Is Phishing Illegal & How Can it Affect Businesses?


When a message tries to trick recipients into believing it comes from your company so that they act on a lure (click a link, open an attachment, or hand over credentials or payment details), it is called phishing.
Phishing is a problem not only for the recipient but also for your company!

The FTC has long advised consumers about steps to avoid phishing scams.

But what should your business do if customers contact your company, upset that they responded to a phishing email from a scammer impersonating your legitimate business?

What types of phishing attacks can occur?

Phishing is an insidious attack that may involve not only email messages but also your website or web application, for example a lookalike login page that harvests customer credentials.

Phishing attacks can also take other forms, such as text messages (smishing) and phone calls (vishing) that pretend to come from your company.

The mix of messaging platforms, the shape-shifting, and the masking of the attacker's methods make phishing attacks hard to defend against.

State of phish in 2020/2021

How does phishing affect a business?

Phishing has resulted in cumulative damage to companies, from direct financial loss to lost reputation and customer goodwill.

So the damage from phishing can hurt an organization badly, and can even put it out of business.

Phishing that abuses your good name and reputation is a critical attack on your business that you need to take seriously, both to prevent and to act on immediately.

Is phishing illegal?

Yes. Phishing is fraud, and often identity theft, committed in your company's name, which is why the steps below route reports to law enforcement. But legality is not the question your customers will ask: if consumers fall victim to phishing schemes that falsely invoke your company name, they may look to you for guidance on the next steps to take.

Offering immediate advice and support can help you keep the goodwill you’ve worked to develop.

How should your business react to being impersonated?

Here is a list of actions you can take to minimize the damage of phishing:

  1. Immediately check your email authentication records and web server SSL certificates
  2. Contact law enforcement directly
  3. Notify customers
  4. Educate customers
  5. Request affected customers to forward phishing email samples
  6. If identity theft is involved, provide resource information
  7. Update your security practices

1. Immediately check your email authentication records and web server SSL certificates

Check that every domain you send mail from publishes SPF, DKIM, and DMARC records in DNS, and that the DMARC policy is enforcing (p=quarantine or p=reject) rather than monitor-only (p=none). Be sure all your web servers have current TLS (SSL) certificates. Keep in mind that these records only let receivers reject exact-domain spoofing of your domain; they do nothing against lookalike domains the attacker registers himself.

2. Contact law enforcement directly

If you become aware of a phishing scam impersonating your business, report the fraud immediately to the FBI's Internet Crime Complaint Center (IC3) and the FTC's fraud reporting site, or to law enforcement in your country.

3. Notify customers

If you are alerted to a phishing scam in which cyber criminals impersonate your business, inform your customers as soon as possible and tell them to ignore suspicious emails, text messages, or phone calls pretending to be from your company.

4. Educate customers

Remind your customers that legitimate businesses like yours never solicit personal information from them through insecure channels, like email or text messages.

When you know that customers have been affected, you need to share how they can protect themselves online and avoid phishing attacks.

Point them to the FTC's consumer information site for recommended computer security practices, or create a page on your own site with the same guidance.

5. Request affected customers to forward phishing email samples

Request affected customers who have received a phish to forward any phishing emails impersonating your business to Abusix and the Anti-Phishing Working Group, and to your own abuse mailbox. Ask them to forward the message as an attachment (or save it as a .eml file) rather than inline: an inline forward strips the original headers, and the headers are what identify the sending server and the domains the attacker actually controls.
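What to do with the forwarded samples: the triage below pulls the indicators worth reporting (relay IP, envelope domain, the receiver's authentication verdict, and links whose visible text does not match their target) out of a raw message. This is an added example, not code from the original article or from Abusix; the message it parses is constructed for the demo (RFC 5737 documentation address, `.test` domains), and the abuse-report format of any particular receiver is out of scope.

```python
"""Triage of a forwarded phishing sample: pull out the indicators worth reporting.

Added example, not code from the original article or from Abusix. The message
below is constructed for the demo (RFC 5737 address, .test domains); real
samples should be forwarded as attachments so the headers survive.
"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample: an attacker-owned domain in the envelope and Received path,
# the impersonated company in the visible From, and a display-text/href mismatch.
SAMPLE = b"""Return-Path: <bounce@attacker.test>
Received: from mail.attacker.test (mail.attacker.test [203.0.113.7])
\tby mx.customer-isp.test with ESMTP id abc123
\tfor <victim@customer-isp.test>; Mon, 1 Mar 2021 10:00:00 +0000
Authentication-Results: mx.customer-isp.test;
\tspf=pass smtp.mailfrom=attacker.test;
\tdkim=none;
\tdmarc=fail header.from=example.test
From: "Example Billing" <billing@example.test>
To: victim@customer-isp.test
Subject: Your invoice is overdue
Content-Type: text/html; charset=utf-8

<html><body><p>Pay now at <a href="http://example-test-billing.attacker.test/login?acct=1">
https://billing.example.test/</a></p></body></html>
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)
AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def header_domain(value):
    """Domain part of the first address in a header value, or None."""
    m = re.search(r"@([\w.-]+)", value or "")
    return m.group(1).lower() if m else None


def triage(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = header_domain(str(msg.get("From", "")))
    return_path_domain = header_domain(str(msg.get("Return-Path", "")))
    # Relay IPs from every Received header, most recent hop first.
    sender_ips = [ip for h in msg.get_all("Received", []) for ip in IPV4.findall(str(h))]
    # The receiving server's own SPF/DKIM/DMARC verdicts, if it recorded them.
    auth = dict(AUTH.findall(str(msg.get("Authentication-Results", ""))))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    links = []
    for href, text in ANCHOR.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = urlparse(shown).hostname if "://" in shown else None
        href_host = urlparse(href).hostname
        links.append({"href": href, "href_host": href_host, "shown_host": shown_host,
                      "mismatch": shown_host is not None and shown_host != href_host})
    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    if auth.get("dmarc") == "fail":
        findings.append("receiving server recorded dmarc=fail for the From domain")
    for link in links:
        if link["mismatch"]:
            findings.append(f"link text shows {link['shown_host']} but points to {link['href_host']}")
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "sender_ips": sender_ips, "auth": auth, "links": links, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE)
    for finding in report["findings"]:
        print("-", finding)
    print("report abuse for", report["sender_ips"], "and", [l["href_host"] for l in report["links"]])
```

The relay IP and the hosting domain of the link target are what Abusix, the APWG and the hosting provider's abuse desk can act on; the visible From address is the one thing in the sample the attacker chose to make look like you.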

6. If identity theft is involved, provide resource information

If consumers believe they may be victims of identity theft because of the phishing scam impersonating your business, direct them to the FTC’s Identity Theft site.

There, they can report the theft and get the FTC's help in recovering from it.

7. Update your security practices

Data security isn't a one-time checklist. Since threats keep evolving, your security practices need to keep improving with them.

Best practices to prevent phishing

  1. Properly configure your mail server
  2. Add SPF, DKIM, and DMARC to all your mail servers.
  3. Apply SSL Certificates to all your web servers.
  4. Apply Two Factor Authentication (2FA) on all web applications
  5. Install a Web Application Firewall (WAF).
  6. Install an Applications Delivery Platform (ADP)

1. Properly configure your mail server

Spam, and its targeted cousin phishing, are still active and still causing havoc in 2022. Are your domains and email servers secure? Do you treat each employee and customer mailbox as part of your attack surface?

Take a look at the article below for more details on configuring your mail server:

The more Filters, the Better! – Abusix

2. Add SPF, DKIM, and DMARC to all your mail servers

Protect your domain from being spoofed by publishing the email authentication records SPF, DKIM, and DMARC, so that receiving servers can verify that mail claiming to come from your company genuinely originates from your mail platform and not from someone impersonating you. SPF lists the servers allowed to send for your domain, DKIM signs each message with a key published in your DNS, and DMARC tells receivers how the two must align with the visible From address and what to do when they don't. A DMARC record with p=none only generates reports; move to p=quarantine and then p=reject once you have confirmed that all your legitimate sending services pass, otherwise spoofed mail is still delivered.
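Both the "check your authentication records" step earlier and the SPF/DKIM/DMARC best practice above come down to the same evaluation a receiving server performs, so here is one worked example for both. It is an added example, not code from the original article or from Abusix: it parses an SPF and a DMARC record, flags the settings an impersonator benefits from, and applies DMARC alignment to a spoofed message. The records and message results are constructed (a real check fetches the TXT records for `<domain>` and `_dmarc.<domain>` from DNS), and organizational-domain detection is simplified to the last two labels, which is enough for the `.test` domains used here.

```python
"""Offline check of SPF/DMARC records and a DMARC alignment evaluation.

Added example, not code from the original article or from Abusix. All records
and message results below are constructed; a real check fetches the TXT
records for your domain and for _dmarc.<domain> from DNS. Organizational-domain
detection is simplified to the last two labels (real evaluators use the
Public Suffix List), which is enough for the .test domains used here.
"""
import re

# Constructed records: the weak pair lets an impersonator through, the strong pair does not.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.test ?all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.example-mailer.test -all"
STRONG_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.test"


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_dmarc(record: str) -> dict:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "none")
    return {
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy),
        "adkim": tags.get("adkim", "r"),  # DKIM alignment: r(elaxed) or s(trict)
        "aspf": tags.get("aspf", "r"),    # SPF alignment
        "pct": int(tags.get("pct", "100")),
        "rua": tags.get("rua"),           # aggregate-report address
    }


def spf_all_qualifier(record: str):
    """Qualifier on the 'all' mechanism: '-' fail, '~' softfail, '?' neutral, '+' pass; None if absent."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not m:
        return None
    return m.group(1) or "+"


def org_domain(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """DMARC identifier alignment between the visible From domain and an authenticated domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, dmarc, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action) a receiver would apply to one message."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, dmarc["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, dmarc["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[dmarc["policy"]]
    return "fail", action


def weaknesses(spf_record: str, dmarc_record: str) -> list:
    """Settings an impersonator benefits from."""
    findings = []
    if spf_all_qualifier(spf_record) in (None, "+", "?"):
        findings.append("SPF does not fail unknown senders (missing, +all or ?all)")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc["policy"] == "none":
        findings.append("DMARC p=none: receivers only report spoofs, they do not block them")
    if dmarc["pct"] < 100:
        findings.append(f"DMARC pct={dmarc['pct']}: policy applied to only part of the traffic")
    if not dmarc["rua"]:
        findings.append("no rua= address: you will not receive reports of who is spoofing you")
    return findings


if __name__ == "__main__":
    # Spoofed message: visible From is example.test, but SPF and DKIM only vouch for attacker.test.
    for name, record in (("weak", WEAK_DMARC), ("strong", STRONG_DMARC)):
        print(name, dmarc_disposition("example.test", parse_dmarc(record),
                                      "pass", "attacker.test", "pass", "attacker.test"))
    print(weaknesses(WEAK_SPF, WEAK_DMARC))
```

Note the attacker's message passes SPF and DKIM for his own domain; it is alignment with the From domain that fails, and only an enforcing policy turns that failure into a rejection. Strict alignment (adkim=s, aspf=s) also rejects your own mail signed with a subdomain key such as mail.example.test, so check your legitimate senders before tightening it.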

3. Apply SSL Certificates to all your web servers

A TLS (SSL) certificate installed on your web server lets a browser establish an encrypted, authenticated connection to it, so that customers reach your real site over HTTPS and see its identity verified. Serve everything over HTTPS and redirect plain HTTP. Note that phishing sites routinely use valid certificates too, so a padlock icon proves a connection is encrypted, not that the site is yours; this is why customers should be told to check the domain name, not the padlock.

4. Apply Two Factor Authentication (2FA) on all web applications

2FA is a login process that requires two steps to verify a user.

Rather than relying on a single secret (a password that may have been phished, guessed or reused), the login also requires a second factor, such as a short-lived code from an authenticator app or sent to a phone, or a hardware security key. The temporary code is valid for only a short window, so a stolen password alone is not enough to get in. Be aware that a code typed into a web page can still be relayed by a real-time phishing proxy within that window; only origin-bound methods such as FIDO2/WebAuthn security keys and passkeys are phishing-resistant, so prefer them for administrators and high-value accounts.

5. Install a Web Application Firewall (WAF)

A WAF protects a web application by applying rules to each HTTP request and response, blocking known attack patterns such as SQL injection and cross-site scripting before they reach the application. Since applications are online, they often need to keep specific ports open to the internet, and the WAF sits in front of those ports.

Many WAF services also rate-limit clients and absorb volumetric traffic, which can blunt a distributed denial of service (DDoS) attack in its early stages and make it harder for an attacker to try one website attack after another against the application and database. A WAF does not stop criminals from phishing your customers; it hardens the application that those customers, and anyone holding their stolen credentials, log into.

6. Install an Applications Delivery Platform (ADP)

If you host a web application, attackers will probe it over HTTPS, including with malformed TLS (SSL) handshakes and requests.

Because the traffic is encrypted, an attacker can tunnel HTTP attacks to the server inside TLS, where a plain network firewall cannot see them.

Decrypting and inspecting TLS traffic is resource-intensive, and traffic volume during an attack can vary widely. If you run a web-based business, consider terminating TLS on an ADP (a reverse proxy or application delivery controller) that inspects the decrypted traffic for signs of attacks or policy violations.

After inspection, the ADP re-encrypts the traffic and forwards it to the origin server.

A phishing attack can be expensive for your business

Businesses have paid hundreds of millions of dollars because of phishing attacks.

Between 2013 and 2015, Facebook and Google together lost more than $100 million to a Lithuanian man who impersonated Quanta Computer, a hardware supplier both companies use. The phish was nothing more than fake invoices from that supplier.

Hundreds of millions of dollars more are paid out in ransomware attacks, and a phishing email is one of the most common ways a ransomware intrusion begins.

These numbers are rising rapidly, occurring across many industries, and getting more expensive. No organization is safe.

Banks experienced a 520% increase in phishing and ransomware attempts between March and June 2020. (American Banker, 2020). The average ransom fee requested increased from $5,000 in 2018 to around $200,000 in 2020. (National Security Institute, 2021). The average ransomware attack cost in the higher education industry is $447,000. (BlueVoyant, 2021)


So, phishing isn’t always about compromising a user’s email account.

In the end, a successful phish usually means your company left a door or window unlocked, and the cybercriminal simply walked in.

Secure your company’s identity, install web application firewalls, monitor and train your employees on how to recognize and react to phishing.

Don’t be sloppy because you could be next and out of business.
