Phishing is unique among cyber attacks – it doesn’t rely on weaknesses in computer software, or new vulnerabilities – it relies, initially at least, on human gullibility.
This means that devices users often think of as ‘immune’ to cyber attacks – such as smartphones – are in fact the perfect vehicle for phishing attacks.
Phishing attackers will select the easiest, cheapest method to steal the information they need. This could be using a malware-laced attachment to steal a password using a keylogger – or enticing the victim to hand it over willingly, by entering details on a bogus site.
Attacks such as the defacement of the New York Times’ website, where the entire site vanished to be replaced by the name of a hacker group, began with one person opening an email they should not have. The Target breach, where 40 million credit cards leaked, began with a phishing email targeted at an air-conditioning contractor who worked with the retail chain.
Consumers are affected as much as large organizations – in this year’s Microsoft Computer Safety Index Survey, polling 10,000 consumers, 15% said they had been victims of phishing, losing on average $158 each.
Some phishing emails are still comical – ESET’s David Harley reports a “419 scam” email with the message, “I have a project. If interested. Reply”, and no text in the body. Many, though, are highly professional and may seem to come from friends. Our tips should help you avoid taking the bait.
Phishing emails can affect you on any device
Phishing attacks don’t always depend on the victim clicking on a malware-infected link – often they’ll be directed to a bogus page which will ask for passwords and user details. This means that no system is immune – whether you’re accessing the web from a PC, a Mac, or a mobile device – whether it’s an Android device or an iOS one. If you type in your details, the cybercriminals can access your account – whether it’s a bank account or an iTunes one (with credit card attached). Describing one recent reported scam targeting Apple users, ESET Senior Research Fellow David Harley writes, “Victims are directed, via spam messages apparently from Apple, to sites that are crafted to resemble real Apple sites, festooned with links to real apple.com pages and objects. The criminals who set them up are clearly interested in iCloud and iTunes contents and credentials, and of course the credit card details associated with those services.” Harley adds, “However effective an operating system’s technical defences are, there are always ways of bypassing them by hacking the victim rather than the device.”
Some phishing emails are cleverer than others
Emails purporting to come from your bank are often crude, asking you to confirm a password (something your bank will NEVER do) – but some use clever tricks to look believable. For instance, some scam emails forwarded to ESET’s Threat Radar offer the customer a ‘Yes’ or ‘No’ choice relating to recent transactions or a change in contact details – with links offering the choice, ‘Yes, I made this request,’ or ‘No I did not,’ as reported by ESET Senior Research Fellow David Harley in a series of posts on new phishing techniques. This echoes the language used in security phone calls – but of course, both links are bogus. And sometimes they don’t even bother to make the links different!
It’s easy to hand phishers the bait they need to make you a victim
If you work within a company that’s a high-value target, you should ensure that your details remain private – otherwise phishers can craft targeted attacks which sound legitimate. Last year, an electricity company was targeted with a polished spear-phishing attack, as reported by We Live Security here. The attack used a published list of attendees at a committee meeting to target employees with a malware-infected phishing email. The company site had listed the email addresses and work titles of everyone at a meeting – which was enough information for cyber-criminals to craft a convincing-looking tailored attack directed at the company, via the Inboxes of everyone attending the meeting.
Don’t click links in bank emails – even if the email looks real
Your bank will almost certainly not email you a link to their web address in any communication – so the appearance of such links is a ‘red flag’ indicating that an email’s a fake. ESET’s David Harley says, “We’d always advise that even if a login link looks OK, it’s safer to go through a URL known to be legitimate, not the one that’s given in an email. Unless, at any rate, you have no doubt at all that the email is genuine (like one you’ve verified with the sender by other means). And in general, any email apparently requiring you to click on a link in the message in order to log in to your account is either fake or sent by a bank that knows so little about phishing that you probably ought to consider banking elsewhere.”
If you are not addressed by name, it’s probably a fake
Cybercriminals have got much better at using convincing logos – and even mimicking the language of banks and other institutions. One recent example, supposedly from Barclays, sounds highly convincing to begin with, “We need your help resolving an issue with your account. To give us time to work together on this, we’ve temporarily limited what you can do with your account until the issue is resolved. We understand it may be frustrating not to have full access to your Barclays account. We want to work with you to get your account back to normal as quickly as possible.” All very persuasive. But if the email has been sent out as part of a mass spam campaign, it won’t be addressed to you – instead, it will begin, ‘Dear Customer’ or something similar. This is a near-certain sign that you’re dealing with a phisher – or a company too ignorant of security to be worth having anything to do with…
Telephone numbers aren’t a guarantee an email is real
Do not trust professional-looking emails where there is a phone contact number – this can be another cybercriminal trick. The number may well work, but you will be connected to a scammer instead of the company you’re hoping to speak to – and they will attempt to fool you into handing over further details.
If your IT department emails, they won’t need you to ‘confirm’ your password
Targeted “spear phishing” attacks can appear to come from your own IT department – or from business contacts, or senior managers within your organisation. Be wary. If a web link from your IT department suddenly asks for your login details or password, don’t enter them – it’s a common scam used by cybercriminals to penetrate business systems. Phone your IT department and ask if it’s real – they will thank you for it.
Be wary of unexpected good news
Cybercriminals disguise their attacks as everything from wedding invitations to tax rebates – with rebate emails timed to coincide with local tax deadlines. This tactic appears to be growing in popularity, with a wave of highly convincing emails sent out in Britain this year – 50% more than the previous year’s total, as reported by We Live Security here. Tax authorities tend to communicate via post to prevent fraud. Gareth Lloyd, HMRC’s head of digital security, said: “HMRC never contacts customers who are due a tax refund via email – we always send a letter through the post.” For a more in-depth article on tax scams, read the January Threat Report.
Author Rob Waugh, We Live Security