What is Phishing?
Anyone with an email account has received plenty of spam email, including plenty of scams. Phishing is the fraudulent practice of sending emails that appear to be from legitimate companies or organizations. It is used in an attempt to trick you into revealing information that you should not reveal, such as usernames and passwords, how an internal procedure works, or other confidential information that’s valuable to an attacker.
Attackers constantly change tactics and use anything and everything to make their phishing emails effective. There are already many COVID-19 related phishing scams.
Defending against phishing is very important because it is the first step for attackers in many data breaches, as attackers exploit the weakest link to gain access, which is often people rather than software or hardware. You can see how effective phishing is in these phishing statistics.
A classic example of phishing is an email that asks you to log into what appears to be a legitimate web site, which then captures your credentials and sends them to the attacker. This blog covers how to identify common phishing scams so you can avoid falling for them.
Spear phishing refers to specifically targeted phishing attempts. Attackers use whatever personal information they can obtain on the potential victim to better convince them that they are receiving a legitimate email. If you think of your average phishing attack like a form letter, spear phishing is like a more detailed and targeted form letter. For example, a spear phishing attempt might address you by name and refer to public or private information about you that the attacker has gathered, perhaps from social media, to make it appear that the attacker knows you personally. Highly targeted spear phishing attempts may be personally written to appear even more authentic.
With the number of data breaches these days, more and more formerly private personal data about you is available to bad actors. For example, a recent round of phishing emails included people's leaked passwords from an earlier data breach, in an attempt to show that the attacker "knew" something about the recipient and had already “hacked” them in the past. In reality the attacker used a database from a breach to obtain this information.
Avoid Being Phished
It’s important to keep some general principles in mind to avoid falling for phishing scams. While phishing tactics are constantly evolving, phishing emails always try to cajole you into doing something, like click a link and enter your credentials, open an attachment, or click a link to download and run an executable. Be very suspicious of any email that tries to get you to take an action.
Phishing emails often use a “carrot and stick” approach to motivate you to act. The carrot might be a fake “shipping notification” for a package you never ordered, with a malicious link to “track” it, or a message saying you won a contest and just need to fill out a form to receive your prize. The stick might be someone impersonating your IT department and requesting that you do something, or impersonating a government agency such as the IRS and demanding payment.
If someone contacts you claiming they are in a position of authority and asks you to do something, verify their identity via another channel. For example, a common phishing tactic is to impersonate your IT or security department and ask you to do something. If an unfamiliar "Bob from IT" emails you and asks you to do something, don't be afraid to reach out to your IT department via phone, chat, or in person to verify that Bob is who he says he is.
Phishing emails may also attempt to exploit people’s desire to help others, for example a phony charity scam, or an appeal to help a distant relative of yours that does not really exist.
The technical tricks that attackers use to make phishing emails appear legitimate can make it tough for the average person to tell if an email is legitimate. That’s why it’s very important to ask your IT or Security department about suspicious email if you are unsure if it’s legitimate. You may need to open a ticket and/or forward the email to an internal phishing reporting email address.
Tactics to Use When Reading Emails
- Check the sender’s email address
  - Do not trust the displayed name of the person or organization who sent you the email. Always check the actual sender address by clicking or tapping into the name to reveal the full address; the display name is free text the sender chooses, and the address behind it is what matters.
- Check links
  - Hover your mouse over a link (or long-press it on a phone) to read the full URL it actually points to. The visible link text can say one thing while the real destination is somewhere else entirely. Never click a link whose destination address you do not recognize.
- Do not be fooled by close matches
  - Attackers often register a domain that closely resembles the one they want you to think the email is from, for example by swapping or adding a character, replacing letters with look-alike digits, or using the real company name as a subdomain of a domain they control (such as company.com.something-else.net). Read the whole domain carefully, paying attention to the part just before the first slash, since that is the part that determines where you actually end up.
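The three checks above can be automated against a raw message. The following is an added example (not code from the original post or from iuvo Technologies) in Python's standard library only: it parses a constructed sample email, compares the display name with the real sender address, compares each link's visible text with its real destination, and flags hostnames that imitate a small list of domains the recipient actually deals with. The trusted domains use the reserved `.example` and `.test` TLDs and are assumptions for the demo; the two-label `registered_domain` shortcut is a simplification a real tool would replace with the Public Suffix List.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient legitimately deals with (assumption for this example;
# .example and .test are reserved TLDs, so none of these are real sites).
TRUSTED_DOMAINS = {"bank.example", "shipping.example"}

# Constructed sample message, not a real phishing email. It mixes one
# lookalike sender, one deceptive link and one genuine link.
SAMPLE = """\
From: "Bank Example Security" <alerts@bank-example.com>
To: victim@corp.test
Subject: Unusual sign-in detected
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://bank.example.secure-login.test/session">visit bank.example/login</a>
to confirm your identity.</p>
<p>Your package: <a href="https://shipping.example/track/123">https://shipping.example/track/123</a></p>
</body></html>
"""

DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registered_domain(host):
    """Last two labels of a hostname. Simplification: real code would use the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host):
    """Return the trusted domain that `host` appears to imitate, or None.
    A host whose registered domain is itself trusted is genuine, not a lookalike."""
    if not host:
        return None
    host = host.lower()
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None
    # Undo common character substitutions (0->o, 1->l, rn->m) before comparing.
    second_level = reg.split(".")[0].replace("rn", "m").translate(str.maketrans("01", "ol"))
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]            # "bank" for bank.example
        if host.startswith(trusted + "."):       # trusted name used as a subdomain
            return trusted
        if brand in second_level:                # brand embedded in another domain
            return trusted
    return None


def domain_in_text(text):
    """First thing that looks like a domain or URL in visible link text, if any."""
    m = DOMAIN_RE.search(text.lower())
    return m.group(1) if m else None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: display name versus the real sender address.
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2]
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender address {addr} imitates {imitated} (display name {display!r})")
    elif registered_domain(sender_domain) not in TRUSTED_DOMAINS and any(
        t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS
    ):
        findings.append(f"display name {display!r} names a trusted brand but sender is {addr}")

    # Checks 2 and 3: every link's real destination versus its visible text.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"link to {host} imitates {imitated}")
        shown = domain_in_text(text)
        if shown and registered_domain(shown) != registered_domain(host):
            findings.append(f"link text shows {shown} but points to {host}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("WARNING:", finding)
```

Running it reports three findings for the sample: the sender domain bank-example.com imitating bank.example, the first link's host using bank.example as a subdomain of an unrelated domain, and that link's visible text naming a different site than it actually points to; the genuine shipping link produces no finding. In a mail gateway the same logic would run on the parsed headers and body rather than on a string.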
What to do about Phishing emails
Report phishing emails. If you realize or even suspect that you were tricked by a phishing email, report it to IT/Security as soon as possible! This is extremely important because they may need to take steps such as changing your password or locking down access, and time is often of the essence. Your IT department will likely be very grateful for your honesty and for telling them promptly.
If you don't know how to report a phishing email, that's a problem your IT organization needs to address. Reach out to IT and ask them for their procedure. IT departments need to make sure people are educated on basic email security and ideally hold regular training on it.
Every email client has ways to mark phishing or junk email which helps screen it out in the future. For example, Office365 has a “Junk” button which you can click and mark an email as junk, phishing, or simply block the sender. Take advantage of this, as this also helps protect you from future phishing attempts by training the filter.
Multi-factor authentication (MFA), also called two-factor authentication, can protect you if you do get phished and an attacker obtains your username and password. MFA requires an additional one-time code that changes over time, delivered by text message or generated by an authenticator app (the app is the more secure option, since text messages can be intercepted or redirected). With MFA the attacker has your credentials but lacks the current code, so the stolen password alone is not enough to log in. One caveat: a phishing site that relays your code to the real site in real time can still get in within the code's short validity window, so a one-time code is a strong mitigation rather than a complete one; phishing-resistant methods such as FIDO2/WebAuthn security keys tie the login to the genuine site's address and defeat that relay. Use MFA to protect important accounts whenever you have the option. Within organizations this is generally up to the IT department, but if they aren’t using MFA for important accounts, raise the issue with management.
If you decide that a given email is likely legitimate, but you aren’t 100% sure, and someone is not available to ask, it’s better to use a bookmark you already have to log into the site in question, or to type the site’s URL into your browser, rather than clicking a link from an email.
There’s plenty more information out there on protecting yourself from phishing. Here are some helpful anti-phishing resources:
- How to Recognize and Avoid Phishing Scams– great advice from the FTC.
- Google's Safe Browsing page- specifically "How can I tell if a page is fake?" which gives examples of how you can examine a URL to see if someone is trying to trick you.
- Krebs on Security (phishing-specific posts) – the latest news on new phishing scams from veteran cybercrime journalist Brian Krebs.
Keep in mind that phishing often takes advantage of the most vulnerable, such as seniors with cognitive difficulties, people that have fallen on hard times that are desperate for money or attention, and children that don’t know better. Take care to educate your friends and family on how they can avoid being phished.
Stay safe out there! If you would like to talk about protecting your organization from phishing, contact iuvo Technologies.