No matter who you are or what your level of technical expertise, in today’s hustle-and-bustle world phishing schemes thrive on our lack of attention to detail and our day-to-day routines.
What is this phishing you are talking about?
Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages usually direct you to a spoofed website or otherwise get you to divulge private information (e.g., passphrase, credit card, or other account updates). The perpetrators then use this private information to commit identity theft.
One type of phishing attempt is an email message stating that you are receiving it due to fraudulent activity on your account, and asking you to “click here” to verify your information.
Phishing scams are crude social engineering tools designed to induce panic in the reader. These scams attempt to trick recipients into responding or clicking immediately, by claiming they will lose something (e.g., email, bank account). Such a claim is always indicative of a phishing scam, as responsible companies and organizations will never take these types of actions via email.
Specific types of phishing
Phishing scams vary widely in terms of their complexity, the quality of the forgery, and the attacker’s objective. Several distinct types of phishing have emerged.
Phishing attacks directed at specific individuals, roles, or organizations are referred to as “spear phishing”. Since these attacks are so pointed, attackers may go to great lengths to gather specific personal or institutional information in the hope of making the attack more believable and increasing the likelihood of its success.
The best defense against spear phishing is to carefully, securely discard information (i.e., using a cross-cut shredder) that could be used in such an attack. Further, be aware of data that may be relatively easily obtainable (e.g., your title at work, your favorite places, or where you bank), and think before acting on seemingly random requests via email or phone.
The term “whaling” is used to describe phishing attacks (usually spear phishing) directed specifically at executive officers or other high-profile targets within a business, government, or other organization.
Avoiding phishing scams
To guard against phishing scams, consider the following:
- Your colleagues and other reputable organizations will never use email to request that you reply with your password, full Social Security number, or confidential personal information. Be suspicious of any email message that asks you to enter or verify personal information, through a website or by replying to the message itself. Never reply to or click the links in such a message. If you think the message may be legitimate, go directly to the company’s website (i.e., type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message.
- The safest practice is to read your email as plain text.
  Phishing messages often contain clickable images that look legitimate; by reading messages in plain text, you can see the URLs that any images point to. Additionally, when you allow your mail client to read HTML or other non-text-only formatting, attackers can take advantage of your mail client’s ability to execute code, which leaves your computer vulnerable to viruses, worms, and Trojans.
- If you choose to read your email in HTML format:
  - Hover your mouse over the links in each email message to display the actual URL. Check whether the hover-text link matches what’s in the text, and whether the link looks like a site with which you would normally do business. On an iOS device, tap and hold your finger over a link to display the URL. Unfortunately, Android does not currently support this.
  - Before you click a link, check to see if the message sender used a digital signature when sending the message. A digital signature helps ensure that the message actually came from the sender.
When you recognize a phishing message, first report it to your IT Department or IT Services Provider, then delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing the websites it points to.
Reading email as plain text is a general best practice that will stop some phishing attempts, but not all of them. Some legitimate sites use redirect scripts that don’t check where they redirect to. Consequently, phishing perpetrators can use these scripts to redirect from legitimate sites to their fake sites.
Another tactic is to use a homograph attack, which, due to Internationalized Domain Name (IDN) support in modern browsers, allows attackers to use different language character sets to produce URLs that look remarkably like the authentic ones.
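The link checks described above (hover text versus actual URL, redirect scripts, and IDN homographs) can be run over an HTML message body before a user ever clicks. The Python below is an added example, not part of the original article; the function names, the finding labels and the example.* sample hosts are assumptions made for illustration.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
def scripts(host):
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}

def check_link(href, text):
    findings, host = [], host_of(href)
    # 1. Visible text looks like a URL but names a different host than the href.
    shown = host_of(text) if "." in text and " " not in text else ""
    if shown and shown != host:
        findings.append("text-href-mismatch")
    # 2. Homograph indicators: a punycode label, or more than one script in the host.
    if any(p.startswith("xn--") for p in host.split(".")) or len(scripts(host)) > 1:
        findings.append("idn-homograph-suspect")
    # 3. Redirect script: a query parameter carries a URL on a different host.
    for _, value in parse_qsl(urlsplit(href).query):
        if value.startswith(("http://", "https://")) and host_of(value) != host:
            findings.append("redirect-to-other-host")
    return findings

def audit(html):
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}
# Constructed sample body; example.* hosts are placeholders, \u0430 is Cyrillic "a".
SAMPLE = ('<a href="http://login.example.net/verify">www.example.com</a>'
          '<a href="http://ex\u0430mple.com/">Your account</a>'
          '<a href="https://www.example.com/go?url=http://example.org/x">Track</a>'
          '<a href="https://www.example.com/help">www.example.com</a>')
```

Calling audit(SAMPLE) returns one list of findings per link; an empty list means none of the three checks fired, not that the link is safe.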
What to look for
What can users do to keep their guard up? A report from fellow cybersecurity company FireEye that analyzes how malicious files get past traditional defenses also includes a helpful list of the most common file names and extensions being used in phishing attacks.
If you order anything to be shipped, whether for work or home, be careful of where your confirmation and tracking e-mails come from. The FireEye report says that, between the second half of 2011 and the first half of 2012, words related to shipping grew from 19.2 percent to 26.3 percent of phishing e-mails, with “label” and “invoice” being the most common.
Another tactic on the rise is sending e-mails that try to create a sense of urgency, which grew from 1.72 percent to 10.68 percent of the e-mails, the report said.
The 20 most common words in use in the first half of the year, and the percentage of phishing e-mails in which they appeared:
- label, 15.17
- invoice, 13.81
- post, 11.27
- document, 10.92
- postal, 9.80
- calculations, 8.98
- copy, 8.93
- fedex, 6.94
- statement, 6.12
- financial, 6.12
- dhl, 5.20
- usps, 4.63
- 8, 4.32
- notification, 4.27
- n, 4.22
- irs, 3.60
- ups, 3.46
- no, 2.84
- delivery, 2.61
- ticket, 2.60
The five most common categories used in phishing e-mails were: postal (26.33 percent); urgency, such as confirmations and alerts (10.68); banking or tax matters (3.83); airline and travel information (2.45) and billing (0.68).
Phishers aiming to distribute malicious files generally try to get users to click on a link to a malicious website or download a file attached to the e-mail. In terms of attachments, users would be wise to be wary of .zip attachments, which appeared in 76.91 percent of the phishing e-mails FireEye checked in the first half of the year.
The next most common attachments were .pdf (11.79 percent), .exe (3.98), .doc (2.67) and .pif (1.09). The .exe extension, denoting an executable file for downloading and running programs, was once the go-to extension for malware distribution, but with people learning to be careful about it, hackers have moved on to ZIP and PDF.
Tactics change, but the most common ruse at the moment is trying to get people to feel they can’t wait to find out about the matter at hand and using .doc and .docx files with embedded scripts.
There’s no excuse today for SMBs to leave themselves unnecessarily at risk of a cyber-attack. With the right investments, a proper appraisal of your risks, and some good old-fashioned common sense, it’s a straightforward task to keep your SMB as safe as it can be.