
Cybersecurity Podcast: Phishing 101

How well do you know the latest tricks that today’s scammers are using? 

How about spear phishing? Whaling? Deceptive phishing? Vishing? Smishing? Pharming? 

In order to keep up with high-tech scammers, you should keep up with constantly evolving high-tech scams. 

In this podcast, we provide listeners with a few key tips and tricks on identifying scammers in everyday communications. 

 

Cybersecurity: Phishing 101

August 8, 2022 · 15mins

Hello and welcome to another podcast regarding cyber liability. I’m one of the hosts, Terry O’Connor, with O’Connor Insurance Associates here in Charlotte, North Carolina. And today I’m again with Bill Hammelman with CCP Technologies.

And Bill, how are you doing today? Yeah, I’m doing great. Hi, Terry. Great to be with you again. How are you doing today? I’m doing great. It’s been an exciting week. There’s a lot of things going on in the cyber liability world, as you know, and today I think we’re going to get right into it and we’re going to talk about you and I gone fishing.

I mean, maybe not fishing in the sense of line and pole, but some other types of phishing with cyber liability. So there are lots of phishing scams that are going on right now. And what have you been seeing or have you heard of anything that’s been going on in regards to any type of phishing scam that you’ve seen come up lately?

Yeah, it’s the summer of phishing for sure, Terry. I think people are hearing about phishing all the time. They’re hearing about receiving emails. It looks like it’s from the help desk. It looks like it’s from Microsoft.

They’re asking you for your credentials. It seems like phishing is everywhere. There are interesting trends happening right now in phishing, and I want to talk about one of those today because it’s sort of near and dear to my heart, because at CCP, we went through an attack just this last week which was very interesting, and it indicates one of these new trends in phishing.

There’s a rising number of spear phishing attacks that are targeting brand new employees to organizations. And so I want to talk about that here kind of momentarily, but maybe we should set the stage first and just kind of talk about what the different types of phishing are. Terry, do you think maybe that’s a good place for us to start?

Yeah, absolutely. So from what I understand right now, in the cyber liability world, there’s about six different types of spear scams or phishing scams. Excuse me. If we go down the list real quick, we have deceptive phishing.

Spear phishing, whaling, vishing, smishing, and pharming. So they’re all plays on words, I think, dealing with the cyber stuff. So I think in your area, Bill, from what I understand, you are more in the spear phishing situation.

So let’s go ahead and talk about that real quick. Yeah, I know they’re all plays on words, but the bottom line is you, me, everybody, we’re the fish. The hook is being set for us. Our quick story, and I’ve actually seen this among many of our clients as well, but at home with us last week, brand new employees are joining organizations.

They’re doing things like announcing on LinkedIn, hey, hurray, I’m joining this new company. I can’t wait to join CCP Technologies. There’s a very common group of scammers out there that are monitoring LinkedIn.

They’re monitoring Facebook. They’re looking for people who are changing companies. And they’re doing a little bit of research to figure out where they’re going, what maybe their email address might be.

And they’re sending that brand new person a welcome email from the CEO of the company, from the president of the company, from somebody, maybe in HR. Hey, welcome. By the way, there’s something to talk to you about before your first day or within your first couple of days.

Can you send me your phone number? I’m going to send you a quick text message. And they establish this connection with this brand new employee in the first day or two. They want to impress the new company, and they’re happy to kind of jump to answer some of these questions.

Yeah, that’s very interesting. I’ve seen this on many of our clients, and we successfully fended off our own attack this last week where an employee literally before their first day of work, they had an email waiting for them from a Gmail account, but it said it was from me welcoming this new employee to our company.

Oh, my goodness. You know, and you think about it, you’re a new employee. You just got your new gig. You’re all excited like you said, you know, you announce it to everybody. You want to do the best job you can for your new employer, and here they are, you know, shooting you something, asking you to do something for them.

Hey, I need it right away. And what do you do? And hopefully you have no training yet regarding any type of cyber protection from the organization. You’re just getting started. And it’s brilliant from the fishermen out there who are actually targeting these people because they really are the most susceptible to this type of attack because of the lack of knowledge that they may have and how to handle that specific situation.

So let’s talk about that a little bit before we get into some of these other ones real quick. Bill, when you start with a new organization, let’s say like an organization that hires CCP on, tell us a little bit about the training set up that you might do that you can give these people on how to catch this kind of stuff.

Absolutely, Terry. So training your folks is always the first line of defense. There are a lot of sophisticated tools out there. As you can imagine, a company like mine has those tools in place. Inevitably, these attacks still make it through.

So training is the number one thing you can do. A best practice is that your folks must take their information assurance awareness training before they get access to any sensitive accounts. Maybe you give them access to email, you don’t give them access to data, you don’t give them access to any client files until they’ve passed the security training.

Security training we give is going to focus very highly on things like phishing attacks. It’s going to focus very highly on being suspicious, knowing how to identify these attacks. And really, if your folks are being vigilant when these things come in, and this is what happened in our case, they say this doesn’t seem quite right, that is going to stop the attack in its tracks.

That’s very great. And I know you’re different when it comes to a computer tech company because a lot of computer techs are solo person or maybe one or two people. They know how to come hook up your computers and run a peer to peer network and maybe add some software, but you actually have a whole module and things that you can help these companies train with.

And I think that’s what’s really special. And people that are looking for companies like ourselves should be bringing those types of companies on to help them with these types of things because it’s a really serious matter lately, especially in the insurance world.

We’ve been seeing premiums quadruple from last year to this year because of the number of cyber claims that we’ve been having. And you know, sure you might have insurance to pay for it, but what a mess that you have to deal with anytime you file a claim.

I don’t know if you think about the last time you filed an auto claim and all the stuff you had to go through to get that taken care of from a rental car and get it to the body shop and just the angst of all that, well, it’s the same thing that happens on a cyber attack.

You may not have your computer system, you may not have access to your accounts. There’s all types of things that you’re going to go through and you’re going to have the insurance to maybe handle that and it’s going to be beneficial to have insurance to help you.

But it’s the process and you need to have a good tech company and an insurance agent who can help you understand the process to walk through when something like this does happen and it causes something to shut down.

Wouldn’t you agree, Bill? I would absolutely agree. They say an ounce of protection is worth a pound of cure and that is never more true than in these cases. You want to have someone on your side who’s going to help you be prepared to defend your network, to educate your folks.

You want to have an insurance expert who can tell you what sort of protection you need so you have at your disposal experts who can swoop in and help you triage and minimize the damage of an attack.

And you certainly, if you do fall prey to any of these attacks, you want to have the ability to recover as quickly as possible, whether that’s from a technological perspective or from a financial perspective, most likely both.

You want to be able to move quickly. And so having good partners at your side who can advise you on how to do those things quickly, what you should do first, what you should do second, and holding your hands through that process, there’s probably nothing more critical than that if you do suffer an attack.

Yes, sir, I agree. So let’s wrap this up today because we want this to be short and sweet for our people listening. The spear phishing is probably one of the most popular ones on the list there, Bill, of different types of phishing scams.

What do you think the next most important one is that you’ve been seeing? Out of the six we kind of mentioned? Yeah, spear phishing certainly seems to be the most kind of trendy attack right now. That’s the type where they’re impersonating you and they’re targeting a specific person.

Beyond that attack, you’re most likely to see those more generalized attacks that it might look like it’s from UPS. Your package has been delivered. Click on this link. We see those every day. When we do training, when we do phishing simulation, we generally train on those types of emails because most likely you’re going to catch three, four of those, maybe 90% of those.

I didn’t order anything from UPS today, but we find that inevitably someone’s going to click on that. You know, I do have a package out for delivery. They’re going to click on that. And so we do see that type of attack quite often as well.

Not quite as popular anymore. Vishing, which is kind of voice-based phishing, that’s when someone calls you and says, hey, I’m from your help desk, I need your password. I’ve seen that a little bit less.

But you do need to be wary that generally someone is never going to reach out to you asking for your credentials. Smishing, someone sending you a text message purporting to be someone you may know, asking you to click on a link, that is starting to become more prevalent.

The attack there is a little bit harder for the hackers to pull off, but as their technology evolves, I think you can expect to see more of those unwanted text attacks come in. And finally, the kind of the pharming, trying to get you onto a website that looks like a legit website.

It might look like a place where you normally shop online, but in fact is the attacker’s hosted website. That’s starting to become more and more prevalent as well. So what do you do to protect yourself?

First off, stay educated, stay ahead of it. You got to kind of know how the attacks are coming in in order to fight back against them. Make sure that you slow down a little bit, examine these messages.

If something doesn’t seem right, you want to dig in a little bit closer to the email you received. Often in the case of spear phishing, it might say it’s from your boss, but when you mouse over their name, you might see it’s actually from a Gmail account or something that doesn’t seem right.

That’s a great place to spend some time. Certainly you need to have antivirus software in place. It needs to be always updated. If you kind of meet the criteria, you should have an IT company who’s helping you maintain and patch all of your systems.

And finally, backing up your systems is of critical importance. Again, the attackers are kind of just playing a numbers game. At some point, the odds of there being a successful attack continue to go up and so having a strong backup in place so that you can recover, you can tell the ransom demand where they can put it and you can recover on your own and not have to deal with that scam moving forward.

Those are the key things. One thing that I think is really cool, and you mentioned this to me, and maybe this is something that we can offer to our viewers here. There’s some good documentation that’s available that walks through this a little bit more, is that right?

Yes, absolutely. A lot of the time my clients are asking for information about very specific cyber liability type stuff. We have a plethora of information that we can send out, but there’s actually going to be we’ll put a sheet out today with this podcast just dealing with phishing scams that kind of recap, again, kind of what we talked about today, and maybe help you determine whether you need to talk to someone like Bill or myself and helping you with your cyber liability exposure.

The one thing about cyber liability exposures is everybody has one. If you are online, send emails, look at emails, have text, you’ve got an exposure. How big your exposure is, that might be what’s different between company A and company B.

So it’s just a matter of figuring out what is my exposure, how do I cover it from an insurance perspective, and how do I utilize somebody like Bill to help come in and lock down my computers, make it safer for me to operate as a business without having some type of disruption.

Either a physical disruption with not having access to your computers, or absolute financial disruption with not getting access and loss of money. Bill, thanks again for your time today. I love doing these calls with you.

We are going to keep moving forward with some of these as time goes by, talking about different topics. But as you know, things change daily in these. So we’re trying to stay as hot as we can on the up and coming things as they happen.

So everybody that’s out there listening today, please stay tuned. Look for our podcast. We’ve been posting them out on all our social media accounts and we’re all both located right here in Charlotte.

If you ever need to reach out to us, please do so. Bill, you have anything to add before we close? No, I’ll just say, you know, it’s a pleasure doing these videos with you, Terry, and we’re happy to be putting the information out in the community.

And if any of our clients, friends, contacts, etc., have any questions, feel free to put them into the place where we post. Ask us to talk about any particular topics you’re interested in, and we’re happy to oblige you.

Looking forward to hearing from you. Awesome. Well, till next time. I want to say thanks to everybody listening. And you always remember, when fishing, the fish always looks bigger the closer it is to the camera.

Thanks, Terry. All right, have a good one, everybody. Hi, Bill. Thanks. Bye.

Full Video link: https://www.youtube.com/watch?v=6VUgxpbxFKg
To learn more about proper cyber hygiene, contact us.


Bill Hammelman

President at CCP Technologies - Information technology leader focused on delivering impactful technology support and modernization services for businesses.