Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.
Phishing attack emails related to COVID-19 increased 667% from March 1 to 23, according to researchers from the cyber-security firm Barracuda. This is alarming, but that still only represents about 2% of phishing attacks. And worse, some emerging phishing tactics are very tricky to detect.
First, a basic definition: Phishing is a method by which cyber-criminals attempt to get one or more victims to divulge login IDs and passwords for critical accounts or IT networks, or to download malware.
Scammers use bogus emails, phone calls, text messages, and other communications to appear legitimate to their victims.
The malware a phishing attack delivers to your computer or mobile device can do a variety of dangerous things, such as recording your keystrokes, harvesting financial data, giving hackers remote control over your device, installing ransomware, and much more.
The big prize that cyber-criminals seek from small businesses – especially those that store clients’ sensitive financial information and conduct electronic funds transfers – is access to your company’s IT network and databases. Mobile devices are a perfect entryway for that.
Phishing attacks target mobile devices
Even if your employees don’t have sensitive company or client data stored directly on their mobile devices, they can probably log in to your company’s network from those devices. Hackers can grab those login credentials through a successful phishing attack.
Unfortunately, mobile devices have two features that make them particularly vulnerable to phishing:
- On smaller mobile device screens, web and email addresses are hidden
Phishing emails often appear to come from colleagues, vendors, or big-name reputable sources because they use similar-looking email addresses. Those emails often include links to fake login pages, which also use a similar-but-fake web address (or “URL”) in the box at the top of the page.
But even if you’re in the habit of checking web and email addresses to spot potential scams, you have to work harder to do that on a smartphone, because mobile browsers and mail apps often require you to scroll up and/or tap a drop-down icon to see the full address. As I mentioned in a previous article, not even seasoned cybersecurity experts do that very often.
(For worse news about spotting fake URLs, see the “Punycode” section below.)
- Employees run unsecure apps on their devices
According to a report on the state of mobile security in 2020 by the cloud security company Wandera, 87% of successful mobile phishing attacks take place outside of email. Mobile apps are often the culprit.
The report pointed out that even apps from the two major app outlets, Google Play and the Apple App Store, can no longer be trusted to be free of malicious or easily hackable code.
Also, some of your employees, mainly those with Android devices, may “jailbreak” them to install sketchy apps from outside these mainstream outlets.
If your firm has a mobile device management (MDM) tool, it can probably be configured to combat some of these attacks. If you don’t use MDM, or you’re not sure whether an IT services firm is administering one for you, I recommend looking into it.
Phishing attacks hide behind two emerging tactics
Two relatively new phishing tactics are making it more difficult to spot bogus web and email addresses.
- Punycode hides fake domain names behind legitimate-looking text
“Punycode” is a play on “Unicode,” the standard that defines how text characters from every writing system are represented. Punycode is the encoding that lets a domain name containing non-English characters be written in the plain ASCII letters the domain name system actually uses; the browser shows you the Unicode characters, not the underlying ASCII form.
Hackers have learned to abuse this by registering domain names that use characters from other alphabets which look identical to English letters. A domain that displays as “amazon.com” can therefore look completely real on screen while the code underlying those characters belongs to a fraudster’s domain, which is the one your device actually connects to.
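The following is an added example, not code from the original article, showing how a defender can expose the hidden Punycode form of a lookalike domain and flag it. The lookalike string, the small confusables table and the `PROTECTED_BRANDS` allowlist are constructed here for illustration.

```python
import unicodedata

# Constructed lookalike of "amazon.com": the first, third and fifth letters are
# Cyrillic (U+0430 "a", U+043E "o"), which render identically to Latin a/o.
# This is an illustrative string, not a domain observed in the wild.
LOOKALIKE = "\u0430m\u0430z\u043en.com"
PROTECTED_BRANDS = {"amazon.com"}  # hypothetical allowlist of your real domains

# Minimal confusables table (Cyrillic -> visually identical Latin). A real
# deployment would load the full Unicode confusables.txt data instead.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
})

def to_punycode(host: str) -> str:
    """ASCII ('xn--') form that DNS actually resolves; the part the browser hides."""
    return host.encode("idna").decode("ascii")

def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c).split()[0] for c in label if c.isalpha()}

def assess(host: str) -> dict:
    """Flag a hostname whose visible form could impersonate a protected brand."""
    host = host.lower()
    labels = host.split(".")
    # Mixing scripts inside one label is rare in legitimate names and common in lookalikes.
    mixed = any(len(scripts_in(lbl)) > 1 for lbl in labels)
    skeleton = host.translate(CONFUSABLES)  # roughly what a human *sees*
    impersonates = skeleton in PROTECTED_BRANDS and host not in PROTECTED_BRANDS
    return {
        "punycode": to_punycode(host),
        "mixed_scripts": mixed,
        "looks_like": skeleton if impersonates else None,
        "suspicious": mixed or impersonates,
    }

if __name__ == "__main__":
    for h in ("amazon.com", LOOKALIKE):
        print(h, "->", assess(h))
```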
- Cyber-criminals can get secure domain names, with the padlock icon and “https” addresses
When you’re using a website to sign into an account or make a transaction, look for a padlock symbol and a URL that begins “https” instead of “http.” The “s” stands for secure: the site has presented a certificate for that domain name and your connection to it is encrypted. It does not tell you who is behind the domain.
However, it’s now possible for any domain owner to obtain that certificate from free services, which means cyber-thieves can register domain names that show the padlock symbol and “https” at the beginning of their URL just like legitimate sites do.
The ability for cyber-thieves to certify websites is frightening. Thousands of COVID-19-related domains were registered each day as the pandemic ramped up. Many may be legitimate or at least not harmful – but some have certainly fueled the wave of phishing attacks that exploit pandemic fears.
Protect your reputation: Educate your staff and clients
The worst thing a phishing attack can do to a wealth management firm is wreck your reputation.
With a successful phishing attack on your IT network, hackers can make your firm the platform to launch phishing attacks against your clients, vendors, contractors, and other associates.
Train your employees to recognize phishing attacks, and tell your clients and other key contacts what your firm will and will not ask them to do via email, text, etc., such as:
- We won’t email or text you a link to change your investment portal login ID/password.
- We won’t email you with a request to return the email with any sensitive financial information.
- We won’t email/text instructions for changing the method or account number for transferring funds to our firm.
Encourage clients to follow up on any suspicious communication that appears to be from your firm and get verbal confirmation from their representative. In a remote services world, a quick conversation is phishing’s biggest enemy.
Reid Johnston is founder and CEO of TechGen, a Minneapolis-based managed IT services provider specializing in cybersecurity for small- to medium-sized financial services companies.