Spam and Phishing: How to Protect Yourself!

Two very scary SPAM / Phishing facts to consider when trying to protect your company or yourself.

    1. The daily average number of emails sent in July 2020 was about 410 BILLION! Of all of these emails, only about 15%, or about 62 billion, are legitimate emails. The rest (about 348 BILLION) are SPAM. This represents about 2.4 trillion spam emails being sent every week. (Source: Cisco Talos intelligence – July 2020 report.)
    2. According to RSA’s Quarterly Fraud Report for Q1, 66% of the world's phishing attacks are aimed at Canada. Phishing is an attack that attempts to steal your money, or your identity, by getting you to reveal personal information. This represents about 1.5 trillion phishing attacks being aimed at Canadians every week. The next closest country being attacked is the United States, with only 7% of the world's phishing attacks.

Phishing remains the go-to weapon of choice for fraudsters, accounting for nearly 55 per cent of all cyberattacks observed by the Dell Technologies – RSA subsidiary. The United States continues to be the top hosting country for the source of phishing attacks, accounting for almost 60 per cent of ISPs hosting these types of attacks, according to the report. US citizens represent about 10% of the global criminal spammers sending spam, followed by Australia, Japan, France, Germany, China and Canada coming in at 8.5% of the global spam originators (together these countries represent 61% of all spam). Countries such as China, Iran, North Korea and Russia are putting out some of the most sophisticated attacks, with many of those attacks being government sponsored.

Why are Canadians the number one choice for attacks? It may be because of our close proximity to the US and the shared English language, which makes it easy to write a phishing email. Our close proximity also makes it easier to make us think that an e-mail is legit since it is coming from the US. But probably the number one reason is that Canada is a rich country. We are in the top 10 richest nations on a per-capita basis. We also have a very large number of small and medium-sized businesses, which typically have their guard down, making them a perfect target for criminals. We are also known to be a trusting, rule-following nation with a big heart, which makes “sob story” or “quick, open this invoice” type spam easy.

Covid-19 also has not helped. Protecting at-home workers is proving more difficult, and Canada’s research into possible Covid-19 solutions is a prime target for criminals these days. It will be interesting to see how these attacks evolve over time.

The other attack vector that is showing growth is mobile devices. We are seeing an uptick in new mobile apps that are fraudulent or that take over the brand of a company to seem legit. These types of attacks have doubled from 2019 and represent 16% of all mobile phishing attacks.

You can significantly reduce the chance of falling victim to phishing attacks by being sensible and smart while browsing online and checking your emails. Here are some simple rules to lower your chance of becoming a statistic.

Do not interact with unsolicited e-mails!
Be wary of emails asking for confidential information – especially if they ask for personal details or banking information. Legitimate organizations, including Revenue Canada and especially your bank, will never request sensitive information via email.

Watch out for shortened links!
You should pay particularly close attention to shortened links, especially on social media (Facebook, SMS text messages, etc.). Cybercriminals often use these – from Bitly, Tinyurl and other shortening services – to trick you into thinking you are clicking a legitimate link, when in fact you are being directed to a fake site. (They may look like: https://tinyurl.com/yxkt9hth.) Cybercriminals may use these ‘fake’ sites to steal the personal details you enter or to carry out a drive-by-download attack, thus infecting your device with malware.
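
As an added example (not part of the original article), here is one way a mail filter or help desk script could pick shortened links out of a message so they can be expanded and inspected before anyone clicks them. The shortener list contains only the two services named above, and the sample message is constructed.

```python
import re
from urllib.parse import urlsplit

# Shortener hosts: bit.ly and tinyurl.com are the services named in the
# article; extending the set with others is left to the reader (assumption).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}

# Stop a URL at whitespace, quotes, angle brackets or a closing parenthesis.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def find_shortened_links(text):
    """Return the URLs in `text` whose host is a known link shortener."""
    flagged = []
    for match in URL_RE.finditer(text):
        # Sentence punctuation glued to the end of a link is not part of it.
        url = match.group(0).rstrip(".,;:!?")
        host = (urlsplit(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        # Exact host match only: "tinyurl.com.example.net" is a different
        # site and must not be treated as the shortener itself.
        if host in SHORTENER_HOSTS:
            flagged.append(url)
    return flagged


# Constructed sample message (not a real email).
SAMPLE = (
    "Your parcel is waiting (https://tinyurl.com/yxkt9hth).\n"
    "Track it at HTTP://WWW.Bit.ly/abc123 or see https://www.example.com/help.\n"
    "Mirror: https://tinyurl.com.example.net/login"
)

if __name__ == "__main__":
    for link in find_shortened_links(SAMPLE):
        print("shortened link, expand before visiting:", link)
```

A flagged link is not proof of phishing; it only means the real destination is hidden and should be checked first.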

Does that email look suspicious? Read it again before opening it.
Plenty of phishing emails are fairly obvious. They will be punctuated with plenty of typos, words in capitals and exclamation marks. They may also have an impersonal greeting – think of those ‘Dear Customer’ or ‘Dear Sir/Madam’ salutations – or feature implausible and generally surprising content. Cybercriminals will often make mistakes in these emails … sometimes even intentionally to get past spam filters, improve responses and weed out the ‘smart’ recipients who won’t fall for the con. Indeed, it has been rumored that China’s infamous PLA Unit 61398 spends time seeing just how many people would open and interact with their worst phishing emails.

Be wary of threats and urgent deadlines!
Police and Revenue Canada will not call you to warn you that they are coming to pick you up. Revenue Canada will not send you an email to say you owe them money! Therefore do not fall for these obvious scare tactics. Sometimes a reputable company does need you to do something urgently. For example, in 2014, eBay asked its customers to change their passwords quickly after its data breach. However, this is an exception to the rule; usually, threats and urgency – especially if coming from what claims to be a legitimate company – are a sign of phishing. Some of these threats may include notices about a fine, or advising you to do something to stop your account from being closed. Ignore the scare tactics and contact the company separately via a known and trusted channel, not the link in the email.

Browse securely with HTTPS
You should always, where possible, use a secure website (indicated by https:// and a security “lock” icon in the browser’s address bar) to browse, and especially when submitting sensitive information online, such as credit card details. You should never use public, unsecured Wi-Fi for banking, shopping or entering personal information online. Public Wi-Fi networks are always monitored by criminals looking for easy prey.

Use a different password for each web service.
Credential stuffing is a type of cyberattack where stolen account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords, are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. This is the technique used on August 14th, 2020 to compromise Revenue Canada business and personal accounts. The attackers got a list of stolen usernames and passwords and just kept trying them on the Revenue Canada web site until some worked. Getting access to 5,500 accounts takes time, but criminals are persistent. Be smart and never use the same username and password for all of the web accounts you have.
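
For a business running its own login page, the pattern described above is visible in the authentication log: one source trying many different accounts and mostly failing. The following is an added example, not from the original article; the log format, the sample lines and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2020-08-14T10:00:01Z 203.0.113.7 alice FAIL
2020-08-14T10:00:02Z 203.0.113.7 bob FAIL
2020-08-14T10:00:03Z 203.0.113.7 carol OK
2020-08-14T10:00:04Z 203.0.113.7 dave FAIL
2020-08-14T10:00:05Z 203.0.113.7 erin FAIL
2020-08-14T10:01:10Z 198.51.100.4 frank FAIL
2020-08-14T10:01:30Z 198.51.100.4 frank FAIL
2020-08-14T10:01:55Z 198.51.100.4 frank OK
malformed line
"""


def detect_credential_stuffing(log_text, min_users=4, min_fail_ratio=0.6):
    """Flag sources that try many different accounts and mostly fail.

    Returns {ip: sorted list of accounts that logged in OK from that source},
    i.e. the accounts whose passwords should be reset.
    Thresholds are illustrative assumptions, not recommended values.
    """
    users = defaultdict(set)   # ip -> distinct usernames attempted
    fails = defaultdict(int)   # ip -> failed attempts
    total = defaultdict(int)   # ip -> all attempts
    hits = defaultdict(set)    # ip -> usernames with a successful login
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] not in ("OK", "FAIL"):
            continue           # skip lines that do not parse
        _, ip, user, result = fields
        users[ip].add(user)
        total[ip] += 1
        if result == "FAIL":
            fails[ip] += 1
        else:
            hits[ip].add(user)
    return {
        ip: sorted(hits[ip])
        for ip in users
        if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio
    }


if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, "looks like credential stuffing; reset:", accounts)
```

The single user who mistypes a password twice is not flagged, because only one account is involved. Counting per source is one signal only, so it is best combined with site-wide failure rates.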

Stay safe by being vigilant, and if it sounds fishy or too good to be true, it is probably somebody who wants to separate you from your money.

There are many more ways to protect yourself and your business. To better protect your organization, contact Accra Solutions Inc at 1-888-321-0441 ext 200.