You’ve been Phished by a Threat Actor, Now What?

What are the steps you should be taking after you’ve been phished?

As we noted in one of our recent blogs, the Ponemon Institute reported that the cost of phishing incidents to businesses tripled from 2015 to 2021. It’s obvious that bad actors aren’t taking their foot off the gas anytime soon. In fact, they’re looking for easier and more effective schemes to rob you blind even as we speak.

Here’s the thing—phishing exploded in 2020. The COVID-19 pandemic was a gold mine for threat actors. Fear ravaged the nation, millions of people suddenly lost their jobs, and misinformation ran rampant. This was an ideal environment for malicious actors to hook unsuspecting victims with fake low interest loans, fake government alerts, and phony charitable donation pages. 

Nonetheless, it’s been almost 2 years since the beginning of the pandemic. During this time, we’ve become a little wiser on identifying these phishing tactics. However, that doesn’t mean bad actors are ready to throw in the towel…not even close. They’re evolving and adjusting to the digital environment, which is bad news. 

In short, modern malicious actors are willing to unleash bigger and bolder weapons to sink you into financial purgatory. Therefore, it’s vital to know HOW they plan to invade your wallet. Here are a few examples of the most popular tactics you might have already encountered, along with a few covert tactics they’ve been hiding in the shadows.

What types of phishing methods are threat actors using to steal your data these days? 

Most common phishing examples: 

Malware 

Malware is malicious software that runs on an unsuspecting victim’s computer. Usually, hackers send you an email containing an embedded link that they try to present as legitimate and safe. Once you click on the link, the malware starts installing on your computer. Links and downloadable files are the most common entry points for malware. So, be sure to remain wary of senders you don’t know and of odd requests from the senders you do. When in doubt, ask, forward the message to your IT department or vendor, or delete it.

Ransomware 

Ransomware denies access to servers, devices, and files until a ransom has been paid. A user is tricked into clicking on a link or downloading an attachment. This downloads malware onto a workstation, and vital information is held hostage until the malicious actor receives a ransom payment. Unfortunately, ransomware tends to be a long-game attack, meaning that hackers break into your system anywhere from 3-12 months BEFORE you even know they’re there. During this time, they run reconnaissance while disabling or reconfiguring important safety features, including your admin permissions and access, data backups, and more. It’s critical that you have a monitoring and alerting system as part of your cybersecurity program. The earlier the detection, the more protected you’ll be.

Social media phishing

Social media phishing is gaining popularity over email as a phishing vector. This is because social media’s ease of access makes it a breeding ground for impersonators. Also, most people are in a different frame of mind on social media—they’re more open and trusting because the purpose is to connect. However, this makes users more vulnerable to scams. Alarmingly, research suggests that up to half of all social media user logins are fraudulent.

Here are the phishing techniques you probably haven’t heard of: 

Executive impersonation phishing involves a threat actor posing as a CEO or another leader within an organization. The goal is to extract sensitive information from other employees. This approach gained lots of traction during COVID. Since the pandemic began, fewer executive team members conduct face-to-face meetings, and instead they manage their teams remotely. This leaves the door wide open to imitators. In fact, data suggests that executive impersonation attacks have skyrocketed since the beginning of the global pandemic, with a 131% increase between the first quarter of 2020 and the first quarter of 2021. With this new awareness, make sure that when you’re interacting with your boss or executive team, you know without a doubt that it’s them.

Search engine phishing directs the user towards product sites offering merchandise and services at bargain-basement prices. The unlucky victim buys a product from a site and, in doing so, provides their credit card details to the phishing site. An example of one of these sites is a fake bank website offering low interest credit cards and loans. Some well-worn but worthwhile advice: if it looks too good to be true, it probably is. So, do your research before you spend with new merchants offering unbelievable prices.

Smishing (SMS Phishing) is phishing conducted via Short Message Service (SMS), a telephone-based text messaging service. A bad actor will send a smishing text to lure an unsuspecting victim into revealing personal information via a link to a phishing website. Remain alert to this possibility when responding to texts.  

Vishing (voice phishing) requires a phisher to call a user and ask the unsuspecting recipient to dial a number. The purpose of the scam is to collect personal bank account information on the phone call. Additionally, malicious actors will typically use a spoofed caller ID to execute this scam. When anyone asks you to do something out of the norm, even if it seems harmless, just say no until you have concrete evidence of their true intentions.

Whaling attacks have also been on the rise. These phishing attempts are the inverse of executive impersonation. Instead of an attacker posing as an executive to dupe employees, the bad actor poses as an executive to trick another executive, typically a CEO or CFO, into providing sensitive data or sending funds to the attacker’s account. Data reveals that nearly two-thirds of organizations report an executive being targeted by a whaling attack, and 50% of organizations say their executive fell victim to the attack. It’s worth reminding executives that they are a coveted target because of the information they hold and their access to the company’s data. Stay alert and verify your executive colleague’s identity before divulging information virtually.

In reality, there’s always a slim chance of you becoming collateral damage in a strategic phishing strike. We hope this never happens, but if it ever does, we’ve got you covered. In our recent phishing blog, we shared some best practices for dealing with phishing scams: 

If you ever receive a phishing email, here are a few tips to protect your workstation:

  • Test the authenticity of the email sender and email links. Hover your cursor over the sender’s address, as well as any links in the email. If the links are malicious, the real destination will not match the displayed sender or link text.
  • Question the validity of an email by directly calling or emailing the sender. Keep in mind that a sender’s email or social media account may itself have been hacked, so it may be best to call or text the sender directly.
  • Report the message (See links below). 
  • Delete the email. 
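As an added example, not code from the original post or from any vendor it mentions, here is a small Python script that automates the first tip above: it checks whether the visible text of each link in an email matches where the link really goes, and whether the Reply-To address belongs to a different domain than the From address. The sample message, and every address and domain in it, are constructed for this example.

```python
"""Added example (not from the original post): flag the link and sender
mismatches the checklist above tells you to look for. The sample email
and all domains in it are constructed; none of them are real."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the From address looks like the bank, the Reply-To does
# not, and the first link's visible text claims one domain while its href
# points somewhere else (what hovering over the link would reveal).
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@example-bank.test>
Reply-To: collect@attacker-mailbox.test
To: you@yourcompany.test
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your details at
<a href="http://examp1e-bank-login.test/verify">https://www.example-bank.test/verify</a></p>
<p>Or read our <a href="https://www.example-bank.test/help">help page</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL (scheme optional); '' if there is none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def check_email(raw):
    """Return a list of human-readable findings for one raw email message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Sender check: a Reply-To on another domain sends your answer elsewhere.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To domain differs from From domain: {reply_addr}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _LinkCollector()
    collector.feed(body.get_content())

    for href, text in collector.links:
        href_host = _host(href)
        # Only treat the visible text as a URL when it looks like one.
        text_host = _host(text) if "." in text and " " not in text else ""
        # The hover check: visible URL text that does not match the real target.
        if text_host and text_host != href_host:
            findings.append(f"Link text shows {text_host} but points to {href_host}")
        # A link to a domain unrelated to the claimed sender deserves a second look.
        elif href_host and from_domain and not href_host.endswith(from_domain):
            findings.append(f"Link to {href_host} does not match sender domain {from_domain}")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run on the sample, the script reports the Reply-To mismatch and the disguised first link; the second link, which really goes to the sender's own domain, is left alone. Feed it a real message saved as `.eml` and it performs the same hover-and-compare check for every link at once, which is a reasonable first triage step before you report or delete the message.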

What to do if you think you’ve been successfully phished 

If you feel you have inadvertently fallen for a phishing attack, Microsoft has provided a few final tips to help you through this. 

  1. While it’s fresh in your mind, write down as many details of the attack as you can recall. In particular, try to note any information such as usernames, account numbers, or passwords you may have shared.
  2. Immediately change the passwords on those affected accounts, and anywhere else that you might use the same password. While you’re changing passwords, you should read this article for guidance and create unique passwords for each account.
  3. Confirm that you have multifactor authentication (also known as two-step verification) turned on for every account you can. Learn more here: What is: Multifactor authentication
  4. If this attack occurred at work or school, immediately notify the IT support staff of this incident.
  5. If you shared confidential banking information, contact your bank to alert them to fraud.
  6. If you’ve lost money, or been the victim of identity theft, report it to local law enforcement. The details in step 1 will be extremely helpful to them.

How to report a phishing scam, spam, or deceptive practices: 

It can feel frustrating being on the receiving end of a phishing scam. It’s time-consuming and a drain on your day. Not to mention, being duped can cause you to spiral out in shame and try to hide it. Please know you’re not alone. These hackers are very skilled. The best thing to do is to report any and all incidents immediately. This helps mitigate any potential damage and it helps keep the world a safer place as a whole.  

If you are the victim of a phishing scam, here are some helpful links to save you time in locating the proper reporting and support channels.

Consumer protection 

Office software & products 

Search engines 

Social media 

If you’re interested in learning how we can help protect you against the latest phishing attacks, click here.
