Your Mom Doesn’t Click Here
How Phishing Attacks Prey on Emotion and Exploit Trust
“Just because you’re paranoid doesn’t mean they aren’t out to get you . . .” or so the saying goes. In the context of phishing emails though, the more accurate rendering is, “They are out to get us all.” Reading that has me wanting to shift into Dan Aykroyd mode, putting on some dark sunglasses and shouting, “You, me, them, Everybody! Everybody!” And then I’d belt out the lyrics to Everybody Needs Somebody to Love and we’d all go home happy. But I digress. Today’s topic is how to safely navigate through your email inbox without subsequently needing assistance from the Illinois law enforcement community.
First off, what the heck is phishing? As you attorneys no doubt know, the textbook definition is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information. In other words, it’s thieves pretending to be someone you trust in hopes that they’ll trick you into giving them something of value like a credit card number, a social security number or even your passwords. On a side note, I’m not entirely sure why the bad guys even need to ask us anymore . . . in the post-Equifax breach world can’t they just look it up for themselves?
Secondly, what does a phish look like? This is the more pressing question that we receive from the legal community. As with any security-related exploit, it can look like virtually anything. But regardless of the outward appearance, the key tactic attackers use is to leverage your emotions and then exploit your trust while you’re emotionally vulnerable. A phishing email is generally designed to trigger a sense of urgency, tricking you into clicking a link that leads to a page where you’ll be instructed to enter the information they’re after.
Considering that a sense of urgency is key to the attacker’s success, they pose as senders who are likely to elicit that emotional response from you, a tactic known as “spoofing.” Attackers assume the identities of companies and individuals that victims will trust in order to achieve that response. According to the latest statistics, the company identities most used in phishing attacks are as follows:
1. Google
2. Chase
3. Dropbox
4. PayPal
5. Facebook
6. Apple
7. Yahoo
8. Wells Fargo
9. Citi
10. Adobe
Source: Webroot Quarterly Threat Trends Report, Sept 2017
http://www.techrepublic.com/article/security-alert-1-4m-new-phishing-sites-created-each-month-report-says/
You almost have to feel bad for the Bank of America folks: they have three major competitors on that list but didn’t even break the top ten!
Can’t my email provider block the spoofers?
Absolutely, and the powers-that-be on the Internet are actively hunting and shutting them down, but the problem is that this is something of a game of whack-a-mole. Each month over 1.4 million new spoofing websites are created, most of which only live for 4-8 hours, but during that timeframe they are “fed” by millions of phishing emails seeking unwitting recipients. There are also a variety of Do-It-Yourself kits out there that allow people to set up their own phishing sites and email campaigns. That’s a lot of moles and there aren’t nearly enough people doing the whacking.
What else should I know about spoofing?
The most nefarious spoofers are the ones willing to go the extra mile - researching something or someone with whom you already have a relationship, and then using that aura of trust to trick you into doing something dangerous. The spoofer will hunt your Internet presence (think Facebook, Instagram, LinkedIn, etc.) to identify people you know, and then use that to craft a message tailored for you using a blind email address that looks like it came from someone you know.
Just last summer we came across a particularly virulent phishing attack that harvested Office 365 logins. The email arrived from an actual known and trusted business contact, with an attachment linked to a bogus O365 login page. Once the login was captured by the fake site, the spoofer then sent the same message to all of the victim’s contacts and the cycle repeated . . . you can see how it spread like wildfire.
I’ve often said that the most valuable email address to have would be Mom’s – who wouldn’t click on something sent from her? Savvy email users scoff at this risk thinking that their eagle eyes will spot a spelling error, awkward grammar or Cyrillic letters, but trust me that is no longer the case. These folks are professionals and use the English language flawlessly. Just ask the voters who read the ads on Facebook during the last election.
So… what can I DO about it? I can’t just stop using email.
Things were definitely safer in the days of fax machines. Back then – aside from the errant Nigerian Prince needing to repatriate his $25 million – the biggest risk likely to come across the wire was a paper cut. Nowadays, with email as ingrained in corporate life as it is, we need to up our game, starting with a healthy dose of paranoia. If you have an email from your bank, lean back and think about the possibility that it isn’t really from your bank. If there’s a link in said email, skip it and instead type the bank’s website address directly into your web browser. If you don’t already have an aggressive spam-filtering service on your email, now’s the time to get one.
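The two tells this piece keeps returning to (a borrowed brand name sitting on an unrelated sending address, and a link whose visible text disagrees with where it actually goes) can be checked mechanically before anyone clicks. The script below is an added example written for this page, not code from the article or its author. The brand table, the `.example` domains and the sample message are all constructed for illustration, and the registrable-domain helper is a deliberate approximation rather than a real public-suffix lookup.

```python
"""Added example (not from the original article): a small header/link triage
for an inbound email.  It flags a From: display name that borrows a trusted
brand while the address sits on an unrelated domain, and an HTML link whose
visible text shows one site while its href points to another.  The brand
table and the sample message are constructed for this example."""
from __future__ import annotations

import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lookup: brand keyword -> domains that brand legitimately mails from.
# In practice the mail team maintains this; it is hard-coded here for the demo.
TRUSTED_BRANDS = {
    "chase": {"chase.com"},
    "paypal": {"paypal.com"},
}


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Good enough for .com-style names; a real deployment would consult the
    public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def display_name_findings(from_header: str) -> list[str]:
    """Flag a From: header whose display name invokes a known brand while the
    address domain is not one that brand actually uses."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    findings = []
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in name.lower() and registrable_domain(domain) not in domains:
            findings.append(f"display name claims '{brand}' but address is on {domain}")
    return findings


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html: str) -> list[str]:
    """Flag anchors whose visible text looks like a URL on one host while the
    real href leads to a different registrable domain."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and registrable_domain(shown) != registrable_domain(real):
            findings.append(f"link text shows {shown} but href goes to {real}")
    return findings


def triage(raw_message: str) -> dict:
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = display_name_findings(msg.get("From", ""))
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        findings += link_findings(html_part.get_content())
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample in the style the article describes: urgent subject,
# borrowed brand name, and a link whose text and destination disagree.
SAMPLE_PHISH = """\
From: Chase Online Alerts <alerts@chase-secure-verify.example>
To: partner@lawfirm.example
Subject: Action required: your account will be locked in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected unusual activity. Verify now:
<a href="https://chase-secure-verify.example/login">https://www.chase.com/verify</a></p></body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PHISH)["findings"]:
        print("!", finding)
```

Run as-is, the script reports both tells on the constructed message. Neither check proves an email is a phish on its own (a marketing vendor can legitimately send on a brand's behalf, and a tracking redirector can legitimately rewrite a link), which is why the result is a list of findings for a human or a mail gateway to weigh, not a block/allow verdict.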
If you’ve already clicked on the link – and you’ll likely know this has happened by the sudden surge of adrenaline and that sinking feeling in your stomach – then don’t panic; now’s the time to call your IT person (you have one, right?) and fess up quickly to everything that unfolded. As long as you haven’t actually entered anything into the phishing website you are likely OK, but that’s not a 100% guarantee and you’ll want them to make sure. The only thing worse than triggering an attack is not telling your IT person that you might have done so.
Finally, if you’re concerned that the rest of your staff might not know how to spot a fraudulent email, third-party spear phishing tests can be a great way to educate employees and make sure that they, and your IT department, are up to the task.
But whatever you do… trust me, your Mom doesn’t need your PIN number. Not now, not ever.