Video
Cappuccino Chat - Episode 27 - The Dangers of Phishing
Published June 5, 2021
About This Video
Phishing attacks are on the rise. In this episode I go over the 2020 FBI Report and give you some tips to protect yourself and your business from phishing.
https://www.southwest-networks.com
https://www.southwest-networks.com/cappchat
Southwest Networks, Inc.
73-700 Dinah Shore Drive, Suite 404
Palm Desert, CA 92211
760-770-5200
Full Transcript
Auto-generated from the video's captions. Minor transcription errors may exist.
Welcome back to another episode of Cappuccino Chat. This time we're talking about phishing attacks and how they're dangerous to both you and your business.
All right, so we're talking about phishing attacks today, but not the kind I'd like to be talking about. So I'm not talking about, you know, the big fish that got away; I'm more talking about phishing as in "ph", uh, as in email attacks. So this is where criminals and the like will send you an email trying to get you to give them some kind of information, give up some kind of information, click a link, respond, so on and so forth. So I'm going to be using today the 2020 FBI report about just some of the different cyber crimes, and showing you what they say about phishing attacks and why they're so dangerous, and then at the end I'm going to go over a couple things we can do to protect ourselves from these types of attacks.
Okay, so here we have the FBI report from 2020 showing the top five crime type comparisons for the last five years. Now, as you can see, here's the different colors for the years. Over here, under phishing, vishing, smishing, they got all sorts of different words. Don't worry about these words; they're all kind of basically the same. Some are via email, some are via phone call. This is the number for 2020: 241,342. Now, one thing to remember: these are the reported ones to the FBI. So I'm sure none of you have gone out there and reported any of these kinds of crimes to the FBI, so if none of us have, just imagine how many else out there don't. These are just the ones that make it to the FBI. 19,000 to 241,000: so from 2016 to 2020 we started at 19,465 and we are now up to 241,000. So you'll see we had this big jump from 2018 to 2019, and again from 2019 to 2020.
A lot of this was caused because of the pandemic, and they're taking advantage of people being at home and, um, you know, falling for these kinds of things. Now, one thing to keep in mind is not only did we have these number of attacks, but we also had similar attacks, and how are these getting through? So let's take a look.
So inside the FBI report, on page 14, it's more talking about ransomware, but this is where they really talk about the email phishing campaigns, and they kind of describe it as: the cyber criminal sends an email containing a malicious file or link, which deploys malware when clicked by a recipient. So they're putting this under ransomware because a lot of times that's what they are doing: they're getting you to do something to give them permission to get onto your computer. Once they're on your computer, they will steal your data and then eventually release the ransomware. Things are changing with this a lot from what we're seeing as well. So what we're seeing is not only are they taking over your computer, they're also getting into your email and going after all your contacts. So they're expanding their reach; they're using all of us to reach more people. So when people say "I'm too small, no one's trying to get my, um, data or attack me," you're correct, they're not specifically going to, but when they find you they are going to take advantage and try to get you to do something, uh, for them, to now become one of their attack victims. So they're getting in, they're releasing this, and going from there. So this can be very bad. One, they're getting ahold of your data once they're getting on your machine. Two, they're using you, and they may even hijack your email account, which is actually, I called another acronym and I apologize for that, we like to do that in the industry, they're called BEC attacks, and it's business email compromise attacks. So this is where they're going to actually take over your email account, not just spoof your email address or your name and
say it's from you when it's really not from you. This is where they're actually going to take over your Office 365 or Google account and actually send out email from you, and then read your email, make it so that you don't know that you got new email. They're very sneaky. That's why two-factor authentication for your email is now a must. Let me repeat that: two-factor authentication for your email is now a must. It will stop a lot of these attacks, and most of these attacks, from happening where they take over your email account and then spread to others. Now, back to phishing. What we're gonna see here next is the amount of money involved in taking this over, so let's take a look at that next.
Okay, so here what we're seeing is, for phishing/vishing in 2020, the loss that was reported, of just those cases that were reported to the FBI, was over 54 million. Now, if we take and add in the BEC attacks: 1.8 billion. So that is a lot of money just through email attacks, so it's very important to protect your email. Again, I'm going to repeat it: two-factor authentication is a must for your email. Nowadays it's not enough just to have, you know, basic antivirus and things on your computer; you need to have additional protections. Now, do let me show you another highlight, by state.
So what you can see here is top highlights from states, um, and unfortunately we're here in California, you're going to see that we're at the top tier. So for some reason California, well, and Florida in this case, are the top states by the number of victims, so we had 39,000 plus. But as you'll notice, only California for the high dollar amount for the losses, right? So California, there's something about California where we seem to be under attack more than other states, um, as far as at least that's being reported by the FBI. So we need to be careful. So let's get into some different things that we can do to protect ourselves.
All right, so to protect ourselves, first, some of the basic stuff that we can do is just educate. So we want to make sure we
talk to our employees and just educate them on email etiquette, if you will. Now, there is also some very good online training that can be done; we offer that to our clients, if you're interested please reach out. But otherwise, some basic education, just meeting with your employees periodically to go over and let them know how to spot these different things. Again, let them know: hey, if you ever get a request for a wire transfer, we don't do wire transfers, you kind of know it's fake. If you get a request for purchasing gift cards or anything like that and sending those out, we don't do those kinds of things, you're gonna know it's a fake. Um, how to spot a fake email, right? So hover over the link in your email, and at the bottom of the email, kind of like in the very bottom ribbon, if you will, of that email message, it'll actually show you what the link points to. If it doesn't match what they're doing, then it's redirecting you somewhere; you need to be very careful with those.
Um, another thing you can let your employees know is, um, again, be careful when you're clicking on different links, kind of spot things from different people. So for instance, if you get an email from, let's say, me, right, saying "Hey, check out this funny cat video online, I thought you'd get a, you know, kick out of watching it." Well, if you know me, you're going to know that I'm not going to send you a funny cat video. So anything that seems out of ordinary, even the way somebody writes an email or just kind of speaks within the email, if it seems out of character, it probably is. So what I recommend you do in those cases is don't reply to that email. One thing you can do is start a new email if you want, but if they are a victim of that BEC attack, so that business email compromise, they have control of the email. So this happened once to a client of ours, and I responded by opening a brand new email saying "Hey, is this really something you meant to send me?" and they replied back "Yes, you just need to open it, it is from me," which was
very out of character for this person that that happened on. So I immediately then picked up the phone and called them, and lo and behold, yes, their account was compromised; they got in and took over their account. So that's the other thing you can do: always pick up the phone and call the person. They may not know it yet. Don't assume that "oh, it's a fake email, I know it's a fake even though it says it's coming from my friend, I'm sure somebody else told them." Always let them know, pick up the phone, let them know, so that they can get that under control before it causes more damage.
All right, so number one was education. Number two is putting on some additional controls to your email, so some filters. So we basically all have some kind of basic spam filter built in. Office 365 has one. They're all pretty good; they're not the greatest for certain types of attacks. You can add on third party, or even into, for instance, Microsoft Office 365, they call it their Advanced Threat Protection. These are some additional layers to kind of search through and watch for different things. So that's another piece you can do to protect yourself. But the best bang for the buck is educating your employees on how to spot these things and just lay out some ground rules: hey, I'm never going to ask you to wire transfer any money on behalf of the company, I'm never going to ask you to send gift cards, don't, you know, watch out for these kinds of emails and things like that. That's the best kind of education you can have, is just talking to your employees about stuff. We probably all periodically train our employees on different core applications that we use and how to use them, and when a new update comes out we get training, but how often do we talk to them about cyber security and making sure they understand what they should and shouldn't do? Don't make the mistake of thinking that your employees are highly intelligent, which I'm sure they are, but that they'll never fall for any of these kind of scams. These scams are
getting very good. These guys are buying up fake domains that look almost identical to the real thing. For instance, Lowe's, right, the hardware store, with a hardware person, like Home Depot, spelled with an l-o-w-e-s. Well, imagine you can buy the domain name lowes.com but spelled with a 1 instead of an l. First glance, it's going to look just like that lowercase l if somebody sent the link. But now I can get them to come in; they designed the website to look identical to the Lowe's site, and you would not know it's not that site. So this is happening for banking websites and the such. They're buying fake domains that look almost identical if you were to just glance at it. We're all super busy in our day; when it comes time for certain things we're just going to be like "okay, perfect, I'm going to click here, take care of it." Or during the holidays, if I sent you an Amazon email saying "Hey, your package, there's an issue with your package, it's not going to be delivered in time unless you click here and verify your account." Middle of the holidays, everyone's busy, stressed out with getting stuff, we're going to click that link. Be careful.
All right, as always, if you have any questions on this, like more information, please feel free to reach out to us.