Anatomy of a Phishing Scam


Does anyone else remember the 1990s Hollywood depiction of hacking? Dimly lit room, nerdy-looking character, possibly wearing a Hypercolor t-shirt and fluoro shades, whizzing through a CGI mainframe wonderland. Yes, I know.


As cool as that is, the reality in 2018 isn’t like that at all. You are much more likely to run into trouble from a plausible email from your utilities provider or from someone you know.   

Small businesses are one of the biggest targets for hackers, with some 43% of all cyber-attacks hitting small businesses.

Why are these kinds of attacks on the rise? Because they can be extremely profitable for perpetrators! The good news is that they are also relatively easy to combat.

Let us give you a rundown of the current approaches from scammers and tips on how to stay cybersafe.

What is Phishing? 

Put simply, phishing is a method of stealing confidential information by sending fraudulent messages to a victim.

Unlike spear phishing or whaling, these emails are not personalised to their victim. They are more likely to come in the form of emails from places like the ATO, Telstra or your favourite bank.

Traditionally the perpetrators attempted to target basic human emotions such as fear and curiosity to create a sense of urgency in their target and increase the likelihood that the target goes along with the request. But as internet behaviour changes, so do cyber-attacks. The most commonly targeted motivators in 2018 are social, reward and recognition. Losing access to your Facebook account is a terrifying prospect now, isn't it?

The end game of phishing is to coerce users into performing specific actions such as opening an attachment, visiting a website, revealing account credentials, providing sensitive information or even transferring money. 

Spear Phishing  

To increase their probability of success, attackers may gather information about a specific target and customize their message to the user, often taking into consideration timing of the message as well as the appearance and content. This 'spear phishing' technique is by far the most successful on the internet today. 

The term Whaling has been coined for a specific kind of attack where high profile targets, such as Directors or Senior Executives, are directly targeted. 

Phishing emails are crafted to appear to originate from a known and trusted source. Quite often these emails can be very sophisticated, appearing at a cursory glance to be the genuine deal.  


Imagine if your 'CEO' emailed a few people and sent them a meeting invite and the link in the email prompted the users to sign-in to attend the meeting. Hmm, that dodgy link doesn’t appear to work. Meanwhile, it’s mission accomplished for the 'bad guy'. 

How to Spot a Phishing Scam 

While socially-engineered messages can be very convincing, there are things to look for to assist in differentiating them from legitimate messages. Users should first consider the following questions:

  • Do you recognise the sender? 
  • Are you expecting a message from the sender? 
  • Is the tone consistent with what you would expect from them? 
  • Is the message suspiciously written? 

While most attackers go out of their way to make their messages appear legitimate and from a relevant and trustworthy source, some may simply lack the capability or motivation to do so. Look for simple tell-tale signs such as incorrect spelling or grammar, an abnormal tone, or the absence of a specific addressee, which indicates a shotgun, untargeted message.

  • Is the sender asking you to open an attachment or access a website? 
  • Is the attachment or website relevant to the content of the message? 
  • Is the website asking you to login to either your email or social media accounts? 

When messages contain links to websites, consider browsing to the website rather than clicking on the link in the message or directly copying or typing the link into a web browser. A scammer can use several techniques to either bewilder or trick users into accessing a malicious website that they think is legitimate. Never enter credentials into websites if directed there by a link in a message.

  • Is the sender asking you to perform a specific activity for them? 

You should treat any requests to change the configuration of systems or perform specific actions, such as manually running macros in an embedded document, as highly suspicious.

There is another form of this scam, known as "CEO fraud", that involves someone masquerading as an organisation's CEO or accounts team and requesting the transfer of funds. If at all unsure, the best course of action is to pick up the phone and call to confirm identity and intent.

  • Is the sender asking for information they wouldn’t necessarily have a need to know? 

Most people like to be helpful. The easiest way for an attacker to access sensitive information is to exploit your natural desire to be a nice guy or girl and simply ask. 

Often, they may masquerade as someone people would expect to have a legitimate requirement to access the information being asked for: for example, a colleague asking for copies of documentation that they claim to have accidentally deleted.

Needless to say, you should never disclose your credentials to other people. You should be suspicious of any requests originating from sources that you do not interact with on a regular basis and even if you know the person you should still consider whether that individual has a legitimate requirement to know the information that they are requesting.  
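As an added illustration (not code from the original post), here is a small Python triage helper that applies three of the checklist questions above to a raw email: the sender's display name against the address domain, the Reply-To domain against the From domain, and each link's visible text against its real destination. The trusted-domain list, the `.example` addresses and the sample message are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Visible link text that itself looks like a URL (so a host can be compared).
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
# Simple anchor matcher for well-formed HTML; a demo, not a full HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def triage(raw_email, trusted_domains):
    """Return one warning string per checklist red flag found in a raw email."""
    msg = message_from_string(raw_email)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower()
    # "Do you recognise the sender?": a trusted brand named in the display
    # name but an address outside that brand's domain (crude substring match).
    for dom in trusted_domains:
        if dom.split(".")[0] in name.lower() and not from_dom.endswith(dom):
            warnings.append(f"display name says {name!r} but address is @{from_dom}")
    # Replies quietly diverted to a domain other than the visible sender's.
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rsplit("@", 1)[-1].lower()
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"replies go to @{reply_dom}, not @{from_dom}")
    # "Is the website relevant?": link text shows one host, href goes to another.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    for href, text in ANCHOR.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if URL_LIKE.match(text) and _host(text) != _host(href):
            warnings.append(f"link text shows {_host(text)} but goes to {_host(href)}")
    return warnings

# Constructed sample lure in the ATO-refund style the post mentions (not a real message).
SAMPLE = """From: ATO Refunds <refunds@ato-gov-refund.example>
Reply-To: claims@mailbox.example
Subject: Your tax refund is ready
Content-Type: text/html

<p>Log in to claim your refund:</p>
<p><a href="http://ato-gov-refund.example/login">https://www.ato.gov.au/refund</a></p>
"""

if __name__ == "__main__":
    for warning in triage(SAMPLE, ["ato.gov.au", "telstra.com"]):
        print("WARNING:", warning)
```

The constructed sample trips all three checks; a message from a recognised domain with matching Reply-To and honest links returns an empty list.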

How should socially-engineered messages be handled? 

If you suspect that you’ve received a socially-engineered phishing message, do not delete or forward it. Contact your organisation’s information technology help desk (or #nerdherd, if you have one), and seek advice on how to proceed.

Example of a phishing scam masquerading as an email from the Australian government.

Three ways to keep your business cybersafe

Education and Awareness 

The first line of defence against a social-engineering attack is that clever human right behind the keyboard (that's you!).

Here are some fast and easy tips to help keep your organisation covered:

  • Don’t click on links or download attachments unless you and/or your staff are certain the email is legitimate. When in doubt, manually type the web address into a browser, rather than clicking on a link. 
  • Trust your instincts—if you or your staff think you know the source of an email but something seems odd—phone to check if they did send it. 
  • Report suspicious emails to your IT security staff. 

Password Hygiene 

Quite often, the objective of a phishing attack is to have the target enter their credentials into spoofed pages of popular sites, giving the attacker access to employees' usernames and passwords.

One of the best ways to minimise your exposure is to ensure that you are following excellent password practices. Good, complex passwords, changed at an appropriate frequency, but most importantly

stop sharing passwords

Really. Stop sharing passwords.

Sharing passwords greatly increases the risk of sensitive information being released into the wild and damaging your business' hard won reputation.

We aren’t just talking about employees sharing passwords a-la “Passw0rd!” on the post-it-note on the monitor either (and please don’t let that be your password).  

Sharing passwords between systems can be incredibly dangerous. Do you or your staff use the same passwords on your mission critical systems that you use on Facebook or your personal Gmail? If you do, then please just zip over and change your password now. It will only take a minute, I’ll wait.  

Technical Solutions 

Although the best defence against this kind of sophisticated threat is an alert workforce, there are also tools available for extra protection.

Grassroots IT uses and recommends ManageProtect MPMail as a tool in your tool box to help mitigate the risk of falling foul to phishing attacks, as well as reducing the torrent of spam. 

MP's patented method of identifying and controlling spam delivers more than 99% accuracy in eliminating spam mail from your inbox. The technique also results in highly accurate threat protection with low false positive rates, meaning that legitimate emails are not misidentified as spam. (No Hypercolor t-shirts or fluoro visored shades required).

Once filtered, suspect messages are stored in a safe, accessible and configurable external quarantine. 


With MPmail Fraud Protection, users are protected from fraudulent phishing emails and the multi-layered filtering protects employees from unwittingly releasing sensitive information. 

Automatic filtering identifies and blocks unwanted, inappropriate and malicious content in body copy and attachments before it enters or leaves your organisation.

To truly combat phishing tactics, companies of all sizes must become more vigilant through employee training and a culture of awareness as well as the use of security software, to better spot and avoid debilitating and costly attacks. 


Gary was the previous Client Success Manager at Grassroots IT. He has worked in the IT industry for almost 20 years, in a variety of roles from systems engineer and project manager through to account manager. After gaining vast experience in global organisation IBM, Gary is Six Sigma Green Belt certified and skilled in a variety of Project Management Methodologies including Prince2 and IBM WWPMM. He is fluent in Japanese and enjoys spending time with family in Japan, participating in festivals and playing the Japanese Taiko.
