Phishing attacks are on the rise. They are getting harder to spot and more successful, because so much more of our lives is online now, hidden behind usernames and passwords. Our banking, our entertainment - everything is online, and everything is connected.
What is phishing?
Phishing is a type of cyber attack in which a malicious attacker tricks you, usually by email, into giving up sensitive information. Phishing has been around since the early 1990s, making it one of the oldest forms of cyber attack. The term "phishing" arose in the mid-90s. It is a homophone of "fishing" and was chosen because of the similarity of using bait (the phishing email) to catch a victim. The "ph" is thought to have come from an earlier form of hacking called "phreaking."
Phishing typically comes in the form of an email or instant message posing as a trustworthy sender, and will often link to a fake website made to look and feel like the genuine article. Usually the attacker will pose as a social media website or email provider to trick you into giving up your username and password; as a bank, to get your financial information; or as a service provider, such as a phone or TV company, claiming you have an overdue balance and need to pay them.
Another type of phishing attack involves an email attachment that poses as a text document (.doc, .pdf) or an image. In reality the attachment contains malicious software that can infect your computer. Sometimes it launches a ransomware attack, where the attacker locks your computer and threatens to destroy all the data if you don't pay a ransom within a set time. Others install spyware, which can record your usernames, passwords and everything else you do on your computer.
There are different types of phishing. In spear phishing, the attacker gathers personal information about a target to increase the chances of success; this is often done against specific individuals or companies. Spear phishing has become a growing problem. With more of our personal information being collected, stolen, and then bought and sold by attackers, it is increasingly common for a phishing email to contain your name, phone number, or birthday to convince you that it is real.
The primary method used to execute a successful phishing scam is link manipulation, meaning the link in an email appears to belong to a trustworthy company. The most common method used is a misspelling in the URL ("www.tdcanadetrust.com") or the use of a subdomain ("www.tdcanadatrust.example.com").
One of the reasons for the sudden increase in phishing attacks is the availability of phishing kits - pre-packaged phishing scams that can be bought and used by attackers with minimal technical skills. In late 2017, Duo Security analyzed phishing kits. Their research found 3,200 unique phishing kits across 66,000 URLs taken from crowd-sourced lists of known phishing sites (PhishTank and OpenPhish). They also found that 27 percent of phishing kits were seen on multiple hosts, and that number could be higher, because kits were identified by a single hash. "A single change to just one file in the kit would appear as two separate kits even when they are otherwise identical," said Jordan Wright, a senior R&D engineer at Duo.
Phishing emails share common features that make a fraudulent email easier to recognize.
1. Too Good To Be True: Phishing emails often claim you have won a prize, or are entitled to a free product or money. Others claim you are the beneficiary of a will, or offer bogus cashier's checks and donation solicitations. One of the earliest scams of this kind involves a Nigerian or West African prince who needs help transferring millions of dollars out of the country; if you send money for the transaction fee, the prince will supposedly split his fortune with you.
2. Urgency: Many phishing emails are of an "urgent" or "private" nature. Often the cybercriminals ask you to act fast because the offer is for a limited time. Others say your account will be suspended within a set time if you don't click a link to change your password. If in doubt, don't click a link inside an email; go directly to the source instead.
3. Attachments: Malicious software such as viruses, spyware and ransomware can lurk in attachments. If you see an attachment in an email you weren't expecting, or from somebody you don't know, it's necessary to exercise caution.
4. Spelling: Phishing emails are often full of spelling mistakes, some of them deliberate. A standard practice with phishing emails is to register a website name that looks legitimate and is similar to the one it is imitating. It can be as simple to spot as a letter in the wrong place ("Gmial" instead of "Gmail"), or more purposeful ("nuvornagazine" instead of "nuvomagazine", since a lowercase r followed by n can look like an m). When reading the email, look for spelling mistakes and odd grammar or syntax. Phishing emails are getting better, but many are still not as "professional" as an email from a reputable company would be.
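The two link tricks described above (a misspelled or look-alike brand name in the domain, and a real brand name used as a subdomain of an attacker-controlled domain) can be checked mechanically. The following is an added example, not code from the original article: it takes a URL, extracts the registrable domain, and flags it when it is within a couple of edits of a known brand, when a confusable letter pair such as "rn" collapses to a known brand, or when a known brand appears only as a subdomain label. The allow-list, the confusables table and the two-label rule for the registrable domain are assumptions made for the example; a real deployment would use the organisation's own domain list and a public-suffix list.

```python
from urllib.parse import urlparse

# Constructed allow-list of legitimate domains (assumption for this example).
KNOWN_DOMAINS = ("tdcanadatrust.com", "gmail.com", "nuvomagazine.com", "paypal.com")

# Letter sequences that are easily mistaken for each other in common fonts.
# This is a small hand-picked table, not an exhaustive confusables list.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def hostname(url):
    """Lower-cased host part of a URL; a bare host without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().strip(".")


def registrable_domain(url):
    """Last two labels of the host. Simplification: no public-suffix list,
    so 'bank.co.uk' would come out as 'co.uk'."""
    labels = hostname(url).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def skeleton(label):
    """Collapse confusable sequences so that 'nuvornagazine' becomes 'nuvomagazine'."""
    for seq, repl in CONFUSABLES.items():
        label = label.replace(seq, repl)
    return label


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, reason) where verdict is 'ok', 'suspicious' or 'unknown'."""
    host = hostname(url)
    domain = registrable_domain(url)
    if domain in KNOWN_DOMAINS:
        return "ok", f"{domain} is a known domain"

    # Subdomain trick: the brand name is present, but only as a label
    # to the left of the registrable domain (e.g. brand.example.com).
    subdomain_labels = host.split(".")[:-2]
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if brand in subdomain_labels:
            return "suspicious", f"'{brand}' used as a subdomain of {domain}"

    # Misspelling / confusable trick: the registrable domain itself
    # is a near-copy of a known brand.
    name = domain.split(".")[0]
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if skeleton(name) == skeleton(brand):
            return "suspicious", f"{domain} looks like {known} (confusable letters)"
        if len(brand) >= 5 and edit_distance(name, brand) <= 2:
            return "suspicious", f"{domain} is within 2 edits of {known}"

    return "unknown", f"{domain} matches no known brand"


if __name__ == "__main__":
    # Sample links constructed from the examples in the article.
    for link in ("https://www.tdcanadatrust.com/login",
                 "www.tdcanadetrust.com",
                 "www.tdcanadatrust.example.com",
                 "http://nuvornagazine.com",
                 "http://gmial.com"):
        print(link, "->", classify_url(link))
```

An "unknown" verdict is not a clean bill of health; it only means the domain resembles nothing on the allow-list. The two-edit threshold and the minimum brand length of five letters are tuning choices to keep short brand names from matching unrelated words.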
What to do
Trust your gut:
If it seems fishy, it's probably a phishing scam. Even if an email comes from a known source, think about whether you were expecting one from that person, whether it sounds like it was written by them, and whether that person rarely communicates with you by email. All of these are signs that their email account has been compromised and is being used by a scammer to spread phishing attacks. If you receive an email from an unknown source, consider the context in which you received it: a legitimate one is usually from a mailing list, or prompted by an action you took.
Always treat attachments as suspicious and avoid opening them if you don't have to. If you receive an email that seems odd from a source you trust, call them; that person might not know they have been hacked. If you receive an email claiming to be from your bank or service provider, give them a call.
Vishing, or voice phishing, is another technique: someone calls you claiming you owe them money or asking for a donation. They might even claim to be from the bank or insurance company you use and say you need to send them money. The best thing to do is hang up and call your bank or representative directly to make sure the request really came from them.
Make sure you use strong passwords and don't reuse passwords across accounts. Password managers are cheap (some are even free - Dashlane, LastPass, 1Password) and make adopting strong passwords much easier. Close accounts you don't use anymore, especially those that can hold financial information, like eBay, AliExpress, and other online marketplaces. Enable 2FA or multifactor authentication on every account that offers it. A smart way to take control of your security is to use a physical security key like a YubiKey (Google has stopped all phishing attempts against its 85,000 employees since deploying YubiKeys - Read more). It may not seem like much, but every step is important. If you do get phished, these precautions will help contain the damage and keep it from spreading to your other accounts.
Some favourite brands used by scammers include:
Microsoft, PayPal, Facebook, Netflix, Dropbox, Apple, Google, and many, many more. Vade Secure, an email security solution provider, has put together a list of the top brands used in phishing emails: Vade Secure - Phishers' Favorites.
Reply All by Gimlet Media did an episode entitled "What Kind of Idiot Gets Phished?" on May 18, 2017. One of the presenters phished her coworkers at Gimlet. It's worth listening to, as many who fall for the mock attack are tech-savvy and take some precautions.
For more information, please contact Next Digital; we have end-user training and solutions to protect your business and employees from cybersecurity threats, including phishing attacks.