Gone Phishing: Why Energy Must be Vigilant as Cyber Threats Accelerate


We’ve all heard about ransomware, but we don’t talk enough about how it infects a company’s information technology and critical business systems. Ransomware can be deliberately installed after hackers have gained access to a system to take data, IP, and business continuity hostage. Yet threat fatigue has diminished our awareness of perhaps the most pervasive type of cyber-attack. Count the e-mails you immediately delete every week because you know they are phishing attempts, and you may be surprised at just how close we come every day to being hit by a continuous barrage of hacker e-mails trying to install ransomware or steal our passwords, credit cards, and bank details.

Phishing has evolved into a multi-pronged attack coming at us from many angles, including e-mail, text messages, and phone calls. Attempts to trick individuals into giving up personal and business information are also becoming more targeted, instead of relying on the brute-force method of sending bulk spam or robo-dialing an entire area code. For energy companies, these types of threats can cripple an organization, inflict irreversible reputational damage, and result in organizations failing to meet their regulatory and contractual obligations.

To help your team raise awareness and defend against phishing, here are the four ways hackers are attempting to trick you.

Spear Phishing

This type of phishing targets a specific individual or organization. Attackers will often research their targets in advance to gather personal information that they can use to make their emails more believable. For example, they might use the target’s name, job title, or company in the email subject line or body. Spear phishing attacks are often more successful than general phishing attacks because they are more likely to trick the recipient into clicking on a malicious link or opening an attachment.

Whale Hunting

This type of phishing specifically targets high-level executives, such as CEOs, CFOs, and presidents. Whaling attacks are even more sophisticated than spear phishing attacks, and attackers will often go to great lengths to make their emails appear legitimate. For example, they might use a spoofed email address that looks like it belongs to a real person at the target’s company. They might also include personal information about the target in the email, such as their home address or phone number.

Smishing

This type of phishing is carried out via SMS text messages. Smishing attacks are becoming increasingly common, as more and more people use their smartphones for personal and business communication. Smishing attacks often use urgency or scare tactics to trick the recipient into clicking on a malicious link or opening an attachment. Cyber thieves often target new employees by researching job listings and tracking social media posts announcing new staff, then sending personalized text messages that pose as an executive or HR manager and demand the purchase of Apple or Google Pay gift cards for another employee’s work anniversary or birthday. Such cards are easily transferable by sending the codes in a text.

Vishing

This type of phishing is carried out over the phone. Vishing attacks often use urgency or scare tactics to trick the recipient into providing personal information or financial details. For example, a vishing attacker might call and claim to be from the recipient’s bank, saying that there has been suspicious activity on their account. The attacker will then ask the recipient to verify their account information by entering it into a keypad or providing it over the phone.

Looking for a trusted partner to help you navigate today’s evolving and complex cyber threats? With a 100% focus on energy, Stonebridge has a 30-year track record of keeping pace with the rapidly changing digital oilfield, IT/OT, and data security landscape. Contact us today to get started with a cybersecurity health check and business continuity plan.