Phishing scammers have slapped a big target on your back. Because government data is public and transparently posted in many places, these scammers have additional avenues to go on the attack.
Unfortunately, this target is only getting bigger. According to the pros who monitor and measure this stuff, phishing scams are growing and getting sneakier.
One of the hottest phishing scams right now is fake purchase orders and fee or info requests sent to you via email from what appears to be a person or agency you know and trust.
No One is Safe
Phishing scams are directed these days at practically every company that works for or supplies products and services to government entities.
The agencies that let contracts are trying to help, but solutions from them are lagging.
That means the burden is on you to protect yourself from phishing scams. The good news is you don’t have to become a victim.
We at BidPrime keep our thumbs on the pulse of the dark world of phishing so we can offer your tips for staying safe.
One of the best and easiest safeguards we’ve found worth implementing is to make a practice of verifying the authenticity of any communication that seems to you even mildly suspicious. Contact the agency purporting to be the author of that communication and ask them if they did in fact shoot it off to you.
Don’t use the contact info supplied by the suspicious communication—use contact info from only your personal files or directories.
Or contact us at BidPrime for our opinion about the legitimacy of that communication.
Employees are Most Vulnerable
How bad is the phishing problem?
Seventy-six percent of businesses and agencies surveyed by Wombat Security reported at least one phishing attack last year (emphasis on the words “at least”).
Email is the overwhelming favorite tactic among crooks for conducting a phishing scam, says Barkley Protects Inc.
Phishing is primarily aimed at employees, who often form the weakest link in your data network. According to Symantec Corp., the average employee each month receives 16 malicious emails, more than 15 percent of which come with a fake purchase order, invoice, or fee request.
Verizon Communications Inc. says 4 percent of employees are inevitably suckered by such phishing scams, while Wombat pegs that number at 9 percent.
Barkley reports a trend among phishing scammers to hijack employee email accounts and use them to send bait-laced correspondences. The Oregon Procurement Information Network, for example, recently issued a warning that multiple email phishing attacks have been launched of late by individuals posing as state employees.
To make hijacked emails look even more legitimate, scammers often reply to existing chains they find in the victim employee’s inbox or archive.
Dodging the Bullet
Spoof emails appearing to come from the Defense Logistics Agency prompted that office this past June to alert its vendors to be on the lookout for bogus solicitations containing an invitation to visit non-DLA websites for “important” information about bids.
Indeed, as Barkley notes, phishing emails come disguised in many forms.
We already mentioned fake purchase orders and trick requests for fees or info. But a few other ways phishing scams masquerade as legitimate include:
- A message stating that an email you sent was undeliverable;
- A snail-mail letter from what appears to be your attorney about some criminal matter or pending litigation against you;
- A seemingly serious proposal requiring response on your part.
The good news is that many potential targets of phishing scams are taking proactive measures to dodge the bullet.
One such measure entails getting a tighter handle on user identity and access privileges. By our estimates, this step is being taken 29 percent more often this year than last.
Another protective measure is implementation of multifactor authentication systems, so that the only way to gain access to a system when attempted from a new computer is by logging in with a special code or RSA key. We found evidence that this step was introduced 14 percent more often this year.
And use of phishing simulation solutions appears to be up 37 percent over 2017. (Surprisingly, though, vulnerability/penetration testing is down by 17 percent, our sources tell us.)
A Reminder About Password Safety
A favorite tactic of phishing scammers is to ask you for your account password. We’d like to use this occasion to remind you never to reveal your password to anyone—especially via email. That’s because your password is a gateway to accessing everything a data hacker could possible want.
And if you’ve been sharing your login credentials with colleagues in your company, you should consider asking them to set up individual accounts and get their own personal passwords.
Speaking of passwords, it’s an excellent idea to change all of yours from time to time. Also make sure when you reset passwords that you pick strong ones.
Something else to consider: Verizon recommends you enlist your employees to serve as your first line of defense against phishing. “Get them on board, and teach them how to spot the signs of an attack and how to react,” the company says.
This is vital because Verizon found that only 17 percent of phishing attacks are reported by the employees who fall victim to them. Verizon contends that employees will be inclined to more often report attacks if they can do so without fear of punishment.
We’ll close by repeating our advice to never dismiss anything that looks “phishy.” If you or your employees or colleagues receive an invoice or a request that seems even the teensiest bit off-kilter, quarantine it until you can determine its authenticity. If authenticity can’t be established, toss it. Because, when it comes to phishing scams and the devastation they bring, you can’t be too careful.
For details on related bid requests / RFPs, and bid documentations, call us at 888.808.5356 or visit BidPrime.