggest problem is user misconfiguration or users clicking on phishing links. When leveraging cloud services, the shared responsibility model comes into play. Atlantic.Net is responsible for protecting data, applications, infrastructure, and physical facilities, but the customer is responsible for managing users.
If you are a healthcare provider, it is vital that you consider a fully audited HIPAA-compliant server infrastructure for your organization. To find out more about the solutions that we offer, contact our sales team today!
A brief version of this article was also published on HealthITanswers.com.