Posts Tagged Phishing

What Is W-2 Phishing Attack?

W-2 phishing was launched with an intention to swipe away your tax refund. More than 100 employers became victim of W-2 phishing attack in first 10 weeks of 2017, putting 120,000 taxpayers at risk of an identity fraud. As per statistics by IRS Return Integrity Compliance Services, reports of W-2 phishing emails increased by 870% in 2017 and the figures are quite alarming.

How Is It Launched?

The cybercriminal shall send an email in which he might impersonate himself as the CEO of the company. The email contains an urgent request to send employee tax information. On receiving the email, the concerned employee often sends the file and hands over confidential & personal employee information to the fraudsters.

W-2s are important forms that are attached when one files their tax return. It contains a person’s confidential information such as name, address, income, social security number etc. Employee’s sensitive information is acquired from W-2s to commit an identity fraud.

Following are some ways in which this information can be misused –

  • Your social security number can be used to claim a duplicitous tax refund.
  • Take a loan on your name
  • Open up a new credit card
  • Make payments from your account

Ways To Protect Yourself From W-2 Phishing Attack

  • Raise Awareness – Since W-2 phishing attacks are on rise it is important to keep your staff aware about the phishing scam. Make sure that you educate your employees on regular basis about the recent phishing scams. It is important that your staff that deals with all the financial statements and tax information is aware about the W-2 and other similar threats.
  • Set Relevant Policies – To protect your company from such attacks, it important to set up some secretive policies and communicate them to your employees. There should be policies that decide what kind of requests should be catered to through an email. For e.g. when there is a policy that top executives would never ask for sensitive information via email, then the concerned employees would not be deceived by any fraudulent email asking for employee credentials. Also it is important to be vigilant when responding to any email.
  • Flags Spam Emails – If you are able to identify a W-2 phished email then flag it and forward it to your employer and other concerned employees to prevent them from falling into a trap.
  • Verify The Sender – Make sure that your employees do not revert to an email sent from an untrusted source. Follow a practice of reconfirming the request of sending any confidential information with the concerned executive once, before actually sending it.It is important to stay alert about such attacks to take preventive measures well in advance.

For more information about IT Security, call Centex Technologies at (254) 213-4740.

, ,

No Comments

What Is Vishing & How To Avoid It

Vishing is the term used for voice or VoIP (voice over IP) phishing. It is a social engineering attack that is launched with a primary goal to extract user’s confidential information and is usually done using an automated dialing and voice synthesizing equipment.

Vishing works just like any other phishing scam. The imposter generally pretends as someone from the bank or as a government representative seeking information. Sometimes, the fraudster may even use voice to text synthesizers or recorded messages to masquerade himself. The attack is launched with an intention to gain access to a person’s PIN number, credit card details, passwords, social security number etc. In most cases, the scammer is successful in making the victim part with their credentials.

When a vishing attack is launched, either of these things happen 

  • A person will receive a call. On answering that call, an automated voice system will ask the victim for their personal information.
  • Sometimes, a fraudster will call the victim and inform that they should call their bank to avail some offer or to provide certain information. The victim then hangs up the phone to dial bank’s number but fraudster doesn’t and keeps the lines open. Victim hears a spoofed dialing tone and some other scammer answers the phone call. They impersonate their identity as bank official to steal the required information.

How Do They Obtain Your Number?

There are several possibilities by which the fraudsters obtain your number. Some of which are

  • Using stolen phone information
  • Auto – generated numbers
  • Numbers and details compromised in a previous data breach

Techniques Used By Them

  • Impersonate As Genuine Callers – There is high probability that these scammers already have your personal information and address you as genuine people over the phone.
  • Holding The line – Sometimes, cyber criminals hold your call. They then direct your call to another scammer when you call them back.
  • Sense Of Urgency – The most common approach is to incite fear in the mind of a person. The caller makes the victim believe that their money is in danger. He/she then acts hastily without thinking much and commits the mistake of sharing their confidential information with the fraudster.
  • Phone Spoofing – The number from which the call comes seems to be genuine and so you believe what the caller says, often ending up in sharing your login credentials or passwords.

How To Avoid Them

  • Never Share Your Personal Information Over The Phone – If you pick a call that seems to be from a legitimate caller, never share your personal information over the phone in the first place. No bank or government institution will ask you to provide your credentials over the phone. In case they do, then ask the caller’s name and tell them that you would call them back after some time. Search for the bank’s official number and inquire from them about the call.If you sense something suspicious then there are chances that the call was a vishing attack launched at you.
  • Use A Caller ID App – There are numerous apps such as Truecaller that allow you to know the callers identity. It has billions of spam numbers locked in their database and if you come across such a number then you can also add it to their spam database.

For more information on IT Security, call Centex Technologies at (254) 213-4740.

, ,

No Comments

Common Phishing Attacks And How To Protect Against Them

Phishing attacks are launched to steal sensitive user data comprising of passwords and important login credentials. The attacker generally masquerades itself as a legitimate sender and sends an email, message or link infected with malware. It is a type of social engineering attack that can have devastating results. There are numerous types of phishing attacks, here we have listed few:

Deceptive Phishing
It refers to an attack in which a hacker deceives the user by impersonating as a legitimate website but steals away a person’s personal information. An email with malicious content often posing as a threat or urgent message is sent to force the user to click it. For example, sometimes they send the user an email posing as a mail from their bank regarding some discrepancy in the account. The user, often in all the haste, clicks on the link and is directed to an illegitimate site that steals away their passwords & login credentials.

Spear Phishing
The hacker personalizes the attack. Emails are specifically addressed and have the target’s name, position, company name etc. mentioned in them to win the user’s trust. This is done to dupe the user and make them click on the malicious link. When once the user parts away with their confidential information, their login credentials and sensitive data is stolen.

Whaling
In this type of attack, the executives at the highest level are targeted. Generally the employees at top level do not undergo a security awareness training program which is why they are prone to cyber-whaling. An attempt is made to pitch the executives using specially designed emails or social engineered attacks. Then the attacker launches a BEC (Business Email Compromise) scam to use the executive’s email to initiate fraudulent wire transfer to a financial institution.

Pharming
This attack resorts to domain name system cache poisoning. The alphabetical website name is converted into numerical IP address which is used to locate computer devices. The attacker then directs the user to a malicious website even if the user entered a correct website name.

Mimic Phishing
An authentic website such as GoogleDocs, Dropbox etc. is mimicked to lure users to sign in. This way their passwords & login credentials are stolen.

How To Protect Yourself Against Such Attacks –

  • Carefully check the URL of the website before clicking on it.
  • Organizations must conduct employee training programs in which every employee should participate.
  • Companies must invest in software that have the ability to analyze inbound emails in order to keep a check over the malicious links/ email attachments.
  • Financial transactions should not be authorized through emails.
  • Only enter the websites that begin with – https as such sites are much secure.
  • Install a high quality anti-virus and update your system on a regular basis.
  • For more information on IT Security, call Centex Technologies at (254) 213-4740.

, , ,

No Comments

Frequently Asked Questions About Phishing

27 October, 2016

Phishing is a common form of online identity theft that involves sending fraudulent emails in order to steal the target user’s personal information, credit card details, social security number and other sensitive data. A phishing email is crafted to look legitimate and often creates a sense of urgency to instigate immediate action from the receiver. However, despite the increasing number of phishing attacks, many people are not able to identify fraudulent emails and get tricked into giving out their personal information.

Given below are some frequently asked questions that will help you avoid becoming a victim of phishing attack:

How do I identify a phishing email?

Cybercriminals send out phishing emails masqueraded to be sourced from a legitimate entity, such as a bank or credit card company. Although these emails can be recognized easily by poor grammar and hoaxed email addresses, some of the phishing attempts can be highly sophisticated. The typical characteristics of a phishing email are that they create a sense of urgency and require the user to update his bank account information. Also, fraudulent emails do not address the sender by his name.

What should I do if I receive phishing email?

If you receive a phishing email, make sure you delete it without opening, particularly if it contains any links or attachments. You must remember that banks and financial institutions do not ask for sensitive information over emails. In case you have any doubt regarding the authenticity of the email, contact the sender directly.

How do hackers get my email address?

In most cases, the hackers do not know your email address. They simply send out the emails to randomly generated addresses so that they are likely to reach some customers of a specific bank or credit card company. The hackers may also detect an unprotected email server and send out phishing messages to the addresses on it.

What should I do if I have been scammed by a phisher?

If you suspect being a victim of phishing attack, immediately change your login credentials for the online accounts that may have been potentially compromised. Review your financial statements to identify any unauthorized activity. Inform your bank or credit card provider and request them to block all online transactions from your account.

Centex Technologies is a leading IT security company in Central Texas. For more information on phishing attacks, feel free to call us at (855) 375 – 9654.

,

No Comments

How Can Organizations Guard Against Phishing Scams?

23 August, 2016

Business organizations are a worthwhile target for the hackers to carry out phishing scams. Whether it is to steal passwords, employee details or any other sensitive data, just a single click from an ignorant employee is sufficient to give out the information sought by the hackers. Though most phishing emails are detected by spam filters, it is important for the employees to understand the risks and consequences to avoid falling victim to such attacks.

Listed below are some steps organizations should take to guard against phishing scams:

Initiate A Security Awareness Program

The reason why phishing attacks have a high success rate is because they target the end users, i.e. people who have little or no technical knowledge about data security. Therefore, educating your employees about this aspect can help to decrease the probability of a potential data breach. As phishing attacks mainly involve a fake email, malicious attachment or ad, unsolicited friend request on social media etc., security awareness program will help your employees identify such suspicious activities more easily.

Keep Software Regularly Updated

Though security software do not offer complete protection against phishing attacks, they can prevent application downloads or website redirects that seem to be potentially dangerous. Hence, it is important to install and update anti-virus, anti-malware and anti-spyware software on all the computers in the organization. The same rule applies to the operating system and other programs installed on the systems. Keeping the software patched will protect you against the latest security threats and vulnerabilities.

Use Layered Security

Make sure your organization’s confidential information is protected by multiple layers of security. With this, even if a phishing attack is successful, the hackers would not be able to gain access to all the data stored on the victim’s computer system. Use secure user IDs and passwords, followed by data encryption, access control protocols, user activity monitoring and other such types of layered security.

Follow Best Password Practices

Encourage your employees to follow the best practices when it comes to maintaining confidentiality of their official email accounts. Make sure they create strong passwords and change them at frequent intervals. Also, the login credentials should be stored in an encrypted format in the computer system. By combining difficult and lengthy passwords with two-factor authentication, you can considerably reduce the consequences of a phishing attack.

For more tips on preventing and managing phishing attacks, feel free to contact Centex Technologies. We can be reached at (855) 375 – 9654.

, ,

No Comments