Phishing as we know it has been an established scam since the mid-nineties, if you can believe it. That’s nearly a quarter century of scamming! And the technique itself hasn’t changed a lot since then, though it has of course grown more sophisticated. The premise and the basic tactic are the same.
We’ll spare you the full-length history lesson, but there’s something important to take away from this. Phishing attacks have been successfully working for nearly 25 years. If it didn’t work, they wouldn’t keep doing it. So don’t get too cocky and assume you’re above such an attack. Everyone is a target of phishing emails, because unfortunately… it works. So, having said that…
What is Phishing?
Phishing is a type of cyber attack that targets individuals, often at random. Targeted victims receive a fraudulent email posing as a legitimate institution, and the scammer tries to entice them to hand over sensitive data freely: a password, credit card details, answers to security questions, or any other personally identifiable information. That information can then be used to take over important accounts, steal an identity or drain a bank account.
It sounds like it’s easy to avoid, but phishing frequently uses scare tactics to pressure you into taking the bait. They’ll also offer too-good-to-be-true deals, urgent requests with looming deadlines, misleading hyperlinks, and malicious attachments disguised as something innocuous. Firstly, we’ll run through features to identify a phishing email, so you know what to look for. Then we’ll give you tips on how to avoid falling victim to a phishing scam.
The Significant Events In The Rise Of Phishing
What Does A Phishing Email Look Like?
Chances are you’ve received a phishing email from Apple before. If you don’t own any Apple devices, this would be supremely easy to identify and avoid. But for the rest of us iPhone addicts — these phishing emails can easily be confused for the real thing if you’re not on alert. Personally, I receive a lot of phishing emails from Paypal and Apple, but at a glance it’s easy to identify them.
Most inboxes will only show the display name of the sender, like John Smith or Australia Post, for example. The display name is set by whoever sends the mail, so on its own it proves nothing. In the case of my phishing email from Apple, the sender appears to be ‘Apple Payment’. But if we click on the header to view the full sender information, we see the email is actually from this totally professional address: email@example.com — yeah, seriously. Doesn’t exactly scream official Apple business, does it?
Look for any combination of the following signs to identify suspicious phishing emails:
Red Flag #1: Dodgy Grammar and Spelling
The biggest giveaway in any generic phishing email is going to be poor spelling and grammar. A real email from a legitimate brand is usually well-crafted in terms of spelling, grammar and formatting. Scan the email carefully and note any errors. Just don’t rely on this alone: the better-run campaigns are proofread, and a clean email can still be a phish.
Red Flag #2: Odd Manner of Greeting
Many companies you have previously dealt with will address their emails to you personally. The email should address you by name, or be otherwise familiar. If you get a strange “Greetings Valued Customer”, your alarm bells should be going off. The reverse isn’t a guarantee either: your name is in plenty of leaked databases, and a targeted phish will use it.
Red Flag #3: Misleading URL
These emails frequently include a link for you to confirm your account details or reset your password. However, these links are usually misleading: the text you see is not the address the link actually goes to. How do you know without clicking? If you’re viewing the email in a browser or desktop client, hover the mouse over the link and the status bar will show you where it really points. On a phone, a long press on the link does the same. Bet it’s not where it’s supposed to go! Be especially wary of link text that is itself a URL (the visible address can point anywhere) and of links through URL shorteners, which hide the destination until you follow them.
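You can do the hover check programmatically over a whole HTML body, which is handy when you want to triage a suspicious mail without opening it in a client. Here is an added example in Python (ours, not part of the original article). It pulls every link out of the body and flags the two tricks above: link text that names one host while the href goes to another, and a trusted name tucked into the userinfo part of the URL before an ‘@’, which browsers ignore when deciding where to connect. The sample body, and the appleid-verify.example.net and login.example.org hostnames in it, are constructed for the demo.

```python
"""Automate the 'hover over the link' check on an HTML email body.

Added example, not code from the original article. The sample body below is
constructed for the demo; the hostnames in it are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a phishing body that shows one address but links elsewhere.
SAMPLE_BODY = """
<p>Your Apple ID was used to sign in. <a href="https://appleid-verify.example.net/login">
https://appleid.apple.com/</a></p>
<p><a href="https://www.apple.com@login.example.org/">Review your receipt</a></p>
<p>Need help? <a href="https://support.apple.com/">support.apple.com</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url_or_text):
    """Lowercase hostname of a URL, or None if the text is not URL-like.

    urlsplit().hostname drops the userinfo ('www.apple.com@') and the port,
    so it gives the host the browser would actually connect to.
    """
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "https://" + candidate  # bare 'support.apple.com' in link text
    host = urlsplit(candidate).hostname
    return host.lower() if host and "." in host else None


def inspect_links(html_body):
    """Return a list of findings; an empty list means nothing looked off."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        href_host = host_of(href)
        if href_host is None:
            continue
        # Trick 1: the link text *looks* like a URL but the href goes somewhere else.
        text_host = host_of(text)
        if text_host and text_host != href_host:
            findings.append(f"text shows {text_host} but href goes to {href_host}")
        # Trick 2: a trusted name hidden in the userinfo part before '@'.
        if "@" in urlsplit(href).netloc:
            findings.append(f"userinfo trick: href really goes to {href_host}")
    return findings


if __name__ == "__main__":
    for finding in inspect_links(SAMPLE_BODY):
        print(finding)
```

The third link in the sample, whose text and href agree, produces no finding; the first two each produce one. Plain-text links and shortener redirects are out of scope here, since resolving a shortener means following it.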
Red Flag #4: Urgent or Threatening Language
A lot of phishing emails will utilise language that encourages you to act immediately. Either your account has been compromised and you have no money! Or this amazing once-in-a-lifetime opportunity that is only valid for the next 15 seconds so CLICK NOW. Never give in to this tactic.
Red Flag #5: Request for Personal Information
Your bank or any other legitimate institution will never ask you to submit your password or other personally identifying information via email. If they need to verify you, they will do it through their own channels and check your identity in several ways before commencing business. Treat any email that asks you to enter your password as a phishing scam.
8 Habits To Help You Avoid a Phishing Scam
We’ve now looked at a few ways in which you can identify a phishing scam. Hopefully with these tips, you’ll know what to look for with these phishing emails, and be able to avoid falling prey to such a scam. However, there are some habits you should try to enforce with yourself and your team. These habits are more or less common sense, but often we overlook the importance of them.
Habit #1: Look for the Lock
These days you shouldn’t be trusting any site that doesn’t use HTTPS. This means the URL begins with https (not http) and the address bar shows a little padlock. But be clear about what the padlock means: your connection is encrypted, and the certificate matches the domain in the address bar. It says nothing about who owns that domain. Anyone can get a certificate for a lookalike domain in minutes, so a padlock on a phishing site only proves you are securely connected to the scammer. Check the domain itself, and if you end up on a site with no HTTPS at all, don’t enter any information on it.
Habit #2: Watch Out For Pop-Ups
It wasn’t so long ago that pop-ups were solely the domain of malware attacks and phishing attempts (Wow! You’re the 1,000,000th Visitor! Click Here to Win Free iPad!) but nowadays many legitimate websites are utilising their own pop-ups to push subscriptions and account sign-ups, which gets seriously tedious after a while. If you were looking to sign-up, or subscribe to a website, be wary of any pop-ups and make sure you’re going through a secure form.
Habit #3: Never Give Out Personal Info
On that note, be careful what you type into any form you reached from a link in an email, secure or not. A newsletter sign-up needs an email address, maybe a phone number. A form that arrived unannounced and wants your password, card number or date of birth is out of place. If a company genuinely needs that information, go to their site yourself (type the address or use a bookmark) rather than through the link you were sent.
Habit #4: Always Use Antivirus
Antivirus helps protect you from phishing attacks by blocking known-malicious attachments and downloads, and by stopping malware that has already landed from running. That is the scenario where you’ve accidentally taken the bait and the attackers are now trying to get a foothold on your system. It won’t stop you typing your password into a convincing fake login page, so it complements the habits above rather than replacing them.
Habit #5: Think Before You Click
This is basic common sense when it comes to online hygiene. So many phishing attempts try to trick you with wording and misplaced buttons, or with disguised URLs (as we discussed above). Take your time, make sure you’re somewhere secure and ensure the link goes where you want it to.
Habit #6: Keep Abreast of Phishing Scams
As mentioned previously, phishing emails have been around for just about 25 years. That means they’ve evolved over time and new ones are forever coming into circulation. Check sites like Scamwatch and Stay Smart Online which provide updates and news.
Habit #7: Check Your Accounts
This one feels harder because it’s 2019 and you probably have about 300 online accounts for various sites that you can’t even remember anymore. Many of these are probably defunct, or you simply don’t use them anymore, but someone else might have taken one over and be using it maliciously. Search your email inbox for “new account” or “confirm email” to find sites you’ve registered for in the past.
Habit #8: Keep Your Browser Updated
Patches and updates that are periodically rolled out are usually designed to repair vulnerabilities and security loopholes that could or have been exploited. If there’s an update for your browser, INSTALL IT.
10 Steps To Take After A Phishing Attack
1. Disconnect The Device From Internet
The biggest risk after opening a phishing attachment, or clicking a link that downloads something, is that malware or ransomware lands on the computer within minutes. Immediately disconnect the computer from the Internet (pull the cable, turn off Wi-Fi) so the attacker cannot reach it remotely and any malware cannot call home or mail itself to your contacts. If all you did was type a password into a fake login page, the urgent step is different: get to a clean device and change that password (see step 4).
2. Scan for Malware
The next step is to scan your system for any malware that could already be self-replicating to spread through the network. Ensure that the scanning software can run offline, and consider running a secondary scan with another program after the first to catch anything that was missed.
3. Backup Files/Follow IR
You should have an incident response plan for your business, and now is the time to follow it. This should include protocols for backing up files, restoring any damage and how to go about identifying the cause and source of the breach and how to contain it.
4. Change Password
This is a no-brainer. Even if the victim of the attack didn’t give away any passwords directly, there is no way to be sure that the attacker doesn’t now have them. Update the password on the affected account and on any other account that shared it, do it from a device you trust (not the one you just disconnected), and turn on multi-factor authentication where it’s offered. If the service lets you sign out all other sessions, do that too; a changed password alone may not evict someone who is already logged in.
5. Notify Scamwatch
Scamwatch is a service run by the Australian Competition and Consumer Commission (ACCC). It provides information on how to recognise, avoid and report scams. Informing Scamwatch gives them up-to-date information on the latest scams and assists in protecting the community.
6. Contact Your Financial Institution
If you’re afraid that your financial information may be compromised, then contact your bank. Advise them that there was a phishing attack and you can either opt to freeze any accounts, cancel cards, or request account monitoring to watch for suspicious activity.
7. Advise Team
Whether it was you, or another team member who fell victim; you still need to keep everyone in the loop. Send out a notice to the whole team advising them of what has occurred — this ensures that everyone stays on their guard as the phishing attempt could very well target other members of the business.
8. Adjust Email Filters to Block Similar Messages
Review the phishing email in question and adjust your email filters so the same campaign doesn’t get through to other potential victims. The From address, Subject and other fields may change from email to email, so don’t filter on those alone: block the sending domain and the domain in the link, and pick out a phrase or key words from the body that the filter can match on.
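To show what “filtering on more than the From field” looks like in practice, here is an added example in Python (ours, not from the original article). It parses a raw .eml with the standard library and reports three tells: a display name that drops a brand name while the address sits on an unrelated domain (the ‘Apple Payment’ case from earlier), a Reply-To on a different domain from the From, and key phrases lifted from the phish you are filtering on. The sample message, the BRAND_DOMAINS table and the phrase list are all constructed for the demo; tune them to your own incident.

```python
"""Triage a raw .eml against the tells described in this article.

Added example, not code from the original article. The message, the brand
table and the phrase list are constructed for the demo.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: mimics the shape of the 'Apple Payment' mail described above.
SAMPLE_EML = b"""\
From: "Apple Payment" <billing@appie-secure.example.net>
Reply-To: recovery@mailbox.example.org
To: victim@corp.example
Subject: Your receipt - action required
Content-Type: text/plain; charset=utf-8

Dear Valued Customer,
Your account has been limited. Verify your account details within 24 hours
to avoid suspension.
"""

# Brand keywords and the domains that legitimately send for them (assumed for the demo).
BRAND_DOMAINS = {
    "apple": ["apple.com"],
    "paypal": ["paypal.com"],
    "mygov": ["my.gov.au"],
}

# Phrases lifted from the phish that got through; the filter keys on these.
SUSPECT_PHRASES = ["verify your account", "account has been limited", "valued customer"]


def domain_of(address):
    """Lowercase domain part of an email address, or '' if there is none."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_domains(domain, allowed):
    """True when domain is one of allowed or a subdomain of one (mail.apple.com)."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def triage(raw_bytes):
    """Return a list of reasons to quarantine; an empty list means the checks passed."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []

    # Tell 1: display name borrows a brand, address does not belong to it.
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and not in_domains(from_domain, domains):
            reasons.append(f"display name claims {brand} but address is @{from_domain}")

    # Tell 2: replies are steered to a mailbox on another domain.
    reply_domain = domain_of(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From {from_domain}")

    # Tell 3: body phrases copied from the sample you are filtering on.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    for phrase in SUSPECT_PHRASES:
        if phrase in text:
            reasons.append(f"body contains '{phrase}'")
    return reasons


if __name__ == "__main__":
    for reason in triage(SAMPLE_EML):
        print(reason)
```

Against the sample this returns five reasons: the display-name mismatch, the Reply-To mismatch, and one line per matched phrase. In a real filter the display-name and Reply-To checks are the durable ones; the phrase list needs refreshing as the campaign changes its wording.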
9. Review Outbound Traffic & DNS Logs
Search your firewall and proxy logs for the suspicious IP addresses and URLs, including the ones from the email, and check whether any outgoing traffic went to them. Phishing infrastructure changes IP addresses frequently, so also review your DNS logs: a machine that looked up the phishing domain is a machine that clicked, whatever address it then connected to.
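Here is what that log review looks like when scripted, as an added example in Python (ours, not the article’s). It searches firewall lines for connections to the indicator IPs, searches BIND-style DNS query lines for the indicator domains and any of their subdomains, and returns the internal hosts that show up in either, which are the ones to triage first. All log lines, IP addresses and hostnames are constructed for the demo, and both log formats are assumed; adjust the regexes to whatever your firewall and resolver actually write.

```python
"""Search firewall and DNS logs for contact with a phishing mail's indicators.

Added example, not code from the original article. Log formats, addresses
and hostnames are constructed for the demo.
"""
import ipaddress
import re

# Indicators pulled from the phishing mail (constructed).
IOC_DOMAINS = {"mygovau.example", "appleid-verify.example.net"}
IOC_IPS = {"203.0.113.45"}  # documentation-range address, constructed

# Constructed firewall lines: "<time> fw ALLOW src=<ip> dst=<ip> dport=<port>"
FIREWALL_LOG = """\
2019-05-03T09:12:01 fw ALLOW src=10.10.4.21 dst=203.0.113.45 dport=443
2019-05-03T09:12:05 fw ALLOW src=10.10.4.21 dst=198.51.100.7 dport=443
2019-05-03T09:14:30 fw ALLOW src=10.10.4.33 dst=192.0.2.10 dport=443
"""

# Constructed DNS query lines, BIND-style: "client <ip>#<port>: query: <name> IN <type>"
DNS_LOG = """\
03-May-2019 09:11:58 client 10.10.4.21#51022: query: login.mygovau.example IN A
03-May-2019 09:12:04 client 10.10.4.21#51023: query: www.example.com IN A
03-May-2019 09:13:10 client 10.10.4.33#51099: query: MyGovAu.example IN A
03-May-2019 09:13:11 client 10.10.4.50#51100: query: notmygovau.example IN A
"""

FW_RE = re.compile(r"^(\S+) \S+ \S+ src=(\S+) dst=(\S+)")
DNS_RE = re.compile(r"^(\S+ \S+) client (\S+)#\d+: query: (\S+) IN")


def name_matches(qname, ioc_domains):
    """Exact or subdomain match, case-insensitive. 'notmygovau.example' must not match."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in ioc_domains)


def search_firewall(log_text, ioc_ips):
    """Return (timestamp, src, dst) for outbound connections to IOC addresses."""
    wanted = {ipaddress.ip_address(ip) for ip in ioc_ips}
    hits = []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m.group(3))
        except ValueError:  # some firewalls log a hostname here; skip it
            continue
        if dst in wanted:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


def search_dns(log_text, ioc_domains):
    """Return (timestamp, client, qname) for lookups of IOC domains or their subdomains."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m and name_matches(m.group(3), ioc_domains):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


def affected_hosts(fw_log, dns_log, ioc_ips, ioc_domains):
    """Internal hosts seen in either log; these get looked at first."""
    hosts = {src for _, src, _ in search_firewall(fw_log, ioc_ips)}
    hosts |= {client for _, client, _ in search_dns(dns_log, ioc_domains)}
    return sorted(hosts)


if __name__ == "__main__":
    print(affected_hosts(FIREWALL_LOG, DNS_LOG, IOC_IPS, IOC_DOMAINS))
```

Note what the DNS pass adds: 10.10.4.33 never connected to the indicator IP (the site had presumably moved), but it resolved the phishing domain, so it goes on the list. The subdomain match is deliberate too; campaigns routinely use login.<domain> or secure.<domain> rather than the bare name.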
10. Use The Opportunity To Educate
Take this chance to educate your team and remind them of how they can be responsible for cyber security within the business. Don’t shame or berate the victim unnecessarily, as this may leave others reluctant to come forward, but simply use it as an example to raise security awareness and remind your staff to think before they click.
Let’s Look At A Real Phishing Example:
Despite all the warning signs to look for, the main thing to keep in mind is that phishing attacks are always being refined and attackers know that people are looking for giveaway mistakes in phishing emails. So, they have begun to eliminate these glaring red flags that we discussed — let’s have a look at a real phishing attack that hit many Australians last year.
Targeted victims received an email appearing to be from Medicare, prompting them to log in to myGov and update some information. The email was very convincing as it duplicated the real logos from Medicare and myGov websites as you can see here:
The “Sign in” link took victims to a cloned myGov website that looked identical to the original, the only giveaway being the URL. At a glance the site looks authentic, and it even has the “lock” that so many of us have been taught means a site is safe. All the lock actually tells you is that the connection to that domain is encrypted; it says nothing about who the domain belongs to. So they are definitely becoming more sophisticated. The real myGov URL is my.gov.au, as opposed to mygovau.net (the phishing site).
This type of phishing scam is also called ‘brandjacking’: scammers forge an email template to look identical to one from a legitimate and trusted company. Victims let their guard down and are more likely to trust the email because it has a familiar layout and logo.
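The question the padlock can’t answer, “is mygovau.net actually my.gov.au?”, is one you can put into code. The added example below (ours, not from the article) classifies a URL’s host as a legitimate host of a known brand, a lookalike of one, or unrelated. Legitimate means the host is the brand’s domain or a subdomain of it; my.gov.au.evil.example is not. Lookalike is a coarse heuristic: the host with its dots and hyphens stripped contains the brand name, or the brand’s domain with its dots removed, which is exactly how mygovau.net imitates my.gov.au. The LEGIT_DOMAINS table is assumed for the demo and is nowhere near complete.

```python
"""Decide whether a URL's host belongs to the brand it appears to be.

Added example, not code from the original article. The brand table is
assumed for the demo; my.gov.au and mygovau.net are the article's own example.
"""
from urllib.parse import urlsplit

# Domains the brand really uses (assumed for the demo).
LEGIT_DOMAINS = {
    "myGov": ["my.gov.au"],
    "Apple": ["apple.com", "icloud.com"],
}


def hostname(url):
    """Lowercase host the browser would connect to, or '' if the URL has none."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else ""


def belongs_to(host, domains):
    """Exact or subdomain match. 'my.gov.au.evil.example' does not match my.gov.au."""
    return any(host == d or host.endswith("." + d) for d in domains)


def squeeze(name):
    """Drop the separators a squatter plays with: my.gov.au -> mygovau."""
    return name.replace(".", "").replace("-", "")


def classify(url):
    """Return 'legitimate <brand> host', 'lookalike of <brand>' or 'unrelated'."""
    host = hostname(url)
    # Real hosts first, so apple.com is never reported as a lookalike of Apple.
    for brand, domains in LEGIT_DOMAINS.items():
        if belongs_to(host, domains):
            return f"legitimate {brand} host"
    # Lookalike: brand name or de-dotted brand domain buried inside the host.
    flat = squeeze(host)
    for brand, domains in LEGIT_DOMAINS.items():
        if brand.lower() in flat or any(squeeze(d) in flat for d in domains):
            return f"lookalike of {brand}"
    return "unrelated"


if __name__ == "__main__":
    for url in ("https://my.gov.au/login", "https://mygovau.net/",
                "https://my.gov.au.evil.example/", "https://appleid-verify.example.net/"):
        print(url, "->", classify(url))
```

The heuristic will over-match occasionally (a host containing the string “apple” is not necessarily pretending to be Apple), which is acceptable when the output is a prompt for a human to look twice rather than an automatic block. A padlock-only check would pass every one of the lookalikes above.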
We’d also like to touch on spear phishing while we’re on this topic. Spear phishing is a far more targeted type of phishing attack. Regular phishing is like casting a net for one of thousands of fish; spear phishing, as the name suggests, goes after one specific target with a specialised attack and tool.
Traditional phishing attempts will send thousands or even millions of emails with no personalisation. The attacker is relying on catching even just a handful of these victims — even 1% of 100,000 attacks is still 1000. That’s 1000 wins.
Spear phishing of course has many features in common with regular phishing attacks. Both appear to come from a trusted source (usually), and both will attempt to lure the victim into giving away personal information.
So, what is Spear Phishing exactly?
The key difference is this: spear phishing attacks are highly personalised and customised towards their target. The attacker will carefully research everything they can about their intended victim: combing all social media profiles (Twitter, Facebook, LinkedIn, Instagram), finding out where the victim works and who they interact with, and building a full profile on them.
With this detailed profile on their victim, they are able to craft a very realistic email that is purely designed to fool this one person. It’s scary to think about!
Due to the effort of personalisation and realism that goes into these spear phishing attacks, they are often more likely to succeed than generic phishing attacks. Which is a concerning thought, as these attacks are usually intended to access highly confidential information or corporate secrets.
Overall, it seems that the best thing you can do is keep informed on phishing news and the evolving scams. If you think you’re up to speed, then take this quiz created by Google and see if you can identify a phishing scam on the fly. There is always room for improvement!
If you’re concerned about a phishing attack within your business, or the security of your data, then contact Stanfield IT about it today.