Phishing for sale: the Telegram threat to business email safety

Researchers have discovered that cybercriminals are using the instant messaging (IM) platform Telegram to sell their skills, including phishing kits and campaigns.

As a newer IM platform, Telegram’s growth is impressive, increasing from 550 million to 700 million users in 2022, a user pool that phishers see as a lucrative market for their skills.

The IM platform has been described as a ‘thriving hub’ for cybercrime, where aspiring phishers can now purchase phishing kits and even get their hands on customized phishing campaigns. It’s a cybercriminal’s dream and an email security nightmare, putting more businesses at risk of falling victim to the phishing attacks these experienced cybercrooks are educating their audiences on.

In a recent report on the Telegram phishing marketplace, Kaspersky Web Content Analyst Olga Svistunova stated that phishers are creating Telegram channels through which they teach audiences, sell ‘goods’ and grab subscriber attention with polls like, “What type of personal data do you prefer?”

According to Svistunova, there are various free and paid services on offer, including:

  • Automated phishing with Telegram bots.

  • Free phishing kits and users’ personal data.

  • Paid phishing and scam pages.

  • Personal user data for sale.

  • Phishing as a Service (PhaaS) subscriptions with customer support included.

This makes it all too easy for phishers to use the skills they’ve gained through Telegram to impersonate your business and use fake emails to gain access to whatever they’re after, be it data or funds, ultimately damaging your business’s reputation and hindering its success.

Adding to the current list of concerns regarding business email security, it’s estimated that around 3.4 billion malicious emails are sent daily and a new phishing website is created every 11 seconds. Here’s how you can help protect your business from falling prey to phishers and their fraudulent emails:

  1. Educate your employees: Phishers don’t discriminate in their efforts and can target anyone from a receptionist to a CEO. Make sure you train your employees on the red flags that expose fake emails. They should know to look out for things like dodgy spelling and grammar, questionable links, and urgent calls to action that they weren’t expecting.

  2. Make reporting suspicious emails compulsory: You need visibility of any sinister emails received by your employees, so ensure that they know how to report these, and add this reporting step to your IT policy. Better yet, take measures to have these reports delivered to your inbox automatically by ensuring that your domain is DMARC-compliant. Domain-based Message Authentication, Reporting and Conformance (DMARC) allows you to control what happens to illegitimate emails sent using your domain.

  3. Level up your security layers: Cybercrime evolves fast, so you need to evolve your business’s security layers faster to stay ahead of phishers. One way is to ensure that security layers like firewalls and passwords are updated at least every 60 days. Another is to invest in extra layers of security. DMARC adoption prevents unauthorized use of your domain name, extending protection against fraudulent emails to your staff and to any other stakeholder who receives emails from your domain.

  4. Secure your emails with professional help: Seek professional assistance to ensure that you don’t leave your business vulnerable to phishers. Using a cybersecurity software provider like Sendmarc helps protect your business from the reputational damage and financial losses caused by phishing. Sendmarc ensures that every email received from your domain is the real thing.

The use of Telegram by malicious actors highlights that anyone who has a will to phish can find a way, making it critical to ensure that your business is protected from email-related security threats. Contact us today to find out how we can prevent your business from becoming a victim of email phishing.

This article was originally published on Sendmarc.