Cyberattacks. Phishing. Ransomware. These words sound like something out of a science-fiction movie, but as we face the ever-growing challenges of Cyberattacks, “Phishing and Ransomware” are becoming much more commonplace. According to the Webroot Quarterly Threat Trends September 2017 report,  Phishing is the number one form of Cyberattack, and in 2016, 93% of Phishing attacks led to Ransomware. What does this mean? It means that hackers are no longer using brute force and password guessing techniques to get themselves into your network anymore. Instead, they are using social engineering to trick you into letting them in.

Let’s break it down a little bit. Phishing is a scam. The scam is usually in the form of a fake email message that is designed to trick you into providing login information to your email, bank or other online sites.  These emails are typically embedded with, or direct you to, a website which appears to be legitimate, but isn’t. The website will most likely contain a Ransomware virus which allows a hacker to gain access to your network. They can then hold it for ransom by encrypting all of your data, and forcing you to pay $ to gain access to it again.

How Phishing Works

Picture this, you get an email from a “colleague” and in that email is a “link” to a Dropbox file that the sender supposedly sent you. The chain of events looks something like this:

1. You click on the link and it takes you to a legitimate-looking website.
2. The site then prompts you to log in with your email account in order to view the document. A list of common email providers is displayed (Outlook, Gmail, Office 365, AOL, Yahoo).
3. You click on your email provider and are then directed to another website that looks exactly like your email providers’ login page.
4. You enter your login information, and a file downloads.

So what do you do now? Of course you click on the file (that your friend or colleague supposedly sent to you), thinking it’s a document that you need to review. But what has actually happened?  Well first, there is no document.  Second, your credentials are now in the hands of hackers. They have your email account login information, and depending on your user account permissions, or how effective your Anti-virus/Anti-Malware software is, you may now have a virus running on your machine.  That virus may be a variant of Ransomware, which encrypts the contents of your machine and all of the machine and network folders that it can access.

The hackers will then use your credentials obtained in #4 above to login to your email account, download your email and list of your contacts.  A new phishing campaign is launched using your account and sent your contacts.  And the cycle continues…

Sounds terrifying, right? It sure is – and for businesses that have unfortunately succumbed to these kinds of attacks they can wholeheartedly attest to that. Could you survive without access to your systems and data for days? Or even just bare the thought that some awful hacker had access to it? By the time your data is encrypted and being held for ransom, the hackers could have a considerable amount of information on you and/or your company. This is very unsettling itself, aside from the fact that you will now have to pay to get your data and files back. The ransom amount is determined by the hackers using information such as: the size of your company; your annual revenue; the type of business you conduct, etc. (all of which is public information that can be found by a Google search).

The Best Defense Is Education

You might be sitting there thinking, “Oh I would never click on an email and enter my login information, I know better!”, however, the number of people who actually have done so is startling. These scams sometimes appear so legitimate, that even IT Managers are fooled.  Research has shown that end-user training is the greatest method of prevention against phishing attacks.  Most Outsourced IT Providers offer employee cyber-security training to their customers.  If you haven’t already, discuss setting up cyber-security and phishing training with your IT Provider or IT Department.  At Diligex, we have found that companies and employees who have gone through this training show a significantly improved awareness of phishing scams and how to avoid them.