Email Scams

Anti-Phishing Training Data Show Why an Advanced Spam Filter is Essential

by G Hunt | February 14, 2017 | Email Scams

Anti-phishing training can help an organization improve its security posture. However, even with training on phishing email identification, employees still fail to spot many email scams. Anti-phishing training alone is insufficient to prevent successful phishing attacks.

The Threat from Phishing is Growing

Your business is likely to be bombarded with phishing emails, especially at this time of year. Tax season sees millions of emails sent to businesses by cybercriminals who want access to employees’ W-2 Forms. However, phishing is a year-round problem. It has been estimated that an astonishing 156 million phishing emails are now being sent every single day.

As we have already seen this year, phishing scams can be highly convincing. Many businesses have discovered employees have responded to these scams in the belief that the email requests are genuine. The cost of those phishing attacks can be considerable for businesses, their customers and their employees.

Anti-Phishing Training Alone will Not Prevent Successful Phishing Attacks

To ensure employees are prepared, many businesses provide employees with anti-phishing training. They teach staff members how to identify phishing scams and the tell-tale signs that email requests are not genuine.

How effective is anti-phishing training? A recent analysis by Diligent showed that the average score on its phishing test was 76%. That means employees are failing to identify phishing scams 24% of the time and all it takes is one response to a phishing email for an employee’s email account to be compromised, a network login to be handed to cybercriminals, or the W-2 Forms of an entire workforce to be emailed to tax fraudsters.

Fortunately, as PhishMe’s data shows, with practice, employees get much better at identifying phishing emails. Providing training and conducting follow up tests using dummy phishing emails helps to show where training has failed. This allows organizations to provide further training to employees whose phishing email identification skills are poor. However, even with training and testing it will never be possible to ensure that 100% of employees identify 100% of phishing emails 100% of the time.

The Best Phishing Defense is to Prevent Phishing Emails from Being Delivered

Training should be provided and employees’ anti-phishing skills should be tested with dummy phishing exercises, but organizations should ensure that phishing emails are not delivered to end users’ inboxes. That means an advanced, powerful spam filtering solution is required.

SpamTitan blocks 99.97% of spam emails from being delivered. SpamTitan also includes a powerful anti-phishing component to block phishing attacks. However, blocking potentially malicious emails is only part of the story. It is also important to choose a solution that does not prevent genuine emails from being delivered.

Independent tests by VB Bulletin confirm SpamTitan has a consistently low false positive rate. Only 0.03% of genuine emails trigger SpamTitan’s anti-spam filters. The excellent catch rates and low false positives have seen SpamTitan win 36 consecutive VB Bulletin Anti-Spam Awards.

SpamTitan is available as a gateway appliance or a cloud-based solution, with both requiring minimal IT support. To suit the needs of service providers, the cloud-based version is available in a private cloud and is supplied in white-label format ready for rebranding.

The cost-effective solution is easy to implement, use and maintain and can be used to protect a limitless number of email accounts.

If you want to keep your employees’ inboxes free from phishing emails, malware, and ransomware, call the TitanHQ Sales Team today and say a fond farewell to email spam.

School Phishing Email Attack Highlights Need for Powerful Anti-Spam Solution

by G Hunt | February 14, 2017 | Email Scams

Another school phishing email attack has resulted in the W-2 Form data of school employees being emailed to tax fraudsters. This time, it was employees of Mercer County Schools in West Virginia whose data have been compromised.

The FBI has been called in to investigate the W-2 phishing scam and the IRS has been notified of the incident, while affected employees have been offered services to help them protect their identities.

The school phishing email attack is just one of many such attacks that have occurred this year. While businesses have been extensively targeted in the past, phishing attacks on schools are now commonplace. The problem has become so severe that the IRS recently issued a warning to schools of the risk of phishing email attacks, saying “This is one of the most dangerous email phishing scams we’ve seen in a long time.”

The Mercer County School District phishing attack was almost a carbon copy of many other tax season attacks this year. Already, there have been more than 29,000 victims of these attacks and there is still two months of tax season remaining.

The school phishing email attack involved the sending of an email to an employee in the HR/payroll department requesting a copy of W-2 Forms for all employees that worked in the previous fiscal year. The email was sent from an email account that was very similar to that used by the chief supervisor.

The email contained a slight variation from the genuine email address, which was enough to fool the recipient into thinking the email had been sent from the supervisor’s account. The employee then sent the W-2 forms of 1,800 staff members to the attackers as requested.

Databreaches.net has been tracking this year’s W-2 phishing scams and is maintaining a list of all organizations that have been scammed into revealing W-2 Form data. The list shows that school districts are being extensively targeted.  Successful W-2 phishing attacks have been reported by the following schools and school districts in the past 6 weeks:

• Argyle School District, TX
• Belton Independent School District, TX
• Bloomington Public Schools, MN
• College of Southern Idaho, ID
• Davidson County Schools, NC
• Dracut Schools, MA
• Lexington School District 2, SC
• Manatee County School District, FL
• Mohave Community College, AZ
• Morton School District, IL
• Odessa School District, WA
• Tipton County Schools, TN

The Manatee County School District phishing attack resulted in the W-2 Form data of 7,900 employees being emailed to the scammers: The biggest school phishing email attack of the year to date. The Bloomington Public Schools attack also resulted in thousands of employees’ W-2 Forms being disclosed.

There are a number of measures that can be taken to reduce the risk of phishing attacks such as these. Training should be provided to HR and payroll staff and they should be instructed to carefully check senders’ email addresses to ensure the correct account has been used. Policies should also be developed requiring any W-2 Form requests to be verified with the sender via the telephone, using previously confirmed contact details.

It is also essential to implement a spam filtering solution with a powerful anti-phishing component. This will help to ensure that the emails are not delivered to inboxes. A spam filtering solution will also block malware and ransomware emails from being delivered. The latter types of malicious emails have also been a major problem for school districts over the past year.

An often forgotten anti-phishing measure is a web filter. Web filters block the web-based component of phishing attacks. If a link is clicked in a phishing email, the web filter will prevent the website from being accessed where credentials are harvested.

For more information on improving your defenses against phishing, give the TitanHQ team a call. The team will talk you through your options and will be able to help get you started with a free trial of SpamTitan Email Security and the WebTitan Web Filtering solution.

University Phishing Scams on the Rise

by G Hunt | February 7, 2017 | Email Scams

University phishing scams targeting students have increased in recent months. Targeting some of the most well educated individuals may not appear to be the most rewarding strategy for scammers, but students are falling for these university phishing scams in their droves.

University Phishing Scams are Becoming Difficult to Identify

Awareness of phishing tactics has certainly improved thanks to educational programs, email warnings, and media coverage of phishing attacks, but in response, cybercriminals have got better at scamming. Today, phishing emails can be difficult to identify. In fact, in many cases, it is virtually impossible to tell a genuine email from a scam.

While students may be aware of the risks of clicking links in emails from unknown senders, the same cannot be said when the emails are sent from a contact. Emails from university IT departments, professors and colleagues are likely to be opened. Students’ guard is let down when the sender of the email is known.

When a convincing request is included, students often respond and have no idea that they have been scammed into revealing their login credentials or disclosing other sensitive information. All it takes is for one email account of a student to be compromised to start the process. Emails are then sent to that individual’s email address book. A number of those contacts respond. The same happens with their contacts and so on. Given that there are supposedly six degrees of separation between all individuals on the planet, it is easy to see how fast malware infections can spread and how multiple email accounts can be compromised rapidly.

University phishing scams have been increasing for some time, although the past few months have seen even more scams emails sent.  Recently, the University of Connecticut sent warnings out to students following a spate of phishing scams. Some of those scams involved the impersonation of the University president. Students at the University of Georgia have also been targeted.

In the case of the latter, one student’s email account was compromised after she responded to a phishing email sent from UGA associate. The email did not arouse any suspicions because the contact was known. In the email the student was told that it was important for her to change her password. Failure to do so would result in her being locked out of her email account. She responded by clicking the link and changing her password. However, what she had done was disclose her old password and her new one to the attacker.

The attacker then used those credentials to set up a mail forwarder on the email account. The student only found out after querying why she was no longer receiving emails with the IT help desk. After investigating, the mail forwarder was discovered.

Other students were similarly targeted and their emails accounts were used to send out huge volumes of spam emails. It was only when spamming complaints were received about the compromised accounts that the problem was identified.

These university phishing scams are conducted for a wide range of nefarious purposes. Spamming and mail forwarders may cause limited harm, but that may not always be the case. Malware infections can result in serious financial harm to students and universities. Ransomware installations can occur after students respond to phishing campaigns, and those attacks can cost tens of thousands of dollars to resolve.

How to Protect Students and Networks from the Scammers

Since these phishing scams are now so hard to identify, training on email and cybersecurity best practices is no longer as effective as it once was. Technological solutions are therefore required to prevent emails from being delivered and to stop end users from being directed to malicious websites.

SpamTitan is an ideal spam filtering solution for universities. SpamTitan blocks 99.97% of spam emails and 100% of known malware. The solution is cost effective to install, easy to administer, and no additional hardware is required or any software updates necessary.

When used in conjunction with WebTitan – TitanHQ’s powerful web filtering solution –all attempts to visit malicious links and known phishing websites can be blocked.

Both solutions are available on a 30-day no obligation free trial. If you want to ensure your students and university networks are properly protected, contact the TitanHQ sales team today to register for the trials and discover the difference that each solution can make.

Schools Targeted with W-2 Form Phishing Scam

by G Hunt | February 3, 2017 | Email Scams

A W-2 Form phishing scam that has been extensively used to con businesses out of the tax information of their employees is now being used on educational institutions. School districts need to be on high alert as cybercriminals have them fixed in their cross-hairs.

Over the past few weeks, many school districts have fallen victim to the scammers and have disclosed the W-2 Form data of employees. Teachers, teaching assistants, and other members of school staff have had their Social Security numbers and earnings information sent to fraudsters. The data are used to file fraudulent tax returns in victims’ names.

At face value, the W-2 Form phishing scam is one of the simplest con-tricks used by cybercriminals. It involves sending an email to a member of the HR or payroll team asking for the W-2 Forms of all employees to be sent via email. Why would any employee send this highly sensitive data? Because the email appears to have been sent from individuals within the school district who have a genuine need for the information. This is why the W-2 Form phishing scam is so effective. In many cases, suspicions are not aroused for a number of days after the emails have been sent. By that time, fraudulent tax returns may have been filed in the names of all of the victims.

It is unknown how many school districts have been targeted to date with this W-2 Form phishing scam, although 10 school districts in the United States have announced that their employees have fallen for the scam this year and have emailed W-2 Form data to the attackers. In total, 23 organizations have announced that an employee has fallen for a W-2 Form phishing scam in 2017, and at least 145 organizations fell for similar scams last year.

Due to the number of attacks, the IRS issued a warning in early 2016 to alert all organizations to the threat. The increase in attacks in 2017 has prompted the IRS to issue a warning once again.  While corporations are at risk, the IRS has issued a warning specifically mentioning school districts, as well as non-profits and tribal organizations.

The IRS warning explains how cybercriminals have started even earlier this year. While the W-2 Form phishing scam emerged last year, many attacks occurred relatively late in the tax season. Cybercriminals are attempting to get the data sooner this year. The sooner a fake tax return is filed, the greater the chance that a refund will be issued.

A variety of spoofing techniques are employed to make the email appear like it has come from the email account of an executive or other individual high up in the organization. In some cases, criminals have first compromised the email account of a board member, making the scam harder to identify.

This year has also seen a new twist to the scam with victims targeted twice. In addition to the W-2 Form scam, the victims are also subjected to a wire transfer scam. After W-2 Forms have been sent, a wire transfer request is made to the payroll department. Some organizations have been hit with both scams and have disclosed employees’ tax information and then made a wire transfer of several thousand dollars to the same attackers.

Protecting against these scams requires a combination of technology, training and policy/procedural updates. The first step for all organizations – including school districts – is to send an email to all HR and payroll staff warning them about these phishing scams. Staff must be made aware of the scam and told to be vigilant.

Policies and procedures should be updated requiring payroll and HR staff to authenticate any email request for W-2 Form data by telephone prior to sending the information.

An advanced spam filter – such as SpamTitan – can also greatly reduce the risk of W-2 Form scam emails being delivered to end users’ inboxes. Blocking suspicious emails will reduce reliance on training and user awareness of these scams. The spam filter will also be effective at blocking further scams and other malicious emails from being delivered.

New Locky Variant Discovered: Osiris Ransomware

by G Hunt | January 31, 2017 | Email Scams

Osiris ransomware is the latest variant of Locky. As with other versions of the ransomware, there is no free way of unlocking encrypted files if a viable backup of data does not exist.

Cybercriminals use a variety of techniques and attack vectors to spread malicious files such as ransomware and malware. Exploit kits are popular as they can be hidden on websites and used to silently probe visitors’ browsers for vulnerabilities in plugins such as Adobe Flash, Microsoft Silverlight, and Oracle Java. Those vulnerabilities are leveraged to download malware. Malvertising – malicious web adverts – are often used to direct users to these malicious webpages; however, all too often, links to these websites are sent via spam email.

The rise in malware and ransomware attacks over the past few years has prompted many organizations to start providing security awareness training to staff members. Employees are instructed never to click on a link contained in an email unless they are sure that it is genuine.

However, even with security awareness training, a great many employees inadvertently infect their computers with malware or accidentally download ransomware. One of the biggest problems is not malicious links in spam email but malicious attachments. Cybercriminals have increased the use of malicious file attachments in the last year, especially to infect end users with ransomware.

One of the biggest ransomware threats in the past 12 months has been Locky. Locky has been spread via exploit kits in the past, although spam email is now primarily used to infect users.

Office Macros Used to Infect Computers with Osiris Ransomware

The gang behind Locky frequently updates the ransomware, as well as the methods used to fool end users into installing the malicious file-encryptor. The latest Locky variant – Osiris ransomware – encrypts files and adds the .osiris extension to encrypted files.

Locky is commonly spread via malicious macros in Word documents. Typically, the malicious Word documents claim to be invoices, purchase orders, or notifications of missed parcel deliveries.

However, a recent campaign used to distribute the Osiris ransomware variant switches from .DOC files to Excel spreadsheets (.XLS). Recipients of the emails are told the Excel spreadsheet is an invoice. Opening the attached Excel spreadsheet will not automatically result in an Osiris ransomware infection if macros have not been set to run automatically. The user will be presented with a blank spreadsheet and a prompt to enable macros to view the content of the file.

Clicking on ‘Enable Content’ will launch a VBA script that downloads a Dynamic Link Library (DLL) file, which is automatically executed using the Windows file Rundll32.exe. That DLL file is used to download Osiris ransomware. Osiris ransomware encrypts a wide range of file types and deletes Windows Shadow Volume Copies, preventing the user from restoring the computer to the configuration before the ransomware was installed. The only option for recovery from an Osiris ransomware infection is to pay the ransom demand or to wipe the system and restore files from backups.

Protecting Networks From E-Mail-Based Ransomware and Malware Attacks

An advanced spam filtering solution such as SpamTitan can be used to block the vast majority of email-borne threats. SpamTitan performs a wide range of front line tests to rapidly identify spam email and prevent it from being delivered, including RBL, SPF, Greylisting and SMTP controls.

SpamTitan uses two enterprise-class anti-virus engines to scan for malicious attachments – Bitdefender and ClamAV – to maximize detection rates.

SpamTitan can also be configured to block specific files attachments commonly used by cybercriminals to infect end users: EXE files and JavaScript files for example. The contents of compressed files are also automatically scanned by SpamTitan.

Host-based tests are performed to examine mail headers, while the contents of messages are subjected to a Bayesian analysis to identify common spam signatures and spam-like content. Messages are also scanned for malicious links.

These extensive tests ensure SpamTitan blocks 99.97% of spam emails, preventing malicious messages from being delivered to end users. SpamTitan has also been independently tested and shown to have an exceptionally low false positive rate of just 0.03%.

If you want to keep your network protected from malicious spam emails and reduce reliance on employees’ spam detection abilities, contact the TitanHQ team today. SpamTitan is available on a 30-day free trial, allowing you to fully test the product and discover the difference SpamTitan makes at your organization before committing to a purchase.

W2 Phishing Scams Aplenty as Tax Season Commences

by G Hunt | January 25, 2017 | Email Scams

Its tax season in the United States, which means the start of scamming season. W2 phishing scams and other tax-related email and telephone scams are rife at this time of year. Businesses need to be particularly careful. There have already been a number of victims of W2 phishing scams and the year has barely started.

2016 Saw a 400% Rise in Tax Season Phishing and Malware Incidents

Tax season in the United States runs from the start of January to April 15. It is the time of year when Americans calculate how much tax they need to pay from the previous financial year. It is also a busy time for cybercriminals. They will not be filing their own tax returns however. Instead they are concentrating on filing tax returns on behalf of their victims.

In order for tax refunds to be fraudulently filed, cybercriminals need information about their victims. Given the number of data breaches that have resulted in the theft of Social Security numbers in the past 12 months, 2017 could well be a record year for tax scams.

However, while past data breaches can provide cybercriminals with the information they need to file fraudulent tax returns, tax season usually sees a massive increase in phishing scams. The sole purpose of these scams is to get victims to reveal their Social Security numbers and the other personal information necessary to file tax returns.

Since the IRS started allowing Americans to e-file their tax returns, scammers had a new option for filing fraudulent tax returns. Phishing emails claiming to have been sent by the IRS request the recipients update their IRS e-file. A link is included in the emails for this purpose. Clicking on the link in the emails will not direct the recipient to the IRS website, but a spoofed version of the site. The information entered online is then used to e-file on behalf of the victims and the scammers pocket the tax refunds.

In 2016, the IRS reported a massive increase in phishing and malware incidents. These scams and malware infections increased by an incredible 400%. The massive rise in scams prompted the IRS to issue a warning to Americans about the scams, with the IRS confirming that it does not initiate contact with taxpayers by email to request personal or financial information.

2017 is likely to be no different. Until April 15, tax-related scams are likely to be rife. All Americans should therefore be wary and must exercise caution.

Tax Season Sees a Massive Rise in W2 Phishing Scams

While consumers are at risk. Businesses in the United States are also extensively targeted at this time of year. The scammers impersonate CEOs, CFOs, and other individuals with authority and make requests for W2 data and other financial information about employees. The requests can be highly convincing and each year many employees fall for these types of scams. The scammers are well aware that some employees would be nervous about questioning a request that has been emailed from their SEO or CFO.

It is difficult to determine how many attempted W2 phishing scams took place last year, but in the first quarter of 2016, at least 41 U.S companies reported that they were the victims of successful W2 phishing scams. Employees were sent email requests to send W2 data by return and they responded. By doing so, employees’ tax information was sent directly to the scammers’ inboxes.

2017 is not yet a month old, yet already W2 phishing scams have been reported. The week, the Tipton County Schools District in western Tennessee reported that it had fallen victim to one of these W2 phishing scams. The attacker had posed as the director of the schools and had requested W2 tax data on all employees. W2 form data were then emailed to the attacker by an employee.

A similar email phishing scam was reported to have been used to attack 8 school districts in Missouri, according to a report by the Missouri Department of Elementary and Secondary Education. In this case, only one of the eight school districts responded to the scam: An employee from the Odessa School District was fooled and send the tax details of the district’s employees to the attackers.

It is not only schools that are being targeted. A hospital in Campbell County, Wyoming was attacked this week. According to a Campbell County Health news release, a hospital executive was impersonated in this attack. A 66-year old hospital worker fell for the scam and emailed W-2 information about employees as requested.

Preventing successful W2 phishing scams requires a combination of technological solutions, employee training, and updates to policies and procedures.  All employees with access to sensitive data must be advised of the risk and told to exercise caution. Policies should be introduced that require all email requests for employees’ tax information to be authenticated via telephone or other means. Organizations should also implement a robust spam filtering solution to prevent the scam emails from being delivered to employees’ inboxes.

However, if nothing is done to mitigate risk, 2017 is likely to be another record breaking year for the scammers.

Satan Ransomware: A Particularly Worrying New RaaS

by G Hunt | January 24, 2017 | Email Scams

You have no doubt heard of Locky and Cryptolocker, but what about Satan ransomware? Unfortunately, you may soon be introduced to this new ransomware variant. No matter where your organization is based, if you do not have a host of cybersecurity defenses to block ransomware attacks, this nasty file-encryptor may be installed on your network.

Satan Ransomware is being offered to any would-be hacker or cybercriminal free of charge via an affiliate model known as ransomware-as-a-service or RaaS. The idea behind RaaS is simple. Developers of ransomware can infect more computers and networks if they get an army of helpers to distribute their malicious software. Anyone willing to commit a little time to distributing the ransomware will receive a cut of any profits.

Ransomware authors commonly charge a nominal fee for individuals to participate in these RaaS schemes, in addition to taking a percentage of any ransomware payments that are generated. In the case of Satan ransomware, the developers offer RaaS totally free of charge. Anyone who wants to distribute the malicious software is free to do so. In exchange for their efforts they get to keep 70% of the ransom payments they generate. The remaining 30% goes to the ransomware authors. The gang behind the RaaS also offers higher percentages as infections increase as a reward for effort. All that is required to get started is to create a username and password. Access to the ransomware kit can then be gained.

What is alarming is how easy it is to participate in this RaaS scheme and custom-craft the malware. The gang behind the campaign has developed an affiliate console that allows the malware to be tweaked. The ransom amount can be easily set, as can the time frame for making payments and how much the ransom will increase if the payment deadline is exceeded.

Help is also offered with the distribution of the malware. Assistance is provided to make droppers that install the malware on victims’ systems. Help is offered to create malicious Word macros and CHM installers that can be used in spam email campaigns. Help is also offered to encrypt the ransomware to avoid detection. Even multi-language support is provided. Any would-be attacker can craft ransom demands in multiple languages via the RaaS affiliate console.

Satan ransomware performs a check to determine if it is running on a virtual machine. If it is, the ransomware will terminate. If not, it will run and will search for over 350 different file types. Those files will be locked with powerful encryption. File extensions are changed to. stn and the file names are scrambled to make it harder for victims to identify individual files. The ransomware will also wipe all free space on the hard drive before the ransom demand is dropped onto the desktop.

There is no decryptor for Satan ransomware. Recovery without paying the ransom will depend on organizations being able to restore files from backups. Since the ransomware also encrypts backup files, those backups will have to be in the cloud or on isolated devices.

RaaS is nothing new, but what is so worrying about Satan ransomware is how easy it has been made for affiliates. Next to no skill is required to run a ransomware campaign and that is likely to see many individuals take part in the RaaS program.

Risk of Spear Phishing Attacks Must Not be Ignored

by G Hunt | January 5, 2017 | Email Scams

Research conducted by the anti-phishing training company PhishMe has shown a worrying increase in phishing attacks in 2016 and has highlighted the importance of taking steps to reduce the risk of spear phishing attacks.

Unfortunately, cybercriminals are becoming much more adept at crafting highly convincing spear phishing campaigns. A wide range of social engineering techniques are used to fool employees into responding to the emails and the campaigns are becoming much harder to identify.

Unfortunately responding to these emails can result in email and network credentials being compromised, malware and ransomware being installed on corporate networks, and sensitive data being emailed to the attackers.

The study of phishing attacks in 2016 showed attacks increased by 55% year on year. PhishMe research shows that out of the successful data breaches in 2016, 90% started with a spear phishing email.

In 2016, business email compromise attacks rose by an incredible 1300%, while ransomware attacks increased 400%. Cybercriminals are attacking companies with a vigor never before seen and unfortunately many of those attacks have been successful.

The figures from the U.S. Department of Health and Human Services’ Office for Civil Rights – which tracks U.S. healthcare data breaches – show that 2016 was the worst ever year on record for healthcare data breaches. At least 323 breaches of more than 500 records occurred in 2016. Undoubtedly many more breaches have yet to be discovered.

Cybercriminals and hackers have employees firmly in their crosshairs. Unfortunately, employees are easy targets. A recent survey conducted by cybersecurity firm Avecto showed that 65% of employees are now wary about clicking on links emailed to them by strangers. Alarmingly, that means 35% are not.

The same survey showed that 68% of respondents have no concerns about clicking on links sent by their friends and colleagues. Given the extent to which email addresses and passwords have been compromised in the last year, this is incredibly worrying. 1 billion Yahoo accounts were breached and 117 million email addresses were compromised as a result of the LinkedIn breach. Gaining access to email accounts is not a problem for cybercriminals. If those accounts are used to send spear-phishing emails, the chance of links being clicked are very high.  Unfortunately, all it takes is for one email account to be compromised for access to a network to be gained.

The risk of spear phishing attacks was clearly demonstrated in 2015 when the largest ever healthcare data breach was discovered. 78.8-million health plan members’ records were stolen from Anthem Inc. That breach occurred as a result of an employee of one of the insurer’s subsidiaries responding to a spear phishing email.

Anthem Inc., is the second largest health insurer in the United States and the company spends many tens of millions of highly complex cybersecurity defenses. Those multi-million dollar defenses were undone with a single email.

Organizations must take steps to reduce the risk of speak phishing attacks. Unfortunately, there is no single solution to eradicate risk. A multi-layered defense strategy is required.

An advanced anti-spam solution is essential to prevent the vast majority of spam and phishing emails from being delivered to end users. SpamTitan for example, blocks 99.97% of spam email and 100% of known malware.

Employees must be trained and their training must be tested with phishing exercises. Practice really does make perfect when it comes to identifying email scams. Endpoint defenses should also be employed, along with anti-virus and antimalware software.

The risk of spear phishing attacks will increase again in 2017. Doing nothing to improve cybersecurity defenses and combat the spear phishing risk could prove to be a very costly mistake.

Malicious Email Spam Volume Hits 2-Year High, Says Kaspersky Lab

by G Hunt | November 18, 2016 | Email Scams

Malicious email spam volume has increased again. According to the latest figures from Kaspersky Lab, malicious email spam volume in Q3, 2016 reached a two-year high.

In Q3 alone, Kaspersky Lab’s antivirus products identified 73,066,751 malicious email attachments which represents a 37% increase from the previous quarter. Malicious spam email volume has not been at the level seen in Q3 since the start of 2014. Kaspersky Lab’s figures show that six out of ten emails (59.19%) are spam; a rise of around 2% from Q2, 2016. September was the worst month of the year to date, with 61.25% of emails classified as unsolicited spam.

Spam includes a wide range of unsolicited emails including advertising and marketing by genuine companies, although cybercriminals extensively use email to distribute malware such as banking Trojans, keyloggers, and ransomware. The use of the latter has increased considerably throughout the year. In Q3, the majority of malicious emails contained either ransomware or downloaders that are used to install ransomware on personal computers and business networks.

Ransomware is a form of malware that locks files on a computer with powerful encryption, preventing the victim from gaining access to their data. Many ransomware variants are capable of spreading laterally and can encrypt files on other networked computers. All it takes is for one individual in a company to open an infected email attachment or click on a malicious link in an email for ransomware to be downloaded.

Spammers often use major news stories to trick people into opening the messages. The release of the iPhone 7 in Q3 saw spammers take advantage. Spam campaigns attempted to convince people that they had won an iPhone 7. Others offered the latest iPhone at rock bottom prices or offered an iPhone 7 for free in exchange for agreeing to test the device. Regardless of the scam, the purpose of the emails is the same. To infect computers with malware.

There was an increase in malicious email spam volume from India in Q3. India is now the largest source of spam, accounting for 14.02% of spam email volume. Vietnam was second with 11.01%, with the United States in third place, accounting for 8.88% of spam emails sent in the quarter.

Phishing emails also increased considerably in Q3, 2016. Kaspersky Lab identified 37,515,531 phishing emails in the quarter; a 15% increase compared to the Q2.

Business email compromise (BEC) attacks and CEO fraud are on the rise. These scams involve impersonating a CEO or executive and convincing workers in the accounts department to make fraudulent bank transfers or email sensitive data such as employee tax information. Some employees have been fooled into revealing login credentials for corporate bank accounts. Cybercriminals use a range of social engineering techniques to fool end users into opening emails and revealing sensitive information to attackers.

Security awareness training is important to ensure all individuals – from the CEO down – are aware of email-borne threats; although all it takes is for one individual to be fooled by a malicious email for a network to be infected or a fraudulent bank transfer to be made.

The rise in malicious email spam volume in Q3, 2016 shows just how important it is to install an effective spam filter such as SpamTitan.

SpamTitan has been independently tested by VB Bulletin and shown to block 99.97% of spam emails. SpamTitan has also been verified as having a low false positive rate of just 0.03%. Dual antivirus engines (Bitdefender and ClamAV) make SpamTitan highly effective at identifying malicious emails and preventing them from being delivered to end users.

If your end users are still receiving spam emails you should consider switching antispam providers. To find out the difference that SpamTitan can make, contact the Sales Team today and register for a free, no obligation 30-day trial.

Holiday Season Scams Aplenty as Black Friday Draws Closer

by G Hunt | October 31, 2016 | Email Scams

Thanksgiving weekend sees Americans head on line in the tens of millions to start online Christmas shopping in earnest and this year the holiday season scams have already started.

Black Friday and Cyber Monday are the busiest online shopping days, but some retailers are kickstarting their promotions early this year and have already started offering Black Friday deals. Amazon.com for example launches its first Black Friday offers tomorrow, well ahead of the big day on 25th November.

It is no surprise that retailers are trying to get ahead. 41% of shoppers start their holiday shopping in October according to a recent National Retail Federation survey. 41% of shoppers wait until November. 82% of shoppers like to make an early start, and this year so are the scammers.

A popular tactic used by cybercriminals is typosquatting – the registration of fake domains that closely match the brand names of well-known websites. Phishers use this tactic to obtain login credentials and credit card numbers. In recent weeks, there has been an increase in typosquatting activity targeting banks and retailers.

A fake domain is registered that closely matches that of the targeted website. For instance, the Amaz0n.com domain could be purchased, with the ‘o’ replaced with a zero. Alternatively, two letters could be transposed to catch out careless typists. A website is then created on that domain that closely matches the targeted website. Branding is copied and the layout of the genuine site is replicated.

There is another way that scammers can take advantage of careless typists. Each country has its own unique top level domain. Websites in the United States have .com. Whereas, websites registered in the Middle Eastern country of Oman have the .om domain. Scammers have been buying up the .om domains and using them to catch out careless typists. In the rush to get a holiday season bargain, many users may not notice they have typed zappos.om instead of zappos.com.

Visitors to these scam websites enter their login credentials as normal, yet all they are doing is giving them to the attackers. The scammers don’t even need to spoof an entire website. When the login fails, the site can simply redirect the user to the genuine site. Users then login as normal and complete their purchases. However, the scammers will have their login credentials and will be able to do the same.

However, many websites now have additional security features to prevent the use of stolen login credentials. If a login attempt is made from an unrecognized IP address, this may trigger additional security features. The user may have to answer a security question for example.

Some scammers have got around this problem. When a user attempts to login on a scam site, a login session is automatically opened on the genuine website. The information entered on the scam site is then used by the attackers on the genuine site. When the unusual IP address triggers an additional security element, this is then mirrored on the scam site with the same question forwarded to the user. The question is answered, and an error message is generated saying the login was unsuccessful. The user is then redirected to the genuine site and repeats the process and gains access. Chances are they will be unaware their account details have been compromised. Hours later, the scammers will login to the genuine site using the same credentials.

Businesses must also exercise caution at this time of year and should take steps to reduce the risk of employees falling for holiday season scams. Employees keen to get the latest bargains will undoubtedly complete some of their purchases at work.

Email scams increase at this time of year and business email accounts can be flooded with scam emails. Offers of discounts and special deals are likely to flood inboxes again this year. Email holiday season scams may not be about stealing login credentials. Given the increase in malware and ransomware infections in 2016, this holiday season is likely to see many holiday season scams infect businesses this year. A careless employee looking for an online bargain could all too easily click a link that results in a malware download or ransomware infection.

As holiday season fast approaches, the scammers will be out in force. It is therefore important for both businesses and consumers to take extra care. If you want to find out how you can protect your business from malware and ransomware, contact the TitanHQ team today and find out more about our security solutions.

Yahoo Inc Data Breach: 500 Million Users Affected

by G Hunt | September 23, 2016 | Email Scams

In July, news started to break about a massive Yahoo Inc data breach. It has taken some time, but the Yahoo Inc data breach has now been confirmed. And it was huge.

The Yahoo Inc data breach beats the massive cyberattack on Heartland Payment Systems in 2009 (130 million records), the LinkedIn cyberattack discovered this summer (117 million records), and the 2011 Sony data breach (100 million records). In fact, the Yahoo Inc data breach is the largest ever reported. More records were stolen in the cyberattack than those three breaches combined. More than 500 million accounts were compromised, according to Yahoo.

Yahoo Inc Data Breach Worse than Initially Thought

The Yahoo Inc data breach came to light when a hacker added a listing to the Darknet marketplace, theRealDeal. The credentials of 280 million account holders were offered for sale by a hacker called ‘Peace’. To anyone who follows Internet security news, the name of the hacker selling the data should be familiar. Peace recently listed the data from the LinkedIn hack for sale.

The 280 million Yahoo records were listed for a paltry $1,800. That payment would buy a cybercriminal names, usernames, easily crackable passwords, backup email addresses, and dates of birth. While the data were listed for sale 2 months ago, Yahoo has only just announced the breach.

After being alerted to the listing, Yahoo initiated an internal investigation. The investigation allegedly did not uncover any evidence to suggest that the claims made by “Peace” were genuine. However, the internal investigation did reveal that someone else had hacked Yahoo’s systems. Yahoo claims the hack was performed by a state-sponsored hacker.

Yahoo issued a statement saying “The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network.” While that is undoubtedly good news, the bad news is that access is no longer required because user’s data have already been stolen.

The stolen data include names, email addresses, dates of birth, telephone numbers, security questions and answers, and hashed passwords. According to Yahoo, users’ bank account information and payment card details do not appear to have been stolen. Those credentials were stored in a separate system.

What is most concerning about the Yahoo Inc data breach is not the fact that its systems were compromised, but how it has taken so long for Yahoo to discover the cyberattack. The breach did not occur over the summer. The hack took place in 2014.

The results of the Yahoo Inc data breach investigation will have come as a nasty shock to Verizon. The company agreed to buy Yahoo’s core web business, including Yahoo email, in the summer for $4.8bn. It is possible that Verizon may now be having second thoughts about that deal. Whether the hack will have an impact on the purchase remains to be seen, but for Yahoo the timing could not be much worse.

Yahoo Account Holders Advised to Change Passwords and Security Q&As

Yahoo account holders are unlikely to be concerned about any potential sale of their email accounts to Verizon. They will however be concerned about the sale of their credentials to cybercriminal gangs. Even if the data that were listed for sale by Peace are not genuine, someone somewhere does have their data. Most likely, their data are in the hands of multiple criminals. Those data can – and will – be used in a variety of malicious ways.

Yahoo has now placed a notice on its website alerting users to the breach of their data. Yahoo has also sent out emails to affected users urging them to login to their accounts and change their passwords and security questions. The old security questions and answers have now been invalidated and Yahoo has told users to check their accounts for any suspicious activity, albeit out of “an abundance of caution”.

Fortunately for account holders, the majority of passwords were encrypted with bcrypt – a relatively secure form of encryption. However, that does not mean that the passwords cannot be cracked nor that email account holders are not at risk as a result of the Yahoo Inc data breach.

Yahoo Users at Risk of Phishing Attacks

Cybercriminals may not be able to crack the passwords and gain access to user accounts, but they have all the data they need to conduct phishing campaigns.

Yahoo has already emailed users alerting them to the breach, but the emails contained links that can be used to change passwords and security questions. Any cybercriminal in possession of the stolen data is likely to copy the official emails sent by Yahoo. However, instead of links to Yahoo’s website, the emails will contain links to phishing sites.

Those sites are likely to look exactly the same as the official Yahoo site. However, any user entering a new password or security question, would simply be disclosing that information to the attacker. Emails are also likely to be sent that direct users to websites containing exploit kits. Clicking the links will result in malware and ransomware downloads.

If the criminals behind the attack – or those in possession of the data – do manage to crack the passwords, it is not only Yahoo email accounts that could be compromised. Any individual who has used the same password on other websites faces a high risk of other accounts being compromised. Bank accounts, social media accounts, other email accounts, E-bay and Amazon.com accounts could all be at risk.

The data could also be used for social engineering scams, via email or telephone. Criminals will be looking to obtain the extra data they need to commit identity theft and other types of fraud.

How to Minimize Risk and Protect Yourself

• Never click on any links contained in emails. Even if an email looks official and contains a link to help.yahoo.com or login.yahoo.com, do not click on the links. Instead, login to your account in the usual way by entering the web address directly into your browser and change your password and security questions.
• Use a strong password containing letters (capitals, and lower case), numbers, and special characters.
• If you have used the same password for multiple websites, change those passwords immediately. Each website requires a different password. Use a password manager – either a free or paid service – to remember all your passwords.
• Use Yahoo Account Key, which will eliminate the need for a password altogether
• Never respond to any email request for personal information
• Never open any attachments sent via email unless you are certain of their genuineness

New Fake Invoice Email Scam Targets Apple Device Users

by G Hunt | August 25, 2016 | Email Scams

Users of Apple devices have been warned about a new fake invoice email scam that attempts to get them to provide attackers with their bank details.

Another Email Scam Targets Apple Device Users

Criminals are sending spam emails in the millions in the hope that they will be received by owners of Apple devices. The spam emails contain a bogus invoice which indicates the user’s iTunes account has been used to download a number of videos, games, singles, and albums.

The fake invoice includes Apple logos and details of the amounts charged for each purchase. The email is intended to scare iTunes account holders into thinking their account has been compromised and used to make fraudulent purchases.

At the bottom of the invoice is a link for users to click if they did not authorize the purchases. The email recipient is told that they have 14 days to query purchases and receive refunds. However, clicking the “manage my refunds” link will not take the user to the Apple App Store website, but to a spoof site where they are asked to enter in their bank account information. The attackers claim that a refund will be given; however, divulging bank account details will enable the attackers to make fraudulent charges to the users’ accounts.

Both Apple and the FBI are investigating the latest fake invoice email scam. While Apple has not released a statement about this fake invoice email scam, after previous email spam campaigns Apple has told customers that they would not be asked to reveal sensitive information such as bank account details, passwords, and credit card numbers in emails.

When bank account information is required, such as to set up an iTunes account, the web address will be a subdomain of apple.com: store.apple.com for example. Apple advises customer never to reveal their sensitive information on any non-Apple website.

Fake Invoice Email Scam Targets Netflix Users

Criminals often spoof popular websites and attempt to phish for sensitive information such as credit card numbers and bank account details. Netflix it another popular target for scammers due to the number of subscribers to the service. A similar fake invoice email scam is also being used to fool Netflix account holders into disclosing their bank account information.

The spam emails contain an invoice for a subscription to Netflix claiming the user’s account will be charged to renew their subscription. The funds will be automatically taken from users’ accounts unless action is taken to change their auto-renew settings.

As with the Apple scam, a link is provided on the invoice which allows the email recipient to manage their subscription settings. The email appears to have been sent from Netflix, but clicking the link in the email will similarly take the user to a scam site. They are then taken through a series of steps to manage their subscription, which involves confirming their bank account details.

How to Avoid Becoming a Victim of Email Scams

These fake invoice email scam are designed to catch out the unwary and scare people into revealing sensitive information. However, by adopting some email security best practices it is easy to avoid scams such as these.

If you are sent an invoice in an email that claims to be from a web service, never click on the links in the email, no matter how realistic the email appears to be. Instead visit the official website and check account details or account charges directly on that website.

Cybercriminals often include links to spoofed websites in an attempt to obtain sensitive information, although the links can also direct the email recipient to a website hosting an exploit kit. Exploit kits probe for vulnerabilities in browsers and plugins that can be exploited to automatically download malware.

It is safest to assume that all attachments sent via email could be malicious. Never open an email attachment contained in an email unless you are 100% sure that it is genuine. Cybercriminals use email attachments to transmit malware and ransomware. Opening an attachment can potentially result in a malware infection.

Small business owners should use software solutions to prevent the downloading of malware. While anti-virus and anti-malware software can prevent malware from being installed, cybercriminals are developing highly sophisticated malware which is not detected by anti-virus software. By installing a spam filtering solution such as SpamTitan, small businesses can prevent these malicious emails from being delivered to end users’ inboxes. This reduces reliance of employees’ ability to identify phishing and scam emails.

Version française de cet article.

Latest PayPal Email Scam Appears to Use Genuine PayPal Email Account

by G Hunt | July 30, 2016 | Email Scams

A highly sophisticated PayPal email scam has been uncovered that is being used to deliver banking malware. Rather than promise the email recipient a sum of money or the opportunity to claim an inheritance from a long lost relative, this PayPal email scam claims a payment has been made to the victims account and that the money needs to be refunded.

The scam emails say that $100 has been fraudulently sent to the victims account and a refund is requested. The emails contain PayPal logos and appear to have been sent directly from PayPal. The emails appear to have been sent from the members@paypal.com email account. The message contains the subject line “You’ve got a money request”.

It is not clear how the attacker has managed to spoof the PayPal email account, or how the email manages to bypass the spam filter of Gmail.

If the victim responds to the email and makes the payment they will have lost $100; however, that is not all. The victim will also have malware loaded onto their computer. The malware will be loaded automatically regardless of whether the payment is made.

A link is contained in the email which the user must click to find out more about the transaction. The link contains a shortened URL and directs to a document detailing the transaction. The document has a goo.gl address and the link appears to be a jpeg image of the transaction details.

However, clicking the link will result in a javascript (.js) file being downloaded onto the victim’s computer. The script will download a flash executable file, which will install the malware if it is run.

Chthonic Banking Malware Delivered via PayPal Email Scam

The malware that is installed is a variant of the infamous Zeus banking malware – Chthonic. This malware has been programmed to inject its own code and images into banking websites. When the victim visits their online banking website the malware captures login names, passwords, PIN numbers, and answers to security questions. Many banking malware variants target a small number of financial institutions; however, Chthonic is capable of recording information entered into more than 150 different banking websites. Victims are primarily in the UK, US, Russia, Japan, and Italy.

Chthonic isn’t the only malware delivered. Researchers at Proofpoint have determined that an additional previously unknown malware variant called AZORult is also installed onto victims’ computers. Little is known about this new malware variant.

Beware of These Rio Olympics Email Scams

by G Hunt | July 28, 2016 | Email Scams

As the sports spectacular fast approaches it is time to be on high alert for Rio Olympics email scams. The Olympics have not yet started, but the scammers have certainly been active. Many new Rio Olympics email scams have been spotted in recent weeks and the number will certainly increase as the opening ceremony draws closer.

Any large sporting event that attracts massive global media interest is a good opportunity for scammers. With sports fans hungry for news of the latest events, information about competitors, or the latest betting odds, it is all too easy for the guard to be let down. A scramble for last minute tickets sees scammers rake in hundreds of thousands of dollars.

Many scammers feel that the Olympics is shooting fish in a barrel season. Which sadly it is.

Kaspersky Lab has reported that the first Rio Olympics email scams were uncovered as early as 2015; however, as the opening ceremony draws closer activity has increased by several orders of magnitude. In the UK, Action Fraud – the National fraud reporting body – has already received reports of 47 cases of fraud relating to the Rio Olympics, which has resulted in attackers gaining more than £300,000 ($392,800) in funds.

Watch out for these Rio Olympics Email Scams

The Rio Olympics email scams are as diverse as the events being competed over the 17-day competition. It is therefore a time to be particularly cautious.

Criminals are after bank details for fraudulent transfers, credit card details to make purchases, personal data for identity theft, and login credentials for all manner of nefarious activities. It is a time for everyone to be on their guard. Be prepared for a barrage of Rio Olympics email scams over the next few weeks and keep your wits about you online.

Fake Tickets Scams

The price of a ticket to the opening ceremony will cost anywhere between $60 to $1,400, although touts are offering tickets at vastly inflated prices. Ticket prices to see the most popular events can cost several thousand dollars. If a scammer can get a victim to part with their hard earned cash it could potentially be a big payday. If you are still planning on attending and you haven’t yet purchased a ticket, only buy from official sellers.

Scammers have already registered a host of official-looking domain names to fool the unwary into purchasing tickets and parting with their credit card numbers. The websites use official logos that have been lifted from the Internet and appear genuine. Fake or cheap SSL certificates are also purchased making the connections appear secure, yet checks may not have been performed on the company. A SSL (website starting with https) does not guarantee it is genuine. Before parting with your money, at least perform a WHOIS search on the domain owner. Fake domains have usually been purchased in the past few weeks or months. Also perform some online checks to make sure the website is genuine.

Be aware that just because a website ranks highly in the search engines it doesn’t mean it is legitimate. Many scammers use search engine poisoning to increase the rank and position of their websites. They may even appear above those of official ticket vendors.

Many Rio Olympics email scams direct sports fans to unofficial ticket sellers and scam websites. You will at best pay over the odds for a ticket, but most likely you will just be giving your money to a scammer and no tickets will ever arrive in the post.

Congratulations! You Have Won!

If you receive an email informing you that you have won (insert amazing prize here), chances are it is a scam. If it sounds too good to be true, it most probably is. While many Rio Olympics email scams attempt to get individuals to disclose bank details and credit card information, a great deal attempt to obtain money by other means.

Many Rio Olympics email scams direct users to official looking scam websites. Be very careful about disclosing any information on any website during the Olympics.

Emails are sent with fake attachments which, if opened, will infect the email recipients’ computer with malware or ransomware. Malware can log keystrokes and obtain login credentials. Ransomware will encrypt files and a ransom must be paid in order to obtain decryption keys. Links contained in websites often direct users to malicious websites where drive-by malware downloads take place.

Olympics and Zika News

If you are a sports fan and you want to follow the latest news, search for sports sites online and bookmark the pages. Do not click links contained in emails that are delivered to your inbox or spam folder. Many people click on any links contained in emails that seem interesting. Doing so could prove very costly. Scammers are sending out fake news emails or links to legitimate stories. Those links do not direct the recipient to news websites, but to sites loaded with exploit kits which download malware and ransomware onto users’ computers.

Fake Prize Draws

Social media is awash with offers to enter prize draws to win tickets to the Olympics. Be exceptionally careful about disclosing any personal information on social media sites. Scammers often use fake prize draws to obtain sensitive personal data. Those data can be used for future email scams, or to gain access to online accounts. Phishing campaigns are rife during the Olympics.

Fake lottery scams are also commonplace. Emails are sent out in the millions telling recipients they have won a prize draw or lottery. To claim the winnings, it is necessary to pay an admin fee and disclose credit card details or provide bank details for the transfer along with other sensitive information. The golden rule is: If you have not entered the draw, you cannot have won it. If you are asked to make a payment in order to receive winnings it is likely a scam.

If in any doubt as to the legitimacy of an email, delete it. Chances are you have not won a competition you have not entered and you are not lucky enough to have won an all-expenses paid trip to Rio to see the Olympics. It is likely to be one of the many Rio Olympics email scams currently circulating cyberspace.

Protecting Employees and Networks from Attack

Businesses need to take care to protect their networks and prevent their employees from inadvertently downloading malware or giving attackers a foothold in their network. There are plenty of malicious actors that will be using the frenzy surrounding the Rio Olympics to conduct their nefarious activities.

One of the best defenses against Rio Olympics email scams – and other malicious email spam in general – is to use a robust email spam filter such as SpamTitan. SpamTitan blocks 99.97% of email spam, preventing malicious emails from being delivered to end users.

To find out how SpamTitan can help you improve your security posture and prevent malware, ransomware, and phishing emails from being delivered to your employees, give the TitanHQ sales team a call today.

New Game of Thrones Phishing Scam Uncovered

by G Hunt | July 11, 2016 | Email Scams

A new, sophisticated Game of Thrones phishing scam has been uncovered which is targeting individuals who illegally download pirated copies of the HBO series. Game of Thrones is the most pirated TV show in history, with many individuals choosing to illegally download the latest episodes to get their GOT fix. This has not escaped the attention of scammers.

Game of Thrones Phishing Scam Emails Sent via ISPs

The scammers have used an innovative trick to make their scam more realistic. The emails claim to have been sent by IP-Echelon, the company that is used by HBO and other entertainment companies to enforce copyright claims. IP-Echelon has already sent many copyright infringement emails to illegal downloaders of movies and TV shows on behalf of a number of companies.

The Latest Game of Thrones phishing scam uses emails that appear to have been generated by IP-Echelon. The emails are extremely well written and contain the same language that is used by the organization when sending out legitimate notices to ISPs.

The ISPs, believing the copyright infringement notices to be genuine, then forward the emails to customers. Since the notice is sent by the ISP, the Game of Thrones phishing scam appears to be genuine.

The customer is told that they must settle the case promptly – within 72 hours – in order to avoid legal action. To settle the case, the customer must visit a link to review the settlement offer and make payment. Failure to do so will see that settlement offer withdrawn. The email says that the settlement about will increase as a result.

The scam has been run in the United States, although there have been a number of reports of individuals in Canada, Europe, and Australia also having been targeted with the same email scam.

A Convincing Phishing Scam That Has Fooled Many ISPs

It is unclear at this point whether the scammers are specifically targeting individuals who have accessed torrent sites and have downloaded torrent files, or whether the emails are being sent out randomly. Some individuals have taken to Internet forums to claim that they have not performed any illegal downloads, while others have been using torrent sites to illegally download TV shows and movies.

HBO has previously taken action over illegal downloaders and has used IP-Echelon to send out notices very similar to those being used by the scammers. Since the Game of Thrones phishing scam appears to be so realistic, many illegal downloaders may be fooled into making the payment. However, that payment will go directly to the scammers.

As is the case with all email requests such as this, the recipient should take steps to verify the authenticity of the email prior to taking any action. Contacting the company that sent the message – using the contact telephone number on the company’s official website – is the best way to confirm authenticity. Email recipients should never use any contact information that is sent in the email body.

Some ISPs have taken steps to confirm the authenticity of the emails and have discovered they are a scam, but not all. Many have been forwarded on by ISPs who believed the scam emails to be legitimate.

Blurred Image Phishing Scam Used to Steal Business Login Credentials

by G Hunt | July 7, 2016 | Email Scams

A new phishing scam has been discovered that is being used to steal the login credentials and phone numbers of employees. The new scam uses blurred images of invoices to lure victims into revealing sensitive information. In order to view the document or spreadsheet in higher resolution, the victim must supply their email address and password. It is not clear whether this blurred image phishing scam is being used for targeted attacks on businesses or whether the emails are being sent out randomly.

The Blurred Image Phishing Scam

A number of different versions of the same scam have been discovered by the Internet Storm Center, each of which uses a different document.

The initial email appears to have been sent from a legitimate company – a well-known company likely to be very familiar to most business users. HSBC for example. The emails contain corporate logos and are well written. They contain a link that must be clicked to view a purchase order or invoice.

Clicking the link will take the email recipient to a webpage where they are presented with what appears to be a legitimate document. The attackers use a screenshot of an excel spreadsheet (or word document) which appears blurred. The screenshot was taken on a low resolution yet is displayed in high resolution to ensure it cannot be read, although it is clear what the document is.

In order to view the file, the victim is required to enter their email and password in a popup box to confirm their identity. The popup asks for the victim’s email account credentials. The attackers use a JavaScript file to validate the email address.

The login credentials are harvested and sent to the attacker along with the victim’s location and IP address. Users are subsequently directed to a fake Google authentication portal where they are asked to supply their phone number. If the victim enters their details and clicks to view the document, a PDF file will open.

This blurred image phishing scam may not be particularly sophisticated – it uses simple JavaScript, HTML and PHP – but it is still likely to be effective. The blurred images and corporate images may be enough to fool many users into believing the emails are legitimate.

Spate of Facebook Phishing Attacks Reported

by G Hunt | July 4, 2016 | Email Scams

Facebook phishing attacks are fairly common. The website has 1.65 billion active monthly users, a considerable number of which access the social media platform on a daily basis. With such a huge number of users, it is understandable that criminals often target users of the platform.

However, the latest phishing scam to target Facebook users is notable for the speed and scale of the attacks. Kaspersky Lab reports that the latest Facebook phishing attacks have been claiming a new victim every 20 seconds.

The Facebook phishing attacks took place over a period of two days, during which time more than 10,000 Facebook users had their computers infected with malware.

The phishing scam involves site users being sent a message from their ‘friends’. The messages say the user has been mentioned in a comment on a Facebook post. However, when they respond to the message they download a Trojan onto their computers and inadvertently install a malicious Chrome browser extension. In the second phase of the attack, the Trojan and the browser extension are enabled.

When the victim next logs into Facebook the login details are captured and sent to the attacker. This gave the attackers full control of the victims’ Facebook accounts. This allows them to make changes to the privacy settings, steal data, and send their own messages to all of the victims’ contacts on Facebook. The attacks were also used to register fraudulent likes and shares.

The attackers took steps to prevent the infections from being detected. The malware was capable of blocking access to certain websites which could potentially result in the victims discovering the malware infection. The websites of a number of cybersecurity sites were blocked, for instance.

The phishing attack mostly affected Facebook users on Windows computers, although Kaspersky Lab noted that Windows mobile phones were also compromised in the attacks. Individuals who accessed Facebook via Android and Apple phones were immune.

The attacks concentrated on users in South America, with Brazil the worst hit, registering 37% of the Facebook phishing attacks. Columbia, Ecuador, Mexico, Peru, and Venezuela were also heavily targeted. Attacks in Europe were mostly conducted on users in Poland, Greece, and Portugal, with Germany and Israel also hit hard.

The malware used in the latest Facebook phishing attacks is not new. It was first identified about a year ago. Kaspersky Lab reports that the attackers are most likely of Turkish origin, or at least Turkish-speaking.

What sets this phishing scam apart from the many others is the speed at which users were infected. However, the response to the attacks was also rapid. Users who discovered infections spread the news on Facebook, while the media response helped to raise awareness of the scam. Google has also taken action and has now blocked the malicious Chrome extension.

Eir Phishing Scam Prompts Customer Warning

by G Hunt | June 24, 2016 | Email Scams

A new Eir phishing scam has been uncovered which has prompted the Irish communications company to issue a warning to customers. Hundreds of customers received emails offering them a refund yesterday. To claim the refund, the email recipients have been instructed to login to their My Eir account. A fake link is supplied in the email which must be clicked to claim the refund.

Eir Phishing Scam Captures Credit Card Details of Customers

That link directs the email recipient to a fake webpage. The malicious website has been designed to look identical to the Eir website. Users are required to confirm their credit card details in order to obtain the refund. Those credentials are logged by the website and are sent to the criminals running the Eir phishing scam.

Eir has warned customers to be on the lookout for the fraudulent email messages and to delete them if they are received. Any individual who has fallen for the Eir phishing scam and has provided credit card details via the malicious website faces a high risk of credit/debit card fraud.

Phishing email campaigns such as this are commonplace. Attackers use a variety of social engineering techniques to get users to reveal sensitive information such as credit and debit card numbers, which are used by the attackers to make online purchases and rack up huge debts in the victims’ names.

The malicious emails can be extremely convincing. Criminals use legitimate imagery in the phishing emails to fool email recipients into believing the emails are genuine. The malicious spam messages usually contain a link that directs to victims to malicious websites where personal information must be disclosed in order to receive a refund, free gift, or to view important documents. The websites can look identical to the legitimate sites.

Spam Email Poses a Considerable Risk to Businesses

Email scams often direct victims to malicious websites containing exploit kits which probe for weaknesses in browsers and plugins and leverage those vulnerabilities to download malware.

The malware poses a considerable risk for businesses. Malware is used to gain a foothold in a computer network, which can be used to launch cyberattacks to steal valuable data or to gain access to corporate email and bank accounts.

To protect against such attacks, employees should be instructed never to use links sent in emails and to login to websites directly via their browsers. Employees should be provided with training to help them identify phishing emails and email and web spam.

Businesses should also use an anti-spam service such as SpamTitan to capture spam and phishing emails. Preventing the messages from being delivered to end users is the best form of defense against such attacks, and reduces reliance of employees to identify phishing scams.

FBI Releases New Business Email Compromise Scam Data

by G Hunt | June 17, 2016 | Email Scams

The FBI issued a new public service announcement which includes new business email compromise scam data. The new data indicates U.S. businesses have lost almost $960 million to business email compromise scams in the past three years, and the total losses from these scams is now almost $3.1 billion.

What is a Business Email Compromise Scam?

A business email compromise scam is a sophisticated attack on a company by scammers that attempt to trick individuals into wiring funds from corporate accounts to the bank accounts of the attackers. Businesses most commonly targeted are those that frequently make foreign transfers to international companies. The attackers must first gain access the email account of the CEO or another high level executive. Then an email is sent from that account to an individual in the accounts department requesting a bank transfer be made. Occasionally the scammer asks for checks to be sent, depending on which method the targeted organization most commonly uses to make payments.

A business email compromise scam does not necessarily require access to a corporate email account to be gained. Attackers can purchase an almost identical domain to that used by the targeted company. They then set up an email account in the name of the CEO using the same format as that used by the company. This can be enough to fool accounts department workers into making the transfer. Business email compromise scams use a variety of social engineering techniques to convince the targeted accounts department employee to make the transfer.

Business Email Compromise Scams are a Growing Problem

The FBI has previously warned businesses of the growing risk of business email compromise scams. In April this year, the FBI Phoenix Office issued a warning about a dramatic rise in BEC attacks. The data showed that between October 2013 and February 2016 there had been at least 17,642 victims of BEC attacks in the United States, and the losses had reached $2.3 billion.

New data from the FBI suggest that the problem is far worse. The FBI has now incorporated business email compromise scam data from the Internet Crime Complaint Center (IC3). 22,143 reports have now been received from business email compromise scam victims, which correspond to losses of $3,086,250,090.

Between October 2013 and May 2016, there have been 15,668 domestic and international victims, and losses of $1,053,849,635 have been reported. In the U.S. alone, there have been 14,032 victims. Since January 2015, there has been a 1,300% increase in losses as a result of BEC attacks. The majority of the funds have been wired to Asian bank accounts in China and Hong Kong.

The FBI warns of five scenarios that are used by criminals to commit fraud using BEC scams:

1. Requests for W-2s or PII from the HR department – The data are used to file fraudulent tax returns in the names of employees
2. Requests from foreign suppliers to wire money to new accounts – Attackers discover the name of a regular foreign supplier and send an email request for payment, including new bank details (their own).
3. Request from the CEO for a new transfer – The CEO’s (or other executive) email account is compromised and a request for a new bank transfer is sent to an individual in the accounts department who is responsible for making bank transfers
4. A personal email account of an employee of a business is compromised – That account is used to send payment requests to multiple vendors who have been identified from the employee’s contact list
5. Impersonation of an attorney – Emails are sent from attackers claiming to be attorneys, or representatives of law firms, requesting urgent transfers of funds to pay for time-sensitive matters

To protect against BEC attacks, businesses are advised to use 2-factor authentication on all business bank transfers, in particular those that require payments to be sent overseas.  Organizations should treat all bank transfer requests with suspicion if a request is sent via email and pressure is placed on an individual to act quickly and make the transfer.

The FBI recommends that businesses never use free web-based email accounts for business purposes. Organizations should also be careful about the information posted to social media accounts, in particular company information, job descriptions and duties, out of office details, and hierarchical information about the company.

Surge in Ransomware Emails In March 2016

by G Hunt | June 2, 2016 | Email Scams

A new report by anti-phishing training company PhishMe shows a marked rise in the volume of ransomware emails in March. The report shows that spam emails are now predominantly being used to deliver ransomware to unsuspecting victims. The spike in ransomware emails highlights how important it is to conduct anti-phishing training and to use anti-spam solutions to prevent the malicious file-encrypting software from being delivered to employee’s inboxes.

Spike in Ransomware Emails as Criminals Seek Easy Cash

Ransomware has been around for about a decade, yet it has not been favored by cybercriminals until recently. Throughout 2015, under 10% of phishing emails were being used to transmit ransomware. However, in December there was a major spike in ransomware emails, which accounted for 56% of all phishing emails in December. The upward trend has continued in 2016 and by March, 93% of phishing emails contained ransomware – or were used to infect users by directing them to malicious websites where drive-by downloads of the malicious software occurred.

Spam email volume has been in general decline, in no small part to the shutting down of major botnets in recent years. However, that does not mean that the threat of cyberattacks via email can be ignored. In fact, PhishMe’s figures show there has been a surge in the number of phishing emails being sent. In the first quarter of 2016, the number of detected phishing emails soared to 6.3 million, which represents a 789% increase from the volume captured in the last quarter of 2015.

Ransomware is increasingly being used by cybercriminals for a number of reasons. Ransomware is now easy to obtain and send out. Many ransomware authors offer ransomware-as-a-service to any criminal looking to make a quick buck. Not only can the ransomware be hired for next to nothing, instructions are supplied on how to use it and criminals are allowed to set their own ransoms and timescales for payment. All they need to do is pay a percentage of the ransoms they obtain to the authors.

What makes the use of ransomware even more attractive is the speed at which criminals can get paid. Time limits for paying ransoms are usually very short. Demands for payment within 48 hours are not uncommon. While phishing emails have commonly been used to obtain credit card details from victims, which then need to be sold on, criminals can run a ransomware campaign and rake in Bitcoin payments in just a few days.

The ransoms being demanded are also relatively low. This means that many individuals can afford to pay the ransom to obtain the decryption keys to unlock their files, and businesses are also likely to pay. The cost of recovering data and restoring systems, together with the lost revenue from the time that computer systems are down, is often less than the ransom being demanded.

Ransomware Is Becoming Much More Sophisticated

The latest forms of ransomware now being used – Locky, CryptXXX, TeslaCrypt, and Samas (Samsam) – are capable of spreading laterally. Not only can the ransomware infect files on a single computer, other networked computers can also be infected, as can network drives, servers, portable storage devices, and backup drives. Some forms are also capable of deleting Windows shadow copies and preventing the restoration of files from backups.

All that the criminals need is for one business computer to be infected in order to encrypt files throughout the network. That means only one end user needs to be fooled into opening an infected attachment or visiting a malicious webpage.

Ransomware emails often contain personal information to increase the likelihood of an individual clicking a malicious link or opening an infected attachment. Word files are now commonly being used to infect users. Embedded macros contain code that downloads the malicious payload.

The malicious software is sent out in spear phishing campaigns targeting one or two users in a company, such as accounts and billing department executives. Personal information is often used in the emails – names, addresses, and job titles for example – to increase the likelihood of attachments being opened and links being clicked.

As criminals get better at crafting phishing emails and the ransomware becomes more sophisticated, it is more important than ever to use anti-spam solutions such as SpamTitan to trap ransomware emails and prevent them from being delivered. SpamTitan traps 99.9% of spam emails, helping organizations protect their networks from ransomware attacks.

Ransomware Now One of the Main UK Cybersecurity Threats

by G Hunt | May 9, 2016 | Email Scams

File-encrypting ransomware is now one of the main UK cybersecurity threats. Rather than stealing sensitive corporate data, criminals have taken to locking it with powerful encryption to prevent businesses from performing day to day functions. Without access to data, business often grinds to a halt.

Ransomware is nothing new, but over the past few years it has become much more popular with cybercriminals who are increasingly targeting businesses. If criminals can succeed in breaching businesses’ security defenses and locking critical files, a ransom can be demanded in order to supply security keys to unlock the encryption. If no viable backup copy exists, businesses may be left with no alternative but to give in to attackers’ demands. Those demands include sizable payments in Bitcoin – A virtually anonymous currency.

Ransomware attacks in the United States have attracted the headlines, but across the pond, ransomware attacks on UK businesses have also been increasing. According to the latest research from ESET, ransomware is now one of the main UK cybersecurity threats accounting for more than a quarter of threats. In the week of April 19 to 26, 26.16% of threats involved ransomware.

How to Block Ransomware Infections

Unfortunately, there is no single method of blocking ransomware infections that is 100% effective, although by using a multi-layered approach, small to medium-sized businesses can greatly reduce the probability of ransomware being installed on their computers and networks.

Ransomware is installed via a number of different methods, although one of the most common methods of ransomware delivery is spam email. Spam email is used to send out malicious attachments that install malware, which in turn installs ransomware on computers. One of the most common methods of infection is Word documents containing malicious macros.

Attackers also use emails containing malicious links. End users are enticed to click those links using social engineering techniques. One click is often all that is required to install ransomware. While it is possible to train employees to be more security aware, all it takes is for one member of staff to install malware for a network to be encrypted. The latest strains of ransomware are capable of encrypting files on single computers, connected USB drives, and network drives. It is important to provide staff training, but a software solution should also be used to block spam emails and prevent them from being delivered.

SpamTitan can keep an organization well protected from malware and ransomware infections. SpamTitan uses two leading anti-virus engines – Bitdefender and ClamAV – to block the vast majority of spam email. SpamTitan detects and blocks 99.98% of spam email, which prevents end users’ spam and phishing email detection skills from being put to the test.

SpamTitan blocks malicious emails, infected email attachments, and links to phishing websites and sites where drive-by downloads of malware take place. This single software solution can help organization mitigate the risk from many of the main UK cybersecurity threats.

If you want to block ransomware and malware and reduce the time your employees spend sifting through spam email, contact the sales team today for further information or sign up for a free SpamTitan trial.

Personalized Phishing Scam Uses Names and Addresses to Fool Victims into Installing Malware

by G Hunt | April 29, 2016 | Email Scams

Businesses have been put on alert following the discovery of a new personalized phishing scam that attempts to trick users into installing malware on their company’s computers. These new personalized phishing scam emails are primarily being used to spread CryptoWall ransomware, although that is far from the only payload delivered.

New Personalized Phishing Scam Delivers Wide Range of Malware

The new scam is also being used to deliver the Arsnif/RecoLoad POS reconnaissance Trojan to organizations in the retail and hospitality industries, as well as the Ursnif ISFB banking Trojan.

The current attack does not target all employees. Instead it is used to try to install malware on the computers of users with elevated network privileges such as senior executives, CFO’s, senior vice presidents, CEO’s, heads of finance, and company directors. These individuals not only have access to a far greater range of data, they are also likely to have access to corporate bank accounts.

If the payload is delivered it can result in POS systems being infected, access to bank accounts being gained, as well as widespread data encryption with ransomware. Once single email could cause a considerable amount of damage. The emails are currently being used to target organizations in the financial services, although the retail, manufacturing, healthcare, education, business services, technology, insurance, and energy sectors have also received large volumes of these emails.

What makes this particular phishing campaign stand out is the fact that the emails have not been delivered to random individuals. Many spammers send out phishing emails in the millions in the hope that some individuals will respond. However, this is a personalized phishing scam targeting specific individuals. Those individuals have been researched and the emails include data specific to the target.

Each email refers to the recipient by name and includes their job title, address, and phone number in the body of the email. The subject is specific, the email crafted for a particular industry, and the attached files and links have been named to make them appear genuine. The emails have also been well written and do not contain the spelling and grammar mistakes typical of spam email.

A personalized phishing scam such as this is not usually conducted on such a large scale. Spear phishing emails are usually send to just a handful of individuals, but this personalized phishing scam is being sent to many thousands of people, in particular those in the Unites States, United Kingdom, and Australia.

The data used in the email body could have been harvested from a social media site such as LinkedIn, although the scale of the attack suggests data has been obtained from elsewhere, such as a previous cyberattack on another company such as a supplier or an Internet site. Companies that do not use a robust spam filter such as SpamTitan are particularly at risk.

Business Email Compromise Scams Have Cost U.S Businesses $2.3 Billion

by G Hunt | April 15, 2016 | Email Scams

Over the past three years business email compromise scams have been conducted with increasing regularity. However, over the past year the number of business email compromise scams reported to the Federal Bureau of Investigation (FBI) have increased dramatically.

Since January 2015, the FBI reports there has been a 270% increase in BEC attacks. FBI figures suggest the total losses from business email compromise scams since October 2013 has risen to $2.3 billion. Reports of successful BEC scams have been sent to the FBI from over 79 different countries around the world, which have affected more than 17,642 businesses.

Business email compromise scams involve the attacker gaining access to a corporate email account, such as that of the CEO, and requesting a bank transfer be made to their account. An email is sent from the CEO’s account to an accounts department employee, and all too often the transfer is made without question.

Unfortunately for U.S Businesses, BEC attacks are likely to increase as more cybercriminals get in on the act. Security experts have warned that the situation is likely to get a lot worse before it gets better. With the average fraudulent bank transfer between $25,000 and $75,000 and considerable potential to obtain much higher sums, criminals are more than willing to conduct the attacks.

A recent report from Dell SecureWorks indicates some hackers are selling their services on underground marketplaces and are offering access to corporate email accounts for just $250. Since cybercriminals could buy access to corporate email accounts, even relatively unskilled criminals could pull off a BEC scam and potentially have a million dollar+ payday. A number of large corporations have been fooled by these scams and have recorded losses of well over $1 million.

Business Email Compromise Scams Can Be Highly Convincing

BEC scams are convincing because even with security training, staff members tend to assume attacks will come from outside their organization. Employees are suspicious about emails that request the disclosure of login credentials, and a request to make a bank transfer that has not come from within an organization is likely to be immediately flagged as a scam.

However, when the CEO sends an email to a member of the accounts department requesting a bank transfer, many employees would not think to question the request. The person arranging the transfer would be unlikely to call the CEO to confirm payment. The transfer may go unnoticed for a number of days, by which time the funds would have been withdrawn from the attackers account and would be impossible to recover.

To conduct this type of attack the attacker would need to gain access to the email account of the CEO or an executive in the company who usually sends bank transfer requests to the accounts department. Once access has been gained, the attacker can read emails and learn the terminology typically used by that member of staff.

An email can then be written in the same language used by that individual. This ensures that the email does not rouse suspicions. Attackers research the transfer requests that are typically made and set the dollar amounts accordingly.

Since the account transfers are made to bank accounts outside the United States, the companies most frequently targeted are those that often make International payments. To the targeted accounts department employee, the request would seem perfectly normal.

How to Reduce the Risk of Employees Falling for BEC Scams

There are a number of ways that organizations can reduce the risk of employees falling for business email compromise scams. SpamTitan could not block a request sent from a compromised email account, but oftentimes attackers spoof email addresses. They purchase a domain that looks very similar to the targeted company, often transposing two letters. Oftentimes a domain is purchased replacing a letter “i” or an “L” with a “1”. If the email address of the sender is not carefully checked, this could well go unnoticed. SpamTitan can be configured to automatically block these spoofed email addresses to prevent these emails from being delivered.

To prevent employees from falling for business email compromise scams sent from compromised email accounts, policies and procedures should be introduced that require all account transfers to be verified by two individuals. Large transfers should also, where possible, be confirmed by some means other than email. A quick call to sender of the email for instance.

Organizations that choose to do nothing could regret failing to take precautions. Take the Austrian Airline parts company FACC for example. It reportedly lost approximately $55 million to such a scam.

Brazilian Criminals Use Malicious PNG File to Deliver Trojan

by G Hunt | March 25, 2016 | Email Scams

It is getting harder for cybercriminals to deliver malware via email, so attack methods have had to become more sophisticated; the latest attempt uses a malicious PNG file to deliver a banking Trojan.

Simply sending malware as an attachment in a spam email is certain to result in some unsuspecting users’ computers being infected, but cybercriminals are now having to use more advanced techniques to evade detection and get past spam filters and antivirus software. The latest attack method is an example of how attackers are using much more sophisticated methods to evading detection.

Malicious PNG File Used to Infect Windows, OS X, and Linux Machines

A new campaign has been discovered by SecureList which is being used, at present, to attack computers in Brazil. However, while the majority of victims are located in Brazil, the malware is also being used to attack users in Spain, Portugal, the United States and beyond.

To evade detection, the attackers have encrypted a malicious payload in a malicious PNG file – a common image format many people do not usually associate with malware.

The image file is not attached to an email and sent in a spam message, instead the initial attack takes place using a PDF file containing a malicious link. The PDF file is sent out in spam emails which use social engineering techniques to fool users into opening the attachment. The PDF file does not contain any malicious code, instead it uses a link to infect users. Clicking the link in the PDF file initiates the infection process.

The link is used to get users to download a malicious Java JAR file, which in turn downloads an infected ZIP file. The zip file contains a number of other files, including a malicious PNG file, or file with a PNG header. Researchers analyzed the binary file and determined that the PNG file size was much larger than it should be for the size of the image.

Further analysis showed how the malicious PNG file was loaded to the memory – using a technique called RunPE which is used by hackers to hide malicious code behind a legitimate process. In this case that process is iexplore.exe.

The malicious PNG file cannot infect a user on its own, as a launcher is required to decrypt the contents of the file. The attackers send the PDF file to start the infection process. Since the zip file contains the PDF extension, users downloading the file are likely to double click to open, thus infecting their systems. Since the malicious code in the PDF file is encrypted, it is not picked up by antivirus software. However, SecureList points out that the malicious files used in this attack are picked up by Kaspersky Lab products.

Nemucod Malware Used to Deliver Ransomware in New Email Spam Campaign

by G Hunt | March 16, 2016 | Email Scams

A new wave of spam email has prompted antivirus companies to issue a warning about emails infected with Nemucod malware. The emails are rapidly spreading around the globe, with Japan currently the worst hit; however, the prevalence of infected spam email is also particularly high in Europe, Australia, Canada, and the United States.

Nemucod Malware Used to Infect Devices with Teslacrypt and Locky Ransomware

Nemucod malware is a Trojan downloader that is used to install a payload of ransomware. Currently Nemucod malware is being spread via spam email and is being used to download Locky and Teslacrypt ransomware onto the devices of anyone who opens the infected email attachments.

Nemucod malware (JSTrojan/Downloader.Nemucod) is a JavaScript downloader. The malware is being distributed as a ZIP file and will run when opened and will download a payload of file-locking ransomware. The ransomware will lock numerous files and a ransom will be demanded by the attackers. Only if that ransom is paid will a security key be supplied to unlock data.

In contrast to many malware-infected emails which contain numerous grammatical and spelling mistakes, the emails being used to spread this nasty malware are well written and convincing. The emails claim the attachment is an invoice or an official document such as a notice requiring the target to appear in court.

As we have previously reported, Teslacrypt and Locky ransomware are particularly nasty ransomware. On download they search the user’s computer for a wide variety of file types and lock all of those files with powerful encryption. They will also search for files on attached portable storage devices, virtual devices, and network drives. Locky is also capable of removing volume shadow copies (VSS) making it impossible for infected users to restore their devices to a point before the ransomware infection.

Documents, images, spreadsheets, system files, and data backups are all encrypted. Locky has been programmed to encrypts hundreds of file types. Fortunately, there are a number of steps that can be taken to prevent malware and ransomware infections.

How to Prevent a Ransomware Infection

Steps can be taken to reduce the risk of ransomware being installed, but even the best defenses can be breached. It is therefore also essential to ensure that all critical data files are backed up regularly. If a daily backup is performed, at worst, an organization should only lose a maximum of 24 hours of data.

It is essential that once backups are made, the drive uses to store the backup files is disconnected. Some ransomware variants are capable of scanning network drives and can encrypt backup files on connected backup devices.

Simply receiving a malicious spam email that has been infected with malware will not result in a device being infected. A device will only be infected if an end user opens the infected attachment.

The best way to defend against ransomware is never to open email attachments that have been sent from unknown individuals. While this is straightforward for individual users, for businesses it is harder to ensure that no member of staff will be fooled into opening an infected email attachment.

It is therefore essential to provide all members of staff with security training to ensure they are aware about best practices to adopt to reduce the risk of installing ransomware. However, all it takes is for one member of staff to open a malicious email attachment for the network to be infected. For peace of mind, a robust spam filtering solution for businesses should be implemented. SpamTitan blocks 99.9% of all spam email, drastically reducing the risk of ransomware and other malicious emails from being delivered to end users.

New Tax Season Scams: HR and Payroll Staff Being Targeted

by G Hunt | March 4, 2016 | Email Scams

A number of new tax season scams have been uncovered in recent weeks, with one in particular causing concern due to the sheer number of victims it has already claimed. Over the past three weeks, four healthcare providers in the United States have been added to the list of victims. The four healthcare providers have recently announced members of staff have fallen for a W-2 phishing scams and have emailed lists of employees to scammers. Names, Social Security numbers and details of employee earnings have been disclosed.

Healthcare Providers Targeted by New Tax Season Scams

Healthcare HR and payroll staff are being targeted by scammers attempting to gain access to the names, contact details, and Social Security numbers of hospital employees with a view to using the data to commit tax fraud. The latest tax season scams are convincing. The scammers find out the names of staff working in the HR and payroll departments who are likely to have access to employee W-2 forms. A spear phishing email is then sent to the employees requesting a list of W2 copies of employee wage and tax statements for the previous year. They are instructed to compile the lists and enter them in a spreadsheet or PDF and email them as soon as possible.

What makes the scams convincing, and employees likely to respond, is the requests appear to come from within the organization and appear to have been sent by either the CEO or a senior executive. The emails appear to have been sent from the correct email address of the CEO or executive, leading the employees to believe the requests are genuine.

The “From” email address is usually masked so that it appears genuine; although it is not. A reply to the email will be sent outside of the company to an email account being monitored by the scammers.  In some cases, domains have been purchased that are very similar to those of the target organizations. Usually two letters have been transposed making the domains appear genuine. An email account is then set up with the same format as used by the company. A quick glance at the email address may not rouse any suspicion.

It may take days or weeks before these tax season scams are detected. By that time, fake tax returns are likely to have been filed in the names of the victims.

HR and payroll staff must be particularly vigilant at this time of year as tax season scams are rife. However, the rise in number of successful phishing attacks suggests that payroll and HR staff have not received refresher training on the dangers of phishing. With attacks still taking place, now is a good time to issue an email bulletin to all staff with access to employee data to warn them of the risk, and to advise them to exercise extreme caution and not send any employee data without checking and double checking the validity of the email request.

IRS Issues New Warning About W-2 Phishing Scams

At the start of February, the IRS issued a warning about the sharp rise in tax season scams this year. Just over a month into tax season and record number of phishing scams and tax season-related malware had been discovered. In January, 1,026 reports of tax-related incidents had been reported, which is an increase of 254 over the previous year.

The incidents continued to increase throughout February, with last year’s total of 1,361 already having been exceeded in the first two weeks of the month. The high volume of tax season scams reported in February prompted the IRS to issue another warning on February 29, with the W-2 phishing scams causing particular concern. So far this tax season, reported tax-related malware and phishing attacks have increased 400% year on year.

Zika Virus Email Scam Used to Deliver Malware

by G Hunt | February 23, 2016 | Email Scams

Last week a healthcare provider had its electronic health record system locked by ransomware; now a Zika virus email scam has been uncovered, showing the depths that some hackers and cybercriminals will stoop to in order to make a quick buck.

The latest email scam takes advantage of the public interest in the Zika virus epidemic in Brazil. Since April last year, the number of reported cases of Zika fever has grown. Zika fever is caused by the transmission of the Zika virus by Aedes mosquitos. Zika fever produces similar symptoms to Dengue fever, although the symptoms are often milder.

Scientists have also been alerted to a rise in the number of cases of microcephaly reported in Brazil. Microcephaly is a birth defect resulting in babies being born with a smaller than average head as well as other poor pregnancy outcomes. The rise in microcephaly has been linked to the increase in cases of Zika virus.

While no concrete evidence has been uncovered to suggest that pregnant women contracting Zika are likely to give birth to babies with microcephaly, there is concern that Zika can cause the birth defect. The World Health Organization (WHO) reports the virus has now spread to 23 countries. People are naturally worried. Women in Brazil and Columbia have been told to avoid becoming pregnant and hold off having children, while the government in El Salvador has told women not to get pregnant until 2018.

A potentially global health issue such as Zika is naturally a worry for any woman looking to start a family, and understandably the latest news about the virus is likely to be read. Scammers have been quick to take advantage of the media interest, and a scam has been developed to take advantage and infect computers with malware

Zika Virus Email Scam Delivers JS.Downloader Malware

The Zika virus email scam is currently doing the rounds in Brazil and is being sent in Portuguese. The Zika virus email scam appears to have been sent from Saúde Curiosa (Curious Health), which is a legitimate health and wellness website in Brazil. The email contains an attachment infected with JS.Downloader. JS. Downloader is a malware that is used to download malicious malware to infected users’ devices.

The subject line of the email is “ZIKA VIRUS! ISSO MESMO, MATANDO COM ÁGUA!” which translates as Zika Virus! That’s Right, killing it with water!” The email tells the recipient to click on the link contained in the email to find out how to kill the mosquitos that carry the virus, although the email also contains a file attachment which the email recipient is urged to open. Doing so will install the malware onto the user’s device. The link directs the user to Dropbox with the same outcome.

Anyone receiving an unsolicited email with advice about the Zika virus, regardless of the language it is written in, should treat the email with suspicion. This is unlikely to be the only Zika virus email scam sent by cybercriminals this year. With the Olympics taking place in Brazil in the summer, criminals are likely to use topics such as the Zika virus to spread malware.

If you want information about Zika, check the WHO website. If you receive an Zika virus email, delete it and do not click on any links in the email or open any attachments.

Healthcare Ransomware Attack Sees Hospital Pay $17K Ransom to Unlock EHR

by G Hunt | February 18, 2016 | Email Scams

Over the past 12 months, cybercriminals have used ransomware with increasing frequency to extort money out of businesses, leading some security experts to predict that healthcare ransomware infections would become a major problem in 2016.

Would cybercriminals stoop so low and attack the providers of critical medical care? The answer is yes. This week a U.S. hospital has taken the decision to pay a ransom to obtain the security keys necessary to unlock data that had been encrypted by ransomware. The attack does not appear to have been targeted, but the ransom still needed to be paid to unlock the hospital’s electronic medical record system.

Last year, Cryptowall infections were regularly reported that required individuals to pay a ransom of around $500 to get the security key to recover files. However, when businesses accidentally install ransomware the ransom demand is usually far higher. Cybercriminals can name their price and it is usually well in excess of $500.

Healthcare Ransomware Infection Results in Hospital Paying $16,664 to Unlock EHR

While businesses have been targeted by cybercriminal gangs and have had their critical data locked by ransomware, it is rare for healthcare providers to be attacked. The latest healthcare ransomware infection does not appear to have been targeted, instead a member of staff inadvertently installed malware which locked the hospital’s enterprise-wide electronic health record system (EHR): The system that houses patient health records and critical medical files.

The EHR of Southern California’s Hollywood Presbyterian Medical Center was locked on February 5, 2016., with physicians and other members of the hospital staff unable to access the EHR to view and log patient health information. An investigation into the IT issue was immediately launched and it soon became apparent that the database had been locked by ransomware.

No one wants to have to pay cybercriminals for security keys, and the hospital took steps to try to recover without having to give in to ransom demands. The Police and FBI were contacted and started an investigation. Computer experts were also brought in to help restore the computer system but all to no avail.

The news of the healthcare ransomware attack broke late last week, with early reports suggesting the hospital had received a ransom demand of 9,000 Bitcoin, or around $3.4 million. The EHR was taken out of action for more than a week while the hospital attempted to recover and unlock its files.

Eventually, the decision had to be taken to pay the ransom. While it may have been possible for patient health data to be restored from backups, the time it would take, the resources required to do that, and the disruption it would likely cause was not deemed to be worth it. Allen Stefanek, CEO of Hollywood Presbyterian Medical Center, took the decision to pay the ransom to obtain the security key to unlock the data.

In a statement posted on the company’s website he confirmed that the reports of a ransom demand of 9,000 Bitcoin were untrue. The attackers were asking for 40 Bitcoin, or $16,664, to release the security key to unlock the hospital’s data.

Stefanek said, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

Fortunately, healthcare ransomware attacks are relatively rare, as many healthcare providers in the United States already have controls in place to reduce the likelihood of an attack being successful. Staff are trained to be vigilant and not to install software on healthcare devices or open suspicious email attachments. Many use a spam filter to quarantine suspect emails. The latter being an essential protection against healthcare ransomware attacks.

The Importance of a Robust Spam Filter to Prevent Healthcare Ransomware Attacks

A healthcare ransomware attack does not just have a financial impact; it has potential to cause actual harm to patients. The delivery of healthcare services is slowed as a result of the inability to access and share healthcare data, and not being able to view patient health records could delay the delivery of critical patient care or result in incorrect medications being prescribed. That could be a life or death matter. Preventing healthcare ransomware attacks is therefore essential. A technological solution should be employed for maximum protection.

TitanHQ’s SpamTitan software has been developed to keep businesses protected from malware and ransomware attacks. SpamTitan uses two anti-malware engines to maximize the probability of spam emails and malicious attachments being caught and prevented from being delivered to end user inboxes. SpamTitan catches 99.9% of Spam email and quarantines emails with suspicious attachments to prevent them from being delivered.

If you want to reduce the risk of a suffering a ransomware attack and having to pay cybercriminals to unlock critical data, using a robust, powerful anti-spam solution such as SpamTitan is the best way to protect computers and networks from attack. Along with staff training to improve understanding of healthcare ransomware and other malware, it is possible to prevent attacks from being successful.

For further information on SpamTitan anti-spam solutions, contact the TitanHQ team today:

US Sales +1 813 304 2544

UK/EU Sales +44 203 808 5467

IRL +353 91 54 55 00

Or email sales@spamtitan.com

Penalties for Spamming: 27 Months Jail Time for Indianapolis Spammer

by G Hunt | February 5, 2016 | Email Scams

What are the penalties for spamming? A man from Indianapolis has just discovered the penalties for sending spam can be severe, having been recently sentenced to serve over 2 years in jail.

Indianapolis man discovers the penalties for spamming can be severe

Phillip Fleitz, 31, of Indianapolis was recently sentenced to 27 months in a federal penitentiary after violating the CAN-SPAM Act of 2003: A law introduced to make the spamming of cell phones and email accounts illegal. The law was introduced by George W. Bush to protect U.S. citizens from unwanted marketing messages and pornography. Under the CAN-SPAM Act of 2003, the penalties for spamming include lengthy jail terms and hefty fines.

US District Judge Maurice Cohill Jr. passed sentence in a Philadelphia court earlier this month. The judge said the spam campaign orchestrated by Fleitz was “sophisticated and serious,” and resulted in millions of spam messages being sent to U.S. citizens. Fleitz, along with two other individuals involved in the massive spamming campaign, were raking in between $2,000 and $3000 per week. They were paid for the clicks they managed to generate by sending users to marketing websites.

The marketing websites gathered contact details from visitors, a practice which is legal. What is not legal, and contravenes the CAN-SPAM Act of 2003, is using spam marketing to generate traffic to those websites.

Fleitz was the only individual from the trio to receive a jail term as he was the architect of the scheme. “It was his idea. He was the first to do it,” said prosecuting US attorney Jimmy Kitchen. Last year, Fleitz pled guilty to using a protected computer to relay or retransmit multiple commercial electronic mail messages with the intent to deceive or mislead recipients, with the sentence only just being passed.

Spammer arrested after Darkode website takedown

Flietz was arrested as part of an FBI investigation into Darkode, a website used by hackers and cybercriminals to market illegal computer skills. The taking down of the website resulted in 12 individuals being charged for computer crimes.

The two other individuals involved in the spam campaign, Naveed Ahmed, 27, wrote the program that allowed the scheme to operate. He received 2-years’ probation and was sentenced last year. Dewayne Watts, wrote the spam messages which were designed to fool users into responding. He received 2-months’ probation, including a period of 6 months of being confined to his house.

The spamming campaign was run via servers based in China between September 2011 and February 2013. Fleitz recruited Ahmed to write a computer program that enabled the spammers to send millions of spam text messages and emails to mobile phones and computers. Ahmed’s program mined cellphone numbers and matched them up with carriers.  The messages written by Watts advised the recipients they had won gift cards that could be claimed by clicking the links contained in the messages.

The penalties for spamming under the CAN-SPAM Act of 2003 can be severe. While Fleitz only received 27 months in jail, he could potentially have been sentenced to a maximum of 60 months of jail time and fined up to $250,000. When determining the penalties for spamming, judges take prior history into consideration as well as the severity of the offences.

TitanHQ.fr a cet article en français.

FAQ

Who is in charge of enforcing the CAN-SPAM Act?

The CAN-SPAM Act is enforced primarily by the Federal Trade Commission, which can seek civil penalties of up to $16,000 per violation. In certain circumstances the Act is enforced by various other federal agencies such as the Federal Communications Commission, state attorneys general, and Internet Service Providers. There is no private right of action.

Who can I complain to about spam and phishing emails?

It depends on the nature of the email and whether or not you have responded to it. For example, complaints about emails advertising financial investments should be sent to the Securities and Exchange Commission, while those relating to miracle medical cures should be sent to the Food and Drug Administration. You will find the full list of who to complain to on the Department of Justice website.

Has the CAN-SPAM Act been updated since it was first enacted?

In 2017, the Federal Trade Commission sought public comment on the CAN-SPAM Act ahead of a review. After receiving 92 comments “overwhelmingly” in favor of keeping the rules as they are, in 2019 the Commission concluded the Act still benefits businesses and consumers without imposing substantial economic burdens on genuine email marketing and the rules were kept the same.

How can I prevent my business receiving spam and phishing emails?

Speak with us about our email filtering service which can detect up to 99.97% of spam emails and significantly reduce the likelihood of a phishing email being delivered. Our team will be happy to organization a no-obligation demonstration of our service in action and give you the opportunity to take advantage of a free trial in order to evaluate our service in your own environment.

Dangerous New WhatsApp Scam Email Identified

by G Hunt | January 15, 2016 | Email Scams

If you receive an email alerting you to a new WhatsApp voicemail message that you have received, it could well be the latest WhatsApp scam email that is currently doing the rounds. This new scam is particularly nasty.

Malicious WhatsApp scam email discovered

The WhatsApp scam email is being used as part of an attack on businesses and consumers, and will result in Nivdort malware being loaded onto the device used to open the email.

Security researchers at Comodo discovered the WhatsApp scam email and have warned that the malware contained in the email attachment has been developed to affect users of Android phones, iPhones, as well Mac and PC users.

The WhatsApp scam email looks like it has been sent by WhatsApp, although there are a number of tell-tale signs that the WhatsApp scam email is not legitimate. For a start, WhatsApp will not send messages to a user’s email account, but will only inform users of a missed call or voicemail message through the app itself. However, many of the 900 million users of the chat software program will not be aware of that.

The email contains the imagery typically associated with the Facebook-owned messaging platform, but a check of the sender’s address will reveal that this email has not been sent from WhatsApp. The email also contains a zipfile attachment. Opening the zip file will result in malware being installed onto the device used to open the attachment.

The attackers are sending out multiple variants of the email with different subject lines. Each subject line also contains a string of three, four, or five randomly generated characters after the message, such as “xgod” or “Ydkpda”

The subject lines in some of the scam emails have been detailed below:

If you receive any email from WhatsApp you should treat it as suspicious. You should never open any email attachment from any person you do not known, and must be particularly caution with .zip files. If in doubt, delete the email and remove it from your deleted email folder.

Malware Delivered by the WhatsApp scam email campaign

Nivdort is a family of Trojans that collect data from the computers on which they are installed. In order to avoid being detected the malware is loaded into the Windows folder. The latest variant is loaded to multiple system folders and also the registry. Even if detected by anti-virus software it is possible that not all traces of the malware will be removed. The malware may still be able to receive commands and exfiltrate data from the infected device.

IRS Tax Refund Spam Resurfaces in Time for Tax Season

by G Hunt | December 30, 2015 | Email Scams

In the United States, tax season starts on January 1 and Americans are required to complete their annual tax returns before the April 15, deadline. As is customary at this time of year, new IRS tax refund spam email campaigns have been launched by cybercriminals.

During the first quarter of the year employees must get their tax documents from their employers and collect and collate all paperwork relating to their earnings over the year. Many dread having to pay out thousands of dollars in tax, but for some there is some good news.

The IRS has been sending emails to millions of Americans telling them that their previous tax returns have been assessed and they are due for a tax refund. The notifications have arrived by email and details of the refund are contained in an email attachment. All the recipient needs to do is to open the attached file to find out how much money they are due to have refunded.

Unfortunately, the email notifications are bogus and have not been sent from the IRS. This is just the latest IRS tax refund spam campaign to be launched by cybercriminals. The email is anything but good news. The IRS tax refund spam email contains a zip file, but instead of details of a refund, the file contains a rather nasty selection of malware and ransomware. Worse still, the batch of malware is sophisticated and capable of evading detection. The malware remains resident in the memory of the device used to open the email attachment. The mail recipient is unlikely to discover their device has been infected until it is too late.

If anti-spam solutions have been installed the IRS tax refund spam emails should be caught and quarantined. Even if not, some users will have to try hard to infect their devices. If security software has been installed on the device, opening the attachment should result in warnings being issued. The user will need to ignore those warnings before proceeding. Many do just that. The attraction of a tax refund after overspending at Christmas is too difficult to resist.

For many users the latest strains of malware included in the zip file will not trigger AV engines and even some anti-malware software programs will not identify the files as being malicious. The threat to businesses is therefore serious. If the attachment is opened and run, the malware will be installed and granted the same network and device privileges as the user.

IRS tax refund spam contains CoreBot and the Kovter Trojan

Opening the email attachment will deliver the latest strain of the Kovter Trojan. Kovter is not installed on the computer’s hard drive as commonly occurs with malware. This makes it much more difficult to detect. Instead, malicious code is run with the malware residing in the memory. Memory resident malware does not tend to persist. Once the infected computer is rebooted, the malware doesn’t reload. However, in the case of Kovter it does. Kovter is reloaded via the registry each and every time the computer is booted. Kovter is fileless malware that runs commands via Powershell in a similar fashion to Poweliks. If a computer does not have Powershell installed, the user is not protected. Kovter will just download it and install it on the device.

Kovter is not new of course. It was first identified two years ago, but it has since evolved to evade detection. In addition to being used to deliver ransomware, which locks the computer until a ransom is paid, it is also being used to perform click-fraud and generate revenue for the hackers via CPC campaigns.

Kovter is known to be used on an affiliate basis. Any individual who signs up is paid based on the number of devices they are able to infect. Cybercriminals have been spreading infections via a range of exploit kits such as Angler, Neutrino, and Fiesta. The IRS tax refund spam attack is a new way of getting the malware installed on devices.

The zip file also installs CoreBot; a particularly nasty malware that poses even bigger problems for businesses. If employees are fooled by the IRS tax refund spam and open the zip file, CoreBot can prove particularly problematic to detect, and can potentially cause a lot more damage. CoreBot is a modular malware that can have additional functions added by hackers as and when they desire. It has previously been used as a data stealer, although recently it has been used for man-in-the-middle-attacks on financial applications and web services. The malware is capable of stealing banking credentials and login information. It can also be used to exploit new zero-day vulnerabilities.

It security professionals should be wary and should warn their company’s employees of the tax refund spam, and instruct them not to open any zip file attachments, or any email attachments that have been sent from unknown senders. The IRS will not notify individuals of a tax refund in this manner. Any IRS email with a file attachment is likely to be spam and contain malware.

Healthcare Industry Phishing Report: Greater Email Security Required

by G Hunt | December 10, 2015 | Email Scams

In the United States, healthcare industry phishing campaigns have been responsible for exposing the protected health records of well over 90 million Americans over the course of the past 12 months. That’s over 28% of the population of the United States.

This week, another case of healthcare industry phishing has come to light with the announcement of Connecticut’s Middlesex Hospital data breach. The hospital discovered four of its employees responded to a phishing email, resulting in their email account logins being sent to a hacker’s command and control center. In this case the damage caused by the phishing attack was limited, and only 946 patients had their data exposed. Other healthcare organizations have not been nearly so lucky.

Largest ever healthcare industry phishing attack suffered in 2015

In February, Anthem Inc., the second largest health insurance company in the United States, discovered it had suffered the mother of all healthcare data breaches. Approximately 78.8 million health insurance subscriber records were obtained by criminals in the attack. The breach did not occur in February, but months previously, with the hackers being allowed plenty of time to exfiltrate data.

Another U.S. health insurance company discovered it too had been hacked just a couple of weeks later. Premera Blue Cross similarly found out that hackers had gained access to its systems many months previously and had potentially obtained the records of over 11 million insurance subscribers.

Both security breaches were highly sophisticated in nature, but were discovered to have their roots in healthcare industry phishing campaigns. Employees had responded to phishing emails which ultimately allowed hackers to gain access to huge volumes of highly confidential healthcare data.

In 2014, Community Health Systems suffered a data breach that exposed the PHI of 4.5 million individuals in what was then the second largest healthcare data breach reported. That data breach had its roots in a phishing campaign sent to its employees.

Healthcare industry phishing attacks occurring with alarming frequency

In just 12 months, many healthcare providers and health plans have suffered at the hands of phishers. Some of the healthcare industry phishing attacks have been summarized in the table below:

Successful U.S. Healthcare Industry Phishing Attacks in 2015

Cybercriminals attracted by easy targets and big rewards

In the United States, healthcare organizations and their business associates are covered by legislation which requires robust protections to be put in place to keep computer networks secure and patient health data safeguarded from attack. The Health Insurance Portability and Accountability Act (HIPAA) requires administrative, technical, and physical controls to be used to keep the Protected Health Information (PHI) of patients secure at all times.

Even though the industry is heavily regulated, the industry lags behind others when it comes to data security. Hackers often see healthcare organizations as an easy target. Their networks are complex and difficult to protect, and IT security budgets are insufficient to ensure that all of the appropriate protections are put in place to keep data secure.

On top of that, healthcare providers and health insurers store an extraordinary volume of highly sensitive data on patients and subscribers. Those data are much more valuable to thieves than credit card numbers. Health data, Social Security numbers, and personal information can be used to commit identity theft, medical fraud, insurance fraud, credit card fraud, and tax fraud. One set of patient data can allow criminals to fraudulently obtain tens of thousands of dollars, and the data can typically be used for much longer than credit card numbers before fraud is detected.

It is therefore no surprise that healthcare providers are such a big target. There are potentially big rewards to be gained and little effort is required. Healthcare industry phishing is therefore rife, and spear phishing campaigns are now increasingly being used to get busy healthcare employees to reveal their login credentials. Many of those campaigns are proving to be successful.

Industry reports suggest that the healthcare industry in the United States does not have sufficient controls in place to prevent against phishing attacks. A KMPG study conducted earlier this year showed that 81% of U.S. healthcare organizations had suffered cyberattacks, botnet, and malware infections. Other research conducted by Raytheon/Websense suggested that the healthcare industry in the United States suffered 340% more data breaches than other industries.

Healthcare industry phishing emails are not always easy to identify

Just a few years ago, a phishing email could be identified from a mile away. They contained numerous spelling mistakes and grammatical errors. Nigerian 419 scams were commonly seen and easily spotted. Malicious email attachments were sent, yet they could be easily identified as they were rarely masked. It is easy to train staff never to open an executable file sent via email.

Today, it’s a different story. Healthcare industry phishing emails are not always easy to identify. Malicious emails are crafted with a high level of skill, spell checks are used, subjects are researched, as are the targets. Links are sent to phishing websites that cybercriminals have spent a lot of time, money, and resources developing. Even a trained eye can have trouble identifying a fake site from a real one. The threat landscape has changed considerably in just a few years.

Sometimes healthcare industry phishing emails are so convincing that many members of staff are fooled into responding. Franciscan Health System is a good example. In 2014, a phishing campaign was sent to the healthcare provider via email. The scam was straightforward. Workers were sent an email containing a link and a good reason to click it. They clicked through to a website which required them to enter their login credentials. 19 workers reportedly fell for the campaign and revealed their email account login names and passwords. Contained in their email accounts were patient data. As many as 12,000 patients were affected.

What can be done to reduce the risk of phishing attacks?

There are a number of controls and safeguards that can be implemented to reduce the risk of healthcare industry phishing campaigns being successful, and multi-layered defenses are key to reducing risk.

Conduct Regular Staff Training

All members of staff should be trained on email and internet security, and told how to identify phishing emails and phishing websites. They must be issued with a list of best practices, and their knowledge should be tested. The sending of dummy phishing emails is a good way to check to see if they have taken onboard the information provided in training sessions.

Use Powerful Anti-Virus and Anti-Malware Software

Separate anti-virus and anti-malware solutions should be used and virus/malware definitions updated automatically. Regular scans of the network and individual devices should be scheduled at times of low network activity.

Employ Spam Filtering Software

Spam filtering solutions are essential. One of the best ways of preventing end users from falling for phishing emails is to make sure they never receive them. Powerful anti-spam solutions will block and quarantine malicious email attachments and prevent phishing emails from being delivered to end users.

Implement Web Filtering Solutions

Not all phishing campaigns come via email. Social media websites are often used as an attack vector and malicious website adverts can direct users to phishing websites. Implementing a web filter to limit the types of websites that users are permitted to visit can significantly reduce the risk of users falling for a phishing campaign. Web filtering solutions will also block access to known phishing websites.