Taylor Toce
May 3, 2019
What is phishing?
The term phishing was first documented in 1996 in an online newsgroup and the first phishing lawsuit was filed in 2004. It’s is a type of cyberthreat that has been around for over two decades. Although technology has changed tremendously over the last twenty years, phishing’s intent has not. Its aim is to lure people into providing sensitive information where they should not. So why is it called phishing? There are two theories to this. The first being that it is a play on the word fishing, as in someone fishing for information. The other comes from a connection to an old nickname given to early hackers – phreaks. Phreaking was the exploration, experimenting and study of telecommunications systems.
Phishing occurs across different mediums using different techniques, but email is the most common and most constant, especially in the corporate world. You’ve likely come in contact with phishing emails – an email that looks to be from a trustworthy source, such as your boss or well-known company, that just doesn’t seem right. The email address doesn’t match the sender, the tone of the email is off, there are grammatical errors, or better yet, you’ve just won an all-expense paid cruise to the Bahamas and all you have to do is click the link below – offer expires in 5 minutes!!
If you receive an email that you’re unsure of, best thing to do is err on the side of caution. Check with the sender directly before responding to the email, clicking on a hyperlink included in the message, or downloading attachments. If you’ve actually won that free trip, I promise it will still be yours far beyond the five-minute countdown flashing on your screen.
Things to look out for
Phishers love when you are two things: gullible and trusting – so keep your guard up and don’t play into their scam. Of course, there will be days when you’re busy, not paying attention, or moving too fast to realize what you’re clicking on before it’s too late. We’re only human after all and even us skeptics need to be on the lookout for less obvious attempts. Below are a few questions to keep in mind while working through your inbox:
It’s important to know what to look for in a phishing email, but keep in mind that one of the most important things to trust is not technical at all – it’s your intuition. If you feel it in your gut that you shouldn’t act on a certain email, don’t. To protect both you and your company, always check with the sender first (and check with them in a manner other than via reply to their email!)
I fell for a phishing email, now what?
So you’ve responded to a phishing email or clicked a link in the message, huh? It happens to the best of us. Just remember what the purpose of these attacks are – to collect information. Most phishing emails will ask to verify credit card numbers, download or run a file, send banking information, or supply usernames and passwords to online accounts. Quite simply, never provide any of this information in reply to these types of emails. If you end up on a website after following a link within a phishing email, don’t enter in any personal information, do not enter your password if prompted, and do not fill out any forms. Attachments on phishing emails will likely contain malware or ransomware used to attack your computer once opened. These viruses can wreak havoc on your machine, steal and sell information, or hold that information for ransom. So, never open attachments or click on links in emails that you have not verified are authentic.
If you find yourself in that situation, you followed a link or responded to an email only to realize a moment too late that you shouldn’t have, you may be okay, but there are a few precautionary steps you can take. First, call your IT department or provider without delay! Never try and hide the mistake, this never works! If you can, disconnect from the internet/network to avoid any potentially malicious software from spreading or exfiltrating information. You should then run a full system antivirus scan to look for any potential malware you’ve unknowingly let loose on your computer. Now don’t forget the basics here – make sure to change your email password and other connected login credentials so that the attacker can’t use the ones stolen. Lastly, it may be good to turn off your computer to prevent any further spread across your network and follow up on any company policies put in place for these situations if the attack happens at work.
Other types of phishing
Although email is the most prevalent phishing technique, it is not the only kind. Phishers can hijack web session controls to intercept information, change bits of content on trusted sites to lead you outside of the original site and onto a phishing site, and can even pose as search results offering better deals in hopes of you buying their bogus product with real credit cards.
One of the more sophisticated phishing techniques is web based though a phishing system that sits between you and the site you’re visiting. Here, the phisher plays middle man and can track and collect information and transactions between you and the website you’re browsing. Since this system is neither on the site nor on your computer directly, phishers can get away with it without you ever knowing. One way to ensure safety and avoid these attacks when performing online transactions is to always verify the domain name and security certificate is correct before entering any personal/confidential information on a website. Take a look at the browser bar below for an example:
Not at your computer? You may not be in the clear just yet. Vishing, voice phishing, and Smishing, SMS phishing, are two newer phishing techniques that attack via phones. Phishers using these techniques will call or text you, posing as a trustworthy source, and ask to confirm personal information like account and credit card numbers. Keep in mind that you should never be required to type in or text personal information to confirm your identity with legitimate companies such as your bank. Also, the classic IRS scam is still alive and well. The IRS should never demand money over the phone, always consult with your CPA or tax advisor to verify the “IRS phone call” is legitimate.
Can you prevent phishing?
You may be thinking, “Okay, so if phishing occurs both on and off my computer, and sometimes I’ll be able to tell and other times I won’t, how do I prevent it?” Well, the answer to that question lies in basic IT security. You have to start with strong security to best protect yourself, your business, and your employees, from these threats. A strong network firewall, email and web filtering systems, and antivirus software can all help alert you to and prevent potential phishing attempts – especially phishing emails.
Also, new modern email filtering technologies are getting better and better at flagging and/or blocking message that might be phishing or malicious emails. Your IT department or provider should be able to set you up with a warning flag for emails that are received from outside the organization. This provides an easy way to know if that email from “your boss” is really from your boss or if attackers are simply posing as your boss. See an example below:
Also, with the evolution of artificial intelligence (A.I.), advanced mail filtering systems are available now that can analyze typical communication patterns in your organization and when something seems outside of normal (as most all phishing emails are indeed out of the norm in some way), it can flag and/or block these emails. Ask your IT provider or department if this is technology that you should implement.
Last, you should also stay up to date with current phishing trends, what phishing emails and other techniques look like, and always think before you click. The best line of defense for you and your business is continued learning and training on these threats. It is essential to make sure both you and your employees know what to look for and how to deal with possible phishing attempts. You can leverage security awareness training from your IT provider that will intentionally send phishing-like emails to your end users that report back to your IT team if emails are clicked on, so that you can engage in training with those that need it most.
There is no one preventative measure that completely stops phishing attacks from happening. They have been around for years and with their success rate, won’t be stopping any time soon. You should always be aware of potential threats, but you shouldn’t constantly worry about whether you are going to fall victim to the next phishing attack. If you know what to look for, are conscious of what you are clicking on and responding to before doing so, and you have multi-layered security in place, you’ll be good to go about your days worry free.
Check out these related articles: