A Casual Conversation About Phishing
by Sam Conwell, Fortis Incident Response Supervisor
I am sure you have already read many technical articles on the dangers of phishing, in all of its forms, so we are just going to have a casual conversation. The goal here is to convey not only the dangers of being phished but also just how easy it is to fall victim to it. It will also hopefully give you something to share with your network of colleagues, family, and friends who might not be as technical and tend to zone out anytime the geek-speak starts to flow.
It is very important to note that the sophistication of those running phishing campaigns has increased by an incredible amount over the last few years. Let your people know: the old tells of bad grammar, typos, illogical situations, preposterous claims, promises of untold wealth, and easily discernible fake websites still show up, but the news of these is out there and the general public is much more aware of that type of scam. What we want to share here is how the phishing landscape is changing and what to look for now.
As promised, nothing too technical, but let us quickly get some definitions out of the way:
Phishing – A decades-old social engineering scam, now a cybercrime, that revolves around getting you to divulge personal information such as credentials or account numbers.
Spear Phishing – A more personalized form of phishing where the threat actor takes time to do research before initiating contact. The message will usually include your full name, address, phone number, email address, and job title, as well as those of the person being impersonated.
Whaling – This one takes spear phishing to another level. Instead of posing as a legitimate individual from outside your organization, it impersonates someone of high importance within your organization, such as a C-suite executive, President, Vice President, or Director. An unexpected email from that kind of sender carries an immense amount of power and influence.
Pharming – Keeping my promise not to get too technical, I will not go into how it is achieved, but pharming redirects you to a fake website that appears to be legitimate. The malicious site you end up on is designed to look like the site you wanted to visit, so instead of logging into the intended site, you just gave the threat actor your credentials for the real one.
Spoofing – The act of pretending to be someone else. A common example is someone impersonating an employee from your IT department and asking you to verify your credentials.
Vishing – The same as phishing but over the phone rather than email. There are two main ways vishing is used. The first targets seniors who do not have email, or who use it very infrequently. One of the newest uses is more sophisticated and aimed at everyone: the call is recorded and the recording is used to get past voice recognition systems. As an example, a well-known national financial institution literally uses “My voice is my password, please verify me” as its prompt when you call in.
Now that we have the definitions out of the way, it is time to prepare you, and those you care about, to avoid these miscreants and keep you and your company safe. These steps apply to all of the above, except vishing, which is covered separately. We are going to start with how the threat actors operate:
- Branding
  - The threat actor creates a duplicate of a website they expect you to visit
  - The fake website can be anything from crude to sophisticated and almost perfect
  - One tip-off is that the logo shape and/or colors are a little different from those of the authentic website
- Spelling and Grammar
  - Even though threat actors have come a long way, there are often still spelling and grammatical errors on the fake website or in the email
  - If you see the repeated use of the word “kindly” – run! This is a dead giveaway
  - An oddly generic greeting in the email is another giveaway
- Sense of Urgency
  - The subject of the email is designed to get your attention, knock you off balance, and get you out of your normal headspace and off guard
  - Special note – once you give in to this, it is very difficult to break out of
  - This works especially well in spear phishing and whaling campaigns, when an employee who is not normally in contact with C-suite executives receives an email they believe comes from someone who wields great power within the organization or commands great respect
  - FOMO – “Fear of Missing Out” – threat actors often use this tactic to put people into a heightened state of urgency. It has been shown to get test subjects to abandon their security training for things as simple as:
    - Only for the first 100 people to respond
    - Available for only “X” amount of time
    - 50% off the price, if you order by…
    - Countdown boxes showing how many items are left before the conditions change
- Letter substitution in the email address or web address
  - Never forget that at a quick glance a capital O looks very close to a zero (0), and a lowercase l looks very close to the digit 1
  - The combination of “r” and “n” (rn) can be mistaken for the letter “m” if you are not focused on what you are reading
- Email impersonation
  - Email addresses that look similar, or very similar, to an authentic address you are familiar with
- Account takeover
  - An email that comes from an account that has already been compromised
  - This is almost impossible to detect on your own, because the message really does come from the legitimate address
  - There are several email security products that can help protect against this, and Fortis can provide guidance if this is something you or your organization needs
- Information that is posted publicly
  - Threat actors will research your Facebook, LinkedIn, Instagram, and any other public-facing platform out there
  - Threat actors have been known to copy the entire profile of one of your friends to build a fake persona that you will interact with
  - Threat actors have been known to go to the hangouts of the people they are investigating, bump into them, and try to make “fast friends” in order to gather information that can be leveraged later
  - Threat actors and other criminals look for “Check Ins” on social media
- Insecure links
  - Prefer https:// links over http:// links. The “s” stands for secure, but it only means the connection is encrypted: phishing sites routinely use valid certificates, so https alone does not prove a site is genuine
  - Tiny URL links – these shorten long URLs (web links), and they can also be used to hide the true, malicious destination
  - URLs that are numbers (an IP address) rather than names
    - The human brain is very good at remembering words, but strings of numbers are much harder to remember, especially over time
    - Threat actors use this approach to hide a malicious domain name and to evade security tools that focus on domain names
- Moving the conversation from email to text or voice
  - Threat actors will often combine the tactics described above to nudge you into a situation where you cannot really reply by email, and then ask you for an alternative way to contact you
  - An example is an email saying the sender is presenting at a conference and cannot talk on the phone right now, so would you provide your cell phone number so they can text you directly
  - Moving you to a different medium, say your cell phone, gives the threat actor direct contact with you outside all of your organization’s security tools, devices, communication channels, and policies
- Vishing – here comes the onslaught of spam and robo-callers
  - One type is direct contact from the threat actor
  - The other type involves call recording and can be live or a robo-caller
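As an added example that is not part of this article, the following Python script applies several of the tells above to one message: look-alike spellings in the sender's domain (O for 0, l for 1, rn for m), numeric addresses instead of names, link shorteners, and plain http links. It goes a little beyond the list by also flagging punycode (xn--) hosts, a genuine domain name buried inside a longer attacker-controlled host, and link text that does not match the real destination. The trusted-domain list and the sample message are constructed for illustration; they are not real data.

```python
"""Phishing indicator checks for one email. Added example with a constructed
sample message and a hypothetical trusted-domain list; not a verdict engine."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}                       # hypothetical: domains you actually own
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "ow.ly", "goo.gl", "is.gd"}
# Substitutions the eye glosses over. Keys are what the attacker types, values what you read.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

def fold(host):
    """Collapse look-alike spellings: 'Exarnp1e.c0m' folds to 'example.com'."""
    folded = host.lower()
    for typed, seen in HOMOGLYPHS.items():
        folded = folded.replace(typed, seen)
    return folded

def check_host(host, trusted=TRUSTED_DOMAINS):
    """Return (indicator, detail) pairs for one hostname; an empty list means nothing flagged."""
    findings = []
    try:
        ipaddress.ip_address(host)
        return [("ip-literal", host)]                   # a bare address instead of a name
    except ValueError:
        pass
    if "xn--" in host or any(ord(c) > 127 for c in host):
        findings.append(("idn-host", host))             # Unicode look-alikes arrive as punycode
    reg = ".".join(host.lower().split(".")[-2:])        # simplified: ignores suffixes like co.uk
    if reg in SHORTENERS:
        findings.append(("shortener", host))
    if reg in trusted:
        return findings                                 # genuinely ours, any subdomain
    for good in trusted:
        if fold(reg) == fold(good):
            findings.append(("lookalike-domain", host))        # examp1e.com, exarnple.com
        elif fold(good) in fold(host):
            findings.append(("embedded-trusted-name", host))   # example.com.secure-login.net
    return findings

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def inspect_email(raw, trusted=TRUSTED_DOMAINS):
    """Run the checks over the From: header and every link in the HTML body."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if sender_domain:
        findings += [("sender-" + kind, detail) for kind, detail in check_host(sender_domain, trusted)]
    html_part = next((p for p in msg.walk() if p.get_content_type() == "text/html"), msg)
    body = html_part.get_payload(decode=True).decode(html_part.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        url = urlparse(href)
        host = url.hostname or ""
        if url.scheme == "http":
            findings.append(("plain-http", href))       # https would prove encryption only, not identity
        findings += check_host(host, trusted)
        if "://" in text or ("." in text and " " not in text):   # visible text looks like a URL
            shown = urlparse(text if "://" in text else "//" + text).hostname or ""
            if shown.lower() != host.lower():
                findings.append(("text-href-mismatch", text + " -> " + href))
    return findings

# Constructed sample message: one look-alike sender and three suspicious links.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@examp1e.com>
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Kindly verify your credentials at <a href="http://exarnple.com.secure-login.net/verify">https://example.com/verify</a></p>
<p>Or use this short link: <a href="https://tinyurl.com/abcd1234">tinyurl.com/abcd1234</a></p>
<p>Backup portal: <a href="http://203.0.113.7/login">portal</a></p>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in inspect_email(SAMPLE_EMAIL):
        print(f"{kind:24} {detail}")
```

Run against the constructed message this reports the look-alike sender, the plain-http links, the trusted name embedded in the attacker's host, the text/href mismatch, the shortener, and the raw IP address. The folding is deliberately aggressive and will raise false positives (a legitimate domain containing "rn" folds to "m" too), which is the right trade-off for a triage aid that feeds a human decision; it is not a substitute for a mail security gateway or for the verification habits described in the rest of this article.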
Now that you’re more familiar with the different types of attacks, what can you do to protect yourself and your organization from these threats? Not to worry, there are several ways to better prepare yourself to resist the inbound temptations.
- End user training is always going to be the best, first answer
  - A large share of compromises are traced back to a user who clicked a bad link in an email
  - There are several best-of-breed user training offerings out there that will set up structured, tailored, scheduled training and even run simulated phishing campaigns against your end users
  - Fortis stands at the ready with offerings to train and secure your users and organization, so let us know how we can be of assistance
- Take a few moments to center yourself and think about the training you have been given
  - Many of the tactics employed are meant to catch you off guard and get you out of your normal headspace
- Question and verify everything
  - Does the email have a warning banner notifying you that it comes from outside your organization?
  - Did you verify that the email address itself is real, not just that the display name looks right?
  - Why is this individual asking for this information?
  - Is this normally the person who would request this kind of information?
  - Is this from someone who would never send an email? For example, the IRS states on its website that it will NEVER send you an email requesting your personal information.
  - Are the links in the email https or http?
  - Have the links been obfuscated via Tiny URL or some other way?
  - Do not click any link in a suspicious email. If you want to verify that the address is legitimate, open a new browser window and physically type (do not copy and paste) the address you want to visit.
- The external-sender warning banner
  - Is the banner highlighted in a different color to catch your attention?
  - Train yourself to look for the banner, not the color, as threat actors can craft emails (a plain-text message, for instance) where the highlighting cannot be displayed.
- Things to look for in the email preview panel, if your mail client has one
  - Logos are not perfect
  - Colors are slightly off
  - Spelling, grammar, and writing style are off from what you would expect
- Threat actors and other criminals look for “Check Ins” on social media, so if you must post where you went and what you did, do it after you are already home
  - There is nothing like telling the entire Internet that you are not home by “Checking In” at a location on social media
  - This applies not only to phishing but also to your physical security: your dwelling, your family, and your belongings
- Tiny URL links
  - Using your mouse, hover over the link and the real destination URL will be displayed (on a phone, press and hold the link instead). For a shortened link this shows only the shortener’s own address; most shortening services offer a preview page that reveals the final destination without visiting it
  - Make sure the link is https, as noted above, while remembering that https alone does not make a site legitimate
- FOMO – “Fear Of Missing Out”
  - These attempt to make you feel rushed, as though you will lose out on an opportunity if you do not act fast.
  - When you receive one of these, the best thing to do is pause and take a breath. Once you step away for a minute, the warning signs that this could be a malicious attempt to steal personal or login information from you are much clearer.
- Media change
  - This should immediately raise a red flag, for the following reasons:
    - Once contact is established there is rarely a valid reason to change how it is taking place.
    - Almost every organization already has everyone’s cell phone number loaded in its directory or internal communications systems. So, if the email were legitimate, would the sender not already be able to retrieve that information?
- Vishing
  - One type is direct contact from the threat actor.
    - On this call the threat actor will pretend to be part of any of the thousands of scams that are out there. The tone of the call can range from a sincere-sounding individual who speaks slowly and softly and seems only to want to help you, all the way up to accusatory, borderline belligerent, and rushed, trying to get you flustered and make you believe you did something wrong or even illegal.
  - The other type involves recording and can be live or a robo-caller.
    - These calls eventually get you to a person who says, “I am looking for (your full name), is that you?”
    - Never say “Yes” to these calls. That response will be recorded and used to impersonate you on systems that use voice recognition as part of their security, such as those of many financial institutions.
  - One way to figure out whether a call is legitimate is to ask the caller for their company and name and let them know that you will call them back.
    - If they are scammers, they will try to find a way not to divulge that information, or tell you that they do not have inbound calling.
    - If they give you the company name and their contact information, Google the company, look at what people are saying about it in reviews, and check its main phone number. Also be sure to Google the company name followed by the word “scam” and check those results before initiating contact. Call back only on a number you found yourself, never on one the caller gave you.
In conclusion, the best way to handle these attacks is to avoid the contact altogether. Every email should be considered suspicious by default until you have worked through your process to prove it is legitimate, before you click on anything. The same applies to phone calls. If you do not recognize the number, let it go to voicemail or use one of the call screener apps from your cell provider or your app store. Remember, some of these threat actors are bold enough to leave a voicemail; if they do, still vet the company as described above before reaching out to them.