Cyber Summer: Phishing


In the first part of our 8-part Cyber Summer Series, we reviewed some frequently asked phishing questions with our center expert, Ian. Phishing is one of the most popular ways of acquiring information and can be executed in many different ways.

Q: What is phishing?

A: Phishing is when an attacker attempts to trick a subject into clicking on a link that is malicious. Phishing is one of the most popular ways of gaining information. This is due to the fact that humans are the easiest point of infiltration. Spear phishing is when elements of an email are modified to replicate a trusted source in order to be more convincing and is much more targeted. Since the attacker is looking to mimic a trustworthy source, it is considered fraud in all circumstances. Attackers are typically looking for login credentials or other PII (personally identifiable information) that they can use to infiltrate your personal accounts or enter secure areas of your otherwise secure systems.

Q: What kind of information should I protect?

A: Generally, you should never give any sort of information to a source that you’re not 100% positive is verified. Some examples of specific information that attackers might be looking for are: SSN (social security number), credit card information, birth date, or login credentials. Typically, an attacker will create some sort of ruse to acquire this information, such as some sort of crisis or even data breach verification asking you for information that the person or company being mimicked would already have access to.

Source: edts.com
This is an example of an employee receiving an email from someone who is pretending to be their CFO. This is obviously a phishing email because this individual should never be asking for this type of information through an email.

Q: What is the difference between spam and phishing?

A: Spam is generally ads or a company trying to sell a product or service whereas phishing is a means of maliciously obtaining account information to use against you. Spam can be considered as your everyday marketing emails for sales and promotions.

Q: Is phishing done only through email?

A: No. Phishing can be performed through any means of communication. This can include but is not limited to email, texting, instant messaging, or postal mail.

Q: How do I avoid becoming a victim of a phishing scam?

A: It is impossible to avoid receiving phishing attempts, but there are steps you can take to avoid falling into the trap. First, after receiving an email that you are suspicious of, whether that is because the sender seems suspicious, the content is pushing you to provide personal information, or it has weird links and/or grammatical errors, you must be sure not to click on any links. The link may not always be obvious; sometimes it is embedded in an image, so when the image is clicked, the malware runs without even being noticed. Malware can also be embedded in email attachments. Clicking on these links could immediately start running malicious code that could take information from your computer without you having to volunteer it. Your last step should be to immediately notify a manager or your IT department.

Source: edts.com
If you ever receive an email that is similar to the examples above, be sure not to click the links. Companies like Amazon or Bank of America would not send you emails requesting personal information. If you were to log in to your Amazon account after seeing an email similar to the one shown below, there would be no indication that anything was wrong with the account, which is further proof that the email was spoofed.
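The warning signs Ian lists (a sender who is not who the display name claims, link text that does not match where the link actually goes, and links hidden behind images) can be checked mechanically before anyone clicks. The script below is an added example written for this post, not a tool from the series or from edts.com; it runs over a constructed sample message, and the brand-to-domain table (`amazon` → `amazon.com`), the `.example` hostnames, and the function names are assumptions made for the illustration.

```python
"""Flag common phishing indicators in a raw email message.

Checks: a display name that names a brand while the sending domain is
not that brand's domain, link text that shows one host while the href
points at another, and images wrapped in links. The sample email below
is constructed for this example."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the sender domain and URLs are made up.
SAMPLE_EMAIL = b"""\
From: "Amazon Customer Service" <alerts@amazon-account-verify.example>
To: employee@company.example
Subject: Action required: confirm your payment details
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been locked. Verify your details within 24 hours.</p>
<p><a href="http://login.amazon-account-verify.example/verify">
https://www.amazon.com/account</a></p>
<a href="http://login.amazon-account-verify.example/verify">
<img src="cid:button" alt="Verify now"></a>
</body></html>
"""


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it has none."""
    parsed = urlparse(url.strip())
    return (parsed.hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text, wraps_image) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text_parts, wraps_image] while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), [], False]
        elif tag == "img" and self._current is not None:
            self._current[2] = True  # an image inside the link is the click target

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, parts, wraps_image = self._current
            self.links.append((href, "".join(parts).strip(), wraps_image))
            self._current = None


def phishing_indicators(raw_message, trusted_brands):
    """Return human-readable findings for one raw RFC 5322 message.

    trusted_brands maps a brand word that may appear in the display name
    (hypothetical table, e.g. {"amazon": "amazon.com"}) to the domain
    that brand legitimately sends from."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    # Indicator 1: display name claims a brand the sending domain does not belong to.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    for brand, legit_domain in trusted_brands.items():
        same_org = sender_domain == legit_domain or sender_domain.endswith("." + legit_domain)
        if brand in display_name.lower() and not same_org:
            findings.append(f"display name mentions {brand!r} but sender domain is {sender_domain}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings  # no HTML part: nothing more to inspect here
    collector = LinkCollector()
    collector.feed(body.get_content())

    for href, text, wraps_image in collector.links:
        href_host = host_of(href)
        # Indicator 2: the text shows a URL, but the link goes to a different host.
        text_host = host_of(text) if text.startswith(("http://", "https://")) else ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        # Indicator 3: a clickable image hides where the link leads.
        if wraps_image:
            findings.append(f"image is a clickable link to {href_host}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL, {"amazon": "amazon.com"}):
        print("-", finding)
```

Run against the constructed message, the script reports all three indicators. None of them alone proves an email is malicious, which is why the advice above ends with reporting to IT rather than deciding on your own; the value of a check like this is that it surfaces the mismatch a reader skimming on a phone would not see.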

Q: What if my personal email account, bank account, or other accounts were compromised?

A: My advice would be to immediately change the passwords to all of your accounts and any accounts that have the same password or other compromised information and then reach out to the company that runs the account and inform them of the breach and to confirm all recent activity. In my experience, I have had to deal with clients that have given out PII and other confidential information pertaining to the business. Luckily, no credit card information was relayed, but they did give out company email addresses. While this seems harmless, a month down the road, the client received spear phishing emails. The spear phishing emails looked like an email from the software company they normally would log in with, prompting them to reset a password. The old password field was being submitted to the attacker and the new password field did nothing. Fortunately, in this case, the employee did not have administrative access to the system. The only information compromised was future sales. Changing the password and informing the employees on the dangers of phishing emails caused them to go incident-free from that point forward.

Q: How do I report a phishing email?

A: The answer to this question depends on what kind of account received the message. If it is a personal account, just flag the email as spam and immediately delete it. From that point forward, the email can no longer be harmful to you or your device.

This is an example of a phishing email that was caught in our spam filter. We highlighted the information that we deemed to be suspicious.

This is the 1st part of an 8-part series. To learn more about cybersecurity and safe practices, check out the links below:
Phishing
Safe Internet Browsing
Social Engineering
Safe Passwords and Security
IoT + BYOD
Rogue Access Points
Penetration Testing
What to Do After a Data Breach

Next week, we’ll be diving into Safe Internet Browsing and what you can do to further your internet safety.

If you have any specific questions regarding cybersecurity, email us at info@hvtdc.org or call (845) 391-8214.