I get asked all the time, “what is phishing?” I have 8 facts that I share even though there are a myriad more that could be covered, and will be covered in future articles.
Phishing is a prevalent type of cybercrime where hackers send emails that appear to be from a trustworthy source, institution or acquaintance. It’s a way to lure individuals into providing sensitive data such as personally identifiable information, banking, credit card details and passwords.
Here are some of the basic terms you hear when explaining the methods and delivery of a phishing scam.
What Is Phishing? 8 Facts
Malware is a catch-all term for any malicious software, regardless of how it works, intent, or delivery method.
Social engineering is the art of manipulating, influencing or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access.
A breach is an incident where information is stolen or taken from a website or database without the knowledge or authorization of the company owner. The size of the company doesn’t matter when it comes to data breaches — hackers don’t care if you’re large or small. Stolen data may involve sensitive, proprietary or confidential information including:
- Usernames
- Passwords
- Credit card numbers
- Social security numbers
- Customer data
- Trade secrets
- Matters of national security.
Here are some Phishing and Email Fraud Statistics from 2019
- The average financial cost of a data breach is $3.86m (IBM)
- Phishing accounts for 90% of data breaches
- 15% of people successfully phished will be targeted at least one more time within the year
- BEC scams accounted for over $12 billion in losses (FBI)
- Phishing attempts have grown 65% in the last year
- Around 1.5m new phishing sites are created each month (Webroot)
- 76% of businesses reported being a victim of a phishing attack in the last year
- 30% of phishing messages get opened by targeted users (Verizon)
By 2021, global cybercrime damages will cost $6 trillion annually, up from $3 trillion in 2015 (according to estimates from the 2020 Official Annual Cybercrime Report by Cybersecurity Ventures).
The primary defense used against phishing emails is the email provider. Most email providers, such as Google (Gmail), Hotmail and Apple, scan incoming mail in an attempt to filter out spam and phishing emails. This is done by searching each email for strings and patterns previously determined to be characteristic of spam and phishing emails.
There are different types of phishing email scams. Hackers use many methods to lure you in with bait or deception: a fake website, a request for confidential information, or an email purportedly from an executive or human resources at work.
Email phishing: A phishing email can tempt users with a variety of scenarios, from the promise of free gift cards to urgent alerts from upper management. If users click on links in a phishing email, the links can take them to websites that collect information through social engineering or deposit dangerous malware onto the user’s personal or company computer.
The hackers will register a fake domain that mimics a genuine organization and send out thousands of generic requests. The fake domain often involves character substitution, like using ‘r’ and ‘n’ next to each other to create ‘rn’ instead of ‘m’. If you receive an email from a bank or Netflix about a particular issue relating to your account, check the link: does it go to the company’s own domain, i.e., Netflix.com, Chase.com, or Wikipedia.org for Wikipedia?
Alternatively, hackers might use the organization’s name in the local part of the email address (such as paypal@domainregistrar.com) as part of the phishing scam, in the hope that the sender’s name will simply appear as ‘PayPal’ in the recipient’s inbox. Is the link the real domain, or something different, such as Netflixx.com or accounts.netflix.com.gotoreport.net? Both of those examples are fraudulent. When you are unsure, log in to the site directly instead of following the link.
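The link checks described above, written out as an added example that is not part of this article: it takes a link (or a sender address) plus the domain you expect, and reports which of the tricks above it resembles. The function names and the small lookalike table are my own assumptions, and the brand names used in the comments are constructed test cases.

```python
# Added example (not from the article): apply the article's link checks to a
# URL or sender address. Names are hypothetical; LOOKALIKES is a small
# constructed table (a real checker would use a fuller homoglyph list).
from urllib.parse import urlsplit

LOOKALIKES = {"rn": "m", "vv": "w"}   # pairs that read as one letter at a glance

def normalize(label):
    for fake, real in LOOKALIKES.items():
        label = label.replace(fake, real)
    return label

def registrable_domain(host):
    """Last two labels ('gotoreport.net'); real code would use the public-suffix list."""
    return ".".join(host.strip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to flag near-miss typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, expected_domain):
    """Return 'ok' or the kind of trick the link's host appears to use."""
    host = (urlsplit(url if "://" in url else "https://" + url).hostname or "").lower()
    expected = expected_domain.lower()
    brand = expected.split(".")[0]
    reg = registrable_domain(host)
    if reg == expected:
        return "ok"                      # accounts.netflix.com -> netflix.com
    if normalize(reg) == normalize(expected):
        return "lookalike"               # rnicrosoft.com (constructed)
    if brand in host[: len(host) - len(reg)]:
        return "brand-as-subdomain"      # accounts.netflix.com.gotoreport.net
    if edit_distance(reg, expected) <= 2:
        return "typosquat"               # netflixx.com
    return "unrelated"

def classify_sender(address, expected_domain):
    """Same check for a sender address, plus the brand-in-local-part trick."""
    local, _, domain = address.lower().rpartition("@")
    verdict = classify_link("https://" + domain + "/", expected_domain)
    if verdict != "ok" and expected_domain.split(".")[0] in local:
        return "brand-in-local-part"     # paypal@domainregistrar.com
    return verdict
```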
In 2009, the FBI called Operation Phish Phry the largest international phishing case ever conducted. Hundreds of bank and credit card customers received official-looking emails directing them towards fake financial websites. Victims entered their account numbers and passwords into fraudulent forms, giving the attackers easy access to their private data.
Spear phishing: There are two other, more sophisticated, types of phishing involving email. The first, spear phishing, describes malicious emails sent to a specific person. Hackers who do this will already have some or all of the following information about the victim:
- Their name
- Place of employment
- Job title
- Email address
- Specific information about their job role
One of the most famous data breaches in recent history, the hacking of the Democratic National Committee, was done with the help of spear phishing. The first attack sent emails containing malicious attachments to more than 1,000 email addresses. Its success led to another campaign that tricked members of the committee into sharing their passwords.
Twitter was hacked, compromising the accounts of celebrities, political leaders, and corporations. Twitter revealed hackers obtained user login credentials through a sophisticated spear-phishing campaign aimed at a select group of employees. Using these credentials, the hackers were able to gain information about Twitter’s internal processes, which ultimately gave them access to high-profile, verified Twitter accounts.
The Target data breach affected 110 million users, including 41 million retail card accounts. The attackers came in through a third-party HVAC vendor (FMS) which enjoyed trusted access to Target’s servers. Upon compromising FMS’s servers, gaining complete access to Target’s network was simple, just as planned.
Whaling: Whaling attacks are even more targeted, taking aim at senior executives. Although the end goal of whaling is the same as any other kind of phishing attack, the technique tends to be a lot subtler. Tricks such as fake links and malicious URLs aren’t useful in this instance, as hackers are attempting to imitate senior staff. Scams involving bogus tax returns are a common variety of whaling. Tax forms are highly valued by hackers as they contain useful information: names, addresses, Social Security numbers and bank account information.
In the case of Walter Stephan, CEO of FACC, which manufactures aircraft components for Boeing and Airbus, hackers faked Stephan’s email and directed a lower-level employee to transfer an enormous sum to an unknown bank account as part of an “acquisition project”.
Smishing and vishing: With both smishing and vishing, telephones replace emails as the method of communication. Smishing involves hackers sending text messages (the content of which is much the same as with email phishing), and vishing involves a telephone conversation. A common vishing scam involves a hacker posing as a fraud investigator (either from the card company or the bank) telling the victim that their account has been breached. The hacker will then ask the victim to provide payment card details to verify their identity or to transfer money into a ‘secure’ account – by which they mean the hacker’s account.
Amazon billionaire Jeff Bezos had his mobile phone “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia.
Angler phishing: A relatively new attack scenario, social media offers a number of ways for hackers to trick people. Fake URLs; cloned websites, posts, and tweets; and instant messaging (which is essentially the same as smishing) can all be used to persuade people to divulge sensitive information or download malware. Alternatively, hackers can use the data that people willingly post on social media to create highly targeted attacks.
In 2016, thousands of Facebook users received messages telling them they had been mentioned in a post. The message had been initiated by hackers and unleashed a two-stage attack. The first stage downloaded a Trojan containing a malicious Chrome browser extension on to the user’s computer. When the user next logged in to Facebook using the compromised browser, the hacker was able to hijack the user’s account. They were able to change privacy settings, steal data and spread the infection through the victim’s Facebook friends.
The most important defense is you, the person reading this article. How, you say? Once you click the link or provide information, you have assisted the hacker. Being aware is your best weapon. I have been caught by phishing emails and other malware. Do not tell anyone. These incidents happen at home and at work. I should know better, right? Why did I get snared by a phishing scam? Hubris. I was not paying attention. I was distracted with work or mindlessly surfing at home. While those incidents did not have catastrophic results, they were lessons to me about hubris and applying the training I have had and the training I provide to customers.
People, when given the opportunity, will default to trusting before diligence. It is in our nature. In the modern age we must be diligent first. Trust but verify is the famous saying. No one should ask you for passwords through an email or link. Whether at work or at home, if you receive an email from tech support without having submitted a ticket, go to the official site, get the tech support email address, and send them a quick email or call them to verify. A legitimate website will ask you to log in again if you go to more sensitive areas like credit card or account information.
Steps to defend against phishing attempts and limit damage:
- Diligence without training is useless. Take Cybersecurity Awareness Training. An informed user can be trained on how to spot a phishing email and thus avoid suspicious links. If it is not offered at work, ask your supervisor or IT Manager.
- Get a password manager. Dashlane, Roboform, 1Password and LastPass are some of the many password managers you can use to keep track of all the sites where you have accounts and their related usernames and passwords. If there is ever a breach or you fall victim to a phishing scam, you can go directly to the site in question and reset the password immediately. There are multiple companies checking on your behalf to see if a website and your account has been breached. PLEASE, DON’T REUSE PASSWORDS. I recommend a minimum password length of 12 characters, or use a 6-word passphrase with numbers and a special character, e.g., CatcallXboxHardeningRecopyUncurledPreschool%4416
- Make sure your operating system is at the current patch level, e.g., Microsoft Windows 10 or Windows 8.1, or a Linux distribution such as Ubuntu or Red Hat.
- Keep your antivirus scanner and VPN software up to date. Antivirus: Microsoft Defender Antivirus, F-Secure SAFE, Norton 360 with LifeLock Select, Bitdefender Antivirus, McAfee Total Protection, ESET NOD32 Antivirus. VPN: NordVPN, Surfshark VPN, UltraVPN, F-Secure Freedom.
- Back up your data and operating system. Online backup and local backup are both good. In my opinion, a hybrid approach to backups is best: you can restore quickly if need be, and you have the safety of your backups being stored encrypted in the cloud if your primary location is inaccessible. But that’s another article.
- Where possible, use multi-factor authentication (MFA). If a password is known, then the second (or third) “factor” of authentication is an additional layer of protection. A good resource for checking if MFA is available on different services is https://twofactorauth.org/. Multi-factor authentication is used by banks and companies: you get a code texted or emailed to you to enter when prompted, to validate who you are.
If you do fall victim to a phishing scam at work, report it immediately to your help desk or IT support teams. Follow their instructions. If you are a consumer or a small business, file a complaint with the Internet Crime Complaint Center.
The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center, also known as IC3, exists to provide the public with a reliable and convenient reporting mechanism to submit information concerning suspected Internet-facilitated criminal activity and to develop alliances with law enforcement and industry partners. Information is analyzed and disseminated for investigative and intelligence purposes to law enforcement and for public awareness. https://www.ic3.gov/
The National Institute of Standards and Technology (NIST) is a government agency that develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry. NIST produces and provides standards and guidelines to help federal agencies and companies. They are a treasure trove of information for consumers and businesses of all sizes.
NIST published a guide, the NIST Cybersecurity Framework. This is one of the many guides and documents NIST provides, based on best practices from several security documents, organizations, and publications, to assist businesses in cybersecurity. https://www.nist.gov/
Small businesses with limited resources and budgets are also a target audience of NIST. These companies need cybersecurity guidance, solutions, and training that is practical, actionable, and enables them to cost-effectively address and manage their cybersecurity risks. This NIST Small Business Cybersecurity Corner puts these key resources in one place. https://www.nist.gov/itl/smallbusinesscyber
These are the basic things you can do as a start to making yourself safer online and when interacting with emails. The more you educate yourself, the more you can do to stay safe.
Stay Aware, Stay Safe: Seth Melendez, President, WareGeeks Solutions. Phone: (877) 653-7146