Welcome to Week 4 of Cyber Security Awareness Month! The topic for this week is Phishing, one of the most prevalent and successful Internet threats today. Phishing can target an individual user for personal information, or go after a user known to have access to sensitive data at their workplace.
Phishing is a technique cybercriminals use to obtain personal information from you, or to get malware (malicious software) onto your PC or mobile device, through a call to action. Phishing attempts are mostly delivered electronically, such as by email or a messaging application. The call to action usually comes wrapped in an official-sounding story and prompts you to reply to the message or click a link that takes you to a web site where you are asked to enter personal or sensitive information. Often the call to action also dangles a reward as an enticement to click the displayed link or reply to the message.
Phishing comes in a variety of forms depending on the target(s):
Mass Mail Phishing – This is a common technique in which an untargeted mass email is sent from a source pretending to be a representative of a well-known business or organization. To be more convincing, the email often relies on spoofing: the From field in the email header is forged so it appears to come from a trusted, valid source, or the display name shows a trusted name while the actual address is something else entirely. Whether a forged From address reaches your inbox depends on the receiving mail system enforcing SPF, DKIM and DMARC; do not assume it does. The email may also contain graphics and text copied from a genuine email sent by the business or organization.
Examples: a UPS/FedEx delivery notice, a PayPal warning, an account expiration notice (from a bank, retailer, or other well-known entity), a server maintenance verification.
Spear Phishing – This form of phishing targets specific employees within a business or organization, typically those known to have access to sensitive data. Cybercriminals take the time to research which employees to target and craft the attack using whatever professional (or personal) information is publicly available or can be gathered through social engineering.
Whaling – This is a variation of Spear Phishing in which the targets are the executive level (leaders) of the business or organization. The research is similar to spear phishing, but extends to the topics executives most often deal with (financial, legal, government, etc.) before the phishing attempt is crafted. A successful Whaling attack can put at risk additional types of sensitive data that only executive-level employees can access.
Clone Phishing – This technique is similar to Mass Mail Phishing, but starts from a genuine email the business or organization actually sent. The cybercriminal takes that email, swaps the original content (or a link or attachment) for the phishing payload, and keeps the rest of the design: graphics, layout, and even the legitimate links, so that only the altered part leads somewhere malicious.
Phishing attacks of any type become even more dangerous when the link leads to a cloned copy of the business or organization's web site that looks genuine. A cloned site is particularly effective when the cybercriminal knows about the user's online activity or purchases and tailors the lure accordingly.
Now that you know the different types of phishing attacks you can encounter, here’s how to spot them:
Phishing attacks often prey on your emotions. Be wary when you receive a message that:
- offers a reward of some type (often financial)
- creates a sense of urgency, such as a deadline
- carries a sensational headline involving a well-known person or hot-button issue
- threatens a consequence if you do not perform the requested action (replying or clicking a link)
Carefully read the suspected phishing attack for these tell-tale signs:
- Sender address doesn't match the name, business, or organization it claims to represent. Look at the actual address and its domain, not just the display name, which the sender can set to anything
- Language or punctuation errors. Still common, since English is not a native language for many cybercriminals, though a polished message is no guarantee of legitimacy
- If you are familiar with the sender, review the message for odd wording or an overly formal tone. If suspicious, contact the sender through a channel you already trust (a known phone number or a fresh email to their known address), not by replying to the message
- Is there an email signature? Verify that the contact information and format of the signature match what you have seen from that sender before
Other “red flags” that may indicate a phishing attack:
- Attachments – Exercise caution with any attachment you aren't expecting. Malware can be hidden in exe, scr, PDF, or even MS Office documents (especially macro-enabled ones)
- Links – Worth repeating. Links are often the culprit in a successful phishing attack. Mouse over the link to view the real destination address and compare its domain with the business or organization being represented; the organization's name appearing somewhere in the address is not enough, since paypal.com.something-else.example belongs to something-else.example, not PayPal
- Log-In Pages – Phishing attacks may replace a link with a genuine-looking but forged log-in form embedded in the message itself. Never enter credentials into a form inside an email; open the site yourself in your browser instead
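The sender-address and link checks above can be automated for messages you want to triage. The following Python script is an added example, not code from the original article or from any mail product: it parses a raw email, compares the From and Reply-To domains against the organization the message claims to be from, compares the visible text of each link against where the link really goes, and flags risky attachment types. The two sample messages, and every host name in them, are constructed for illustration; the "claimed domain" (here paypal.com, one of the organizations the article mentions) is supplied by the analyst.

```python
"""Phishing red-flag triage over a raw email (added example, not from the article).
Checks From/Reply-To domain against the claimed organization, visible link text
against the real href, and attachment types. Samples below are constructed."""
import os
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = {".exe", ".scr", ".pdf", ".doc", ".docm", ".xls", ".xlsm"}
# Link text that itself looks like a URL or a bare host name.
HOST_TEXT_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels (www.paypal.com -> paypal.com). Approximation only:
    no public-suffix list, so names like example.co.uk need special handling."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def address_domain(addr):
    return registrable_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""

def href_domain(href):
    return registrable_domain(urlparse(href).hostname or "")

def text_domain(text):
    """Domain the link *text* claims, or "" when the text is not URL-like."""
    m = HOST_TEXT_RE.match(text.strip())
    return registrable_domain(m.group(1)) if m else ""

def find_red_flags(raw_message, claimed_domain):
    """Return (category, detail) flags; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    _, from_addr = parseaddr(msg.get("From", ""))
    if address_domain(from_addr) != claimed_domain:
        flags.append(("sender", f"From {from_addr} is not under {claimed_domain}"))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and address_domain(reply_addr) != address_domain(from_addr):
        flags.append(("reply-to", f"Reply-To {reply_addr} differs from From domain"))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for text, href in extractor.links:
            shown, real = text_domain(text), href_domain(href)
            if shown and shown != real:  # the "mouse over the link" check
                flags.append(("link-text", f"text shows {shown} but goes to {real}"))
            if real != claimed_domain:
                flags.append(("link-domain", f"{href} is not under {claimed_domain}"))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            flags.append(("attachment", f"unexpected {name}"))
    return flags


# Constructed phishing sample (account-expiration pattern); every host is a placeholder.
PHISH_SAMPLE = """\
From: PayPal Support <support@paypal-billing-center.example>
Reply-To: verify@mailbox-collect.example
Subject: Your account will be limited in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Confirm your details at
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a>
within 24 hours or your account will be suspended.</p>
--b1
Content-Type: application/octet-stream; name="Invoice.scr"
Content-Disposition: attachment; filename="Invoice.scr"

not really an invoice
--b1--
"""

# Constructed legitimate sample from the same organization; should produce no flags.
CLEAN_SAMPLE = """\
From: PayPal <service@paypal.com>
Subject: Your receipt
Content-Type: text/html; charset="utf-8"

<p>Thanks for your payment. <a href="https://www.paypal.com/activity">Sign in</a> to view it.</p>
"""
```

Running `find_red_flags(PHISH_SAMPLE, "paypal.com")` produces five flags (sender, reply-to, link-text, link-domain, attachment), while the clean sample produces none. The domain comparison is deliberately on the registrable domain rather than the full host, which is exactly why the forged `paypal.com.account-verify.example` link is caught: what matters is the last part of the host name, not whether a familiar name appears somewhere in it. The two-label approximation is a known limitation; a production tool would use the public suffix list.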
See Something, Say Something – If you receive a suspected phishing attack in your email, report it to your campus ACT for review, then delete the message. Do not click its links or open its attachments while you wait.