CATEGORY:

Featured, Loss Prevention

TAGS:

Don’t Click the Weakest Link

Phishing is a cyber crime that targets individuals by email, telephone, or text message and poses as a legitimate institution to lure individuals into providing sensitive data or personal information. The thief then uses that information to access private accounts, leading to identity theft and financial loss. Since 2014, the volume of phishing attacks increased 107% within the United States alone.

Origins of phishing

Hackers coined the term “phishing” sometime around 1996. They were involved in stealing America On-Line accounts by unsuspecting users. Dubbed phish, these hacked AOL accounts were traded as currency among hackers. Often, people would trade 10 working AOL phish for a piece of hacking software needed for further operations.

This primitive type of hacking was better known as “phone phreaking” and operated using a device to produce tones that allowed a user to control the phone switches, thus allowing hackers to make long-distance calls either for free or to bill their calls to other phone numbers. The “ph” is a standard replacement for the letter “f” by hackers in an homage to the first hacker, John Draper aka Captain Crunch. Captain Crunch invented a device used to hack telephone systems in the early 1970s known as the Blue Box.

At this time, neither users nor system administrators had ever encountered a racket quite like this. Phishers conducted attacks against AOL and its users by stealing users’ passwords and creating randomized credit card numbers. While results came rare, hackers used actual hits to open up new AOL accounts.

Hackers used these accounts to spam other users, and this caused a large problem for AOL until they created security measures to prevent the use of randomly generated credit card numbers.

However, as is the standard for phishers, they adapted.

From the randomized credit card scheme, hackers started sending messages to users posing as AOL employees. These messages would request users to verify their accounts and confirm billing information. Since the world had never seen anything like this before, more often than not, users fell for the trick.

Types of Phishing

To date, not much has changed in the world of phishing. Sure, hackers have had time to hone their skills and adapt to a developing world wide web with increased security measures, but hackers have always had an advantage given they target users, employees, and individuals to provide the sensitive information and data they’re after.

While there are quite a few types of phishing, it is important to know a few of the most common types.

Deceptive Phishing – This is the most common type of phishing. It occurs when an attacker attempts to gather confidential information from the victims. Phishers use information to steal money or launch other attacks on other individuals. A fraudulent email from your credit card company asking you to verify information behind a link is an example of this.

Spear Phishing – This type targets specific individuals instead of a wide group. A criminal conducts research ahead of time using social media in order to construct messages that appear authentic. This type is often the first step in infiltrating an organization’s defenses before orchestrating a targeted attack.

Whaling – This type is the targeting of a high-profile individual within an organization such as a CEO or District Manager. The cyber criminal is going after the people who have the most information.

Pharming – Similar to phishing, this is when a cyber criminal uses a fake website that appears to be legitimate. It can take the form of an organization you have never heard of before, or be a large company like Google or Apple. In cases of pharming, users do not even have to click a link; instead, an infected computer will redirect the user to this fake website even after the real URL is typed in.

Smishing – This is the text message version of phishing. This often involves a text message with a link to a phishing website. Do not click any link in an email or text that you do not know where the domain leads.

Vishing – This is the voice version of email phishing. Do not think that just because you have left the computer behind that you are safe from hacking attempts. This is a scam in which individuals are tricked into handing over confidential information. The best advice is to avoid giving out information, hang up, and use the internet to confirm the number and contact information of the caller.

Evil Twin Wi-Fi – We touched upon this in our previous issue regarding the dangers of public Wi-Fi. As our avid readers know, hackers can create public networks with official-sounding names that are anything but that. Make sure you know the network you are connecting to before doing so.

Link Manipulation – This describes the use of a similar URL (web link) to pose as a genuine, trusted site. The URL might appear legitimate but would fail a close inspection of the characters making out the address. An example would be “csdpool.com” versus “csdpoo1.com.” Clicking on it will take users to the phisher’s website. To avoid this, hover over the URL to see where it actually goes.

Examples

In 2016, a Florida school district was on the receiving end of a phishing attack that resulted in the loss of over 7,700 employees’ names, addresses, wages, and social security numbers. The cyber criminals acquired all of this information through obtaining W2s of all of the district’s employees. This occurred after a payroll employee responded to an email that appeared to come
from the District Superintendent.

The email said: “Forward all schools employees 2016 W2 forms to me attached and sent in PDF, I will like to have them as soon as possible for board review. Thanks.”

On the surface, this seems like a normal channel of communication. However, the recipient of this email was a victim of deceptive phishing.

In another instance, following Hurricane Harvey in Texas, the Harris County auditor’s office received an email request from someone who claimed to represent a contracting company slated to do business with the County. The email claimed that the contractor was planning to repair damaged parking lots and roads, was asking the county to deposit $888,000 in the contractor’s new bank
account.

This email read, “If we can get the form and voided check back to you today would it be updated in time for our payment?” Of course, the county sent out the check, and the next day found out that the account was unrelated to the actual contracting company.

Protecting Yourself and Your District

In both of these cases mentioned, avoiding this attack had nothing to do with anti-virus software, or the latest computers updates. These errors were the result of poor training and preparation for the employee, who failed to verify suspicious or seemingly fraudulent requests

The best defense to phishing, surprising as it may sound, is user awareness. Using technological defenses can only go so far in preventing a coordinating phishing attack against your organization. Instead, proper employee education on how to accurately identify illegitimate emails and potential threats can be more valuable than any resource you can buy.

Train Your Employees

Here are a few tips and things to consider before hitting send or opening an attachment from an unknown sender.

  • The sender of that email may not be who they say they are – Never trust an email strictly based on the source. Phishers have developed a variety of tactics to disguise their identity, and that includes impersonation of people in authority.
  • Remind everyone that enticing or aggressive subject lines are bait – Whether it is the promise of a free vacation or the threat of cancelling your credit card, phishers use time-sensitive language to illicit an immediate response. Their goal is to get you to act first, and think later.
  • Watch out for impersonal greetings and bad grammar – These two things, while not always an indicator, should be red flags that you are dealing with a phisher. Often times, these fraudulent emails lack personal greetings and contain salutations such as “customer,” employee,” or “member.” Additionally, if a reputable company sends you an email that does not sound quite right, trust your gut.

Fail-Safe in Place

Once your employees are aware of what to look out for, the next step is to develop some good habits. The best piece of advice is to do your own typing. If a company or organization sends you a link or a phone number through email or your smartphone, do not trust it blindly. Instead, use your preferred search engine to look up the information yourself.

As we mentioned above, even though a link or phone number may look legitimate and official, it can actually be a trap.

Another great habit to develop is to use two-factor authentication on any account that can support it. This method requires both your password and an additional piece of information to log into your account.

For example, if you have a Gmail account or bank with certain providers and attempt to login using a new device, it will call or text your saved phone number to confirm you are truly who you say you are. This method protects your account regardless whether your password is in the possession of criminals.

Backing up files to external sources also works as a great method to protect against viruses and ransomware attacks, which can infect computers if a link or attachment is opened from a hacker.
This allows you to keep all of your data and information protected and out of an internal system that is much more susceptible to infections.

If You’ve Been Hit

If you suspect you have fallen for a phishing ploy, the first course of action is changing all your passwords. This goes for email addresses, bank accounts, and even PIN numbers. In addition, make sure you contact one of the three major credit bureaus and have a fraud alert put onto your account.

This will make sure that if anyone tries to open a line of credit in your name, the agency will notify you. At the same time, it is important to notify your credit card companies, given they are separate entities.

In addition, invest in anti-virus software or update what security you currently use. Once up-to-date, run a comprehensive virus scan to look for viruses and malware that might be infecting your computer.

Remember

Newly passed Colorado legislation requires notification at the districts expense. Under Federal Redflags Legislation Statute §681.1: Duties regarding the detection, prevention, and mitigation of identity theft, a Board is required to annually address issues of protecting personally identifiable information that it possesses.

Last, keep an eye out for our forthcoming TargetSolutions course on phishing awareness this quarter. For more information, email us at csdpool@mcgriff.com.

Both comments and trackbacks are currently closed.