Fish can be scary as hell.
We wrote about phishing back in April, warning you of an explosion of COVID-related scams. As you may subconsciously recall, I included my preferred reminder that fish are scary. This fish reminds me of the summer I was ten and discovered that the pike in Northern Minnesota have teeth. I kept falling off my water skis (just not my sport), and, thinking of those teeth, swimming after the boat. My friend’s mom, who was also my religion teacher, yelled for me to stay put, and while I could never yell the “HELL NO!” I felt in my bones, I must have embodied it. I don’t know if that experience can be solely credited with my fear of water, but, if you’re like me, don’t google “scary fish” unless blobs with teeth, more teeth, and human teeth won't stop you from ever swimming again.
New phishing techniques are scary, too.
While, yes, COVID phishing continues to proliferate, there are other terrifying changes afoot, too. First, don’t forget that phishing takes lots of forms - smishing (by text message), whaling (aimed at executives), spear phishing (aimed at one specific person), catfishing (a fake persona). Nine out of ten security professionals see phishing (and ransomware, which often starts with a phishing attack) as the biggest security threats to their company. Phishing is the most common attack on nonprofits, which have the highest percentage of “phish-prone” employees among large organizations. Phishing will very likely affect our presidential elections this fall.
We typically teach you to look out for mismatched links, i.e., that the hover-over link doesn’t match what’s been typed out and linked to (see below for example). Well, that is no longer enough. Attackers have started using Google Drive and Microsoft Azure to host the documents and login pages for their phishing campaigns, which disguises the lure even from the “security-savvy,” according to new research. The bait may be a PowerPoint presentation or a fake login page; it looks legit because the link really does go to Google’s or Microsoft’s domain, served with a valid certificate. The only malicious thing is the content somebody uploaded there.
Unfortunately, this also makes automated phishing detection less reliable. If a filter relies on lists of known phishing URLs, suspicious-looking domains, or expired or missing security certificates, it inherently can’t flag a lure hosted on a legitimate platform: the domain has a good reputation and the certificate is valid, so every one of those checks passes. Likewise, IT departments will struggle to see when employees fall prey to these schemes, because traffic to Google Drive or Azure looks like any other day’s traffic.
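To make the failure mode concrete, here is a small link-triage script. It is an added example written for this post, not code from the research mentioned above or from any vendor's filter. It runs the two classic checks (hover-text mismatch and a blocklist of known-bad hosts) over a few constructed links, shows that a Drive- or Azure-hosted lure sails through both, and then adds the check that actually helps: treating a link to a service that hosts anyone's uploads as "needs review" rather than "trusted" just because the domain is reputable. The blocklist entries, the Drive file ID, and the Azure storage account name are all made up; the service hostnames (drive.google.com, *.blob.core.windows.net, *.web.core.windows.net) are real endpoints, but the decision to flag them is this example's own policy.

```python
from urllib.parse import urlparse

# Constructed sample blocklist (reserved .test TLD, not real phishing domains).
# Stands in for the "sets of known phishing URLs" a mail filter might consult.
KNOWN_BAD_HOSTS = {"login-verify-example.test", "secure-update-example.test"}

# Services that host arbitrary user-uploaded content. The *domain* is legitimate,
# but the domain tells you nothing about who uploaded the file behind the link.
# Entries starting with "." match any subdomain; others match exactly.
USER_CONTENT_HOSTS = (
    "drive.google.com",
    "docs.google.com",
    ".blob.core.windows.net",   # Azure Blob Storage
    ".web.core.windows.net",    # Azure static website hosting
)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if the string has none."""
    return (urlparse(url).hostname or "").lower()


def is_mismatched(display_text: str, href: str) -> bool:
    """The hover-over check: the visible text looks like a URL but points elsewhere."""
    shown = display_text.strip()
    if not shown.startswith(("http://", "https://")):
        return False  # link text like "Open document" can't mismatch anything
    return host_of(shown) != host_of(href)


def on_blocklist(href: str, blocklist=KNOWN_BAD_HOSTS) -> bool:
    """Reputation-style check: is the destination host already known to be bad?"""
    return host_of(href) in blocklist


def is_user_content_host(href: str) -> bool:
    """True when the link lands on a service that hosts anyone's uploads."""
    host = host_of(href)
    return any(
        host.endswith(h) if h.startswith(".") else host == h
        for h in USER_CONTENT_HOSTS
    )


def triage(display_text: str, href: str) -> str:
    """Return 'block', 'review', or 'allow' for one hyperlink."""
    if is_mismatched(display_text, href) or on_blocklist(href):
        return "block"
    if is_user_content_host(href):
        # Valid domain, valid certificate, unknown uploader: a human should look.
        return "review"
    return "allow"


# Constructed sample links, as (visible text, actual href).
SAMPLE_LINKS = [
    ("https://www.example.com/invoice", "https://login-verify-example.test/inv"),
    ("Open the shared document", "https://drive.google.com/file/d/CONSTRUCTED-ID/view"),
    ("Sign in to review", "https://constructedacct.blob.core.windows.net/pub/login.html"),
    ("https://www.example.com/newsletter", "https://www.example.com/newsletter"),
]


def run_samples():
    """Classify the sample links; returns [(href, verdict), ...]."""
    return [(href, triage(text, href)) for text, href in SAMPLE_LINKS]


if __name__ == "__main__":
    for href, verdict in run_samples():
        print(f"{verdict:6}  {href}")
```

Note what the second and third samples show: the Drive and Azure links pass the mismatch check (the text is just words) and the blocklist check (the host is Google's or Microsoft's), so a filter built only on those signals labels them clean. The "review" verdict is the honest answer: the platform is trustworthy, the file is not yet.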
Two things you can do to help you sleep better at night (and not with the fishes!):
Add 2FA to all your accounts: This way, even if your username and password get phished, an attacker still can't get into your email, bank, G Suite, and other accounts - which, let's be honest, are your life databases. Twofactorauth.org lists the numerous sites that allow for 2FA, with site-specific setup guides. One caveat: a code sent by text message or shown in an authenticator app can still be relayed by a phishing page that proxies the real login in real time, so where a site supports a hardware security key, that is the stronger choice. Two-factor has become much easier to use, but let us know if we can help.
Set up regular backups on all your devices: Nothing allows me to breathe easier than knowing if I drop my phone, smash my backpack, click on something, or just do something else dumb, I’ve got backups of everything waiting to be re-downloaded. There are lots of options for backups depending on the kinds of devices you use, but as an Apple co-dependent, I use iCloud for my phone and SpiderOakONE for my computer. At $3 and $6 a month, respectively, these may be on the high end of some folks' budgets. You can use Google Drive if you are a little more cost-conscious; unfortunately, you still have to trade off Google having access to your data. Whichever you pick, make sure it keeps older versions of your files: a backup that simply mirrors your drive will faithfully copy the encrypted files if ransomware gets in, leaving you with no good copy to restore.
If you’re in immediate crisis, obviously don’t bother with these steps until it’s passed. Have a look at our phishing training for your crisis steps; feel free to download and keep it on hand.