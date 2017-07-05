Investigation by Home Depot, in cooperation with law enforcement and third-party IT security experts, found that hackers had used a third-party vendor’s username and password to enter Home Depot’s computer network. Once inside the network, the hackers installed custom-built malware on Home Depot’s self-checkout systems in the U.S. and Canada. In addition to the stolen personal and credit card data, separate files containing about 53 million email addresses were stolen.

Home Depot recovered, in part by offering affected customers free identity protection services and a year of credit monitoring, but a breach that starts with one stolen vendor password shows how exposed organizations, businesses, and individuals have become to phishing and other forms of credential theft. Just as disturbingly, it shows how sophisticated and patient attackers have become.

Online Phishing: What You Need to Know

Phishing is a form of social engineering that tricks people into handing over sensitive information, such as usernames, passwords, credit card details, and Social Security numbers, for malicious use.

Phishers pretend to be trustworthy entities, such as government agencies, banks, retailers, social media sites, auction sites, IT administrators, and online payment processors. They reach their targets through email, phone calls, and instant messaging. The end goal is to use the stolen usernames, passwords, and account or financial data to get into the victim's accounts and, from there, into the systems behind them.

Phishers most frequently work through email. The attacker poses as a trustworthy entity and sends carefully crafted messages to targets. Each message carries a link to what looks like the official website; in reality it is a look-alike site run by the attacker, often on a domain that differs from the real one by a single character or by an extra subdomain.

On the fake site the target is asked to enter account and personal information such as a username and password, credit card details, or bank account numbers. The site may also deliver malware, such as a Trojan horse, to the visitor's computer. A successful attack captures the target's information without the target noticing, because the fake site often forwards the visitor on to the real one afterwards.

As devious as hackers have become, there are ways for individuals and organizations to protect themselves from phishing scams.

For Organizations

1. Use a dedicated system for payment requests and approval processes.

To keep phishers away from the systems that process payments, organizations should consider running payment requests and approvals on dedicated systems. Those systems should have no email client or webmail access at all: if nobody reads mail on them, a malicious link or attachment cannot be opened there.

2. Use strong authentication mechanisms on all payment processing systems.

Strong authentication on all payment processing systems should replace or supplement username/password logins. Options include hardware tokens combined with a PIN, and biometrics such as fingerprint readers and face recognition. Note that not every second factor resists phishing: a one-time code typed into a fake site can be relayed to the real site within its validity window, and a push notification can be approved by a distracted user. Prefer authenticators that are bound to the legitimate site's origin, such as FIDO U2F/FIDO2 security keys, which sign a challenge tied to the real domain and produce nothing usable on a look-alike site.
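The difference between a relayable second factor and an origin-bound one is easier to see in code. The following is an added example, not code from the original article or from any vendor: both sides of each login are simulated in one process. TOTP follows RFC 6238 (HMAC-SHA1, 30-second steps). The "security key" is a deliberately simplified stand-in for a FIDO2/WebAuthn authenticator: it uses an HMAC with a per-credential secret instead of a public-key signature, but like the real thing it signs the server's challenge together with the origin the browser observed and the hash of the relying-party ID. Every secret, origin, and domain name below is constructed for the demonstration.

```python
"""Relayable vs. origin-bound second factors (added example, not from the article).

The "security key" is a simplified stand-in for a WebAuthn authenticator: an
HMAC replaces the public-key signature, but what gets signed (challenge, the
origin the browser saw, the rpId hash) matches the real protocol. All secrets,
origins and domains are constructed.
"""
import hashlib
import hmac
import json
import os
import struct
import time

REAL_ORIGIN = "https://bank.example"
REAL_RP_ID = "bank.example"
FAKE_ORIGIN = "https://bank-example.verify-now.net"   # the phishing site (constructed)

# ---- Second factor 1: a one-time code (TOTP, RFC 6238) ----------------------
TOTP_SECRET = b"constructed-shared-secret"

def totp(secret, t=None, step=30, digits=6):
    """RFC 6238 code for time t (seconds since the epoch; now if None)."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def bank_accepts_totp(code, t=None):
    return hmac.compare_digest(code, totp(TOTP_SECRET, t))

def phish_relay_totp(t=None):
    """Victim types the code into the fake site; the attacker forwards it to the
    real site inside the same 30-second window. The bank cannot tell."""
    code_typed_on_fake_site = totp(TOTP_SECRET, t)
    return bank_accepts_totp(code_typed_on_fake_site, t)

# ---- Second factor 2: an origin-bound authenticator (WebAuthn-style) ---------
CREDENTIAL_SECRET = b"constructed-credential-secret"   # never leaves the key

def authenticator_sign(challenge, origin_seen_by_browser, rp_id):
    """The browser supplies the page origin; the key signs over it."""
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser},
                             sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def browser_get_assertion(page_origin, requested_rp_id, challenge):
    """Browser-side scoping: a page may only use an rpId equal to its own host
    or a parent domain of it, so a look-alike site cannot ask for the bank's."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return None
    return authenticator_sign(challenge, page_origin, requested_rp_id)

def bank_verifies_assertion(assertion, expected_challenge):
    """Relying-party checks: challenge, origin, rpIdHash and signature must all match."""
    data = json.loads(assertion["client_data"])
    if data.get("challenge") != expected_challenge or data.get("origin") != REAL_ORIGIN:
        return False
    if assertion["auth_data"] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def legitimate_login():
    challenge = os.urandom(16).hex()
    assertion = browser_get_assertion(REAL_ORIGIN, REAL_RP_ID, challenge)
    return bank_verifies_assertion(assertion, challenge)

def phish_relay_assertion():
    """Attacker fetches a genuine challenge from the bank and hands it to the
    victim on the fake site. Both things the fake site can try fail."""
    challenge = os.urandom(16).hex()
    spoofed = browser_get_assertion(FAKE_ORIGIN, REAL_RP_ID, challenge)   # browser refuses
    own = browser_get_assertion(FAKE_ORIGIN, "bank-example.verify-now.net", challenge)
    return {
        "spoofed_rp_id": spoofed is not None and bank_verifies_assertion(spoofed, challenge),
        "own_rp_id": bank_verifies_assertion(own, challenge),   # origin and rpIdHash wrong
    }

if __name__ == "__main__":
    print("TOTP relayed through fake site accepted:", phish_relay_totp())
    print("Security key, legitimate login:", legitimate_login())
    print("Security key, relayed through fake site:", phish_relay_assertion())
```

The TOTP relay succeeds because the code carries no information about where it was typed. The origin-bound assertion fails twice over: the browser will not even produce one for the bank's rpId from the wrong page, and an assertion made under the fake site's own rpId names the wrong origin and the wrong rpIdHash when the bank checks it.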

3. Use anti-virus and anti-malware software.

Protect your organization's systems with anti-virus and anti-malware software, and keep the signature files and scanning engines up to date. Signature-based scanning will not catch every sample used in phishing campaigns, particularly custom-built or freshly repacked malware, but it still stops a large share of commodity malware, so it belongs in the stack as one layer rather than the only one. Individuals should safeguard their personal computers with such software as well.

4. Use reputation-based website, IP address, and URL filters.

Reputation-based website, IP address, and URL filters identify and block known-malicious destinations, which stops a phishing link from resolving even if a user clicks it. Cisco Web Reputation Technology is one such filter covering a broad range of URL-based threats. Protection can be tightened further by allowing only "white-list" access, so that users can reach only addresses that have been vetted as good. When building such a list, match on the full host name or a parent domain rather than on substrings, so that a trusted name embedded in an attacker's subdomain is not let through.
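The host-matching pitfall matters more than it looks, so here is the policy check written out. This is an added example, not the article's own material and not Cisco's product: a real deployment would pull its block-list from a reputation feed, whereas the allow-list, block-list, and test URLs below are all constructed.

```python
"""Allow-list URL policy with correct host matching (added example; not from the
article and not a vendor product). List entries and sample URLs are constructed.
"""
from urllib.parse import urlsplit

ALLOWED = {"payments.example.com", "bank.example"}   # exact host or parent domain
BLOCKED = {"verify-now.net"}                          # stand-in for a reputation feed
BLOCKED_IPS = {"203.0.113.9"}

def host_matches(host, pattern):
    """True if host is pattern itself or a subdomain of it. The leading dot is
    what keeps 'bank.example.attacker.org' and 'notbank.example' out."""
    return host == pattern or host.endswith("." + pattern)

def naive_matches(host, pattern):
    """The substring test seen in many first drafts; kept only to show the bug."""
    return pattern in host

def decide(url, allow_list_only=True, matcher=host_matches):
    """Return 'allow' or 'block'. Default-deny when the host is not on the allow-list."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname already discards any userinfo before '@'
    if parts.scheme not in ("http", "https") or not host:
        return "block"
    if host in BLOCKED_IPS or any(matcher(host, b) for b in BLOCKED):
        return "block"
    if any(matcher(host, a) for a in ALLOWED):
        return "allow"
    return "block" if allow_list_only else "allow"

SAMPLE_URLS = [  # constructed for the demonstration
    "https://payments.example.com/invoice/42",
    "https://login.bank.example/",
    "https://bank.example.attacker.org/login",      # trusted name as a subdomain
    "https://notbank.example/",                      # trusted name as a suffix
    "https://www.bank.example@203.0.113.9/update",   # userinfo trick, real host is the IP
    "ftp://bank.example/",
    "https://news.example.org/",
]

def evaluate(urls=SAMPLE_URLS, **kw):
    return {u: decide(u, **kw) for u in urls}

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{decide(url):5} (naive: {decide(url, matcher=naive_matches):5}) {url}")
```

Run side by side, the naive substring matcher lets both the subdomain trick and the suffix trick through as "allow", while the dot-boundary matcher blocks them; the userinfo URL is blocked either way only because `hostname` is used rather than the raw netloc.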

5. Limit access to payment processing systems from unsecured sources.

Consider restricting access to payment processing systems from mobile devices, home-office computers, and other endpoints outside the managed environment. Such devices are typically less well patched and monitored, which makes them easier for an attacker to compromise and then use as a foothold.

For Individuals

1. Use people search websites to monitor your personal information online.

People search websites such as MyLife.com compile publicly available information about individuals, including government records, financial information, social media posts, employment history, and other personal details.

Such services let users see which sites expose their private information and request its removal from the sites that publish it. Some also send alerts when your details turn up in a data breach. Knowing what is already public, and trimming it, reduces the raw material a phisher can use to make a message convincing, although it cannot by itself stop an attack.

2. Be wary of emails containing links.

As a general rule, do not open attachments or links in unsolicited emails, and treat every email containing a link with suspicion. If a message asks you to click a link, don't: open a new browser window and type the site's address yourself, or use a bookmark you saved earlier, and find the referenced page from there. If you are unsure whether a message is genuine, compare the text shown for the link with its actual destination (hover over it without clicking); a mismatch between the two is the classic phishing tell.
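The link checks above, and the fake "official" website described in the Online Phishing section, can be applied mechanically to a message before anyone clicks. The following is an added example, not code from the original article: it parses a constructed email, pulls every link out of the HTML body, and reports the tells a mail gateway or a careful reader looks for (visible text that names one site while the link goes to another, a trusted name buried in someone else's subdomain, punycode labels, raw IP addresses, and the userinfo "@" trick). The `registrable_domain` helper takes the last two labels of a host, which is adequate for the sample but an assumption; production code should use the Public Suffix List.

```python
"""Pick apart the links in a suspected phishing email (added example; not from
the original article). The message below is constructed; the checks are the
ones a mail gateway or a careful reader applies before clicking anything.
"""
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.net
Subject: Your account has been locked
Content-Type: text/html; charset=utf-8

<p>Please verify your details to restore access:</p>
<a href="http://secure-login.example-bank.com.verify-now.net/account">
  https://www.example-bank.com/login</a>
<p>Or use our <a href="https://xn--exmple-bank-xyz.com/reset">reset page</a>.</p>
<p>Still stuck? <a href="http://203.0.113.9/help">Contact support</a></p>
<p>Update now: <a href="https://www.example-bank.com@203.0.113.9/update">Update</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every anchor in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def registrable_domain(host):
    """Last two labels of the host. Adequate for the sample (assumption);
    production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyse_link(href, text, sender_domain):
    """Return a list of human-readable findings for one link (empty if clean)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    findings = []
    if "@" in parts.netloc:
        findings.append("userinfo '@' in URL; the real host is what follows the '@'")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append("raw IP address instead of a hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label, possible look-alike (homograph) domain")
    if registrable_domain(host) != registrable_domain(sender_domain):
        if sender_domain in host:
            findings.append(f"sender's domain {sender_domain} buried in a subdomain of "
                            f"{registrable_domain(host)}")
        else:
            findings.append(f"link domain {registrable_domain(host)} differs from "
                            f"sender domain {sender_domain}")
    if re.match(r"(https?://|www\.)", text, re.I):      # visible text looks like a URL
        shown = text if "://" in text else "http://" + text
        shown_host = (urlsplit(shown).hostname or "").lower()
        if registrable_domain(shown_host) != registrable_domain(host):
            findings.append(f"visible text shows {shown_host} but the link goes to {host}")
    return findings

def analyse_email(raw):
    """Return [(href, visible_text, findings)] for every link in the message."""
    msg = email.message_from_string(raw)
    sender_domain = email.utils.parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    parser = LinkExtractor()
    parser.feed(msg.get_payload())
    return [(href, text, analyse_link(href, text, sender_domain)) for href, text in parser.links]

if __name__ == "__main__":
    for href, text, findings in analyse_email(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if findings else "ok"
        print(f"[{status:10}] {text!r} -> {href}")
        for finding in findings:
            print("             -", finding)
```

On the sample, only the last link (same registrable domain as the sender, plain text label) comes back clean; the first link is the textbook case, with the bank's name both in the visible text and as a subdomain of an unrelated domain.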

3. Avoid unsecured computers and computer networks.

Unsecured computers and networks (cyber cafe machines, public Wi-Fi) are favourite hunting grounds for criminals, who intercept the data sent across them or leave malware on shared machines for the next user. Use your own secured Internet connection, or a reputable virtual private network (VPN) provider on networks you do not control, and never enter payment or account credentials on a computer you do not own.

Photo: Pixabay