Guide to Phishing
by Adam Arnold
The Internet has earned a reputation as a dangerous place. Many of the threats it hosts arrive as messages and links that disguise their real purpose; when the goal is to trick a person into handing over a password, money, or a foothold on their computer, we call it phishing. Considering how much is on the line for your business, you need to know which links are safe to click on and which are best left alone.
Phishing vs. Spear Phishing
One of the easiest ways for an attacker to get into a network is phishing: enticing an individual to open a file or click a link that installs malware or leads to a fake login page that captures their password. The foothold or credentials gained this way are then used to reach sensitive data and to dig deeper into the organization.
You probably understand that an email from a stranger asking you to open an attachment is a bad idea. Unfortunately, attackers are not counting on the savvy; they need only one person in the organization who has never been told why an unexpected attachment is dangerous, and even careful people slip when a convincing message arrives at a busy moment.
Security software that blocks malware at install time is the first line of defense against a bad click, but it does nothing against a phishing page that simply asks for a password, and not every organization takes breaches as seriously as you may (or may not).
As the name suggests, spear phishing is a more targeted and skillful form of phishing: a focus on specific individuals within an organization, using personalized emails or impersonating people they know so the messages are more compelling to open. Sony very well could have been a victim of spear phishing.
Spear phishing attackers mine social media sites such as LinkedIn or Facebook for personal information that makes the lure more believable to the target. Ultimately the attacker wants the organization's secrets: confidential internal email, intellectual property, or other data of value, such as Sony's entire library of digital movies.
Yeah, we get it, you're not Sony. But it's not always the big corporation that gets attacked directly. The first step in the Target breach was stealing the credentials of an HVAC contractor.
Real-Life Spear Phishing Scam
The Nigerian Prince email scam is so five years ago. Now when we receive one, we chuckle. Today, spear phishing is the game most attackers play, and it works because it trades on familiarity.
According to the FBI: Instead of casting out thousands of e-mails randomly hoping a few victims will bite, spear phishers target select groups of people with something in common—they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same website, etc. The e-mails are ostensibly sent from organizations or individuals the potential victims would normally get e-mails from, making them even more deceptive.
Below is a spear phishing attempt recently sent to a staff member of one of our customers. This email looked official, as if it came from her boss: the From line showed her boss's name and email address. (A From header is trivial to forge, so a familiar address on its own proves nothing; only the full headers show where a message really came from.) Fortunately, she thought it unusual and double-checked with "Bill" through another channel before sending anything.
OK, I want you to process a Transfer for $18,870 to the details below
Account Name : Stacey louise Collins
Account Holders Address : 814 Parkview circle Hewitt TX 76643
Bank Name : Chase Bank
Bank Address : 800 Hewitt Drive Waco TX 76712
Bank phone Number (254)666-1336
Account Number : 731923392
Routing Number : 111000614
E-mail me once you get this message and also when you have process the transfer e-mail me the confirmation slip.
Sent from my iPhone
After our client called us and we confirmed that it was a scam, they exchanged a few more messages with the sender. The scammer followed up with another email: "It looks like the transfer went through, but I have not received the confirmation number yet. Please get that to me ASAP." Our client responded: "Of course. Call me and I will give that to you over the phone, rather than by E-mail." The scammer went on to say: "Will do. Am in a meeting right now, but will call afterward." As you can see, this is a real person responding in real time. Scary.
Sure, in some companies it may be common practice to request wire transfers by email without much thought. Fortunately, that was not how our customer operated: the staff member verified the request with her boss through a second channel before acting, which saved $18,870 and taught a lesson.
Know Your Stuff
As mentioned above, spear phishing succeeds because it trades on the familiar, and it can catch even the most diligent person off-guard. The defense is a habit: treat any unexpected request, especially one involving money, credentials, or an attachment, as unverified until you have checked it.
When in doubt, don't trust links you're sent. It's as simple as that. Malicious links spread through email, social media messages, and chat alike. Your email client will let you view the full headers of any message, and those headers carry the information a quick glance at the inbox hides: the sender's actual address (not just the display name), any Reply-To address that would quietly divert your answer to a different mailbox, the Return-Path and the chain of Received lines showing which servers handled the message, and the Authentication-Results line recording whether the SPF, DKIM, and DMARC checks passed or failed.
But what if someone you know sends you a link without any context? How are you supposed to know if you can trust it? It's crucial that you confirm with the supposed sender through a different channel than the one the link arrived on: phone them, or walk over to their desk. Social media isn't immune either; it's not uncommon for hijacked accounts to be used to push malicious links to the victim's contacts. Either way, you need to be sure you can trust the source of the message, not just the name it carries.
An attacker can also create a carbon copy of someone's social media account to trick that person's contacts into accepting a connection from the imposter. This might seem minor, but the imposter then sees whatever you share with your connections (as much as your privacy settings allow, anyway), and the cloned account is a convenient base for further spear phishing.
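The header review described above, written out as a script. This is an added example, not code from the original article or from Keystone. The message it inspects is constructed for illustration and modelled on the wire-transfer lure earlier in this post; every address, host, and IP in it is hypothetical (reserved example names and documentation addresses).

```python
"""Pull the phishing-relevant fields out of raw email headers.

Added example, not code from the original article or from Keystone.
The message below is constructed for illustration; every address and
host in it is hypothetical (reserved example.com / .example names).
"""
import email
import re
from email.utils import parseaddr

SAMPLE_EMAIL = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.7) by mx.example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Bill Smith" <bill.smith@example.com>
Reply-To: "Bill Smith" <bill.smith.ceo@gmail.example>
To: staff@example.com
Subject: Transfer request
Date: Mon, 1 Jan 2018 09:00:00 -0600

OK, I want you to process a Transfer for $18,870 to the details below
"""

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def address_domain(header_value):
    """Lowercase domain of the first address in a header value ('' if none)."""
    _display, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw_message):
    """Return a dict of findings: which of the usual spoofing tells are present."""
    msg = email.message_from_bytes(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = address_domain(msg.get("From", ""))

    reply_domain = address_domain(msg.get("Reply-To"))
    return_path_domain = address_domain(msg.get("Return-Path"))
    auth_headers = " ".join(msg.get_all("Authentication-Results", []))

    return {
        "from_address": from_addr,
        # A Reply-To on another domain silently redirects the victim's answer.
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        # Return-Path is the envelope sender; a mismatch is normal for mailing
        # lists but suspicious on a one-to-one note from "the boss".
        "return_path_mismatch": bool(return_path_domain)
        and return_path_domain != from_domain,
        # Anything other than 'pass' for SPF/DKIM/DMARC deserves a second look.
        "auth_failures": [
            f"{mech.lower()}={result.lower()}"
            for mech, result in AUTH_RESULT.findall(auth_headers)
            if result.lower() != "pass"
        ],
        # "bill@example.com" <attacker@...> hides a fake address in the name.
        "address_in_display_name": "@" in display_name,
    }


def is_suspicious(findings):
    """True if any tell fired; one tell is enough to pick up the phone."""
    return (
        findings["reply_to_mismatch"]
        or findings["return_path_mismatch"]
        or bool(findings["auth_failures"])
        or findings["address_in_display_name"]
    )


if __name__ == "__main__":
    result = analyze_headers(SAMPLE_EMAIL)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", "SUSPICIOUS" if is_suspicious(result) else "no tells found")
```

On the constructed message every tell but the display-name trick fires: the reply would go to a webmail address, the envelope sender is an unrelated relay, and the receiving server recorded SPF and DMARC failures. None of these is visible in the inbox view, which shows only "Bill Smith". The Authentication-Results line is only trustworthy when it was written by your own mail server, so read the one added by the last hop, not any copy the sender may have included.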
For Further Protection
One thing that's becoming increasingly apparent is that these messages are growing more convincing, which is cause for concern. Phishing campaigns often draw on data from earlier breaches to pick targets and personalize the lure. The best protection is to look critically at any questionable message and to make sure a link actually goes where it claims to go: hover over it without clicking and compare the real destination with the visible text, watching for a different domain, a brand name buried inside an unrelated domain, or an address tucked in front of an @ sign. Also be wary of misspellings, improper grammar, and other throwaway signs of malicious intent, but don't rely on them alone; a well-written lure is not a safe one.
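The hover-and-compare check above, automated over the anchors in an HTML message. This is an added example, not code from the original article or from Keystone. The HTML fragment, the allow-list, and every host in them are constructed for illustration (reserved example names and documentation IP addresses); the checks cover more tricks than the paragraph lists, namely a username smuggled in front of the real host, internationalized (punycode) hostnames, and non-HTTP link schemes.

```python
"""Compare where a link says it goes with where it actually goes.

Added example, not code from the original article or from Keystone. The
HTML fragment, the allow-list and every host in them are constructed for
illustration (reserved example names, documentation IP addresses).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allow-list: the real domains of the bank this office uses.
TRUSTED_DOMAINS = {"chase.com"}
# Brand strings whose appearance inside some *other* domain is a red flag.
BRAND_KEYWORDS = {"chase"}

# Visible link text that itself looks like a URL or a bare domain.
DOMAIN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)

SAMPLE_HTML = """
<p>Your account needs attention. Please sign in:</p>
<a href="https://chase.com.secure-login.example/verify">https://www.chase.com/login</a>
<a href="http://www.chase.com@198.51.100.4/">www.chase.com</a>
<a href="https://xn--chse-1ua.com/">Chase Online</a>
<a href="https://www.chase.com/">Chase Online</a>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_link(href, text):
    """Return the list of tells for one link; an empty list means none fired."""
    flags = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme.lower() not in ("http", "https"):
        flags.append("non-http scheme")
    # http://www.chase.com@198.51.100.4/ : everything before '@' is a username
    # the browser discards; the real host is whatever follows it.
    if parts.username is not None:
        flags.append("userinfo in URL")
    # Internationalized hostnames can render as look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode hostname")
    # The text shows one host, the href goes to another.
    match = DOMAIN_TEXT.match(text)
    if match and match.group(1).lower() != host:
        flags.append("visible text points to a different host")
    # chase.com.secure-login.example: the brand is a subdomain of a stranger.
    if host and not is_trusted(host) and any(k in host for k in BRAND_KEYWORDS):
        flags.append("lookalike of a trusted domain")
    return flags


def scan_html(fragment):
    """Return [(href, flags), ...] for every anchor in the fragment."""
    collector = AnchorCollector()
    collector.feed(fragment)
    return [(href, check_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, flags in scan_html(SAMPLE_HTML):
        print(f"{href}\n  {', '.join(flags) if flags else 'ok'}")
```

Only the last anchor, which really goes to the bank, comes back clean. Note that the wire-transfer email earlier in this post contained no link at all, which is why the header check matters as much as the link check: a lure that only asks you to act needs nothing for a scanner to flag.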
What Are Others Doing?
Google's Chrome browser now marks any website served over plain HTTP, without TLS (still widely called SSL), as "Not secure". If your site displays that label, get a certificate and serve it over HTTPS as soon as possible, or visitors may get the wrong idea about your business. Be aware of the limit of that signal in the other direction, though: the padlock only means the connection is encrypted to whoever runs the site, and phishing sites obtain valid certificates too, so a padlock is never proof that a link is safe.
Don’t let malicious links fool your business. To learn more about how to keep your business safe, reach out to Keystone for help with your IT security.