If you didn’t know, October is Cybersecurity Awareness Month in the US. This year’s theme is “Do Your Part. #BeCyberSmart.” The goal is to encourage organizations and employees to take ownership of protecting their part of cyberspace, stressing accountability and proactive actions that enhance security.

In the payments and point of sale world, PCI DSS and related standards create a framework that, when followed, does an admirable job of protecting merchants from cyber criminals. Unfortunately, even the most robust security measures can be thwarted by one employee clicking on an email link they shouldn’t. Cyber criminals have caught on to this effective attack vector, known as phishing. Recognizing that phishing has become a serious threat, we wanted to share some details regarding these attacks as well as actions you and your customers can take.

Phishing basics

Phishing is an attack whereby a bad actor sends emails or messages that look authentic to the users receiving them. The message typically plays on a sense of urgency (e.g. subject lines like "URGENT: Billing Information Audit") and appears to be from a trusted source.

The real goal of the email is to gain access to IT assets or to steal information. Common motives of phishing attacks include:

  • Conducting financial crimes, such as convincing someone to wire transfer money
  • Gaining access to accounts (such as email, company, or gateway accounts)
  • Accessing and stealing emails (also called email harvesting) to use for other advanced phishing campaigns on parties that may trust you.

Identifying phishing attacks

While phishing tactics continue to evolve, here are some common indicators:

  • Displayed Name vs. Sender/Reply-to email address

Always look at the full email address of the sender in addition to its displayed name. The displayed name can be easily changed by attackers to show whatever they desire, so ensure that the return/reply-to email address and the displayed name match what you expect.

  • Encrypted file with a password in body

Extra scrutiny should be placed on any email that includes an unsolicited attachment, especially if the file is encrypted or hidden within a compressed archive (e.g., .ZIP files) and there is a password included in the email body. Encrypting attachments is a common way to bypass email anti-virus scanners.

  • Double-check any links

Before clicking any links, hover your mouse over the link until the full address is shown. Check that the domain of the link is owned by someone you expect.
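
The three indicators above can also be checked mechanically when a reported message is triaged. The following Python is an added example, not part of the original article or of any NMI tooling; the EXPECTED brand-to-domain map, the `.test` addresses and the sample message are constructed for illustration, and the archive check is a filename heuristic rather than a test for encryption.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse
# Assumption: brand names users expect, mapped to the domain that really owns them.
EXPECTED = {"example payments": "example.com"}
ARCHIVES = (".zip", ".7z", ".rar")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
def host(url):
    return (urlparse(url).hostname or "").lower()

def triage(raw):
    """Return the indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, from_addr = parseaddr(str(msg["From"] or ""))
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    hits = []
    # 1. Displayed name vs. the real sender / reply-to address
    for brand, dom in EXPECTED.items():
        if brand in name.lower() and domain(from_addr) != dom:
            hits.append(f"display name claims '{brand}' but sender is {from_addr}")
    if reply_addr and domain(reply_addr) != domain(from_addr):
        hits.append(f"reply-to {reply_addr} differs from sender domain")
    # 2. Archive attachment together with a password in the body
    body = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_maintype() == "text")
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    if any(n.lower().endswith(ARCHIVES) for n in names) and "password" in body.lower():
        hits.append("archive attachment with password in body")
    # 3. Visible link text names one host, the href goes to another
    for href, text in LINK_RE.findall(body):
        shown = host(text.strip()) if "://" in text else ""
        if shown and shown != host(href):
            hits.append(f"link shows {shown} but goes to {host(href)}")
    return hits

def sample():
    """Constructed message (not real mail) that trips all three indicators."""
    m = EmailMessage()
    m["From"] = '"Example Payments Billing" <billing@examp1e-pay.test>'
    m["Reply-To"] = "audit@mailbox.test"
    m["Subject"] = "URGENT: Billing Information Audit"
    m.set_content('<p>Password: 1234</p><a href="http://login.examp1e-pay.test/">'
                  'https://example.com/billing</a>', subtype="html")
    m.add_attachment(b"PK", maintype="application", subtype="zip", filename="audit.zip")
    return m.as_string()
```

Calling `triage(sample())` returns one finding per mismatch, which can be attached to the report that goes to the security team.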

Thwarting phishing attacks

From an outsider’s perspective, phishing appears to be a threat that’s no threat at all. Aren’t phishing emails obvious? Won’t employees and customers be wise enough to identify these threats? Unfortunately, phishing has gained popularity among criminals because it works. Therefore, it’s good to share this information and help raise awareness among email users. If you suspect something is off about an email:

  • Make the safe choice and check its authenticity.
  • Don’t open any attachments or click any links. Instead, go directly to the authoritative website that you know is associated with the requested process.
  • Contact the sender by an alternative method. Reach out to the sender using an existing contact method. If they included a contact phone number in the email, don’t trust it until you can independently verify the number.
  • Report the email in accordance with internal security policies. Security professionals can investigate the email contents more closely.

Turn on Two-Factor Authentication

Despite your best efforts and your users’ earnest attempts at following best practices, criminals are relentless and, frankly, talented at getting access to credentials. In these instances, you can strengthen security by adding another step to the authentication process. Called multi-factor authentication (MFA) or two-factor authentication (2FA), this security strategy requires an additional piece of information (or token) beyond a username and password. In the event a password and username are stolen, the 2FA token, which is randomly generated and changed frequently, will protect the account from being accessed.

Many IT solutions and software include the option for 2FA/MFA, but it’s not always enabled by default. 2FA is an available security feature on all NMI accounts. If you have any questions or require assistance implementing 2FA, please contact NMI Gateway Support.

Security isn’t a destination, but rather a perpetual journey. Following these best practices is just one aspect of a holistic security strategy that must be followed strictly. While Cybersecurity Awareness Month lasts only 31 days, the task of securing IT assets and information never ends.
