Gone Phishing

Phishing advice from PAAC IT

Fraudsters have been using so-called phishing attacks for over 3 decades now, and they have got pretty good at it. As email users have got wise to the ‘Nigerian prince’ and ‘my friend is stuck abroad’ scams, fraudsters have upgraded their emails to look and behave like the rest of the messages hitting your inbox. The goal is simple: get you to click on a link and enter some personal details or transfer funds. To achieve this goal, they must convince you that the email is genuine and that there is a good reason for you to enter your details. Once they have captured your personal information, they may use it to launch further attacks on you or your contacts, or simply sell the information on the dark web for another fraudster to use another day.

Victims may be employees of an enterprise or simply individuals. The emails often target people’s emotions. In previous years, PhishMe reported that fear, urgency and curiosity were the top emotional motivators behind successful phishes. Now they’re closer to the bottom, replaced by entertainment, social media and reward/recognition.

We’ve written this article to help you understand how fraudsters operate so you can protect yourself and your organisation. We present a few real examples below, followed by the different types of attack, and wrap up with actions you can take yourself. Security software can be added to the defensive arsenal, but in this article we have focussed on things individuals can do to protect themselves.

You’ve won!!! ... or maybe not

  • A WhatsApp message has been doing the rounds across the world over several years and in different languages, suggesting that Adidas is offering 5000 pairs of shoes to celebrate its xxx anniversary, followed by a link from which to obtain the free shoes. Unfortunately, the victims just provided their contact details and payment arrangements to the scammers.
  • The BBC reported in November 2018 “University students have been bombarded with fake tax refund emails in the last month, HM Revenue and Customs (HMRC) has warned. It is estimated that hundreds of thousands of students have been targeted in a bid to steal their banking and personal details.”
  • A member of staff at one of our clients received an email from his boss instructing him to transfer £20k to a specified bank account. The email looked genuine, but the staff member followed protocol and checked with his boss by phone. Disaster averted.
  • An interior decorator emailed their customer an invoice for services rendered. Before their customer could pay, the customer received a second email purportedly from the interior decorator specifying a different account. Unfortunately, they paid, despite the new bank account being in Mexico – money gone!
  • While at my previous employer, I received an email from “UPS” about a parcel delivery. As I was expecting a parcel I clicked on the link – bad mistake. My PC was totally infected by malware and I received an email from corporate security: “disconnect from the network and take your PC to IT support NOW for a complete rebuild”.

Phishing Examples from PAAC IT

How to Phish

Just like real fishing, phishing has become very sophisticated with lots of different techniques, baits and lures.

Standard Phishing Attacks

Standard phishing attacks are broad and not personalised, using general email messages to carry out the attack. They use very common themes or lures in a generalised way against a large enough pool of targets. The idea is that, by chance, some percentage of the phishing emails will look legitimate enough to the recipient to be successful. Hence the use of giveaways or prizes from well-known brands, such as the Adidas example above.

Spear Phishing Attacks

Like its name implies, spear phishing is a more refined and targeted form of phishing. Fraudsters use themes or lures that are in some way relevant or appropriate to the victim – an individual, specific employees in an organisation or an organisation itself. The fraudsters have often done their homework to learn about their intended victim. For example, the email could appear to come from organisations (such as banks, your mobile provider or TV service provider) you trust and contain some information about you. Because the malicious email has a context for the target, you are more likely to trust it and open the email message and any attachments.

Conversation Hijacking

This approach involves a fraudster hacking someone’s email account. For example, Sharon and Jim are conducting an email conversation. A bad guy, Charlie, carries out an attack and gains complete control of Jim’s email account, often by theft of login credentials, such as a password. Once Charlie has access to Jim’s email account, he can continue the email discussion as if he were Jim with Sharon being totally unaware and prepared to trust anything she receives from “Jim”.

This is a highly sophisticated, labour-intensive, focused attack, so it’s not something that most individuals need to worry about. But it has happened to another of our business clients.

Man in the middle attacks

In this case you may receive an email apparently from your bank or service provider, asking you to log in to your account to confirm your contact information. You click on a link in the email and are taken to what appears to be your bank’s / service provider’s website, where you log in and perform the requested task. Scammed!!

In such a scenario, the man in the middle sent you the email, making it appear to be legitimate. (This attack also involves phishing, getting you to click on the email appearing to come from your bank.) The attacker also created a website that looks just like your bank’s website, so you wouldn’t hesitate to enter your login credentials after clicking the link in the email. But when you do that, you’re not logging into your bank account, you are handing over your credentials to the attacker.

What can you do?

There are so many of these scams around today, and they all look so real, that it can be very difficult to tell them apart from genuine emails.

Here are ten key things to look out for:

  1. Generic and informal greetings – a lack of personalisation and formality is typical of phishing scams;
  2. A request for personal information – the core element in most phishing scams;
  3. Poor grammar – spelling mistakes, typos and unusual phrasing are indicative of a fraud. In one version of the Adidas scam, for example, Adidas was spelt without the “dot” on the “i” – very subtle;
  4. Shortened links – fraudsters often use Bitly and other URL shortening services to make you think you are clicking a legitimate link. Hover your mouse over the link in the email to see where you are really being directed to;
  5. Out of the blue correspondence – unsolicited contact from your bank or a service provider, for example, is highly unusual;
  6. Unexpected attachments – as above, if you’re not expecting something, think twice before you open it – and even if you are expecting the mail, is it something you would expect to be asked?
  7. A sense of urgency or fear – be wary of statements like “click today”, “get in touch asap” or “you owe HMRC”;
  8. Striking gold – if it is too good to be true, then it is too good to be true;
  9. Peculiar domain names – why would an English bank send you emails from Peru, or a UK firm ask for a deposit to a Mexican bank account?
  10. HTTPS websites are not necessarily genuine – we have been taught that websites showing “HTTPS” are secure. They are, in the sense that the traffic between your device and the website is encrypted. But encryption says nothing about who runs the site: the fraudster may have set up their own fake “HTTPS” website.

A classic defence strategy in football is “if in doubt, kick it out”. Very sage advice if you are unsure of the pedigree of the email you are about to click on.

Be safe out there!

If you would like more help and advice:

  • For businesses: we are running a training course for staff on 29 January 2019. Search “Cyber Security Awareness Training for your Staff” on Eventbrite.com, or follow this link, if you trust us!
  • For individuals: pop into our store and ask one of our advisors.

About Us

We provide supportive leadership enabling our business community to succeed and prosper through effective use of IT and technology. PAAC IT is an IT company in Surrey offering small businesses the personal attention and care that their IT systems deserve. If your company has between 1 and 100 employees and needs an IT company in Surrey, we would love to hear from you!
