Phishing is a form of fraud where an attacker masquerades as a trustworthy entity to gain personal information from the victim. This information can include data like passwords, logon credentials, social security numbers, credit card numbers and other sensitive, private information. Phishing attacks often occur through email or by leading victims to fake, spoofed websites that often look authentic to the user.
Phishing scams have been around for years, however, over the past 3 years we have seen an explosion of this type of fraud. According to the 2016 Verizon Data Breach Investigations Report phishing is again and by a great margin, the number one attack tactic.
Phishing includes fraudulent e-mails that include malicious attachments that contain malware that once downloaded search your computer for sensitive information and communicate that information to a command and control server. Phishing also includes fake communication from banks, hospitals and other institutions who encourage users to go to a fake or spoofed site to fill out forms requesting sensitive information which is downloaded and sold on the black market or Dark Web.
Generally, most phishing attacks want the victim to do one of the following:
Many enterprise (and home based) email scanning or antivirus programs screen out such emails, or at least mark them as junk, however, many phishing attacks circumvent prevention technology and result in substantial costs both for individuals and companies.
There are a few indicators that an email might be phishing for your information. Phishing attacks are becoming very commonplace and are a huge concern for many enterprise environments, especially those that house customer or employee information. Many of these traditional phishing emails have spelling mistakes, branding errors, or simply don’t make sense in terms of language and instructions.
Spear Phishing is similar to traditional phishing attempts, but many of these attack emails are personalized to individuals or companies. Attackers often gather information about their targets using a variety of methods including Linkedin, Facebook, Twitter or other social media sites and utilize that information to personalize an email, rather than just sending it blindly to an email address. This personalization dramatically increases the success of a phishing attack.
Whaling emails are a form of spear phishing emails that usually involve someone masquerading as a senior level executive like a CEO, CSO or COO asking another employee, in the finance department for example, to transfer money to a vendor, partner or outside 3rd party entity. The reason they are called “Whaling” is that, like a sales environment, these types of scams often involve large transactions. Many perpetrators of “Whaling” work in teams, gather large amounts of intel from their target, engage in social engineering, take their time, and build relationships.
Whaling emails are not as easy to identify as large tech companies like Ubiquiti Networks and Mattel, the toy maker in the US have fallen victim. The targeted e-mails are meticulously crafted, often contain information relevant to either the recipient or the perpetrated sender, and are often followed up by subsequent emails. Perpetrators of these types of emails often gather information from company websites as well as social media sites to include in the emails. In the last two years, this form of phishing has cost businesses over $2 billion according to SC Magazine and has also cost many a CEO their job.
Recent reports show that that over 97 percent of phishing emails are associated to ransomware like Locky which encrypts or locks the victim’s data when the attachment or link is clicked. The number of phishing emails used to spread ransomware has increased annually and with the availability of the ransomware and the ease of collecting data on victims, spear phishing attacks using Locky and other ransomware has exploded.
Related post: How to Fight Ransomware: Prevention, Response and Recovery
Criminals are gathering intelligence from the web to determine which companies do business with each other, and who to directly target at a company, and then use that information to generate targeted spear phishing emails using automated tools. Like other automated sales processes, criminals are automating the gathering of information and phishing email campaign generation.
Many of us have a Pavlovian response when it comes to our emails. The second we hear the “ping” from our phone, or see an email pop up on our screen, we instantly want to open it.
Criminals know this. And they also know that if they add more pressure often by using the words URGENT, IMMEDIATELY, or CRUCIAL, you will be more likely not only to open an email, but potentially open an attachment or respond following orders, especially if it is coming from your CEO.
The 2016 Verizon Data Breach report shows that even waiting an hour before opening an email dramatically reduces your chances of being a victim. Waiting even longer reduces your chance of being infected significantly more.
Before opening an email, and especially before opening any attachments or clicking links contained in the email, take a closer look and think about these 4 aspects.
If so, be a little cautious
Does the email have a signature? Often whaling attacks are disguised as an email coming from a CEO’s mobile device that often do not have official company signatures attached to the name.
Just because an email says that you need to “verify” something, doesn’t mean that you have to click on the link in order to follow the instructions. You can simply plug in your destination in your favorite Map app and lower your risk even further.
Guess what? Just by reading this post, you are less likely to be a victim of these types of phishing attempts. Education on cyber protection best practices has been shown to dramatically decrease rates of phishing victimization. Share these cyber protection best practices with co-workers and friends and the data suggest that your chance of being a victim of fraud will be reduced substantially. I often get emails from a family member which contain links to very odd looking websites, or contain attachments which are often used to spread malware (zip files). This family member recently sent an email to many people in my family. I replied to everyone and gave a brief “education moment” on these types of emails and the risks of opening them.
It is often best to get confirmation before running an executable or opening suspicious documents or files that you are not expecting. This is especially important before making any sort of money transfer. Kick it old school and pick up a phone….or even better....talk to someone if you can before following the instructions in an email.
Ryan Duquette is Former Digital Investigator with the Peel Region Police, and Founder of Hexigent Consulting. You can listen to Ryan on the Amber Mac show discussing phishing scams.