Help to avoid email scams & What does a phishing email scam look like?
Updated: 12/08/2020
Article #: 18
Although we maintain controls to help protect our network and computers from these types of attacks, we rely mostly on staff to be our first line of defense. Here are some simple things you can do to help HACFM continue to avoid ransomware/malware attacks:

Double-check Before You Click

The most common way ransomware enters corporate networks is through email. Oftentimes, scammers will include malicious links or attachments in emails that may look harmless. To avoid this trap, please see the following email best practices:

What does a phishing email scam look like?

Cybercriminals use phishing emails to gain access to sensitive data or a business network by targeting employees. Phishing emails often appear to be from an authentic source. A familiar display name, such as a business or colleague, may mask a fraudulent email address. The email message may convey urgency or importance to pressure the recipient to act quickly without taking the time to examine the credibility of the email itself. The following are all possible signs of a scam:

A new type of phishing email is also on the rise. Unlike traditional phishing emails, which are sent en masse to a group of people and lack personalization, spear-phishing emails are personalized attacks on a single recipient. This type of phishing email appears to come from a friend, associate, or boss and personally addresses the recipient with a message that contains information that presumably only this person would know or request. What employees don’t realize, though, is that social media and internet profiles often give hackers access to this information about them.

How does a phishing scam work?

There are two main ways phishing scams attempt to breach data.

1. Information Collection – the phishing email includes a link to a spoofed website that asks the recipient to share personal or confidential information, such as passwords or financial details.
2. Downloadable Malware – the phishing email includes an attachment or link, which installs malware onto the user’s device when downloaded. This malware can go unnoticed for months before the hacker carries out their malicious intent, or they may immediately take over the system and demand a ransom for restoration.

A common phishing scam appears to come from a financial institution and requests that the recipient verify their banking information due to a recent change. The hackers can then use this information to take money directly from the business.

In a recent scam, phishing emails impersonating the Kentucky State Attorney’s office warned victims that they had 10 days to file a rebuttal. Once the recipient clicked the link in the email, a virus was downloaded which disabled the device and demanded money to restore it. Attorney General Andy Beshear warned Kentucky residents and businesses that this email was not from the Kentucky Office of the Attorney General and that any suspicious emails should be reported to avoid data and financial loss.

How to reduce the risk of a phishing scam on your business

The key defense against phishing is employee education. It is important that your employees are educated on how hackers approach them and how to avoid falling prey through phishing, malware, social engineering, or bad surfing habits. Simply having policies on data sharing and password management is not enough to protect your business. Employees should be active participants in protecting your business on the front lines – their inboxes. The following are just some of the steps your employees should take to avoid falling prey to a phishing scam:

Stop: Even if the email seems urgent or important, take time to verify that the “From” email address is legitimate and trustworthy. Also review the message for grammar mistakes or typos, which can be a common sign of a phishing attack.

Think: Use your common sense. If something seems too good to be true, such as “winning a prize,” or out of the ordinary, such as your bank asking you to verify information unexpectedly, then chances are it’s a scam. Trust your gut: if a link or attachment seems suspicious, it’s better to verify its legitimacy before clicking or downloading.

Act: If you think you’ve received a phishing email, always report it to a supervisor or IT. If the suspicious email appears to be from a business vendor or financial institution, contact them through your normal means of communication to verify the request.
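
For IT staff, the "Stop" check above (a familiar display name masking a different "From" address) can also be run automatically on incoming mail. The Python sketch below is an added example, not part of the original article or any HACFM tooling. The sender names, the domains and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: names staff expect to see, mapped to the domains they really use.
KNOWN_SENDERS = {
    "example bank": {"examplebank.example"},
    "it help desk": {"corp.example"},
}
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@([\w.-]+\.[\w-]+)")

def domain_ok(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_from(raw_message):
    """Return reasons the From header looks spoofed (empty list if none)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ["no usable sender address in From header"]
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # Case 1: the display name claims a known sender, the address does not match.
    for name, allowed in KNOWN_SENDERS.items():
        if name in display.lower() and not domain_ok(domain, allowed):
            reasons.append(f"display name claims '{name}' but address is at {domain}")
    # Case 2: the display name shows one address while the mail comes from another.
    shown = EMBEDDED_ADDR.search(display)
    if shown and shown.group(1).lower() != domain:
        reasons.append(f"display name shows {shown.group(1)} but address is at {domain}")
    return reasons

# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": "From: Example Bank <alerts@examplebank.example>\n\nStatement ready",
    "lookalike": 'From: "Example Bank" <alerts@examplebank-secure.example>\n\nVerify now',
    "embedded": 'From: "helpdesk@corp.example" <helpdesk@mail-corp.example>\n\nReset',
    "unknown": "From: Jane Doe <jane@vendor.example>\n\nInvoice attached",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_from(raw) or "no warning")
```

A clean result only means the display name and address agree; a message from an unfamiliar sender still needs the Think and Act steps.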