If you didn’t know, October is Cybersecurity Awareness Month in the US. This year’s theme is “Do Your Part. #BeCyberSmart.” The goal is to encourage organizations and employees to take ownership of protecting their part of cyberspace, stressing accountability and proactive actions that enhance security.

In the payments and point of sale world, PCI DSS and related standards create a framework that, when followed, does an admirable job of protecting merchants from cyber criminals. Unfortunately, even the most robust security measures can be thwarted by one employee clicking on an email link they shouldn’t. Cyber criminals have caught on to this effective attack vector, known as phishing. Recognizing that phishing has become a serious threat, we wanted to share some details regarding these attacks as well as actions you and your customers can take.

Phishing basics

Phishing is an attack whereby a bad actor sends emails or messages that look authentic to the users receiving them. The message typically plays on a sense of urgency (e.g. subject lines like "URGENT: Billing Information Audit") and appears to be from a trusted source.

The real goal of the email is to gain access to IT assets or to steal information. Common motives of phishing attacks include:

  • Conducting financial crimes, such as convincing someone to wire transfer money
  • Gaining access to accounts (such as email, company, or gateway accounts)
  • Accessing and stealing emails (also called email harvesting) to use for other advanced phishing campaigns on parties that may trust you.

Identifying phishing attacks

While phishing tactics continue to evolve, here are some common indicators:

  • Displayed Name vs. Sender/Reply-to email address

Always look at the full email address of the sender in addition to its displayed name. The displayed name can be easily changed by attackers to show whatever they desire, so ensure that the return/reply-to email address and display name match what you expect.

  • Encrypted file with a password in body

Extra scrutiny should be placed on any email that includes an unsolicited attachment, especially if the file is encrypted or hidden within compression (e.g., .ZIP files) and there is a password included in the email body. Encrypting attachments is a common way to bypass email anti-virus scanners.

  • Double-check any links

Before clicking any links, hover your mouse over the link until the full address is shown. Check that the domain of the link is owned by the party you expect.
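The same three indicators can be checked mechanically when a reported email is triaged. The Python code below is an added example, not part of the original article; the allow-list of expected domains, the archive extensions and the constructed sample message (reserved test domains only) are assumptions.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

ARCHIVE_EXT = (".zip", ".7z", ".rar")  # assumption: archive types to scrutinise
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def expected(host, allowed):
    """True if host is an allowed domain or a subdomain of one (dot-anchored)."""
    return any(host == d or host.endswith("." + d) for d in allowed)

def check_message(raw, allowed):
    """Return findings for the three indicators listed in the article."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Display name vs. sender / reply-to address
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_dom = addr.rsplit("@", 1)[-1].lower()
    if not expected(sender_dom, allowed):
        findings.append(f"sender: {name!r} is really {addr}")
    reply = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply and reply.rsplit("@", 1)[-1].lower() != sender_dom:
        findings.append(f"reply-to: replies go to {reply}")
    # 2. Archive attachment together with a password in the body
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if any(n.endswith(ARCHIVE_EXT) for n in names) and re.search(r"\bpassword\b", text, re.I):
        findings.append("attachment: archive with password in body")
    # 3. Links: compare the real target with the displayed text and the allow-list
    for href, label in ANCHOR.findall(text):
        host = urlparse(href).hostname or ""        # urlparse lower-cases hostnames
        shown = urlparse(label.strip()).hostname    # None when the label is not a URL
        if not expected(host, allowed) or (shown and shown != host):
            findings.append(f"link: target host is {host}")
    return findings

def sample_message():
    """Constructed sample; all domains are reserved test names."""
    m = EmailMessage()
    m["From"] = '"Example Billing" <billing@example-billing.test>'
    m["Reply-To"] = "audit@mailbox.test"
    m["Subject"] = "URGENT: Billing Information Audit"
    m.set_content('<p>The password is 1234.</p>\n'
                  '<a href="https://example.com.portal.test/a">https://example.com/a</a>\n',
                  subtype="html")
    m.add_attachment(b"PK", maintype="application", subtype="zip", filename="audit.zip")
    return m.as_string()
```

Calling `check_message(sample_message(), {"example.com"})` returns one finding per indicator plus the reply-to mismatch; the dot-anchored match in `expected` is what stops a host such as `example.com.portal.test` from passing as `example.com`.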

Thwarting phishing attacks

From an outsider’s perspective, phishing appears to be a threat that’s no threat at all. Aren’t phishing emails obvious? Won’t employees and customers be wise enough to identify these threats? Unfortunately, phishing has gained popularity among criminals because it works. Therefore, it’s good to share this information and help raise awareness among email users. If you suspect something is off about an email:

  • Make the safe choice and check its authenticity.
  • Don’t open any attachments or click any links. Instead, go directly to the website you know to be the authoritative one for the requested process.
  • Contact the sender by an alternative method. Reach out to the sender using an existing contact method. If they included a contact phone number in the email, don’t trust it until you can independently verify the number.
  • Report the email in accordance with internal security policies. Security professionals can investigate the email contents more closely.

Turn on Two-Factor Authentication

Despite your best efforts and your users’ earnest attempts at following best practices, criminals are relentless and, frankly, talented at getting access to credentials. In these instances, you can strengthen security by adding another step to the authentication process. Called multi-factor authentication (MFA) or two-factor authentication (2FA), the security strategy adds the need for an additional piece of information (or token) beyond a username and password. In the event a password and username are stolen, the 2FA token, which is randomly generated and changed frequently, will protect the account from being accessed.

Many IT solutions and software include the option for 2FA/MFA, but it’s not always enabled by default. 2FA is an available security feature on all NMI accounts. If you have any questions or require assistance implementing 2FA, please contact NMI Gateway Support.

Security isn’t a destination, but rather a perpetual journey. Following these best practices is just one aspect of a holistic security strategy that must be followed strictly. While Cybersecurity Awareness Month lasts only 31 days, the task of securing IT assets and information never ends.
