One phish, two phish, bad phish: don’t click!

You’ve most likely heard about an online threat called phishing. Although it’s been around for many years, it’s still a pretty big security issue. While there are all kinds of threats on the Internet, many people find phishing to be one of the most worrisome ones because it is so common, and because it seems like a much more personal attack.


Phishing is a tactic used by bad actors to steal private information through deceptive means. There are many types of phishing attacks, ranging from broad, spam-based email attacks to Spear Phishing attacks in which criminals target individuals in attempts to access a company’s network or specific accounts. One thing remains the same in all phishing attacks: the messages are scary, urgent, and written to spur action from the reader.

This is at the core of why phishing campaigns work. Phishing plays to humanity’s fundamental weakness: our need to please, protect, and respond. The problem is further compounded by the fact that most people – even security practitioners – often don’t pay close attention when clicking on links in email or social media.

Let’s review a few common phishing attack methods and discover a little more about why they can cause so much harm.

Traditional Email Phishing Attacks

Phishers can send bulk emails that have been cloned from legitimate email messages to thousands, and even millions, of people at once, asking for their private information. These emails will ask for anything from your ATM PIN, Social Security Number, and bank account credentials, to answers to common security questions, your full name, and birthdate.


Below is an example of a suspicious email. Notice the attention-grabbing header, “Security Alert,” that conveys an urgent tone, warning of negative action against your card if you don’t respond right away. The email provides a phone number; however, this number is nowhere to be found on the bank’s website. Is it a phish?

No, it’s legit. But how can you tell? Since the phone number in the email is not on the website, the best thing to do is to call the number on the back of your card directly. Otherwise, you could end up calling a center that is part of an elaborate criminal scheme. It only takes a bad actor a few minutes to copy a legitimate email like this and send it out to millions of people with a malicious phone number and website link.
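The check described above, comparing the phone number and links in a message against contact details you already hold rather than trusting what the message says, can be automated for a mail triage queue. This is an added example, not code from Cyveillance or the original post; the allowlists, the sample message, and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed allowlists: contact details verified out of band
# (for example, the number printed on the back of the card).
KNOWN_PHONES = {"18005550100"}
KNOWN_DOMAINS = {"examplebank.test"}

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message using reserved .test/.example names.
SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@examplebank.test>
Subject: Security Alert
Content-Type: text/plain; charset="utf-8"

We noticed unusual activity on your card. Call (800) 555-0199 now
or confirm at http://examplebank.test.account-verify.example/login
Our site: https://www.examplebank.test/contact
"""

def normalize_phone(raw):
    """Reduce a US-style number to digits with a leading country code."""
    digits = re.sub(r"\D", "", raw)
    return "1" + digits if len(digits) == 10 else digits

def host_is_known(host):
    """Exact or subdomain match only; a substring match would pass look-alikes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)

def unverified_contacts(raw_email):
    """Return phone numbers and link hosts in the body that are not allowlisted."""
    msg = message_from_string(raw_email)
    body = "\n".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain"
    )
    phones = {normalize_phone(m) for m in PHONE_RE.findall(body)}
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    return {
        "phones": sorted(p for p in phones if p not in KNOWN_PHONES),
        "hosts": sorted(h for h in hosts if h and not host_is_known(h)),
    }

if __name__ == "__main__":
    print(unverified_contacts(SAMPLE_EMAIL))
```

A flagged number or host is not proof of a phish, as the legitimate email above shows; it only marks contact details that should be confirmed through a channel you already trust.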

Phone Calls and SMS Texting

Some phishing attacks don’t require a website at all! These involve a text message or voicemail to the victim, requiring them to call a number back. When you call the number, you’ll hear a professional recording or someone will answer the phone in a soothingly professional voice. The person will have some private information about you, so they can present themselves as legitimate, and will proceed to ask for more private information. In a related scam, callers may pretend to be calling from the technical support division of a real company and try to convince you that you have malware installed on your computer and that they can remove it for you if you just provide your credit card details and access to your computer.

Puddle, Spear, and Whale Phishing

When a bad actor targets an organization to gather corporate insider information, the attack can come in many flavors.

  • Puddle phishing: A generalized attack that targets the employees of a company
  • Spear phishing: Attacks targeted more towards specific individuals within an organization via emails that contain personalized information or attachments that appear to be legitimate, such as billing or shipping information
  • Whale phishing: Attacks targeted towards high net worth or high value individuals, such as executives, board members, and the C-suite

Advanced Persistent Threats (APT)

Advanced Persistent Threats (APTs) are used to probe the defenses of an organization over a length of time, sometimes years, in order to exploit weaknesses and gain knowledge, data, or access to private systems. For example, information about merger and acquisition (M&A) discussions can be used to play the stock market, or insight into product development can circumvent development efforts, disrupt manufacturing, and negatively affect a company’s profitability.

Phishing can cause significant harm to both individuals and corporate entities. For individuals, it can damage your credit rating and even get you in trouble with the law if bad actors take out loans in your name without your knowledge. For organizations, phishing can harm your brand, undermine consumer confidence in your stability, and cost you millions of dollars in hard and soft financial loss.

The folks at Stop.Think.Connect have some great tips and advice about staying safe online. Considering that it’s Cyber Safety Awareness Month, it’s a good time to brush up on some of these basic precautions:

  1. Keep your machine clean. Keep your anti-virus software up to date and don’t download files or apps from dubious emails, websites, or app stores.
  2. Protect your personal information. Use strong passwords and change them often, and don’t use answers for security questions with information that could easily be found on social media, such as your pet’s name.
  3. Be web wise. Stay informed about safe computing and read about current cyber threats online.

Cyveillance provides a variety of services leveraging intelligent detection technology that finds phishing attacks faster and more accurately than others. We can remove these threats before they can cause any real harm to your organization and customers.

In the case of phishing, it pays to take precautions. The problem for many enterprises is between the seat and keyboard. Training employees to be suspicious and vigilant creates a much safer workplace environment and helps to protect valuable corporate assets. Cyveillance’s Cyber Safety Awareness training provides critical education about online threats in the modern Internet. It’s not a matter of IF you might be attacked, it’s a question of whether or not you’re prepared to deal with the threat and recover quickly when it happens.

About the author

Gregory Ogorek CISM, PMC-III, is a technology professional with more than 20 years of product development, technical sales support, public speaking, and operational process experience in application, network, and anti-fraud products and services. As the Senior Director of Cyveillance’s cyber security operations, he is responsible for all operational aspects of service delivery covering anti-phishing services, brand protection, mobile application analysis, online threat response, and 24×7 security monitoring services.