More About Phishing

  • Published: Tuesday, April 19, 2022

There are so many angles of phishing. Getting phished is dangerous; it can rob you of personal information, reputation and money. There are different levels of phishing tactics. Some are merely annoying, but others are outright malicious. Perhaps you have experienced some of these.

  • Phishing is an email that attempts to gain the recipient's trust in order to convince them to take an action. This action could be logging into a fake website, opening an attachment that contains malware or transferring funds.
  • Spear phishing is targeted emails to a group or type of user. For instance, a message to a CFO requesting the transfer of funds or purchase of gift cards, rr to the administrator of an organization requesting W-2 information on all employees. Spear phishing can also be to a group, perhaps an athletic department, requesting a log in to a commonly used sporting goods website that redirects to a cleverly disguised website operated by the crook.
  • Whaling is a phishing email that is targeting the executive level of an organization.

Ransomware is when a virus infects a device, usually through a phishing email containing a venomous link or attachment that the end user executes. Executing the link or attachment initiates an invasive attack on the device -- and any other network connections attached to it -- that will encrypt files and render the device unusable. The attackers then demand a ransom in order to get the decryption key to reinstate the files. This form of extortion is becoming more frequent, and cyber criminals are adding other layers of extortion by threatening to release the stolen data on the Internet and/or go after any partners used by the company with threats.

Then we have sextortion. This type of ransomware is usually targeting individuals with threats and an urgency to respond. The context will explain that the criminal has taken control of your device, perhaps claiming to have your password, which it likely got from a previously breached database. So even if the password is a match for one previously used, the user would have changed it by now. The cyberpunk goes on to explain how they have all your data. Not only that, they have observed the perverted activity you have participated in and have recorded it through your camera. They will demand a payment in cryptocurrency in order to prevent it from being released to all your contacts and on the web.

Let's review some security best practices for email:

  • Use a secure, unique and strong password.
  • Use Multi-factor authentication (MFA).
  • Do not click on links or open attachments from unknown or unsolicited emails.
  • Recognize that phishing emails may include:
    • A sense of urgency: "Act now to take advantage of this deal"
    • Threats: "Your account will be disabled in 24 hours if..."
    • Bad grammar and/or spelling
    • A generic salutation: "Dear Valued Customer"
    • Logos or signatures that may impersonate popular sites or brands.
    • Unusual requests for money, gift cards or personal information. NEVER transfer any of these requests without PERSONALLY (via phone or face-to-face) identifying the requestor.

Since spoofing an email is a method for cyber crooks to bypass a user's attention to detail, it is important to look at the message's reply to address. Is it really going back to the sender it pretends to be? For example:

John Smith <[email protected]>

A user should always be suspicious of links in emails, even those received by known senders. If a bank or commonly used service sends a user an email with a link to log in, it is best to go directly to that website, without clicking the link. Open a browser and log in directly and you will know that you have not been directed to a false page.

Phishing and spoofing are not limited to email.

  • Website spoofing is making a malicious website look like a legitimate one.
  • Caller ID spoofing is similar to email spoofing. It appears that the phone number appears to be familiar or local.
  • Caller ID spoofing can result in vishing, which is phishing by phone contact. The threat actor may call to imply that they have discovered a problem with your account, or impersonate a child or grandchild who claims to be in trouble and needs cash to recover.
  • SMiShing is phishing via text messages (SMS) and may encourage the victim to click on a link or respond. Once they receive an acknowledgement the attacher knows they have a potential patsy.

Slow down. Don't click. Scrutinize those emails. Some messages are merely spam or a way to add a target to a marketing database. But it's those others that can be potentially damaging where we need to exercise vigilance.