Posts

Phishing is Getting Fishier

If you are like most people, you have undoubtedly received an email that has asked you to click on a link. Did you click it?

If you did, no worries, you are just like 99% of internet users – everyone has clicked a link before, it is pretty normal. But, in some situations, you may have found that the link took you to a new or maybe spoofed website where you might be asked to do “something”, i.e. enter some information or even login to an account. Once you entered your username and password, they have it…

If you have ever done so, you were likely a victim of what is known as a phishing attack, and these attacks are getting fishier all of the time.

A What? Phish? Fish?

It’s called a phishing attack, and yes, it’s a play on words. When you fish, you throw a hook and worm into the water and hope you catch something. Hackers do the same when they phish.

Except, their hook and worm, in this case, is an carefully crafted email – designed to look like something you should get – which hackers hope you are going open…its then, that they can reel you in.

There are a few different types of phishing:

  • Spoofed websites – Hackers phish by using social engineering. Basically, they will send a scam email that leads to a website that looks very familiar. However, it’s actually a spoof, or imitation, that is designed to collect credit card data, usernames and passwords.
  • Phishing “in the middle” – With this type of phishing, a cybercriminal will create a place on the internet that will essentially collect, or capture, the information you are sending to a legitimate website.
  • Phishing by Pharming – With phishing by pharming, the bad guys set up a spoof website, and redirect traffic from other legitimate sites to the spoof site.
  • Phishing leading to a virus – This is probably the worst phish as it can give a criminal full control over your device. The socially engineered phish is designed to get you to click a link to infect your device.

Can You Protect Yourself from Phishing?

Yes, the standard rule is “don’t click links in the body of emails”. That being said, there are emails you can click the link and others you shouldn’t. For example, if I’ve just just signed up for a new website and a confirmation email is then sent to me, I’ll click that link. Or if I’m in ongoing dialog with a trusted colleague who needs me to click a link, I will. Otherwise, I don’t click links in email promotions, ads or even e-statements. I’ll go directly to the website via my password manager or a Google search.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video

Protect Yourself from Phishing

Everyone has received very obvious “phishing” e-mails: Messages in your in-box that have outrageous subject lines like “Your Account Will Be Suspended,” or, “You Won!”

13DWhile some phishing attacks are obvious, others look harmless, such as those in a person’s workplace in-box, seemingly from their company’s higher-ups.

Researchers point out that an e-mail may appear to come from the company’s HR department, for example. E-mails with an “urgent email password change request” had a 28% click rate, Wombat security reported.

Phishing victims act too quickly.

In the workplace, instead of phoning or texting the HR department about this password reset, or walking over to the HR department (a little exercise never hurts), they quickly click.

So one way, then, to protect yourself from phishing attacks is to stop acting so fast! Take a few breaths. Think. Walk your duff over to the alleged sender of the e-mail for verification it’s legit.

Wombat’s survey reveals that 42% of respondents reported malware infections, thanks to hasty clicking. However, employees were more careful when the e-mail concerned gift card offers and social media.

The report also reveals:

  • 67% were spear phished last year (spear phishing is a targeted phishing attack).
  • E-mails with an employee’s first name had a 19% higher click rate.
  • The industry most duped was telecommunications, with a 24% click rate.
  • Other frequently duped industries were law, consulting and accounting (23%).
  • Government was at 17%.

So as you see, employees continue to be easy game for crooks goin’ phishin.’

And attacks are increased when employees use outdated plug-ins: Adobe PDF, Adobe Flash, Microsoft Silverlight and Java.

The survey also reveals how people guard themselves from phishing attacks:

  • 99% use e-mail spam filters.
  • 56% use outbound proxy protection.
  • 50% rely on advanced malware analysis.
  • 24% use URL wrapping.

These above approaches will not prevent all phishing e-mails from getting into your in-box. Companies must still rigorously train employees in how to spot phishing attacks, and this training should include staged attacks.

Protect Yourself

  • Assume that phishing e-mails will sometimes use your company’s template to make it look like it came from corporate.
  • Assume that the hacker somehow figured out your first, even last name, and that being addressed by your full name doesn’t rule out a phishing attack.
  • Get rid of the outdated plug-ins.

Phishing attacks are also prevalent outside the workplace, and users must be just as vigilant when on their personal devices.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

How to Recognize a Phishing Scam

So someone comes up to you in a restaurant—a complete stranger—and asks to look at your driver’s license. What do you do? Show it to that person? You’d have to be one loony tune to do that.

3DHowever, this same blindness to security occurs all the time when a person is tricked by a “phishing” e-mail into typing in the password and username for their bank, or it may be the login credentials for their PayPal account or health plan carrier.

Phishing e-mails are a favorite scam of cyber criminals. THEY WORK.

When a cyber thief goes phishing, he uses a variety of bait to snag his prey. Classic examples are subject lines that are designed to get the recipient to immediately open the message and quickly react to it, such as an announcement you owe money, have won a prize or that your medical coverage has been cancelled.

And to resolve these problems, you’re asked to log into your account. This is where you place your account credentials into the palm of the thief on the other end of these e-mails.

  • Phishing e-mails may address you by name (the hacker already knows about you), but usually, your name is nowhere mentioned.
  • The e-mails usually contain at least one link they want you to click. Hover your mouse to see what the URL is. It may appear legit, but note the “http” part. Reputable sites for giant businesses, such as Microsoft and PayPal, will have an “https” in their URL. The phishing link’s URL will usually not have the “s.”
  • A big red flag is if there are typos or poorly constructed sentences, but a phishing e-mail may also have flawless text.
  • Don’t be fooled by company logos, stock imagery, privacy policies, phone numbers and other formalities in the message field. It’s so easy for a hacker to put these elements in there.
  • Be leery of warnings or alerts that don’t sound right. Gee, why would your account be “in danger of being suspended”?

The links will take you to a phony site that looks like the real thing and ask you for your login credentials, credit card information, etc. Another way this scam works is by downloading a virus to your computer after you click on the link. Sometimes there’s an attachment that you’re urged to open. The lure might be that it’s a survey from your bank or a report to review from your employer.

A phishing e-mail may still look like the real deal. So how do you protect yourself? Never click on links inside e-mails. Don’t open attachments unless they’ve been sent from someone you personally know. If you think it’s from your company, healthcare plan or bank, then whip out your phone and call the company to see if they sent you the e-mail.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.