PHISHING TRIPS

If you have not yet been introduced to it, phishing is a form of online fraud in which the fraudster contacts you by email or another communication channel, such as Instagram. The fraudster is always malicious, using phishing emails to distribute links or attachments that can do various kinds of damage, from embedding viruses to capturing your login credentials or bank details. Phishing has become more popular with cybercriminals because it is easier to trick someone into clicking a malicious link in a seemingly innocent email than it is to penetrate a computer network’s defences. For some reason, Indonesia seems to have become a world centre for deceptive phishing, with complete “factories” full of fraudsters in operation. Phishing used to be carried out by the occasional hacker; now it is a sophisticated, very well organised big business.

How phishing works

Threat actors (a technical term for “fraudsters”) use social engineering techniques, a method of attack that relies on human interaction and involves manipulating people into breaking normal security procedures and best practices, to gain access to systems, networks or physical locations, or for financial gain. Social engineering lets the threat actor conceal their true identity and motives and present themselves as a trusted individual or body, to influence, manipulate or trick you into giving up privileged information or access within an organisation.

A sad aspect of phishing is that many social engineering ploys rely on people’s willingness to be helpful. We have all heard of an attacker sending emails in which they pretend to be a friend who has some kind of urgent problem that requires access to your bank details or wiring a sum of money to a given address.

Phishing expeditions used to take a “scattergun” approach, sending out huge numbers of emails; scammers were happy if 0.001% of recipients responded. These days phishers are likely to use social engineering and other public sources of information, including social networks such as LinkedIn, Facebook and Twitter, to gather background information about the target’s personal and work history, interests and activities. They can uncover names, job titles and email addresses of potential victims, as well as information about their colleagues and the names of key employees in their organisations. They work this information into a believable email. Attacks are targeted now and YOU may be the target. If it has not already happened, any day now you may receive a phishing email containing a malicious link or attachment. There might be one in your email inbox now.

Many phishing emails are still poorly written and obviously fake (I remember receiving one from “Smith & Weston”) but we can no longer rely on that. Cybercriminal groups increasingly use professional marketing techniques to identify the most effective types of message, the “hooks” that provide the highest number of openings or responses. Phishing campaigns can also be seasonal, built around major events or public holidays or to take advantage of breaking news stories.

You might receive a message that seems to have been sent by a known contact or body. It will have either a file attachment that contains malicious software, or links to malicious websites. The aim is to install malware (a program or file that is harmful to a computer user) on your device (workstation, laptop, tablet or smartphone) or direct you to a website set up to trick you into divulging personal and financial information, such as passwords, account IDs, credentials or credit card details.

How to recognise a phishing email

A professionally produced phishing message will be difficult to distinguish from an authentic message. It is likely to use an organisation’s email font, incorporate logos and distinctive graphics and data, such as names and contact details, stolen from the organisation the sender claims to represent. The links within the message are also likely to have been set up to look as though they connect to that organisation.

However, there are some clues that can indicate that a message is bogus:

  • The message uses subdomains, misspelled URLs (typo-squatting) or otherwise suspicious URLs.
  • The sender uses a Gmail or other public email address rather than a corporate email address.
  • The message is written to invoke fear, pity or a sense of urgency (“HMR&C have opened a case file with a view to prosecuting you”).
  • The message is written to invoke greed (“Reply now with bank account details or we will not be able to credit your refund”).
  • The message includes a request to verify personal information, such as financial details or a password (nobody has a right to ask for these details in an email, or face to face for that matter).
  • The message is poorly written and has spelling and grammatical errors (“From the Millenium Corporation”).
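The clues above can be turned into a simple mechanical check. The following Python is an added example, not part of the original article: it looks for a public webmail sender domain, pressure language, a request for credentials, and links whose host either buries a known brand name inside an unrelated domain or sits one or two characters away from it (typo-squatting). The brand list, webmail list and pressure words are constructed for the example.

```python
import re
from urllib.parse import urlparse
# Constructed lists for this example: impersonated brands and public webmail domains.
KNOWN_BRANDS = {"paypal.com", "worldpay.com", "hmrc.gov.uk", "microsoft.com"}
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
PRESSURE_WORDS = ("urgent", "suspended", "prosecut", "immediately", "verify", "refund")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a brand suggests typo-squatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host: str) -> str:
    """Crude registrable domain: last two labels, or three for UK second-level suffixes."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-1] == "uk" and parts[-2] in ("co", "gov", "org", "ac"):
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def url_clues(url: str) -> list:
    # Flag a brand name buried in an unrelated host, or a look-alike registered domain.
    host = urlparse(url).hostname or ""
    reg = registered_domain(host)
    if reg in KNOWN_BRANDS:
        return []  # the link really does point at the brand's own domain
    clues = []
    for brand in KNOWN_BRANDS:
        if brand in host:
            clues.append(f"brand embedded in unrelated host: {host}")
        elif 0 < edit_distance(reg, brand) <= 2:
            clues.append(f"typo-squat: {reg} resembles {brand}")
    return clues

def message_clues(sender: str, subject: str, body: str) -> list:
    # Collect the warning signs from the list above that appear in one message.
    clues = []
    match = re.search(r"@([\w.-]+)", sender)
    if match and match.group(1).lower() in PUBLIC_MAIL_DOMAINS:
        clues.append(f"public mail domain: {match.group(1).lower()}")
    text = (subject + " " + body).lower()
    if any(word in text for word in PRESSURE_WORDS):
        clues.append("pressure language")
    if re.search(r"\b(password|account details|card number)\b", text):
        clues.append("asks for credentials")
    for url in URL_RE.findall(body):
        clues.extend(url_clues(url))
    return clues
```

A message that trips none of these checks is not proven genuine; the checks are a first filter that makes the manual scepticism described in this article quicker to apply.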

Phishing examples

Phishing scams come in all shapes and sizes. You can protect yourself by staying alert and knowing about some of the more recent ways that fraudsters have been phishing.

Digital payment-based scams. A phisher masquerades as an online payment service, such as PayPal or WorldPay. These attacks are usually in emails where a bogus version of a legitimate payment service asks a user to verify their login details and other identifying information, usually to resolve an issue with the user’s account.

Look out for greetings that do not include the victim’s name. Official emails always address users by their actual name or business title. Anything that starts with “Dear user,” or uses an email address instead is probably a scam. Legitimate payment services will never try to scare you into precipitate action. Phishing emails will “alert” you to the fact that your account will soon be suspended. Others claim that you were accidentally “overpaid” and now need to return money into a fake account. Payment service providers generally do not send downloadable attachments. If you receive one, do NOT open it.

If you receive any emails from a payment service provider, open your payment page in a separate browser, device or window to see if your account has any genuine alerts. Or you could phone the customer service number that the payment service provider gave you when you registered and NOT the one on the suspect email (sorry if that sounds obvious, but you would be amazed …). While you are logged in or on the phone report the issue to them so that they can monitor your account and track the intrusion.

Finance-based phishing attacks are a common form of scamming, and they aim to panic the target into giving them personal information. Usually, they pose as a bank or other financial institution. In an email or phone call, they tell their target that their security has been compromised. Look out for suspicious emails about money transfers that contain a receipt or rejection message about a money transfer. If the target assumes that fraudulent charges have been made in their account, they might click a malicious link in the message.

Direct deposit scams are often used on new employees of a company or business. The target receives notice that their login information is not working so they will not get paid. If they panic, they might click a bogus link in the email, which leads them to a fake website that installs malware onto their system. From there, their banking information is vulnerable.

Once again, call the financial institution’s help desk or contact centre to check, and report the incident. For the direct deposit scam you can also talk to your payroll team.

Work-related phishing scams are usually highly personalised and hard to spot. In these cases, a phisher claiming to be the target’s CEO or CFO contacts the target, and requests a wire transfer or fraudulent purchase. There is a particular scam aimed at collecting credentials from executives. Often it is an email advising the target that a scheduled meeting needs to be changed. They are asked to fill in a poll about when a good time to reschedule would be, via a link. That link will then bring the victim to a fake login page for Office 365 or Microsoft Outlook. Once they have entered their login information, the scammers steal their credentials.

Types of phishing

As we educate our clients and deploy anti-phishing strategies, the phishers become more sophisticated with their existing types of phishing attacks and roll out new types of phishing scams. At the time of writing (February 2020) these are some of the more common types of phishing attacks to look out for:

  • Spear phishing attacks are directed at specific individuals or organisations, often using stolen information specific to the target. Look out for emails that seem unnecessarily to refer to your colleagues, make references to co-workers or executives at your organisation, as well as the use of your name, location or other personal information.
  • Whaling attacks specifically target senior executives, or others with the ability to commit large sums of money within an organisation, usually aiming to steal large sums. Look out for unexpected messages authorising a large payment to a supplier.
  • Pharming is a type of phishing that depends on attackers being able to replace legitimately saved data on a system with compromised data that contains malicious code. This will redirect users from a legitimate site to a fraudulent one, and trick users into attempting to log in to the fraudulent site with personal credentials.
  • Clone phishing attacks use legal, previously delivered, emails that contain either a link or an attachment. Phishers make a clone of the legitimate email, replacing any number of links or attached files with malicious links or malware attachments. These are dangerous because they appear to be a duplicate of the original, harmless email, so there does not seem to be any reason not to click again.
  • Evil Twin attacks take place when phishers set up a Wi-Fi access point and advertise it with a deceptive name that is similar to a legitimate access point. When victims connect to the evil twin Wi-Fi network, the attackers gain access to all transmissions to or from victim devices, including user IDs and passwords.
  • Voice phishing (or vishing) is phishing over voice communications. The phisher leaves voicemails apparently notifying the victim of suspicious activity in a bank account or credit card account and asks the target to respond to a phone number to verify their identity, compromising the target’s credentials.

There is no “silver bullet” to protect against phishing attacks; your first, and best, line of defence is to develop a healthy scepticism and not to believe anything you cannot confirm.
