Phishing: Beware of those Sneaky, Slimy, Stinky Messages
DATE: May 04, 2021
It’s 3 am, and you are abruptly awoken from a deep sleep by a banging on your door. You wipe the sleep from your eyes and glare at your alarm clock. Who could that be at this hour, you say to yourself. You’re not expecting any late-night visitors, your family is sound asleep in their beds, and your mind races to the evening news. Your heart is pounding. Do you immediately jump out of bed and open the door? No? Why not? Too risky?
I propose that if we treated items delivered to our Internet mailboxes like a tap on the door at 3 am, we would all be a bit more cyber safe. George, you are crazy and paranoid. Perhaps, but does it hurt to be a bit more cautious when online? George, what are you talking about? I am talking about phishing.
Phishing is a messaging technique that tries to trick a recipient into divulging information or taking an action such as clicking a web link or opening an attachment. I use the phrase messaging technique because phishing is an attack on human behavior using targeted messaging; these malicious messages have been observed on pretty much all communication platforms. It’s not just a threat you need to watch out for in eMail. Phishing has been observed in eMail, SMS text messaging, instant messaging such as AOL & Yahoo Messenger (yeah, I am old!), iMessage, WhatsApp, Facebook Messenger, Snapchat, LinkedIn, voicemail, etc. If it is a platform where you can send and receive messages, I guarantee you that it is being targeted by phishers. Phishing attempts can also involve being telephoned…do you really think they want you to renew your car warranty?!?
You said phishing is an attack on human behavior? Yes, like other scammers, phishers craft their messages to elicit a specific reaction, preying on human nature and emotions. In almost all cases, it is safe to read a phishing message, as long as you DON’T take any action with it. If, by chance, you’re able to determine the message is suspect by the subject alone, just delete it. Deleting it without opening it prevents the scammer from detecting that you ever even received the message, which would confirm that the email address is alive and attended to.
According to Security Boulevard’s Staggering Phishing Statistics in 2020, 30% of phishing emails are opened by users, and 12% of these targeted users click on the malicious link or attachment. Furthermore, around 1.5 million new phishing sites were created every month in 2020, and 22% of all data breaches in 2020 involved phishing attacks.
Phishing is difficult for technology solutions to screen out for you automatically, so the more you know about identifying a malicious message, the better you will be at protecting your information.
There are many types of phishing messages, depending on the goal of the scammer. Some use a spray and pray tactic, hoping to snag any uninformed recipient in their snare. These are generally the easiest to spot. Think of the Nigerian Prince scam that seeks your help in transferring millions of dollars out of their country. Do you know a Prince personally? If not, delete and move on! Other messages are highly targeted; this attack is called spear phishing. These messages target a specific person or role within your organization, such as an accounts payable clerk. The message may not be out of context for the person receiving it; however, the requested action seems out of place or suspicious. These messages will generally spoof the identity of a person or organization that is trusted by the recipient, in the hope of making the message more realistic. Whaling is a type of phishing attack that targets senior executives or companies’ CEOs. These messages generally seek to get fraudulent financial transactions authorized or to obtain large dumps of data on employees, such as W2 exports from the HR system. Regardless of whether the message was sent to thousands of unconfirmed email addresses, a regional Facebook group of Star Wars enthusiasts, or a single individual, there is one thing the messages have in common: they are deceptive and looking to gain from your misfortune.
Fortunately, unlike being awakened at 3 am, there are clues that a message is an attack. Here are the most common ones:
- A sense of urgency that demands “immediate action” before something bad happens, like threatening to close an account (e.g., Confirm your webmail account within 24 hours by logging into this random, shady looking website or it will be closed and all your emails will be gone FOREVER, or a voicemail indicating SSN fraud and the threat of sending you to jail if you don’t do something). The attacker wants to rush you into making a hasty decision.
- Pressuring you to bypass or ignore your policies or procedures at work. (E.g., Pay this vendor via Venmo, and don’t bother asking your boss first, they are in an important meeting about this vendor acquisition).
- A strong sense of curiosity or something that is too good to be true. (No, you did not win the lottery... really, you didn’t, now just delete the message and move on!)
- A generic salutation like “Dear Customer.” Most companies or friends contacting you know your name.
- Requesting highly sensitive information, such as your credit card number, password, or any other information that a legitimate sender should already know. Here is a tip: service providers NEVER need to know your password, so a request for your password is always, yes, ALWAYS a scam.
- The message says it comes from an official organization but has poor grammar or spelling or uses a personal email address like @outlook.com.
- The message comes from an official email (such as your boss) but has a Reply-To address going to someone’s personal email account.
- You receive a message from someone you know, but the tone or wording just sounds off. If you are suspicious, call the sender to verify they sent it. It is easy for a scammer to create a message that appears to be from a friend or coworker. Senior citizens might get an email alleging to be from their grandchild on vacation in Mexico, who needs money wired to them, so they can get home due to a lost wallet and cell phone. The use of social media makes this type of information gathering very easy for scammers.
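Several of the clues above (a Reply-To that goes somewhere other than the sender, an "official" sender on a personal webmail domain, urgency wording, a generic salutation, a request for your password) can be checked mechanically before a human ever reads the message. The following is an added example written for this post, not the author's own code: it parses a constructed message with Python's standard email library and reports which of the listed clues it trips; the domains, wording and keyword lists are assumptions made up for the illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Webmail domains an "official" sender would not normally use (constructed list).
FREE_MAIL = {"outlook.com", "gmail.com", "yahoo.com", "hotmail.com"}
URGENCY = ("immediate action", "within 24 hours", "will be closed", "act now")
GENERIC = r"^\s*dear (customer|user|account holder|member)\b"

def domain_of(header):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def phishing_clues(raw):
    """Return the names of the clues from the list above that one raw message trips."""
    msg = email.message_from_string(raw, policy=policy.default)
    clues = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        clues.append("reply_to_mismatch")    # replies go somewhere other than the sender
    if from_dom in FREE_MAIL:
        clues.append("free_mail_domain")     # "official" sender on a personal mailbox
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject'] or ''}\n{body.get_content() if body else ''}".lower()
    if any(k in text for k in URGENCY):
        clues.append("urgency")
    if re.search(GENERIC, text, re.M):
        clues.append("generic_salutation")
    if "password" in text:
        clues.append("password_request")     # no legitimate provider asks for it
    return clues

# Constructed sample that trips several clues at once; the domains are placeholders.
SUSPECT = """From: Webmail Support <support@outlook.com>
Reply-To: recovery-desk@example.net
To: employee@example.com
Subject: Confirm your account within 24 hours

Dear Customer,
Your webmail account will be closed unless you take immediate action.
Log in at http://example.net/confirm and enter your password to keep it.
"""

# Constructed message from a known colleague that trips none of the checks.
BENIGN = "From: Alice <alice@example.com>\nTo: bob@example.com\nSubject: Lunch?\n\nHi Bob, are you free Thursday?\n"

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, phishing_clues(raw))
```

A message that trips none of these checks is not proven safe; the script only automates the first pass, and the "tone sounds off" clue still needs a phone call to the sender.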
If you responded to a phishing message and provided personal information, like your Social Security (or PAN), credit card, or bank account number, go to IdentityTheft.gov. There you’ll see the specific steps to take based on the information that you lost. If you responded with a personal password, go to the service directly and change your password immediately, and while you’re in your account, if multifactor authentication is supported, ENABLE IT!
If you responded to a phishing message divulging a work-related password or information, seek assistance from your information technology department immediately. Be sure to also change your password as soon as possible.
If you think you clicked on a link or opened an attachment that downloaded harmful software, update your computer’s security software. Then run a full system scan. If this is a work computer, seek assistance from your IT department, EVEN if the scan indicates that you are not infected. There could be others at your organization who need assistance, and the sooner the attack is identified, the sooner everyone can be protected.
Phishing is constantly evolving to adopt new forms and techniques. Your best defense is common sense. If the message has a threatening tone, sounds too good to be true, or otherwise seems suspicious in what it is asking, it is more than likely a phishing attempt. Just like that tap on your door at 3 am, if you pause before opening or taking action on unsolicited messages you receive, you will be in a better position to spot all those sneaky, slimy, stinky phishes.
About the author
Assistant Director, Cyber Services