How to defeat Phishing attempts
If you’re asking yourself “what the #$%@ is phishing?” then you should probably read on because phishing could potentially cost you your life savings, your identity, your job, your marriage and even your freedom. Although it’s pronounced fishing this has nothing to do with catching phish. If anything, it has to do with catching people.
Phirst Things First
Wikipedia defines phishing as “the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication”. In other words, phishing is a type of fraud that utilizes social engineering, forgery, impersonation and deception in order to induce a person to volunteer personal, financial and other sensitive information that can be exploited by criminal enterprises in order to gain unfettered access to your online accounts and profiles – most commonly to steal your money, to steal your identity or both.
It all begins with an unsolicited email that has been crafted to appear as though it originates from a reputable organization, perhaps a financial institution, internet service provider or government department that is familiar to you. The email will usually employ one or more of the classic confidence tricks in order to manipulate your response – for example, by enticing you with an offer you “can’t possibly” refuse or by compelling you to take immediate action to resolve a non-existent problem or avoid some type of impending doom. In many cases these fabricated emails are, at face value anyway, virtually indistinguishable from genuine communications that one might receive from those same organizations.
What the Ph…
Over the past 30 days I received an average of 10 phishing emails per day – a total of 303 separate phishing attempts which, I might add, accounted for 6% of all the emails I received in that period. Despite the fact that almost 1 out of every 16 emails I received over the last month was a phishing attempt, it was only when looking at these statistics that I realized just how many of them I was being exposed to. Up until that point, I’d been handling these phishing emails in much the same way that I do with unsolicited emails and spam in general – by hitting the delete button after a cursory glance at the content – after all, they were no more than a nuisance to me – certainly not a threat of any kind.
Apart from a handful of well-polished (and quite frankly, almost dangerously believable) phishing emails I’ve encountered, nearly all have been of such poor quality that one has to wonder what the phishers’ game plan is. Surely people are not that gullible? Right? Wrong. The reality is that people do fall for these emails. Hook, line and sinker. Regularly too. Rudimentary spelling, grammatical and syntax errors as well as glaring inconsistencies in style, formatting and typography seem to be commonplace – almost the template – for the bulk of phishing emails in circulation. A handful, however, were impressive, and had they not been from institutions with whom I have no business or personal relationship, I might have assumed that they were genuine. Would I have divulged information to the phishers? Definitely not. I’m not suggesting that I’m smarter or less gullible than the unfortunate victims of these emails. I’m just lucky to be in the line of work that I’m in – one that has exposed me to the realities of information and communications security as well as the capabilities of society’s criminal underbelly.
We’ve worked on a number of cases involving phishing and in most of those cases, our clients have had their identities stolen, their credit ratings ruined, their jobs and relationships compromised – and that is just for starters. The hard part is recovering from such an event: taking back one’s identity, restoring one’s credit rating, rebuilding one’s reputation and recouping one’s financial and other losses. By now you may be wondering whether there is anything you can do to be certain you’re never caught at the business end of a phishing attempt. Well, there is, and it’s simpler than you might think. It’s as simple as ABCD.
A – ADDRESS – is it addressed to me personally?
This is the first key. Despite how one might feel targeted by phishers, they aren’t really gunning for you personally – they’re not dangling a single line of you-specific bait and waiting for you and only you to bite before they reel you in – they’re casting a very wide net in the hopes of catching as many unsuspecting individuals as possible. To do this, phishers will obtain huge mailing lists (in much the same way as unscrupulous spammers) and will send out the same email to tens or even hundreds of thousands of recipients at a time. They’re not able to personalize each email with the recipient’s name and a unique greeting. Here’s a comparison between a genuine email and a phishing email from my own bank. Notice that the “To:” field contains my email address and that it is not cc’d to anyone else. Also notice that the email is addressed to me personally, not “Dear Customer”. If you look a little closer at the phishing email you’ll notice what I meant by irregularities with typography and grammar/syntax.
B – BEWARE of links and attachments!
You should already know to look both ways before crossing a road, not to stick your fingers into a wall socket, and not to take candy from a stranger. These seem like obvious precautions, right? Sure, they’ve probably been drummed into you since you were a child. Times have changed and so have the dangers. These days, we’ve had to add quite a few new precautions to our parenting checklist. Here’s one more for you: DON’T CLICK ON LINKS OR OPEN ATTACHMENTS in emails that you are not expecting or did not solicit. Apart from phishing threats, attachments are a prime vehicle for deploying spyware, and links can redirect your browser to websites that use drive-by downloads or other methods to deliver payloads to your computer or exploit vulnerabilities in your browser and operating system. Let’s take a closer look at that phishing email from my “bank” and more specifically at the link contained in that email.
If I hover my mouse-pointer over the link, the link destination pops into view (as below).
It seems these phishing crooks have masked the actual destination using Google’s own URL shortening service. Using the unshortening service at unshort.me I was able to get the actual link URL, http://advocatedirectory.in/nedbank.pdf.html – hardly a link on Nedbank’s own website. Fortunately, this link was already compromised by the time I tested it – here’s the warning screen I received:
Using the phishtank.com service I was able to obtain a cached view of the page that the link was originally pointing to. On this forged page I would have been required to enter my login credentials and thereby compromise my account as these login details would have been sent directly to the phishers who would have used that information to gain access to my account.
C – CONFIRM the source of the email and the action required.
Don’t reply to the email asking for confirmation – it will likely be from the phishers and what do you really expect they’ll tell you? Either pick up the phone and call the company concerned, or visit their website, get their confirmed email address and email them directly.
D – DON’T be intimidated and DON’T divulge anything voluntarily.
Just don’t do it. Regardless of what the email says, no genuine company will ask you for confidential information to be sent via email, or will send you an email containing a link that takes you to a website that is not on their own domain and requires you to part with your private information. Not only that, but no reputable company would penalize you for not taking immediate action based on an email – especially not in view of the rapidly growing volume of spam and phishing emails being sent every day. Before you hastily click on links or divulge any information, remember to check the address, beware of any links or attachments, and confirm the source of the email and the action required.
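The A, B and C checks above, applied to a saved email message by a script. This is an added example written for this page; it is not code from the original article or from any bank. It parses an .eml with Python’s standard email library and reports, in the article’s own labels: A (is my address in the To: field, is nobody cc’d, is the greeting generic like “Dear Customer”), B (the real host behind every link, with URL shorteners flagged because they hide the destination, and the visible link text compared with where the link actually goes) and C (does the From: domain belong to the company at all). The two messages, the addresses jane@home.example and mybank.example, and the shortener list are constructed for the example; the script never opens any link.

```python
"""ABCD triage for a saved e-mail: A (address and greeting), B (links), C (sender
domain). Hypothetical defensive tooling written for this example, not code from
the article or from any bank."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public URL shorteners that hide a link's real destination (list constructed
# for this example; goo.gl is the Google service the article mentions).
SHORTENER_DOMAINS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co", "ow.ly"}
GENERIC_GREETING = re.compile(r"\bdear\s+(valued\s+)?(customer|client|member|user)\b", re.I)
MY_ADDRESS, BANK_DOMAIN = "jane@home.example", "mybank.example"  # constructed values

# Constructed phishing message modelled on the article: bulk To:, generic
# greeting, look-alike sender, shortened link hiding behind bank-looking text.
PHISHING_EML = b"""From: MyBank Security <alerts@mybank-secure-notice.example>
To: undisclosed-recipients:;
Subject: Urgent: your profile will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p><p>Verify your details within 24 hours:</p>
<p><a href="http://goo.gl/placeholder">www.mybank.example/verify</a></p></body></html>
"""
# Constructed genuine message: one named recipient, link on the bank's own domain.
GENUINE_EML = b"""From: MyBank Notifications <notifications@mybank.example>
To: Jane Doe <jane@home.example>
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Jane,</p><p>Your statement is at
<a href="https://secure.mybank.example/login">secure.mybank.example</a>.</p></body></html>
"""

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL or of a bare 'host/path' string."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def is_under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def check_address(msg, my_address):
    """A: is the mail addressed to me personally, and to me alone?"""
    warnings = []
    if my_address.lower() not in str(msg.get("To", "")).lower():
        warnings.append("A: your address is not in To: (bulk or undisclosed recipients)")
    if msg.get("Cc"):
        warnings.append("A: message is cc'd to other recipients")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = re.sub(r"<[^>]+>", " ", body.get_content()) if body else ""  # strip tags
    if GENERIC_GREETING.search(text):
        warnings.append("A: generic greeting instead of your name")
    return warnings

def check_links(msg, sender_domain):
    """B: where does each link really go, and does it match what is displayed?"""
    warnings, html = [], msg.get_body(preferencelist=("html",))
    if html is None:
        return warnings
    extractor = LinkExtractor()
    extractor.feed(html.get_content())
    for text, href in extractor.links:
        target = host_of(href)
        if target in SHORTENER_DOMAINS:
            warnings.append(f"B: link goes through shortener {target}; real destination hidden")
        elif not is_under(target, sender_domain):
            warnings.append(f"B: link points to {target}, not {sender_domain}")
        shown = host_of(text) if "." in text else ""  # link text that looks like an address
        if shown and shown != target:
            warnings.append(f"B: link text shows {shown} but opens {target}")
    return warnings

def triage(raw, my_address, sender_domain):
    """Run A, B and C; D (never divulge anything) stays with the reader."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = check_address(msg, my_address) + check_links(msg, sender_domain)
    from_host = email.utils.parseaddr(str(msg.get("From", "")))[1].split("@")[-1].lower()
    if not is_under(from_host, sender_domain):
        warnings.insert(0, f"C: From: domain {from_host} is not {sender_domain}; "
                           "confirm through the company's published contact details")
    return {"warnings": warnings, "suspicious": bool(warnings)}
```

Running `triage(PHISHING_EML, MY_ADDRESS, BANK_DOMAIN)` returns five warnings (one C, two A, two B) and marks the message suspicious, while the genuine sample returns none. The shortener check deliberately stops at “destination hidden” rather than resolving the link: expanding it, as the article does with unshort.me, is a step to take only through a third-party service, never by clicking the link yourself.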