Phishing: Don't Get Hooked
Author: Elaine Harrison-Neukirch
Social engineering tricks people into divulging confidential information such as usernames and passwords, PII (personally identifiable information), financial details, and business secrets. Tricking people into sending money or gift cards is also high on the list. Phishing can also serve as the entry point that lets an attacker launch ransomware or another type of malware. Phishing is one of the most prevalent and successful social engineering tactics. It can be conducted through email, phone calls, text messages, and instant messaging; email and instant messaging through social media are the most popular methods. The attacker pretends to be someone else by creating fake personas on social media or by forging the display name and sender address of an email. These vectors (methods) let the attacker cast a wide net and reach a large number of people with minimal effort. There are several types of phishing, each with a different purpose or attack vector: barrel phishing, spear phishing, whaling, Business Email Compromise (BEC), vishing, and smishing.
Barrel phishing sends hundreds of phishing emails to random people. The attacker has no specific target and simply hopes that many recipients will fall for the phish.
Spear phishing targets a specific organization. The attacker may have a list of email addresses or only the names of people who work there. If the attacker has only names, reconnaissance emails are sent to variations of those names (first.last, flast, and so on) to determine which addresses are valid; an address that does not bounce is probably live. Reconnaissance emails typically contain only a few words or nothing at all, and most are sent from Gmail or other free webmail accounts. The goal of a spear phishing attack may be to acquire user credentials for Active Directory or Office 365 accounts. The attacker may also launch a Business Email Compromise (BEC) attack, which tries to get people in specific departments to divulge confidential information (employee tax information, Social Security numbers, etc.) or to wire money. Spear phishing emails usually pose as coming from someone with authority within the company (CEO, CIO, HR Director), or from a trusted vendor with an invoice for immediate payment attached.
Whaling emails target the CEO or other high-level executives. They aim to capture logon credentials or to trick the executive into directing someone else to provide sensitive information or wire money under false pretenses.
Vishing is phishing done over the phone. The caller may spoof the calling number so it appears to come from a known person or company, and will pose as a person of authority or an employee of a known company. The aim is to obtain Social Security numbers, credit card details, or other sensitive information that can then be used to steal money or take over online accounts.
Phishing by text message is known as smishing; the same approach is used over instant messaging. Typical messages instruct the recipient to change a password by clicking a link, or to call a phone number immediately to avoid an account shutdown. Malicious actors also set up fake social media accounts and try to extract information through the platform's messenger. The most popular variant is to clone someone's social media profile (copying their picture and information) and then message that person's connections while pretending to be them.
Hacked Email or Social Media Account
These are harder to identify because they genuinely come from a known person's account. If an email or message from someone you know looks off or requests unusual information, do not respond to it. Call that person and ask whether they sent it.
How to Identify a Phish
It is becoming increasingly difficult to identify phishing emails. Malicious actors are getting better at crafting them so they make it past spam filters, email security gateways, and other threat protection tools. Several tell-tale signs are:
Poor spelling and grammar
Sender addresses that do not belong to the person or company the message claims to be from (for example, a Netflix password change notice sent from email@example.com)
Links whose real destination does not match the displayed text when you hover over them (the link reads www.Netflix.com but the hover shows notnetflixyz.ca)
Requests for money, gift cards, or specific information from unknown senders
Requests to change an account password or update credit card information, usually with a sense of urgency
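Two of the signs above, a sender address that does not match the claimed company and a link whose visible text names one site while it actually points to another, can be checked mechanically. The Python below is an added example, not code from the original article; the sample message, the domains in it and the brand-to-domain table are constructed for illustration.

```python
"""Added example: flag two phishing tells from the checklist above.

1. A link whose visible text names one site while its href points to another
   (www.Netflix.com shown, notnetflixyz.ca underneath).
2. A sender whose display name claims a brand but whose address is on an
   unrelated domain (Netflix Support <...@example.com>).
The message, domains and brand table below are constructed, not real data.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand -> legitimate domain. Assumed allow-list for the example; a real
# deployment maintains one entry per brand the organization cares about.
BRAND_DOMAINS = {"netflix": "netflix.com"}

# Visible anchor text that looks like a URL or bare domain ("www.Netflix.com",
# "help.netflix.com/x"). Text such as "Click here" is not compared.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?$", re.I)

# Constructed sample phish; the sender and link domains are placeholders.
SAMPLE_EMAIL = b"""From: Netflix Support <billing-alerts@example.com>
To: victim@example.org
Subject: Your password must be changed today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended unless you update your password now.</p>
<p><a href="http://notnetflixyz.ca/reset">www.Netflix.com</a></p>
<p>Questions? Visit <a href="https://help.netflix.com/">help.netflix.com</a>.</p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-case hostname named by a URL or bare domain, or None."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate  # let urlparse treat it as a URL
    return urlparse(candidate).hostname


def registrable_domain(host):
    """Last two labels (netflix.com for help.netflix.com). Good enough here;
    a production check would use the Public Suffix List so that a name such
    as example.co.uk is not reduced to co.uk."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def mismatched_links(html):
    """Return (visible text, real host) for links whose text names another site."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        if not DOMAIN_LIKE.match(text):
            continue
        shown, actual = host_of(text), host_of(href)
        if shown and actual and registrable_domain(shown) != registrable_domain(actual):
            hits.append((text, actual))
    return hits


def sender_mismatch(from_header):
    """Return (display name, sender domain) when the display name claims a
    brand whose legitimate domain differs from the sending domain, else None."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display.lower() and registrable_domain(domain) != legit:
            return display, domain
    return None


def analyze(raw_message):
    """Parse a raw RFC 5322 message and run both checks on it."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "sender": sender_mismatch(str(msg["From"] or "")),
        "links": mismatched_links(html),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
```

Run against the constructed message, `analyze` reports the sender (a "Netflix Support" display name on example.com) and the first link (www.Netflix.com shown, notnetflixyz.ca underneath) while leaving the genuine help.netflix.com link alone. Comparing registrable domains rather than full hostnames is what keeps help.netflix.com from being flagged against netflix.com.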
There are several things that will help you protect yourself from phishing and other scams. Install antivirus and anti-malware protection on your devices. Most paid subscriptions allow installation on multiple devices, and there are good free versions available.
Always install your device updates (Windows, Mac, iOS, Android). An up-to-date operating system helps ensure that your devices are not exposed to known vulnerabilities that hackers and malware exploit.
NEVER use a link from an email to change your password or update your financial information. Type the URL (website address) yourself or use a bookmark, log into your account, and make any changes there.
Set up two-factor/multi-factor authentication on any account that offers it, including banking, credit card, social media, and email. If someone obtains your login credentials, they would also have to pass the additional factor, which requires having your phone or hardware token in hand. An authenticator app or hardware security key is stronger than codes sent by SMS, which can be intercepted or phished.
Never open attachments you are not expecting, even from known senders.
Check out this helpful video on cybersecurity from a recent Girls Dream Code/CSNP Event.
About the author: Elaine Harrison-Neukirch is a network security engineer who aspires to educate people about cybersecurity and cyber hygiene.