Phishing is a form of social engineering. Social engineering is the use of psychology to trick people into doing what you want them to. It exploits one of three natural human responses:
- fear of being reprimanded or confronted,
- desire to help
Other forms of social engineering are:
- SMShing – phishing done over a text message, WhatsApp, Facebook Messenger etc.
- Vishing – phishing done over a voice call
- Spear Phishing – phishing focused on a specific individual. A criminal uses publicly available information to launch a targeted, more convincing attack. Criminals may use social media to build a story about that person and drop in facts to convince them: for example, they might talk about their family or pets from Instagram, use details about their job from LinkedIn, or mention places they’ve been from Facebook.
- Whaling – spear phishing aimed at high-value targets such as CEOs or other board members/execs.
Because coronavirus has changed a lot of the rules we have always known, people are more susceptible to being exploited. People are also scared for their futures, they want to help, and they’re confused. This means they’re more likely to do things they perhaps wouldn’t usually.
Specific scenarios we’re seeing in relation to coronavirus:
- Impersonation of internal HR departments or executives telling staff to do something. This isn’t new, but it is more effective in this uncertain climate, playing on people’s fear of being told off or losing their jobs.
- Criminals claiming to be the government, advising of free school lunches for children of parents working from home or key workers.
- Claiming to be the DWP regarding a universal credit application/payment.
- Claiming to be the WHO, distributing attachments with the latest health advice.
- Claiming to be health bodies having found a cure or vaccine.
- Impersonating the government SMS alert that was sent out as people know to expect it.
The reason phishing is so common is that:
- It’s relatively low cost, but with potentially huge returns
- General user awareness isn’t great in this area (computers only do what they’re told, people don’t)
- It requires very little technical experience; criminals have developed Phishing-as-a-Service platforms.
- There are plenty of targets: nearly every individual or company on the planet uses some form of digital communication.
- It’s difficult to locate and prosecute phishing attackers (especially when they are overseas).
How to spot phishing
- Subject lines written to draw attention, such as “URGENT” or “Final Notice”, or prefixed with “Re:” so it looks like you initiated the conversation, this is just a reply, and you must have forgotten the original.
- Check the sender.
- Criminals will often purchase look-alike domains such as “mlcrosoft.net” or “micro5oft.com”.
- Sometimes they will send via a mail service such as SendGrid or MailChimp, as these are difficult to block without impeding genuine business operations.
- If you check the headers, the “From” header (which is what you’ll see in your mail client) may be the person they’re trying to impersonate, but the “Reply-To” header can be set to the criminal’s email address, so when you click reply it goes to them instead of the person you were expecting.
- Criminals use templates we’re familiar with, impersonating a service you’re likely to use. Some popular examples are a Google login alert, a message from HMRC, or a notification of a shared file from Microsoft OneDrive or WeTransfer. A lot of phishing comes from lesser-known top-level domains (TLDs) such as .fit, .work and .tk (Spamhaus maintain a list of the worst offenders: https://www.spamhaus.org/statistics/tlds/).
- If there is a link you’re suspicious about, right-click it, choose “Copy Link Address” and paste it into Notepad to see where it would take you before you go there. Even if the link text says www.safe.com, the underlying hyperlink can point to www.evil.com.
- A call to action such as logging in, clicking a link, downloading an attachment, or issuing a payment.
- Trying to instil a false sense of urgency to pressure you into doing something you perhaps know is wrong: “This should have been done yesterday!” or “This offer won’t last long, click now!”
- Use of URL shorteners (bit.ly/… ) to mask the original destination until it’s too late and you’re already on the website.
- Look out for bad grammar, misspellings or phrasing that you don’t usually use (e.g. “please update my checking account” is an American term; in the UK we’d likely say “current account” or just “bank account”).
- Does the tone of voice sound correct? Does that person usually sound like that, or use that turn of phrase? Your ‘gut feeling’ is often right about these things.
- Anyone can create a free Gmail or Hotmail address to impersonate someone; if you put the first and last name as Dan Perry, that’s what will show first (especially to a recipient on mobile). Take a moment to look at the email address itself rather than just the name that pops up.
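The “Reply-To” header check and the link-text-versus-real-destination check above can be automated for triage. This is an added example, not code from the original post: it parses a constructed sample message (all addresses and hostnames in it are hypothetical placeholders) and reports the mismatches a reader would otherwise have to find by hand in the headers and the HTML body.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample message; every address and hostname is a hypothetical placeholder.
SAMPLE = """\
From: "Dan Perry" <dan.perry@example.co.uk>
Reply-To: dan.perry@mlcrosoft.example
Content-Type: text/html

<p>Please log in at <a href="http://www.evil.example/login">www.safe.example</a> today.</p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain(addr):  # domain part of '"Dan" <dan@example.co.uk>' -> 'example.co.uk'
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def host(url):  # hostname of a URL or bare hostname, with scheme and path stripped
    return re.sub(r"^[a-z]+://", "", url.lower().strip()).split("/")[0]

def phishing_indicators(raw):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    frm, reply = domain(str(msg.get("From", ""))), domain(str(msg.get("Reply-To", "")))
    if reply and reply != frm:  # hitting Reply would go to the criminal, not the displayed sender
        found.append(f"Reply-To domain {reply} differs from From domain {frm}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            # visible text that looks like a hostname but is not where the link really goes
            if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text.lower()) and host(text) != host(href):
                found.append(f"link text {text!r} actually goes to {host(href)}")
    return found
```

Running `phishing_indicators(SAMPLE)` reports both the Reply-To mismatch and the link whose visible text does not match its real destination; a message with neither returns an empty list.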
The important thing to remember is that these are just rough guides – the more we train on specific indicators like this, the more criminals realise people are catching on and change their tactics.
How to prevent phishing
The difficulty with preventing phishing is that it’s an arms race with the criminals. As we improve our technologies, processes and people to stop it, they adapt their tactics to circumvent the new controls.
- The number one way to prevent phishing being successful is educating your colleagues in how to spot phishing. If you educate your end-users in security, they become part of the security team and begin to breed a culture of vigilance throughout the business. Training shouldn’t just be an annual tick-box exercise. It should be little and often throughout the year so that they stay engaged. Training should also be relevant to what they do, and based on extensive research into the criminals’ current techniques in the wild.
- Trust, but verify! It’s easy to fall down a rabbit hole of paranoia thinking everyone is out to get you, but that’s not what we want to encourage. If you have any doubt whatsoever about a communication you’ve received, reach out to the person or company through a separate channel that you know is correct, e.g.
- call or text them on a number you already have saved
- email them, but type their address from scratch; don’t just hit reply
- go to their official website by typing the full domain in, and contact them using a method listed there.
- Relying solely on technical preventative measures is not advised, because the indicators they look for change frequently. It is, however, advised that you implement some technical controls in addition to the aforementioned education. This maintains a defence-in-depth approach, so that should the first step fail (we all get things wrong!) there are technical measures to back us up.
These are the basics of security hygiene:
- Monitor and alert at your email gateway for known phishing tactics and phrases. Ensure you’re blocking addresses or domains as they come through.
- Ensure all your servers and endpoints are patched and up to date.
- Ensure staff keep their browsers up to date.
- Block known malicious websites from phishing attempts.
- Ensure your staff’s laptops and computers have an up to date anti-malware solution.