Ransomware – a form of malware that encrypts users’ computer files until they pay a bitcoin fee for a decryption key – is enjoying something of a boom at the moment, mostly because it’s a very quick and easy means for cyber criminals to make money. Now, a new threat is doing the rounds, spread via a phishing email that looks more legitimate than your average scam message: it contains the recipient’s address, most likely sourced from a stolen database.
As I mentioned in last week’s podcast, BBC Radio 4’s consumer programme You and Yours reported that thousands of people have already received phishing emails that purportedly come from a debt collection agency working on behalf of legitimate UK firms – including waxed cotton manufacturer British Millerain Co Ltd and Manchester shelving firm Greenoaks. The emails state that money is owed, and include the recipients’ home addresses to further lend legitimacy to their claim. Clicking on the enclosed link, however, installs ransomware.
Now, the BBC confirms that the strain of ransomware in question is not in fact CryptoLocker, as it first thought, but Maktub. Why does this make a difference to you, the victim? Maktub doesn’t just demand a ransom – it increases the fee as time elapses. The longer you wait, considering your options, the higher the fee you have to pay to regain access to your systems. Faced with such a decision, most people feel compelled to pay up, encouraging the ransomers to keep at it.
Can you trust your staff not to fall for this scam?
Whatever your line of business, phishing is a threat you need to take seriously: if one of your employees mistakenly opens a phishing email and installs ransomware on your systems, your entire corporate network could be put at risk.
This is why it is so important to ensure that your staff understand the threat that phishing poses and can recognise phishing emails.
IT Governance’s Phishing Staff Awareness Course educates staff on the risks of spoof emails, helping your team understand how phishing works, what tactics cyber criminals employ, and how to spot and avoid phishing campaigns.
Combine this with our Simulated Phishing Attack, which enables you to identify potential vulnerabilities among your employees and provides recommendations to improve your security.