At times, it feels as if we could start every week with this sentence:
“There’s a new tactic being used by cybercriminals to trick unsuspecting victims.”
And the sophistication level of the new tactics is off the charts. So, what are we dealing with as of late? Well, where should we start…
Hidden text is now becoming more commonplace as a tactic to bypass email security platforms. If you haven’t heard of this, here is a quick explanation:
Hidden text, also known as zero font, lets a malicious email bypass email security platforms by inserting invisible characters between the letters of the email's text; the technique is often used to make the message look legitimate.
The hacker has now established your trust with this seemingly legitimate email address: because you don’t see the hidden text, you believe the sender is who they seem to be. In a recent attack uncovered by Cofense, messages are being sent that appear to come from your company’s technical support team and, ultimately, its email service. An explanation follows about messages being unprocessed and in need of review. To put a sense of urgency on reviewing them, a time limit is set. “They appear to be legitimate but will be deleted if not reviewed within three days” – or some version of that.
As an employee, who may even be working remotely, you know the importance of doing your job well despite the circumstances, so you aren’t going to jeopardize anything by being careless. If you get a link from what appears to be an individual or department within your company, you click so you can get your job done. And you don’t stop there. You continue to click and enter your credentials on what appears to be your company page. But it isn’t. It is a page that has been created to replicate your company’s page nearly identically. And even has a fake login page that will continue to allow you to log in and navigate throughout the site which STILL contains additional false fronts.
How can you beat this system? Training. Ongoing training is the top way to keep your team educated on safe cyber practices. In this case, hovering over the sender’s email address might not have revealed anything – BUT hovering over the link that was there to ‘verify the messages’ would have shown it pointed to a false page. Imagine walking into a hotel room. You flip on every single switch to see what it does, what it turns on. You can think of email links in the same way. Hover over every single one to check that it is legitimate and where it actually leads.
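The two defensive checks described above (seeing through zero-font text, and comparing where a link says it goes with where it actually goes) can be automated on the mail-gateway side. The script below is an added illustration, not code from the original post or from Cofense: it parses a constructed HTML message body, drops any element styled with a zero font size or hidden display, and then compares the text a naive keyword scanner would see against the text a reader would see, while also flagging anchors whose visible URL host differs from the href host. The sample message, the keyword list and all host names are made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): zero-font spans break the brand
# keyword so a naive text scan never sees "Microsoft" whole, a display:none
# span pads the body, and the link text shows a different host than the href.
SAMPLE_EMAIL_HTML = """
<p>Mic<span style="font-size:0px">QZ</span>roso<span style="FONT-SIZE: 0">k</span>ft support<span style="display:none">[hidden filler]</span>: 3 unprocessed messages will be
deleted in three days.</p>
<p><a href="http://mail-review.example.net/login">https://outlook.example.com/review</a></p>
"""

# Inline styles that make an element invisible to the reader.
ZERO_FONT = re.compile(r"font-size\s*:\s*0(\.0+)?(px|pt|em|%)?\s*(;|$)", re.I)
HIDDEN = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)


class RenderAwareExtractor(HTMLParser):
    """Collects raw text, reader-visible text and (anchor text, href) pairs."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0    # > 0 while inside an invisible element
        self.raw_text = []       # everything a naive scanner would see
        self.visible_text = []   # only what the reader would see
        self.hidden_text = []    # characters removed by zero-font / hidden styles
        self.links = []          # (visible anchor text, href)
        self._anchor = None      # [href, text parts] while inside <a>
        self._stack = []         # (tag, was_hidden) for open elements

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        hidden = bool(ZERO_FONT.search(style) or HIDDEN.search(style))
        self._stack.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1
        if tag == "a":
            self._anchor = [attrs.get("href", ""), []]

    def handle_endtag(self, tag):
        # Pop to the matching open tag, undoing any hidden state on the way.
        while self._stack:
            open_tag, hidden = self._stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if open_tag == tag:
                break
        if tag == "a" and self._anchor:
            href, parts = self._anchor
            self.links.append(("".join(parts).strip(), href))
            self._anchor = None

    def handle_data(self, data):
        self.raw_text.append(data)
        if self.hidden_depth:
            self.hidden_text.append(data)
        else:
            self.visible_text.append(data)
            if self._anchor:
                self._anchor[1].append(data)


def normalize(text):
    """Collapse whitespace so raw and visible text compare cleanly."""
    return " ".join(text.split())


def host_of(value):
    """Hostname of a URL-looking string, or '' if it is not a URL."""
    value = value.strip()
    if "://" not in value:
        return ""
    return (urlparse(value).hostname or "").lower()


def scan(html, keywords):
    """Report hidden text, keywords a naive scanner would miss, and link mismatches."""
    parser = RenderAwareExtractor()
    parser.feed(html)
    parser.close()
    raw = normalize("".join(parser.raw_text))
    visible = normalize("".join(parser.visible_text))
    # Keywords the reader sees but a scanner of the raw text would not match.
    hidden_from_scanner = [
        k for k in keywords
        if k.lower() in visible.lower() and k.lower() not in raw.lower()
    ]
    # The automated form of "hover over the link": shown host vs. real host.
    mismatched = [
        (host_of(text), host_of(href))
        for text, href in parser.links
        if host_of(text) and host_of(href) and host_of(text) != host_of(href)
    ]
    hidden_chars = len("".join(parser.hidden_text))
    return {
        "raw_text": raw,
        "visible_text": visible,
        "hidden_chars": hidden_chars,
        "hidden_from_scanner": hidden_from_scanner,
        "mismatched_links": mismatched,
        "suspicious": bool(hidden_chars or hidden_from_scanner or mismatched),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_EMAIL_HTML, ["Microsoft", "unprocessed"]).items():
        print(f"{key}: {value}")
```

Run as-is, the report shows the brand keyword is present in the visible text but absent from the raw text (which is exactly what the zero-font trick relies on), counts the characters that were hidden, and lists the link whose displayed host does not match its real destination. Any of those three conditions is a reasonable trigger for quarantining the message for review.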
We can’t emphasize it enough. Training, training, training. Hover, hover, hover. There are many ways that you can protect your business from cybercrime, but this is a good place to start. If you want to ensure you have COMPLETE protection, let’s get together for a discussion and review of what you have in place, and how we might be able to help.