Fraudsters have been using so-called phishing attacks for over three decades now, and they have got pretty good at it. As email users have got wise to the ‘Nigerian prince’ and ‘my friend is stuck abroad’ scams, fraudsters have upgraded their emails to look and behave like the rest of the mail hitting your inbox. The goal is simple: get you to click on a link and enter some personal details or transfer funds. To achieve this, they must convince you that the email is genuine and that there is a good reason for you to enter your details. Once they have captured your personal information, they may use it to launch further attacks on you or your contacts, or simply sell it on the dark web for another criminal to use another day.
Victims may be employees of an enterprise or simply individuals. The emails often target people’s emotions – in previous years, PhishMe reported that fear, urgency and curiosity were the top emotional motivators behind successful phishes. Now they’re closer to the bottom, replaced by entertainment, social media and reward/recognition.
We’ve written this article to help you understand how fraudsters operate so you can protect yourself and your organisation. We present a few real examples below, followed by the different types of attack, and wrap up with actions you can take yourself. Security software can be added to the defensive arsenal, but in this article we have focussed on things individuals can do to protect themselves.
You’ve won!!! .. or maybe not
- A WhatsApp message has been doing the rounds across the world over several years and in different languages suggesting that Adidas is offering 5000 pairs of shoes to celebrate its xxx anniversary, followed by a link from which to obtain the free shoes. Unfortunately, the victims just provided their contact details and payment arrangements to the scammers.
- The BBC reported in November 2018 “University students have been bombarded with fake tax refund emails in the last month, HM Revenue and Customs (HMRC) has warned. It is estimated that hundreds of thousands of students have been targeted in a bid to steal their banking and personal details.”
- A member of staff at one of our clients received an email from his boss instructing him to transfer £20k to a specified bank account. The email looked genuine, but the staff member followed protocol and checked with his boss by phone. Disaster averted.
- An interior decorator emailed their customer an invoice for services rendered. Before their customer could pay, the customer received a second email purportedly from the interior decorator specifying a different account. Unfortunately, they paid, despite the new bank account being in Mexico – money gone!
- While at my previous employer, I received an email from “UPS” about a parcel delivery. As I was expecting a parcel I clicked on the link – bad mistake. My PC was totally infected by malware and I received an email from corporate security: “disconnect from the network and take your PC to IT support NOW for a complete rebuild”.
How to Phish
Just like real fishing, phishing has become very sophisticated with lots of different techniques, baits and lures.
Standard Phishing Attacks
Standard phishing attacks are broad and not personalised, using general email messages to carry out the attack. They use very common themes or lures in a generalised way against a large enough pool of targets. The idea is that, by chance, some percentage of the phishing emails will look legitimate enough to the recipient to succeed. Hence the use of a giveaway or prizes from well-known brands, such as the Adidas example above.
Spear Phishing Attacks
Like its name implies, spear phishing is a more refined and targeted form of phishing. Fraudsters use themes or lures that are in some way relevant or appropriate to the victim – an individual, specific employees in an organisation or an organisation itself. The fraudsters have often done their homework to learn about their intended victim. For example, the email could appear to come from organisations (such as banks, your mobile provider or TV service provider) you trust and contain some information about you. Because the malicious email has a context for the target, you are more likely to trust it and open the email message and any attachments.
This approach involves a fraudster hacking someone’s email account. For example, Sharon and Jim are conducting an email conversation. A bad guy, Charlie, carries out an attack and gains complete control of Jim’s email account, often by theft of login credentials, such as a password. Once Charlie has access to Jim’s email account, he can continue the email discussion as if he were Jim with Sharon being totally unaware and prepared to trust anything she receives from “Jim”.
This is a highly sophisticated, labour-intensive, focused attack, so it’s not something that most individuals need to worry about. But it has happened to another of our business clients.
Man in the middle attacks
In this case you may receive an email apparently from your bank or service provider, asking you to log in to your account to confirm your contact information. You click on a link in the email and are taken to what appears to be your bank’s / service provider’s website, where you log in and perform the requested task. Scammed!!
In such a scenario, the man in the middle sent you the email, making it appear to be legitimate. (This attack also involves phishing, getting you to click on the email appearing to come from your bank.) The attacker also created a website that looks just like your bank’s website, so you wouldn’t hesitate to enter your login credentials after clicking the link in the email. But when you do that, you’re not logging into your bank account, you are handing over your credentials to the attacker.
What can you do?
There are so many of these scams around today, and they all look so real, that it can be very difficult to distinguish them from genuine emails.
Here are ten key things to look out for:
- Generic and informal greetings – a lack of personalisation and formality is typical of phishing scams;
- A request for personal information – the core element in most phishing scams;
- Poor grammar – spelling mistakes, typos and unusual phrasing are indicative of a fraud. In one version of the Adidas scam, for example, Adidas was spelt without the “dot” on the “i” – very subtle;
- Shortened links – fraudsters often use Bitly and other URL-shortening services to make you think you are clicking a legitimate link. Hover your mouse over the link in the email to see where you are really being directed to;
- Out of the blue correspondence – unsolicited contact from your bank or a service provider, for example, is highly unusual;
- Unexpected attachments – as with above, if you’re not expecting something, think twice before you open – and even if you are expecting the mail, is it something you would expect to be asked?
- A sense of urgency or fear – be wary of statements like “click today” “get in touch asap” or “you owe HMRC”;
- Striking gold – if it seems too good to be true, then it is too good to be true;
- Peculiar domain names – why would an English bank send you emails from Peru, or a UK firm ask for a deposit to a Mexican bank account?
- HTTPS websites are not necessarily genuine – we have been taught that websites showing “HTTPS” are secure. They are, in the sense that the traffic between your device and the website is encrypted. But the fraudster may have set up their own fake “HTTPS” website, with a perfectly valid padlock.
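Several of the checks in the list above (shortened links, link text that does not match the real destination, lookalike domains such as the dotless “i”, unexpected sender domains, generic greetings, urgency and prize wording) can be automated and run over an incoming message before anyone clicks. The script below is an added example written for this article, not code from the original post or from any vendor; the sample message, the shortener list, the phrase lists and the `expected_domains` values are all constructed placeholders you would replace with the domains and wording relevant to your own organisation.

```python
"""Added example: automated versions of several of the phishing red flags
listed above, run over a constructed sample message (not a real email)."""
import html
import re
from urllib.parse import urlparse

# Constructed sample. The sender domain uses a dotless i (U+0131) in "adidas",
# the first link hides a URL shortener behind brand-looking text, and the
# second link uses the brand name on a domain the brand does not own.
SAMPLE_MESSAGE = {
    "from": "Adidas Rewards <promo@ad\u0131das-rewards.com>",
    "subject": "You've won!!! Claim your free shoes today",
    "html": """<html><body>
<p>Dear customer,</p>
<p>To celebrate our anniversary we are giving away 5000 pairs of shoes.
Click today - this offer expires asap!</p>
<p><a href="https://bit.ly/3AbCdEf">https://www.adidas.com/anniversary</a></p>
<p><a href="https://adidas-prizes.example.pe/claim">Confirm your details</a></p>
</body></html>""",
}

# Placeholder lists; extend them from your own mail-gateway data.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
URGENCY_PHRASES = ("click today", "asap", "you owe hmrc", "act now", "immediately")
LURE_PHRASES = ("you've won", "claim your", "free")
GENERIC_GREETING_RE = re.compile(r"\bdear (customer|user|member|account holder|sir/madam)\b", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def hostname(url):
    """Lower-cased host part of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def has_non_ascii(host):
    """True when the host contains characters outside ASCII (possible homoglyphs)."""
    return any(ord(ch) > 127 for ch in host)


def is_expected(host, expected_domains):
    """True when host is one of the expected domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in expected_domains)


def sender_domain(from_header):
    """Extract the domain from 'Name <user@domain>' or a bare 'user@domain'."""
    match = re.search(r"@([^>\s]+)", from_header)
    return match.group(1).lower() if match else ""


def check_sender(from_header, expected_domains):
    """Flag senders outside the domains the organisation actually uses."""
    findings = []
    domain = sender_domain(from_header)
    if has_non_ascii(domain):
        findings.append(("non_ascii_sender_domain", domain))
    if not is_expected(domain, expected_domains):
        findings.append(("unexpected_sender_domain", domain))
    return findings


def check_links(html_body, expected_domains):
    """Flag shortened links, text/href mismatches, non-ASCII and lookalike hosts."""
    findings = []
    brands = {d.split(".")[0] for d in expected_domains}  # e.g. "adidas"
    for href, inner in ANCHOR_RE.findall(html_body):
        text = html.unescape(TAG_RE.sub("", inner)).strip()
        href_host = hostname(href)
        if href_host in SHORTENER_DOMAINS:
            findings.append(("shortened_link", href))
        if has_non_ascii(href_host):
            findings.append(("non_ascii_link_domain", href_host))
        # Brand name used on a domain the brand does not own.
        if not is_expected(href_host, expected_domains) and any(b in href_host for b in brands):
            findings.append(("lookalike_link_domain", href_host))
        # Display text that itself looks like a URL but leads somewhere else
        # (what "hover over the link" reveals to a human reader).
        if text.lower().startswith(("http://", "https://")):
            text_host = hostname(text)
            if text_host and text_host != href_host:
                findings.append(("display_text_mismatch", f"{text_host} -> {href_host}"))
    return findings


def check_wording(subject, html_body):
    """Flag generic greetings, urgency phrases and prize lures."""
    findings = []
    haystack = f"{subject} {html.unescape(TAG_RE.sub(' ', html_body))}".lower()
    greeting = GENERIC_GREETING_RE.search(haystack)
    if greeting:
        findings.append(("generic_greeting", greeting.group(0)))
    findings += [("urgency_wording", p) for p in URGENCY_PHRASES if p in haystack]
    findings += [("reward_lure", p) for p in LURE_PHRASES if p in haystack]
    return findings


def analyse(message, expected_domains):
    """Run all checks and return a list of (category, detail) findings."""
    return (
        check_sender(message["from"], expected_domains)
        + check_links(message["html"], expected_domains)
        + check_wording(message["subject"], message["html"])
    )


if __name__ == "__main__":
    # "adidas.com" stands in for whatever domain you know the real sender uses.
    for category, detail in analyse(SAMPLE_MESSAGE, {"adidas.com"}):
        print(f"{category:26s} {detail}")
```

None of these checks is conclusive on its own (a genuine newsletter may well say “free” or use a shortener), which is why the script reports a list of findings rather than a verdict; the more of the ten points that trigger at once, the stronger the case for the football advice that follows.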
A classic defence strategy in football is “if in doubt, kick it out”. Very sage advice if you are unsure of the email pedigree you are about to click on.
Be safe out there!
If you would like more help and advice:
- For businesses: we are running a training course for staff on 29 January 2019. Search “Cyber Security Awareness Training for your Staff” on Eventbrite.com, or follow this link, if you trust us!
- For individuals: pop into our store and ask one of our advisors.