Hitachi

U.S.A.

Hitachi Group Global Network

Americas

Asia

Europe

Middle East and Africa

Oceania

Close

Phishing: 3 Methods to Protect Yourself from Cyber Fraud
You are here: Home \ Phishing \ Phishing: 3 Methods to Protect Yourself from Cyber Fraud
phishing cyber fraud
Posted on Tuesday, May 30th, 2017 by

How to Avoid Phishing, Spear Phishing and Whaling Attacks

 

PhishingPhishing is a form of fraud where an attacker masquerades as a trustworthy entity to gain personal information from the victim. This information can include data like passwords, logon credentials, social security numbers, credit card numbers and other sensitive, private information. Phishing attacks often occur through email or by leading victims to fake, spoofed websites that often look authentic to the user.

Related webinar: The Anatomy of a Phishing Attack

 

Traditional Phishing Emails

Phishing scams have been around for years, however, over the past 3 years we have seen an explosion of this type of fraud. According to the 2016 Verizon Data Breach Investigations Report phishing is again and by a great margin, the number one attack tactic.

Phishing includes fraudulent e-mails that include malicious attachments that contain malware that once downloaded search your computer for sensitive information and communicate that information to a command and control server. Phishing also includes fake communication from banks, hospitals and other institutions who encourage users to go to a fake or spoofed site to fill out forms requesting sensitive information which is downloaded and sold on the black market or Dark Web.

Phishing comics

 

Generally, most phishing attacks want the victim to do one of the following:

  1. Enter their PII (Personally Identifying Information)
  2. Click on an attachment
  3. Click on a link to a webpage

Many enterprise (and home based) email scanning or antivirus programs screen out such emails, or at least mark them as junk, however, many phishing attacks circumvent prevention technology and result in substantial costs both for individuals and companies.

There are a few indicators that an email might be phishing for your information.  Phishing attacks are becoming very commonplace and are a huge concern for many enterprise environments, especially those that house customer or employee information.  Many of these traditional phishing emails have spelling mistakes, branding errors, or simply don’t make sense in terms of language and instructions.

 

Spear Phishing

Spear PhishingSpear Phishing is similar to traditional phishing attempts, but many of these attack emails are personalized to individuals or companies. Attackers often gather information about their targets using a variety of methods including Linkedin, Facebook, Twitter or other social media sites and utilize that information to personalize an email, rather than just sending it blindly to an email address. This personalization dramatically increases the success of a phishing attack.

 

Whaling

Whaling emails are a form of spear phishing emails that usually involve someone masquerading as a senior level executive like a CEO, CSO or COO asking another employee, in the finance department for example, to transfer money to a vendor, partner or outside 3rd party entity. The reason they are called “Whaling” is that, like a sales environment, these types of scams often involve large transactions. Many perpetrators of “Whaling” work in teams, gather large amounts of intel from their target, engage in social engineering, take their time, and build relationships.

Whaling emails are not as easy to identify as large tech companies like Ubiquiti Networks and Mattel, the toy maker in the US have fallen victim. The targeted e-mails are meticulously crafted, often contain information relevant to either the recipient or the perpetrated sender, and are often followed up by subsequent emails. Perpetrators of these types of emails often gather information from company websites as well as social media sites to include in the emails.  In the last two years, this form of phishing has cost businesses over $2 billion according to SC Magazine and has also cost many a CEO their job.

 

Ransomware

Recent reports show that that over 97 percent of phishing emails are associated to ransomware like Locky which encrypts or locks the victim’s data when the attachment or link is clicked.  The number of phishing emails used to spread ransomware has increased annually and with the availability of the ransomware and the ease of collecting data on victims, spear phishing attacks using Locky and other ransomware has exploded.

Related post: How to Fight Ransomware: Prevention, Response and Recovery

Criminals are gathering intelligence from the web to determine which companies do business with each other, and who to directly target at a company, and then use that information to generate targeted spear phishing emails using automated tools.  Like other automated sales processes, criminals are automating the gathering of information and phishing email campaign generation.

 

Top 3 solutions for protecting yourself from these types of scams:

#1. Slow Down. 

Slow Down You Can't Afford Not ToMany of us have a Pavlovian response when it comes to our emails.  The second we hear the “ping” from our phone, or see an email pop up on our screen, we instantly want to open it.

Criminals know this.   And they also know that if they add more pressure often by using the words URGENT, IMMEDIATELY, or CRUCIAL, you will be more likely not only to open an email, but potentially open an attachment or respond following orders, especially if it is coming from your CEO.

The 2016 Verizon Data Breach report shows that even waiting an hour before opening an email dramatically reduces your chances of being a victim.  Waiting even longer reduces your chance of being infected significantly more.

 

#2. Look at the Timing / Intent / Person / Content

Before opening an email, and especially before opening any attachments or clicking links contained in the email, take a closer look and think about these 4 aspects.

 

  • Timing: Is the timing of the email correct?  Are you expecting an invoice from someone, a document from someone, a file from someone? If not…be a little suspicious.

 

  • Intent: What is the intent of the email?  Is it to either get you to:
  1. Enter your PII
  2. Click on an attachment
  3. Click on a link to a webpage

If so, be a little cautious

 

  • Person (from): Who is the email from?  Someone who know, or don’t know?  Does the name in the From: section match the name in the body of the email?  If all you see is a name in the From: section, there are various methods depending on your email program, to see the full email address.  Look for spelling mistakes:  [email protected]feddex.com

Does the email have a signature?  Often whaling attacks are disguised as an email coming from a CEO’s mobile device that often do not have official company signatures attached to the name.

 

  • Person (to):  Look at the To: section of the email. Is it addressed to only you and others you know? If there are other email addresses in this section you do not know, it may be a spam email. Is the body of the email personalized, not just the typical “Dear Customer…”?  While looking at these areas does not always mean the email will not contain malware, it will dramatically cut down on your risk of falling for a general phishing attempt.

 

  • Content: Are there spelling mistakes or grammatical errors in the email. Does the content of the email make sense?  Would a CFO of a company be emailing you a receipt?  Would your CEO be emailing you asking for a money transfer to be made?

 

Webinar The Anatomy of a Phishing Attack

 

#3. Take another route.

Take another routeJust because an email says that you need to “verify” something, doesn’t mean that you have to click on the link in order to follow the instructions.  You can simply plug in your destination in your favorite Map app and lower your risk even further.

 

Guess what?  Just by reading this post, you are less likely to be a victim of these types of phishing attempts.  Education on cyber protection best practices has been shown to dramatically decrease rates of phishing victimization.  Share these cyber protection best practices with co-workers and friends and the data suggest that your chance of being a victim of fraud will be reduced substantially. I often get emails from a family member which contain links to very odd looking websites, or contain attachments which are often used to spread malware (zip files). This family member recently sent an email to many people in my family. I replied to everyone and gave a brief “education moment” on these types of emails and the risks of opening them.

It is often best to get confirmation before running an executable or opening suspicious documents or files that you are not expecting.  This is especially important before making any sort of money transfer.  Kick it old school and pick up a phone….or even better….talk to someone if you can before following the instructions in an email.

 

Ryan Duquette is Former Digital Investigator with the Peel Region Police, and Founder of Hexigent Consulting. You can listen to Ryan on the Amber Mac show discussing phishing scams.


For more information about how to protect yourself against phishing attacks, watch our webinar “the Anatomy of a Phishing Attack” below:

The Anatomy Of a Phishing Attack

Ryan Duquette
About author:

Latest Webinars | Watch Now

 

The Next Generation of Managed Security, in collaboration with PCM.

Watch Now

Reporting Data Privacy Obligations to the Board: A Practical Approach to Ongoing Compliance, in collaboration with Nymity.

Watch Now