Posted October 4, 2016
What is Phishing and How to Avoid Phishing Scams
This blog is part of LookingGlass’ phishing series in support of the National Cyber Security Alliance’s initiative, National Cyber Security Awareness Month (NCSAM). This first week of this month (October 3-7) discusses the basic steps to online safety and security.
If you’re on the Internet, there’s a good chance you’ve been the target of a phishing scam – whether it’s because you received a phishing email or clicked on a link from an unknown sender on social media. Recent studies show that about 56 percent of email users still click links from unknown senders, even though they’re aware of common phishing indicators.
Today, we’re going to discuss the basics of phishing, review how phishing scams work, and offer solutions for how you can avoid them.
What Is Phishing?
Phishing is a tactic threat actor’s (cyber criminals, scammers, etc.) employ when trying to trick a target into giving away confidential information, such as a social security number, login credentials, ATM PIN number, credit card number, sensitive personal data, confidential business data, etc. This practice, a form of social engineering, uses human interaction to trick people into doing something they wouldn’t normally do otherwise (another topic we will discuss later this month).
Most people know phishing in its traditional form: Email phishing attacks. This can range from the more obvious “urgent message” from your bank requiring you to click a link and log-in to resolve the problem immediately, to the Nigerian email scams that that have been around for years, to an email that appears to be from a close family member who needs you to “quickly send money” because they are overseas and their credit cards have been stolen. As we become more connected, many people don’t realize that phishing doesn’t happen exclusively over email. You can also be phished via text messages, phone calls, instant messaging, and even social media.
There are many different types of phishing attacks. Some of the most popular include:
- Spear Phishing: Attacks targeted towards specific individuals via methods that contain highly personalized information or attachments that appear to be legitimate.
- Whale Phishing: Attacks targeted towards high net worth or high value individuals, such as executives, board members, and the C-suite.
- Puddle Phishing: A generalized attack that targets the employees of a company. Similar to Watering-hole attacks where a group is targeted, except rather than duplicating websites, phishing emails are used to scam the targets.
- Vishing (Voice Phishing): Phishing attacks that occur over the phone.
- SMShing: The use of text messages to lure targets into calling a fraudulent number or clicking a malicious link.
- Angler Phishing: Targets receive “support” messages from a social network’s customer service account. Instead of helping, these accounts attempt to steal credentials. Many times this particular scam is targeted towards the financial services industry.
How & Why Phishing Works
Phishing has become a simple process for the threat actor to accomplish. The attack can be as simple as an email with a “Lure” message containing a “hook” or call to action that involves visiting a fake web page, or just calling a voicemail in order to leave your private information on a recording. The tools used have become a commodity, with threat actors trading in a hidden market to share phishing kits, tactics and results.
Phishing has worked so well for so long because the messages seem legitimate and play into human emotion, such as to please, to protect, and to react out of greed or fear. The basic human instinct to trust others or familiar destinations (as in a website) is compromised by confidence-inspiring message content crafted to manipulate these emotions.
A tone of authority and urgency are also often portrayed in phishing messages, which can make you feel pressured to provide information that you would not normally share.
How to Avoid Being a Phishing Victim
Combating phishing is more important than ever. The Anti-Phishing Working Group (APWG) saw more phishing attacks in the first half of 2016 than any other time in history. Phishing awareness starts with the individual. Organizations should consider a combination of cyber safety training for employees and investing in a phishing detection service.
Specifically, here are warning signs to look out for:
- Deals that are too good to be true. This often happens during certain times of the year such as holidays, back to school, etc.
- Messages from close relatives asking for personal information. It doesn’t hurt to pick up the phone and personally contact that individual to confirm his or her message.
- Any suspicious message asking you to click a link, especially a tiny URL (shortened URL).
- Always check the “From” line for misspellings, such as zeroes instead of “O” or “3” instead of “E.” Another hint is to look for email addresses with obviously spoofed or unmatched aliases (such as firstname.lastname@example.org ‘Tammy Jones’).
- Beware of any urgent call to action that claims you must “Act Now” or any language along the lines of “It’s an emergency.” Typically, if an official organization needs something urgently, you will be notified via other mediums.
- Be wary of communications that reference government departments such as the IRS or District Courts. Many people will provide personal information or financial data when faced with intimidation or threat of legal action.
By: Greg Ogorek, Sr. Director Cyber Security Operations and Michael Perry, LookingGlass SIU
Follow and connect with us on Twitter, Facebook, and LinkedIn if you would like to discuss any of our blogs in more detail, and see how else we are championing NCSAM here: https://www.lookingglasscyber.com/solutions/phishing/!
You May Also Be Interested In…
- [WHITE PAPER] Four Steps to Effectively Protecting Your Organization from Phishing Attacks
- [DATA FEED] LookingGlass Cyveillance Phishing URL
- [THREAT INTELLIGENCE SERVICE] Phishing Detection
- [SOLUTION] Dynamic Threat Defense