It seems like every week there is a new type of phishing attack, whether it’s the one that looks like it came from your CEO or the new one informing you that you overpaid for services. These new spins on a classic attack keep phishing relevant and at the forefront of our minds.
Phishing remains one of the most used tools for attackers and social engineers to gain unauthorized access to our networks and accounts. In report after report, phishing attacks consistently rank at or near the top of lists of favored criminal techniques and are anticipated to remain a persistent threat to individuals and businesses. Why? Because phishing remains inexpensive, easy to produce and easy to send out en masse, with a potentially very big reward from just one person falling victim to the ploy. An attacker can send out thousands of emails and only needs one person to bite. Coupled with poor training and awareness activities within businesses, the risk/reward balance is too favorable for cybercriminals not to continue.
There are various types of phishing and off-shoots; however, they follow the same basic methodology and seek to exploit human behavior. At the foundation of each phishing attempt is a hopeful stab by an attacker to gain access to your privileged information for malicious reasons. Phishing in its pure form comes primarily by way of email, and attackers attempt to add instant credibility through these emails by making them appear important or legitimate. Their goal is to give you a plausible reason to follow up. They want you to respond, whether by clicking a link within the email, opening an attachment, or replying to their offer.
In order to get you to respond to their request, the attacker seeks to exploit human behavior, appealing to our emotional side and to most people’s desire to do good and help those in need. A common tactic is the “African Prince” scheme, in which an unfortunate incident has befallen the rightful heir to a large sum of money and the Prince must find someone able to assist in getting the money out of the country. In return, the recipient will get a portion of the money, provided of course they supply banking information and instructions. Hey, it’s all for a good cause!
Variations of this scheme – the helpless widow, the wealthy businessman’s lawyer, the unexpected lottery winner, and many others – are all designed with the same intent: to eventually gain access to your bank account information and steal from it right under your nose, or at least before you can stop it. These schemes are distributed indiscriminately, but often in the hope of preying on the elderly or those in difficult financial situations.
Phishing attempts also appeal to the fear of missing out. The goal of any scheme is to make it appear as believable as possible. Attackers add minor details that are irrelevant to the overall scheme but build credibility and attempt to allay your concern that the message might be a scam. Criminals might reference current events, but those details will be vague at best. On first review, most people will identify the email as a scam and dismiss it. However, some will read it again and want to believe the information, because if the ruse were true they would miss out and someone else would be the recipient of all the riches. This is a misplaced and irrational fear, and it causes people to click even when their instinct knows better.
Finally, phishing attempts try to appeal to your fears. Attackers have become more advanced and have added enhanced graphics and formatting to increase the credibility of the message and the likelihood that individuals will take the bait. These attempts come disguised as trusted organizations or individuals, prompting the recipient to follow through on what is being asked. This scheme impersonates financial institutions or companies like PayPal or Amazon. The emails include logos and come from names that represent customer service or company representatives. They will ask you to click on a link or open an attachment to update personal information. This may appear legitimate, but it is really a ruse to install malware or other types of viruses.
These trusted-looking emails may even appear to be from someone you know. We have seen from other types of cyber attacks that attackers will gain access to a person’s contacts and create duplicate accounts that differ only slightly – a Gmail account in place of a Hotmail account, for example. They will then send that contact list an email with a link or attachment designed to invoke a response. This is all a way to load malware onto your computer.
Vigilance remains the most effective way to avoid becoming a victim of phishing attacks. Specifically, there are five areas to focus on.
- Sender’s email address. When you receive an email that looks suspicious, look at the email address. If it’s from a trusted institution, verify that it is the established email address; you can do this by checking the organization’s website. If you receive an email from a person, don’t just verify the name, but check the actual address. A lot of attacks originate from Russia, South America, or India, so a .ru or .in address could be suspicious. It does not mean it’s bad, but it means you may want to do more verification. If it’s an email from PayPal or Amazon but it comes from an individual’s email address, this should be an indicator that something is not right.
- Subject Line. What is the subject line asking you to do? Does it look consistent with other emails you have received from this sender? The subject line is not the smoking gun with phishing emails, but it does help provide more evidence that something needs to be investigated further.
- Spelling and Grammatical Errors. Phishing emails are produced en masse and in various languages. They are easy to produce and send out; all part of the low risk/low investment but high reward. Often the text will have been run through a web translator, and while most are good, there are still awkward sentences and errors. It won’t sound right, and more often than not it will be filled with punctuation errors. Some of these are so obvious that they won’t be hard to notice.
- Too Good to Be True. The adage serves its purpose here: if it’s too good to be true, it likely is. This is attackers playing to the FOMO appeal. If you think this might be a scam but can’t be sure, go online and search for it. You will likely find threads about this topic already and appreciate that you didn’t fall for the trick.
- Links and Attachments. A tell-tale sign of phishing attempts. Opening an attachment or clicking a link activates the malware, and your information is as good as gone. You need to ensure that attachments you receive are from trusted senders; if they fail the email address check, they shouldn’t be trusted. It wouldn’t hurt to send a new email to the organization or person, using an email address you trust, to confirm the document. As for links – “If you have to click, it’s not legit.” No financial institution or business will send you an email asking you to click on a link; they know phishing is out there. Instead, they will send you an email instructing you to log into your account through their webpage and follow the instructions there. To check a link, hover your mouse over it and see what pops up. If the address is not the institution’s official address, do not click. In the example below, you will see that the “PayPal Resolution Center” link is actually a .ru address. This probably isn’t going to get you where you need to be. Undoubtedly, if you click on the link, you will see a fake site that says PayPal on it and will allow you to input your information, but it won’t be legitimate and you may be worse for wear afterwards. If you have to click, it’s not legit.
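Two of the checks above (a “PayPal” sender writing from an individual’s mailbox, and link text that names PayPal while the actual address is a .ru domain) can be automated against a raw email. The following is an added example, not code from the original post; the sample message, the `BRAND_DOMAINS` allow-list and the naive two-label domain extraction are all assumptions made for illustration.

```python
# Added example: flag sender-name/domain and link-text/href mismatches.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish): "PayPal" branding,
# a Gmail sender, one disguised .ru link and one genuine paypal.com link.
SAMPLE_EMAIL = """From: PayPal Customer Service <billing.team1984@gmail.com>
Subject: Your account has been limited
Content-Type: text/html

<p>Please visit the <a href="http://paypal.com.secure-verify.ru/login">PayPal
Resolution Center</a> to restore access.</p>
<p>Or read the <a href="https://www.paypal.com/help">PayPal help pages</a>.</p>
"""
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "amazon": {"amazon.com"}}  # assumed allow-list

def registered_domain(host):
    """Naive: last two labels, so 'paypal.com.secure-verify.ru' -> 'secure-verify.ru'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs: the same data hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def find_indicators(raw_email):
    """Return indicators: a name or link text that claims a brand whose domain is not allow-listed."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg["From"])
    claims = [("sender", name, registered_domain(addr.rsplit("@", 1)[-1]))]
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # single-part text/html body
    for text, href in collector.links:
        claims.append(("link", text, registered_domain(urlparse(href).hostname or "")))
    return [f"{kind} '{shown}' names {brand} but its domain is {domain}"
            for kind, shown, domain in claims
            for brand, domains in BRAND_DOMAINS.items()
            if brand in shown.lower() and domain not in domains]
```

Run against the sample it reports the Gmail sender and the secure-verify.ru link but stays silent on the genuine paypal.com help link.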