Posted October 12, 2015
This post was written by our Director of Cyber Security Operations Greg Ogorek, and appears as a guest post on Sticky Password’s blog.
Although phishing has been around for many years, a surprising 23 percent of phishing email recipients will still open messages, and 11 percent will click on attachments, according to the 2015 Verizon Data Breach Incident Report. Since phishing is still one of the most prevalent security issues, and it is National Cyber Security Month, (#CyberAware) today’s educational post provides a high-level overview of phishing, why it still works, and how you can avoid falling victim to these scams.
While there are all kinds of threats on the Internet, many people find phishing to be one of the most worrisome ones because it is so common, and because a phishing email often seems like a more personal attack.
What Is Phishing?
Phishing is a tactic used by bad actors to steal private information through deceptive means. There are many types of phishing attacks, ranging from broad, spam-based email attacks to spear phishing attacks, in which criminals target individuals in attempts to access a company’s network or specific accounts. One thing is generally the same in all of them: the messages are typically urgent and designed to spur immediate action from the recipient.
This is at the core of why phishing campaigns work. They play to humanity’s fundamental weakness: our need to please, protect, and respond. The problem is further compounded by the fact that most people – even security practitioners – often don’t pay close attention when clicking on links in emails or on social media.
Let’s review a few common phishing attack methods and discover a little more about why they can cause so much harm.
Traditional Email Phishing Attacks
Phishers can send bulk emails designed to look just like legitimate email messages to thousands or even millions of people at once, asking for private information or for confidential corporate information. Emails requesting private information will ask for anything from your ATM PIN, Social Security Number, and bank account credentials, to answers to common security questions, your full name, and birthdate. Emails asking for corporate information can come disguised as emails that appear to be from vendors or contractors, coworkers, and even CEOs, and may ask for you to complete a form or click on a link.
Below is an example of a suspicious email. Notice the attention-grabbing header, “Security Alert,” that conveys an urgent tone, warning of negative action against your card if you don’t respond right away. The email provides a phone number; however, this number is nowhere to be found on the bank’s website. Is it a phish?
No, this one is actually legit. But how can you tell? Since the phone number in the email is not on the website, the best thing to do is call the number directly on the back of your debit or credit card or the fraud department phone number on your bank’s official website. Otherwise, you could end up calling a center that is part of an elaborate criminal scheme. It only takes a bad actor a few minutes to copy a legitimate email like this and send it out to millions of people with a malicious phone number and website link.
Phone Calls and SMS Texting
Some phishing attacks don’t require a website at all! These involve a text message or voicemail to the victim, requiring them to call a number back. When you call the number, you’ll hear a professional recording or someone will answer the phone in a soothingly professional voice. The person will have some private information about you, so they can verify themselves as legitimate, and will proceed to ask for more private information. In a related scam, callers may pretend to be calling from the technical support division of a real company and try to convince you that you have malware installed on your computer and that they can remove this for you if you just provide your credit card details and access to your computer.
Puddle, Spear, and Whale Phishing
When a bad actor targets an organization to gather corporate insider information, the attack can come in many flavors.
- Puddle phishing: A generalized attack that targets the employees of a company
- Spear phishing: Attacks targeted more towards specific individuals within an organization via emails that contain personalized information or attachments that appear to be legitimate, such as billing or shipping information
- Whale phishing: Attacks targeted towards high net worth or high value individuals, such as executives, board members, and the C-suite
Advanced Persistent Threats (APT)
Advanced Persistent Threats (APTs) are used to probe the defenses of an organization over a length of time, sometimes years, in order to exploit weaknesses and gain knowledge, data, or access to private systems. For example, information about merger and acquisition (M&A) discussions can be used to play the stock market, or insight into product development can circumvent development efforts, disrupt manufacturing, and negatively affect a company’s profitability. Since they’re still so effective, phishing emails are often one of the first tactics that criminals or state-sponsored actors use in APTs.
Tips to Fight Phishing
Phishing can cause significant harm to both individuals and corporate entities. For individuals, it can damage your credit rating and even get you in trouble with the law if bad actors take out loans in your name without your knowledge. For organizations, phishing can harm your brand, undermine consumer confidence in your stability, and cost you millions of dollars in hard and soft financial loss.
As part of National Cyber Security Awareness month, we wanted to highlight some great tips from the folks at Stop.Think.Connect about staying safe online. No time is better than the present to brush up on some of these basic precautions:
- Keep your machine clean. Keep your anti-virus software up to date and don’t download files or apps from dubious emails, websites, or app stores.
- Protect your personal information. Use strong passwords and change them often, and don’t use answers for security questions with information that could easily be found on social media, such as your pet’s name.
- Be web wise. Stay informed about safe computing and read about current cyber threats online.
In the case of phishing, it pays to take precautions. The problem for many enterprises is between the seat and keyboard. Training employees to be suspicious and vigilant creates a much safer workplace environment and helps to protect valuable corporate assets. It’s not a matter of IF you might be attacked, it’s a question of whether or not you’re prepared to deal with the threat and recover quickly when it happens.