Posted on: October 19, 2021
There is a saying that goes: “All is fish that comes to the net”, meaning that a person takes advantage of every available opportunity to complete a task. In a sense, hackers live by this idiom: constantly looking for cracks in computer systems, and willing to deceive through fraud, impersonation, and trickery to turn those cracks into craters. Phishing is one such deceptive tactic hackers love to use. Phishing, a type of social engineering, involves an attacker sending fraudulent messages to an unsuspecting victim in an attempt to have them disclose sensitive information or run dangerous software. Over the years, phishing has evolved into different “flavors” targeting specific individuals based on the hacker’s preferred “taste” of victim:
Unsolicited Email – this is the most common form. A deceptive message is sent indiscriminately to as many individuals as possible, usually through a bulk email blast. The hacker’s goal is volume. The messages are often broad and vague, poorly written, with inconsistencies in email addresses, and often do not mention the recipient by name (a hint of a bulk send).
Spear – a message specially crafted for one individual. In stark contrast to the aimless, scattered phish, spear phishing requires the attacker to perform significant reconnaissance of the target. Through numerous internet searches and reading public social media posts, the hacker constructs a personalized, victim-tailored message to maximize the chances of a successful phish. Because of the significant detective work involved, victims aren’t selected at random but are chosen because the attacker perceives them as someone with information of value.
Whale – spear phishing for big game. This type is the same as spear (individually targeted), except the victim is seen as a person of high importance. Typical targets include Chief Executive Officers, VPs/Presidents, and other high-profile employees who have access to an organization’s high-value data. The rationale is that a successful phish of a high-ranking person should result in a big payoff.
The method of communication for phishing is not limited to simply email. Thanks to smartphones, two common transport methods to look out for are:
Vishing – short for “voice phishing”, this attack type involves voice phone calls directly to the target. The calls are usually automated, but sometimes the hacker is bold enough to make the call live. Often the call is a hybrid: you are first contacted by a machine, and if you appear interested you are transferred to a live “agent”. This lets the attacker mass-call a large number of individuals while having those who seem interested speak to a real person.
Smishing – another attack vector thanks to the era of smartphones. In this variation, the phishing occurs over SMS text messaging.
Today’s internet users are quite savvy to phishing and yet it is still very successful. Financially, it is estimated that phishing generates $17,700 USD per minute in cybercrime revenue. Not to mention the damage caused by losses in productivity, data loss, and reputation. So what’s the best defense?
Spam filters are the behind-the-scenes frontline responders. All organizations use some kind of filtering technology to sift the phish from the fish. And yet phishing is still a major problem. Ultimately, it is the responsibility of the individual to protect themselves. Telltale signs to watch out for:
1. Poor grammar and spelling errors. Often these messages come from all over the world; consequently, English might not be the attacker’s native tongue.
2. Unrecognized/unsolicited email address. You receive an email from an unrecognized source and/or you never initiated the conversation (unsolicited).
3. Unfamiliar tone. You recognize the sender, but it doesn’t “sound” like how you would expect them to talk to you.
4. Inconsistent email addresses, links and domains. The email might have a “from” tag with an inconsistent return email domain. For example: “From: John Cuzzola email@example.com” has many red flags. “John Cuzzola” does not match the apparent email sender “jan.grene”, and the domain @bluewave.it is not the expected domain of @tru.ca. Also watch for link inconsistencies, where the link visually reads https://www.tru.ca but when you mouse over it, it becomes https://bluewave.it/login.
5. Threats or urgency for action. Hackers want you to act on impulse and not spend time scrutinizing the message. Hence, phishing often involves threats of something bad happening if you don’t do what’s asked immediately.
6. Unusual requests. Often the ask is just plain weird.
7. Message is very short and terse. Long-winded emails with lots of details give you time to think. Short and forget-about-it is the preferred attack style.
8. Request for login credentials or cash. This is what hackers are usually after. A straight-up request for money or your username/password should set off alarm bells.
9. Suspicious attachments. Attachments are used to try to avoid spam/virus filters. Pause and think carefully about 1-8 before proceeding. Open with caution.
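As an added example (not part of the original post or TRU’s tooling), here is a small Python check that mechanizes the “inconsistent addresses, links and domains” sign: it compares the From display name with the address’s local part, the sender domain with the expected domain, and each link’s visible text with its real href. The message, names and .example domains are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the names and .example domains are placeholders.
SAMPLE = """From: "John Cuzzola" <jan.grene@bluewave.example>

<p>Login at <a href="https://bluewave.example/login">https://www.tru.example</a> now.</p>
"""

class _Anchors(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def _host(url):
    h = urlparse(url if "://" in url else "https://" + url).hostname or ""
    return h.lower().removeprefix("www.")  # www.x.example and x.example compare equal

def phishing_flags(raw_message, expected_domain):
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    flags = []
    # Display name should share at least one token with the address's local part.
    tokens = {t for t in re.split(r"\W+", name.lower()) if t}
    if tokens and not any(t in local.lower() for t in tokens):
        flags.append(f"display name {name!r} does not match sender {addr!r}")
    # Sender domain should be the one expected for this person.
    if domain.lower() != expected_domain.lower():
        flags.append(f"sender domain {domain!r} is not {expected_domain!r}")
    # Visible link text that looks like a URL must match the real href host.
    parser = _Anchors()
    parser.feed(msg.get_payload(decode=True).decode(errors="replace"))
    for href, text in parser.links:
        if re.match(r"(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I) and _host(text) != _host(href):
            flags.append(f"link shows {_host(text)!r} but points to {_host(href)!r}")
    return flags
```

Running `phishing_flags(SAMPLE, "tru.example")` returns three flags for the sample; a message whose name, domain and links agree returns an empty list.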
Stay vigilant! Be alert! Exercise a healthy dose of skepticism when receiving any kind of electronic messaging. A little common sense can go a long way in preventing you from becoming a hacker’s catch of the day!
Have you received a SPAM or PHISHING email lately? KnowBe4’s Phish Alert button gives TRU users a safe way to forward suspected email threats to the Information Security team for analysis. The button also deletes the email from the user’s inbox to prevent future exposure. All with just one click! Read more about this button and how to use it at https://its.inside.tru.ca/2021/06/10/pab-now-available/.
Written by John Cuzzola, Director, Information Security