Coleman Technologies Blog
Phishing has become one of the great problems for technology users in the 21st century. The ironic part of the whole thing is that it has taken a good old-fashioned social engineering scam to make today’s robust information systems less secure. Phishing is the predominant way that hackers and scammers gain access to the systems they target. Today, we’re going to spell out what to train your employees on to help them identify phishing attacks.
Let’s discuss what this signifies, and how this may shape how users authenticate themselves in the future.
Defining CAPTCHA
Short for Completely Automated Public Turing Test to tell Computers and Humans Apart, CAPTCHA has long been the standard tool used by Google to prevent automated spam from polluting the Internet by requiring (in theory) a human being to interact with content in some way before allowing access or a task to successfully be completed.
Give Me the Short Answer - What’s Phishing?
Phishing is when you receive an email that looks like a legitimate message from a company or person you trust. The cybercriminal’s goal is to trick you into giving up a password or access to an account (like PayPal, Facebook, or your bank), or to get you to download malware.
The problem with phishing emails is how real they can seem. A phishing attempt for your PayPal information can look just like an everyday email from PayPal.
Even worse, phishing emails often try to sound urgent. They make you feel like you have to act immediately, that a bill is overdue, or that your password has been stolen. That sense of urgency lowers the user’s guard and pushes them into a hasty decision.
How to Spot a Phishing Attack
Like I said, it’s not always going to be obvious when you get phished. Even careful, security-minded, technical people can fall victim because phishing is just as much of a psychological attack as it is a technical one.
Still, there are some practices you and your staff should use:
Always Use Strong, Unique Passwords
This can solve a lot of problems from the get-go. If your PayPal account gets hacked, and it uses the same password as your email or your bank account, then you may as well assume that your email and bank account are infiltrated too. Never use the same password across multiple sites.
Check the From Email Address in the Header
You’d expect emails from Facebook to come from , right? Well, if you get an email about your password or telling you to log into your account and it’s from , you’ll know something is up.
Cybercriminals will try to make it subtle. Amazon emails might come from or emails from PayPal might come from . It’s going to pay off to be skeptical, especially if the email is trying to get you to go somewhere and sign in, or submit sensitive information.
Don’t Just Open Attachments
This is nothing new, but most malware found on business networks still arrives as an email attachment, so it’s still a huge problem. If you didn’t request or expect an attachment, don’t open it. Scrutinize the email, or reach out to the sender by some means other than replying to that email (a phone call, or a message to an address you already know) to confirm that it is safe. I know it sounds silly, but being security-minded can build security-minded habits in others too, so you could inadvertently save them from an issue if they follow your lead!
Look Before You Click
If the email has a link in it, hover your mouse over it to see where it is leading. Don’t click on it right away.
For example, if the email is about your PayPal account, check the domain for any obvious signs of danger. Here are some examples:
- Paypal.com - This is safe. That’s PayPal’s domain name.
- Paypal.com/activatecard - This is safe. It’s just a subpage on PayPal’s site.
- Business.paypal.com - This is safe. A website can put letters and numbers before a dot in their domain name to lead to a specific area of their site. This is called a subdomain.
- Business.paypal.com/retail - This is safe. This is a subpage on PayPal’s subdomain.
- Paypal.com.activecard.net - Uh oh, this is sketchy. Notice the dot after the .com in PayPal’s domain? That means this domain is actually activecard.net, and it has the subdomain paypal.com. They are trying to trick you.
- Paypal.com.activecardsecure.net/secure - This is still sketchy. The domain name is activecardsecure.net, and like the above example, they are trying to trick you because they made a subdomain called paypal.com. They are just driving you to a subpage that they called secure. This is pretty suspicious.
- Paypal.com/activatecard.tinyurl.com/retail - This is really tricky! The hacker is using a URL shortening service called TinyURL. Notice how there is a .com later in the URL after PayPal’s domain? That means it’s not PayPal. Tread carefully!
Keep in mind, everyone handles their domains a little differently, but you can use this as a general rule of thumb: don’t trust any dots that appear after the domain you expect the link to point to.
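The two checks above (the sender’s address and where a link really points) can be written down as a small script. This is an added example, not code from the original post: the classification labels, the short list of common endings used to spot domain-like text in a path, and the sample From: addresses are assumptions, and the links are the post’s own examples.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the brand's real domain; a deployment would keep one per brand.
EXPECTED_DOMAIN = "paypal.com"
# Assumption: endings that make a path segment read like another domain.
COMMON_TLDS = {"com", "net", "org", "io", "co"}

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: real code needs the
    Public Suffix List for names such as example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def looks_like_hostname(segment: str) -> bool:
    """True when a path segment is dotted and ends in a common TLD."""
    labels = segment.lower().split(".")
    return len(labels) >= 2 and all(labels) and labels[-1] in COMMON_TLDS

def classify_link(link: str, expected: str = EXPECTED_DOMAIN) -> tuple:
    """The post's rule: the real (registrable) domain must be the expected
    one, and nothing after it should look like yet another domain."""
    if "://" not in link:              # hover text often omits the scheme
        link = "https://" + link
    parts = urlsplit(link)
    real = registrable_domain(parts.hostname or "")
    if real != expected:
        return ("suspicious", f"real domain is {real}, not {expected}")
    for seg in parts.path.split("/"):
        if looks_like_hostname(seg):
            return ("suspicious", f"domain-like text after the domain: {seg}")
    return ("safe", f"subpage or subdomain of {expected}")

def sender_matches(from_header: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """Apply the same domain test to a From: header (display name ignored)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    return registrable_domain(addr.rsplit("@", 1)[1]) == expected

if __name__ == "__main__":
    for link in ["Paypal.com", "Business.paypal.com/retail",
                 "Paypal.com.activecard.net",
                 "Paypal.com/activatecard.tinyurl.com/retail"]:
        print(link, "->", classify_link(link))
    # Constructed From: headers, not taken from any real message.
    print(sender_matches("PayPal <service@paypal.com>"))
    print(sender_matches("PayPal <service@paypal.com.example.net>"))
```

The path check is deliberately cautious: anything dotted that ends in a common TLD is flagged for a human to look at rather than trusted.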
Training and Testing Go a Long Way!
Want help teaching your staff how to spot phishing emails? Be sure to reach out to the IT security experts at Coleman Technologies. We can help equip your company with solutions to mitigate and decrease phishing attempts, and help educate and test your employees to prepare them for when they are threatened by cybercriminals.
The first thing you need to remember is that, while your unhappy customer or client may not be correct, they are always right. What does this mean? Simple - even if they misinterpreted what they were entitled to through your services, you have the obligation to make them happy. This is not to say that you kowtow to every demand a customer makes, regardless of how ludicrous it is… you just need to make sure they stay happy.
How can you do this? It all boils down to communication.
How to Communicate With an Unhappy Client
Chances are, you’re going to find out that a client was unhappy by reading a review that they leave somewhere online - perhaps on Facebook, or on Google, or on a third-party review website. What they will have to say may upset you. That’s fine. Nobody likes to hear that there is something wrong with one of their endeavors. You have every right to be a little upset - just don’t let that upset seep into your conversation with your unhappy client.
After all, in their eyes, they have every right to be upset as well.
Therefore, once you’ve regained a cooler composure, you need to respond directly and politely to the negative review. While this initial interaction should be public, offer to continue your conversation in a less public way, in an offline forum. If the reviewer accepts, try to come to a mutually beneficial compromise with them. This will help to insulate you from a rash decision.
This brings up another important point - while you may really want to, you should never just remove a negative review. Not only will that make it look like you are hiding something (not good), it also squanders the opportunity to make lemonade out of your reviewer’s lemons. Again, try to make whatever issue your reviewer had right, and ask them to revise their review once things have been settled. If you play your cards right, the result could be a much better review, describing the care you put into fixing their issue.
Reviews Can Be Good, Too!
Whenever they are, responding to them gives you another opportunity to embrace.
I can almost hear you now: “Wait, if a reviewer is happy, doesn’t that mean I’ve done what I had to do?”
In a way, yes. If someone is willing to leave a positive review of your services, you clearly were able to strike a chord with them. However, while responding to a negative review could be somewhat accurately seen as damage control, responding to a positive review has a very different motivation to it.
Look at it this way: anyone who is willing to take the time out of their day to speak highly of you online is an invaluable ally to have. Positive reviews and negative reviews are very different things, especially in that people are generally more inclined to leave negative feedback if they have the opportunity.
Reflecting on this, it only makes sense to take the time and respond to positive reviews as well. A positive review is more or less a confirmation of a successful onboarding process - to keep these contacts engaged, you need to continue communicating with them beyond the point that their invoice is settled.
Are you happy with our services or our content? If so, we’d love to hear about it. Leave us a review or drop us a line in the comments!
Chances are, you’re all too familiar with exactly the kind of scam I’m describing. The one that makes the Do Not Call List sound like wishful thinking, that makes it look like someone from your area - or even your contacts list - is trying to reach you.
Chances are, you’ve answered one of these calls, only to hear silence, broken after you say “Hello?” As soon as you do, a (likely prerecorded) voice launches into its tirade, being a nuisance and bothering people.
Chances are, you may have even received angry phone calls from people you’ve never met, let alone called, claiming that your number has been the source of repeated calls just like these.
You aren’t alone.
Unfortunately, the scammers responsible are talented at skirting rules and regulations.
Calls like these have been harassing users for quite some time, simply because the scammers understand how to cheat and find loopholes. This is all despite the efforts of regulatory bodies like the FCC (the Federal Communications Commission).
In November of 2017, the FCC allowed telephone providers to block calls that were presumed fraudulent. This determination was based on factors like the calls coming from invalid numbers or from numbers with no service provider attached.
However, the rules outlined in the 2017 Call Blocking Order weren’t enough to stop scam robocalls for long.
Now, we all have had to deal with the huge nuisance of neighbor spoofing. Neighbor spoofing has almost certainly affected you directly, and if you’ve been lucky enough to avoid it, it’s happened to someone you know.
But you may be asking, what is neighbor spoofing?
If your phone rang, and you have caller ID enabled, you’ve probably developed the habit of checking the number before you answer it - after all, a local number is probably safe to pick up.
Neighbor spoofing has made it so that assumption is no longer the case.
Instead of using a fake number to call their targets, scammers using neighbor spoofing will actually use someone’s real number to call someone relatively nearby - sometimes literally next door. If you’ve ever received an angry phone call from someone demanding an explanation for someone with your number repeatedly calling them and harassing them, your number just so happened to be the one that these cybercriminals spoofed.
There have even been reports of people receiving calls from their own number, claiming to be from the phone company as an attempt to “verify a hacked account.”
Neighbor spoofing is also a very effective method for scammers because it can bamboozle the automated protections already in place to stop scam calls, just like it fools the targeted phone’s user. This also keeps the Do Not Call list from affecting these scammers’ attempts (as if it ever stopped them before).
Additionally, many apps may add some unwanted complications, even if they are effective.
There are mobile applications available that are intended to stop robocalls from ringing your smartphone in the first place. One such application, the aptly-named RoboKiller, does this in two ways. First, RoboKiller references a list of numbers identified as spam, and blocks these calls completely. Second, it uses a patented analysis of the call’s audio fingerprint to compare it to those of other spam calls. Regardless of the number it appears to come from, RoboKiller can identify if it is a match to a known attempt.
You’ll only know that you were targeted after you read the notification that RoboKiller provides.
Meanwhile, RoboKiller responds to the scammer with a time-wasting prerecorded message. You can then review the calls that RoboKiller blocked by opening the app on your phone. There, you can listen to a recording of blocked calls to determine which calls were spam, and which were legitimate attempts to reach you. From there, you can whitelist a number by pressing the Allow button.
Users of RoboKiller can also add numbers to their list of permitted callers to allow them to come through. RoboKiller is a subscription-based application that charges $2.99 each month ($24.99 for an annual subscription), which may be seen as a relatively low cost if you’ve received enough of these calls.
As RoboKiller states on their website, “With RoboKiller, you don’t stop neighbor spoofing. You take action in the fight against the robocall epidemic.”
However, this approach isn’t without some worries.
For one, consider the cost of admission for this app. Yes, $2.99 may seem like a bargain if you have a smartphone, but what about all the people who still don’t? Furthermore, many mobile users today are of older generations, and may not understand how to work the application (or again, may not have a device that is compatible with the app). Yet, these worries may not be necessary for long.
Both the government and the telecom industry have had enough.
It wasn’t long after the 2017 Call Blocking Order was released that the attorneys general from a full 40 states came together to form the Robocall Technologies Working Group. This is a bipartisan commission intent on collaborating with service providers to learn about robocalling technology with the ultimate goal of stopping it.
On October 8th, the attorneys general of 35 of those states signed a letter to the FCC stating that the efforts of law enforcement had not and would not be sufficient to stop abusive scam attempts and robocalls. In this letter, the attorneys state some chilling facts:
- 30.5 billion illegal robocalls were made in 2017 alone, up from the estimated 2016 total of 29.3 billion.
- Estimates have placed the total calls made by the end of 2018 to be somewhere near 40 billion.
- Phone scams allowed cybercriminals to steal an estimated $9.5 billion in 2017.
- August of this year saw 1.8 billion scam attempts in the 4 billion illegal robocalls made that month.
Facts like these only highlight the pervasiveness of these scams, and how important it truly is to eliminate them as much as possible. In fact, the Federal Communications Commission has gone on the record to demand that mobile providers figure out a standardized system to help prevent these calls from reaching mobile users, echoing the demands made by the attorneys general.
This system would rely on call authentication to ensure that only legitimate calls make it through: every call would have to be verified as coming from the number it claims to, so spoofed calls would be caught.
Not only did Commissioner Ajit Pai release a statement to the press demanding that this system be created, he sent a letter to 14 telecom CEOs, including AT&T’s John Donovan, Charter’s Tom Rutledge, Verizon’s Hans Vestberg, T-Mobile’s John Legere, Comcast’s Brian Roberts, and Google’s Sundar Pichai.
Pai demanded that these changes be ready to deploy in one year, giving telecoms a ticking clock to establish what they call the SHAKEN/STIR framework (Secure Handling of Asserted information using toKENs/Secure Telephone Identity Revisited). This move was met with the approval of the attorneys general, who went on to encourage the FCC “to implement additional reforms, as necessary, to respond to technological advances that make illegal robocalls and illegal spoofing such a difficult problem to solve.”
As the attorneys general said: “Only by working together, and utilizing every tool at our disposal, can we hope to eradicate this noxious intrusion on consumers’ lives.” Fortunately, this will also benefit the businesses that have been affected.
With any luck, we’ll only have to deal with the robocalling nuisance a little while longer. For assistance in keeping other scams from interrupting your business and putting it at risk, reach out to Coleman Technologies. We have the experience to stop the other threats you would otherwise deal with on a daily basis. Call (604) 513-9428 today.