Oh no! The bank is about to close my overdraft! I should definitely click on this link and get this sorted out …

Stop. Don’t click on the link. Don’t open the attachment. Don’t fill in those details. And definitely don’t hand over your personal information. When you receive a nicely worded email from your bank, a good friend, a colleague or, perhaps, a not so nicely worded email from your boss, your first instinct is to immediately respond and do what they ask.

Sometimes the message really is from an institution or person you trust, but very often it is designed to con you out of confidential information that can then be used to steal your money, your data and your identity. This is phishing, and it is one of the most pervasive and damaging cyberattacks around today.

In the past, phishing attempts were crude and almost embarrassing in their inability to spell or to appear even remotely real. Today, the situation has changed dramatically. Cybercriminals are well funded and committed, and they have all the time in the world to come up with lures that will catch you unawares.

You can be conned by a well written email, a brilliantly crafted threat from a bank or business, and even a phone call. Yes, attackers can now clone a voice from recorded samples and pretend to be someone you know on the phone (voice phishing, or vishing). While that is more often associated with big business, typically getting an innocent employee to share log-in information with someone who sounds like their boss, it is still a concern everyone should be aware of.

So, what exactly IS phishing all about?


The definition

Phishing is a form of cyber attack used to gather personal information or credentials that can then be used to access bank accounts, personal accounts, business systems and much more. The attacker’s usual vector is an email designed to look as if it comes from a person or institution you trust. It uses persuasion, curiosity or fear to get you to do what the attacker wants: click a link, open an attachment or type in your details. The attacker then uses what you handed over to steal money, take over accounts, spread malware or further phishing emails, hijack your identity and even break into the company you work for.

Phishing is one of the oldest cyberattacks around – it emerged in the 1990s along with MC Hammer and unfortunate trousers – and is a deliberate misspelling of ‘fishing’. The ‘ph’ in place of ‘f’ is a nod to phreaking (phone freaking), the 1970s telephone-network hacking made famous by John Draper. The name itself comes from the actual activity of fishing: the attacker throws baited hooks into the ocean of email users and waits to see which ones bite.

Phishing attacks come in the following forms:

  • Emails that appear to come from organisations you trust, threatening you or telling you that you’ve been hacked or that there is a problem with your account. Some of these are very well written, so be careful.
  • Emails that appear to come from friends or colleagues asking you to look at something or send them some information. These can be so badly written that they are immediately recognisable, yet they are still very successful.
  • SMS messages (smishing) with links asking you to log in because you’ve been hacked, to claim a special offer or to update a payment method. These vary considerably and are very easy to fall for. Just remember, banks and other financial institutions are unlikely to ask you to fill in your personal data over email, SMS or WhatsApp.

An example: Recently, Netflix users were sent an email telling them that the company was having trouble accessing their billing information and asking them to click a link to update their payment method. The link led to an attacker-owned site (always check the URL before you type anything into a page) and the rest was hacker success history.


The threat

There are several things you need to be aware of when it comes to phishing:

  • Look out for poor grammar and spelling. These emails, messages and texts are often badly written, so this should be your first warning. If one appears to be from a friend or colleague, check with them through another channel before you do anything. If a badly written message claims to be from a bank or a business, it’s probably fake.
  • Don’t be scared. Many of these emails play on fear: you are made to panic that your bank account will be closed or your bills not paid, so you quickly enter your details to fix the problem. Check the spelling, the URL and the details before you do anything. Then call the business for more information, using the number on its official website or on your card or statement, never a number given in the message.
  • Big names get used most. Phishing emails are sent out in bulk, so they are often hooked on the names of big companies such as PayPal, Netflix or Amazon. They will often not use your name at all (‘Dear customer’) or will spell it wrong.
  • Spear phishing is more targeted. These emails are well designed, closely targeted at a particular person or group and focused on getting results. One Amazon-themed attack sent customers an email saying ‘your order has been dispatched’ with an order code and an attachment. Opening the attachment opened a can of worms, in the form of malware.
  • Clone phishing is equally nasty. Here the attacker copies a legitimate email you have already received, swaps its links or attachments for malicious ones and sends it from an address so close to the original sender’s that few people notice the difference. It relies on you skimming the message and following the instructions.
  • Whaling is also phishing. As the name suggests, it goes after the big targets: senior executives and others whose accounts give access to really juicy data or the authority to move money. These attacks are sophisticated, smart and, unfortunately, quite successful.

Fun fact: In March 2016, Hillary Clinton’s campaign chairman, John Podesta, helpfully handed over his Gmail credentials in a very successful phishing attack. The email, subsequently leaked to the internet along with the rest of his inbox to really drive home the embarrassment, told him that someone had accessed his account and that he should immediately click a link to change his password. The lure was so convincing that even the campaign’s IT helpdesk was fooled.


The protection

Here are five steps to follow so that you don’t become the fish:

  1. Don’t open it, click on it or read it if it looks odd – If you have security software installed, such as Norton Security Premium, it will help protect you by filtering suspicious emails before they reach you. However, if one slips through, avoid clicking on anything until you have verified it.
  2. That link isn’t real – Don’t click links inside emails that ask you to change passwords or update financial information, however genuine they claim to be. Treat them as fake: they often lead to counterfeit sites and log-in pages that harvest whatever you type. Instead, type the provider’s address into your browser yourself or use a bookmark you made earlier.
  3. Don’t use email for personal information – It doesn’t matter who is asking or why, just don’t send financial information over email, SMS or WhatsApp.
  4. Back up your data – Ensure your files are backed up regularly to a secure location that is not permanently reachable over the network. If a malicious attachment does get through, a backup the malware cannot reach keeps your information free from infection.
  5. Be aware of everything – The spelling, the URL, the certificate, the nature of the request and the validity of the contents. Bear in mind that a padlock only tells you the connection is encrypted, not that the site is genuine; phishing sites use HTTPS too. Yes, it would be terrible if your power was cut off or your Netflix unplugged, but rather sort that out over the phone, on a call you made, to your provider.