This means educating your people has to be a key plank in any phishing defence strategy.
When the Finance Manager received an email from her boss asking her to wire transfer funds to an account, she didn’t hesitate. It was a busy afternoon and there wasn’t anything to suggest anything untoward about the email. She transferred the funds, as requested, to the value of several thousand pounds.
If she had stopped to inspect the email a little more closely, perhaps she would have spotted the various inconsistencies. Or perhaps she would have made a call to check the transfer instruction.
But she didn’t – and she became yet another victim of a targeted phishing attack.
Phishing is the process by which malicious hackers attempt to acquire sensitive information from your users. They are looking for financial credentials, login and password details, and other exploitable or sellable data.
They seek this information by disguising their scam as seemingly trustworthy emails, messages or websites which prompt the recipients to voluntarily hand over sensitive information.
It’s possible to prevent some of these malicious phishing attempts reaching their intended recipients by good IT housekeeping: keeping Operating Systems (OS), browsers and other software versions up to date, and choosing effective malware, anti-virus and email scanning tools.
However, as scammers become more targeted and sophisticated in their attack vectors, it’s difficult for even the best IT security tools to keep up. Also, the threat risk has increased further during the coronavirus pandemic, with attackers taking advantage of people's fears and desire for information to exploit it for their own financial gain. As a result, staff education about potential phishing attack vectors must be a key plank in your phishing defence strategy.
The best way to protect your people against phishing attacks is to give them the tools to be able to spot potential attacks. Combine this with a reporting mechanism when they do spot anything suspicious and you should be able to contain most attacks.
Here, the Grant McGregor team discusses the ten vital red flags that should have your staff ringing the potential phishing attack alarm bells.
#1. Emails that request login credentials or billing information
When phishing first started in the 1990s, hackers targeted AOL customers at random and in bulk to send emails that asked users to “verify” their accounts. It’s an approach that works so well, it’s still in use today.
Instead of masquerading as AOL, today’s hackers use information garnered from data breaches to masquerade as a service you use, such as Adobe or PayPal. In August 2014, iCloud users were targeted with emails that looked like legitimate Apple alerts. These emails warned recipients that their accounts may have been compromised and requested they enter their account details. The scam resulted in 500 private celebrity photos being leaked.
If you do receive an email asking you to enter login details, be suspicious; don’t click on the links contained in the email. Rather, confirm the message via an alternative source.
#2. Misspellings and poor design
Often – but not always – phishing attempts won’t quite hit the mark.
Poor spelling and blurry logos have historically been a giveaway for phishing attempts. As attacks have become more sophisticated this is less of a giveaway as it used to be, but it’s still worth paying attention to.
#3. A service you use has recently been subject to a data breach
When your data has been stolen, you are at greater risk from phishing attempts.
There’s a huge black market for stolen data on the dark web. Hackers can piece information together to develop convincing spear phishing campaigns, especially if this data is augmented with information you’ve already freely shared on social networking sites.
If you know an organisation you subscribe to has been victim of a data breach, it’s worth being extra cautious about any unsolicited emails you receive. For example, the Equifax data breach in September 2017 and Carphone Warehouse data breaches exposed millions of people to this type of risk, as well as Travelex at the beginning of 2020.
#4. A deal seems too good to be true
In August 2017, Amazon customers were pleased to receive notifications about promotional Prime Day deals. However, not all were what they seemed.
Hackers had sent out thousands of emails that prompted recipients to purchase time-limited bargains. When they clicked on the links, the transaction couldn’t be completed, and the victims were prompted to input their login or payment data. Those who did so put it straight into the hands of the phishers.
In March 2018, Internet security researchers(1) found phishing kits available for sale on the dark web that mimic branding elements of well-known companies. These kits make it easy for hackers to create convincing phishing emails.
And it isn’t just emails you need to be wary about. Hackers also use ads on websites to offer tempting deals that invite people to click on links. Phishing sites will capture your financial data when you attempt to “purchase” something on the website. Researchers have found they often masquerade as shops and banking sites.
#5. You receive a “missed voicemail” message
Now that online PBX and email services are integrated in many companies, one dangerously successful approach used by hackers has been to mimic voicemail files.
The Necurs botnet(2) is one tool that uses this approach. Once victims download the “voicemail” attachment, it installs ransomware or other malware onto the victim’s device. Often, another email is contained in the attachment which contains the actual phishing attempt.
So successful has this approach been, hackers are widening its attack profile – sending files via SMS and other messaging tools as well. Be careful when you receive any “voicemail” file – if there’s another way to listen to the message, use it.
#6. You are sent a web link
Never blindly click on a weblink or a link to an app such as YouTube or Messenger. It’s good practice to check any weblink you receive; whoever it is from and however you receive it.
Facebook Messenger and SMS text messages are the new battlegrounds for this type of phishing attack.
#7. You receive an email with your password in it
A legitimate company would never include your password details in their communication with you, so if a password appears in a message this should immediately raise warning flags – even if it is a password you recognise.
Unfortunately, there is so much data available on the dark web today, that using hacked passwords to give a phishing attempt more credibility is now an established approach.
In July 2018, a widespread “sextortion” phishing campaign used this approach to extort money from unwitting recipients - with versions of this scam still happening within the last year(3).
#8. You receive an email from someone within your own company, but the tone is off
One proven technique for business email phishing attacks is to leverage company email to pretend to be a work colleague. Once the attacker has your trust, they’ll invite you to click a malicious link, send a bank transfer, or share sensitive information.
If you receive an email from a work colleague that seems out of character, follow it up with a quick phone call before you act on it.
#9. You’re offered unexpected Wi-Fi network choices
Some hackers pose as Wi-Fi networks.
Be wary if you are connecting in a public space and doublecheck to ensure you are connecting to the right domain. If you accidently connect via the hackers spoofed network, they’ll be able to harvest any data you enter during that browsing session and may even compromise your device.
Be sure to check with the coffee shop or hotel which Wi-Fi name is theirs, or use your mobile as a Hotspot instead.
#10. Beware the social share
Phishing attacks using social media are on the rise. Phishing attacks that leverage social sharing have a very high success rate – if you think your friend is endorsing a message, you’re much more likely to click on it.
Some Facebook users have fallen victim to .SVG attachments which redirect the victim to a spoofed YouTube page which then prompt them to install two Chrome extensions in order to view the video.
The volume of information about you available on LinkedIn makes this social network a key resource for phishing attackers. It’s a useful way for them to identify potential victims. Phishers then use the platform to send standard phishing communications via InMail or to the victim’s registered email address.
Just because you receive a message on a trusted platform, you shouldn’t assume the content doesn’t need to be considered.
If you’d like further support to help your staff spot phishing attacks, get in touch with the Grant McGregor team today.
We have an established training programme, reinforced with hands-on follow-up exercises and testing, which have proven success rates to reduce the risk from phishing-style attacks.
Contact us today on 0808 164 4142 for more information.
Sources:
1. https://research.checkpoint.com/a-phishing-kit-investigative-report/
2. https://securityintelligence.com/the-necurs-botnet-a-pandoras-box-of-malicious-spam/
3. https://www.welivesecurity.com/2020/04/30/new-sextortion-scam-claims-know-your-password/