
by William V. Burns

October 24, 2014

You are a juicy, delicious phish. Allow me to explain. I am not referring to the jam rock band, the ice cream flavor from Ben & Jerry’s, or the homophonic wiggly gilled denizens of watery environments.

No, to a select group of individuals, you are far more valuable. You are a trusting person with a mouse. You click on things.

More precisely, you follow links in emails.

Now, I can’t really blame you. You were taught that behavior. ‘Click here’ was the mantra of the early Internet. Email was one of the prominent ways to spread links around.

*sound effects*

“You’ve got mail! Click!”

Those times are now in the past, and it’s time for you, Mr. or Ms. Phish, to put the mouse down for a moment and let me explain about Social Engineering and Phishing.

Phishing – Pic from betacontinua on flickr

Social Engineering is the practice of abusing the usual trust folks have for other people in order to gain some advantage. Simply put, there are jerks out there that will lie to you and take advantage of your habits and tendencies to trick you into handing over your money, or your information, or your money and information.

One set of jerks, commonly referred to as ‘hackers’ or cybercriminals, set traps for you through email. They coined the word ‘phishing’ to describe the practice.

One way or another, these criminals harvest a list of consumer email addresses that are known to be active and associated with a known company, preferably one that has a financial relationship with you, especially a bank or an online payment service such as PayPal.

Their next step is to set up a server which can host a webpage which looks like that bank or payment service, with a logon page or credentials confirmation page. The cybercriminals will set up temporary or even stolen hosting in order to create this site, which will collect people’s account and login information.

Then they go ‘phishing.’ A batch of emails is sent out, often through compromised or open mail relay servers, to thousands of harvested consumer email addresses. These emails have a clean background, a logo, contact information, and an overall look just like they came from (for example) your bank. Often the email will have language suggesting a sense of urgency:

A purchase was made using your card which may have been a fraudulent use. Please log on to our site and verify your identity, or we will cancel your account within the next six hours. Click here to verify your identity: link

Pro tip: don’t click that link. Victims follow the link, end up on the criminal site, try to ‘verify’ their information, and enter it into the web page, which collects it for the ‘hackers.’

Millions of people every year fall for this trick. And why not? It looks like your bank is protecting your account.
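The two tells the post describes, pressure language and a ‘Click here’ link that does not go where it appears to go, can be checked mechanically. The script below is an added example, not code from the original post: it parses a constructed message modelled on the quoted email (all addresses and hostnames are made-up placeholders), flags the urgency phrases, and reports any link whose real destination differs from the sender’s domain or from the address shown in the link text. The urgency phrase list and the two-label domain comparison are simplifying assumptions for illustration.

```python
"""Defender-side heuristics for the phishing pattern described above."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases taken from the quoted lure (constructed list, not exhaustive).
URGENCY_PATTERNS = [
    r"verify your (identity|account)",
    r"cancel your\s+account",
    r"within the next \w+ hours?",
    r"fraudulent",
]


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Reduce 'www.example.com' to 'example.com' (assumes a one-label public suffix)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_message(raw):
    """Return a list of findings for a raw RFC 5322 message; empty means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    match = re.search(r"@([\w.-]+)", msg["From"] or "")
    sender_domain = registered_domain(match.group(1)) if match else ""

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    for pattern in URGENCY_PATTERNS:
        if re.search(pattern, text, re.IGNORECASE):
            findings.append(f"urgency language: /{pattern}/")

    collector = LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        host = urlparse(href).hostname or ""
        link_domain = registered_domain(host)
        if sender_domain and link_domain != sender_domain:
            findings.append(f"link to {host} does not match sender domain {sender_domain}")
        # Link text that looks like a URL but points somewhere else is the classic lure.
        shown_host = urlparse(visible).hostname if "://" in visible else None
        if shown_host and registered_domain(shown_host) != link_domain:
            findings.append(f"link text shows {shown_host} but goes to {host}")
    return findings


# Constructed sample modelled on the lure quoted in the post; all names are placeholders.
SAMPLE_PHISH = """\
From: Example Bank <alerts@examplebank.example>
To: customer@example.net
Subject: Action required on your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A purchase was made using your card which may have been a fraudulent use.</p>
<p>Please log on to our site and verify your identity, or we will cancel your
account within the next six hours.</p>
<p>Click here to verify your identity:
<a href="http://login-examplebank.example.invalid/verify">https://www.examplebank.example/verify</a></p>
</body></html>
"""

# Constructed benign message from the same sender, linking to its own domain.
SAMPLE_LEGIT = """\
From: Example Bank <alerts@examplebank.example>
To: customer@example.net
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready under
<a href="https://www.examplebank.example/statements">statements</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_message(raw) or ["no findings"])
```

The domain comparison is deliberately crude; a production filter would use the public suffix list and check the actual envelope sender rather than the display header, but the point the post makes survives even this simple check: the visible link and the real destination disagree.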

How to stay safe:

  • Don’t click links in emails. Go to your bank or institution’s already-known email address, or call them. Don’t use the information from the email.
  • Sign up on your real institution’s website for a smartphone app (so you know you’re getting the actual app). Get your alerts and information from there.
  • Be less trusting of your email. If several of you at work have received the same ‘phishing’ email attempt, contact your company’s security office.
  • Learn more, stay up to date. Read some of the linked articles below for much more information.

There is a more focused version of this, called ‘spearphishing,’ where the cybercriminals have collected specific information about your company and tailor the emails and the collection site so they seem even more legitimate. If you’re considered a top person in your organization, you might even be the only person to get the email. This last version is known as ‘whaling,’ and is the most focused of all.

Don’t click that email link!


Bibliography:

TechRepublic – 12 steps to avoid Phishing scams

Kaspersky – Simple Phishing Prevention Tips To Protect Your Identity and Wallet

Biztech – 10 Tips for Phishing Prevention

InfoWorld – How to stop your executives from being harpooned

About Technology – What is Whaling?
