CYBERSECURITY AWARENESS MONTH – WEEK 4
We’re into week four of Cybersecurity Awareness Month (CSAM), the 20th birthday celebrations are still in full swing, and all guns are still blazing. You’ll remember that the central theme for this year is Secure Our World, focussing on four key elements of cybersecurity: passwords and password managers, multifactor authentication (MFA), phishing, and updates. This time we’ll dig deep into phishing, something you are all familiar with and the main culprit behind those pesky ransomware attacks. Remember that while CSAM is crammed with useful cybersecurity insights, one piece of wisdom stands out: the cybercrime landscape is evolving as we speak, and we need to understand the importance of facing the unknown. In his proclamation on CSAM, United States President Joe Biden said:
“I have made cybersecurity a national security priority because cyber threats affect every sector of society, from the critical infrastructure that underpins our daily lives to the schools where we educate our children and the products we use in our homes. We also take immediate action to better protect ourselves such as turning on multifactor authentication, updating software on computers and devices, using strong passwords, and remaining cautious of clicking on links that look suspicious.”
WHAT IS PHISHING?
Phishing is a form of cybercrime where individuals or groups make contact with one or more targets via email, phone calls, or text messages while pretending to represent a legitimate organization. Their objective is to deceive people into disclosing sensitive information, including personally identifiable details, banking and credit card information, and passwords. Once these cybercriminals obtain such data, they exploit it to gain unauthorized access to vital accounts, potentially resulting in identity theft and financial losses.
FIRST PHISHING COURT CASE
The first recorded phishing lawsuit emerged in 2004 when a teenager from California replicated the “America Online” website. This deceptive website allowed him to collect sensitive data from users, including their credit card information, which he used to make unauthorized withdrawals from their accounts. In addition to email and website phishing, there are other tactics employed by cybercriminals, such as ‘vishing’ (voice phishing), ‘smishing’ (SMS phishing), and various evolving phishing techniques.
TYPES OF PHISHING SCAMS
There are several types of email phishing scams, including:
- Pharming/DNS Cache Poisoning – pharming attacks redirect a website’s traffic to a deceitful impostor site, with the goal of stealing sensitive information, such as login credentials and financial data.
- Typosquatting/URL Hijacking – these fraudulent website URLs closely mimic legitimate ones, aiming to capitalize on user typing errors when entering URLs into their browser address bar. They may employ strategies like using neighbouring keyboard letters (e.g., ‘n’ instead of ‘m’), swapping letters, or adding extra characters.
- Clickjacking – in clickjacking attacks, attackers overlay multiple transparent layers to superimpose malicious clickable content on top of authentic buttons. For instance, an online shopper may believe they are clicking a button to make a purchase, but in reality, they unwittingly download malware.
- Tabnabbing – tabnabbing is a phishing technique that deceives users into providing their credentials on a counterfeit website designed to resemble the original site. This tactic exploits the common tendency of users to overlook the URL of the websites they visit.
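The typosquatting entry above names three ways a lookalike domain is built: a neighbouring keyboard letter, two swapped letters, or an extra character. The following script, added here as an example and not code from the original post, turns those three rules into a check a defender can run over sender domains or DNS logs: it reports whether an observed domain is exactly an allowlisted one, is one of those three typos away from it, or is unrelated. LEGIT_DOMAINS is an assumed allowlist and QWERTY_NEIGHBOURS is a hand-written US-layout adjacency map; both are assumptions, not values from the post.

```python
"""Flag domains one typo away from a brand domain (typosquat watch).

Added example, not code from the original post. LEGIT_DOMAINS is an assumed
allowlist; QWERTY_NEIGHBOURS is a hand-written US-layout adjacency map.
"""
from typing import Dict, Optional, Tuple

LEGIT_DOMAINS: Tuple[str, ...] = ("amazon.com", "example.co.uk")  # assumed allowlist

# Keys physically next to each letter on a US QWERTY keyboard (assumption).
QWERTY_NEIGHBOURS: Dict[str, str] = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yijh", "i": "uojk", "o": "ipkl", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}


def neighbour_key_substitution(cand: str, legit: str) -> bool:
    """Exactly one character differs, and the substitute sits next to the original key."""
    if len(cand) != len(legit):
        return False
    diffs = [(c, l) for c, l in zip(cand, legit) if c != l]
    return len(diffs) == 1 and diffs[0][0] in QWERTY_NEIGHBOURS.get(diffs[0][1], "")


def adjacent_swap(cand: str, legit: str) -> bool:
    """Two neighbouring characters of the legitimate name are transposed."""
    if len(cand) != len(legit):
        return False
    return any(
        legit[i] != legit[i + 1] and cand == legit[:i] + legit[i + 1] + legit[i] + legit[i + 2:]
        for i in range(len(legit) - 1)
    )


def extra_character(cand: str, legit: str) -> bool:
    """Removing one character from the candidate yields the legitimate name."""
    if len(cand) != len(legit) + 1:
        return False
    return any(cand[:i] + cand[i + 1:] == legit for i in range(len(cand)))


def classify_domain(domain: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched legitimate domain). Verdicts: legit, neighbour-key,
    swap, extra-char, or unrelated when the domain is not close to any allowlisted one."""
    d = domain.lower().strip().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    if d in LEGIT_DOMAINS:
        return "legit", d
    for legit in LEGIT_DOMAINS:
        if neighbour_key_substitution(d, legit):
            return "neighbour-key", legit
        if adjacent_swap(d, legit):
            return "swap", legit
        if extra_character(d, legit):
            return "extra-char", legit
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample of domains as they might appear in inbound mail or DNS logs.
    for seen in ("amazon.com", "anazon.com", "amazno.com", "amazonn.com", "clients.amazon.org"):
        print(f"{seen:22} -> {classify_domain(seen)}")
```

A domain that lands on anything other than "legit" or "unrelated" is worth a closer look rather than an automatic block: the point of the check is to surface the near-misses a human eye skims past, and the allowlist has to contain every domain the real brand legitimately sends from.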
TARGETED PHISHING
While a majority of phishing emails are sent indiscriminately to a large number of recipients, relying on quantity for their success (increased volume increases the chances of finding a victim who will open them), there are also more targeted approaches known as spear phishing, aimed at specific organizations or individuals. Similar to broader phishing campaigns, these spear phishing emails may contain malicious links or attachments.
Various forms of spear phishing include:
- Clone Phishing – clone phishing involves deceptive emails that appear to come from a trusted sender but are, in fact, sent by malicious actors. These emails often contain links to cloned versions of legitimate websites, impersonating the sender. The cloned website prompts the user to enter their login credentials, which the attacker subsequently steals.
- CEO Fraud – CEO fraud is a scam where an individual poses as a CEO or another high-ranking executive to deceive employees or others into divulging confidential information or providing money. Scammers may use email, phone calls, or social media to contact victims and employ fake websites or other methods to make their scheme appear legitimate.
- Business Email Compromise (BEC) – BEC is a type of cyberattack in which perpetrators use email to dupe employees into transferring funds or sensitive company information to them. These attacks often involve the spoofing of an email address belonging to a senior executive or another trusted figure within an organization, establishing trust with the victim.
RECOGNIZING PHISHING
Typically, phishing emails have one or more of these telltale signs:
- Requests for sensitive information – reputable organizations will never seek credit card details, social security numbers, or passwords via email. Should such requests be made, there’s a high probability it is a fraudulent scheme.
- Utilizes an alternate domain – phishing scams frequently endeavour to mimic authentic enterprises. Confirm the email’s legitimacy by examining the sender (“From”) field, checking that the actual address, not just the display name, originates from a verified domain. For instance, an email from Amazon should display the domain as @amazon.com, not @clients.amazon.org.
- Displays mismatched links – in the Amazon phishing scenario, you’ll notice that the links do not lead to the genuine Amazon domain. To confirm a link’s authenticity, hover your cursor over it to check that it directs you to the expected website. Additionally, scrutinize the start of the URL for “https://” and refrain from clicking on links that lack HTTPS encryption; bear in mind that HTTPS only means the connection is encrypted, so a fraudulent site can use it too, and the domain name is still the thing to check.
- Contains unrequested attachments – a reputable company will never attach files or expect you to download files from their email communications. Instead, they will guide you to their website, where you can securely access any necessary documents. Exercise caution when it comes to opening email attachments, even if they claim to be from a reputed organization.
- Lacks personalization – legitimate businesses, especially those with whom you’ve conducted transactions before, will possess your name and will make use of it. They will refrain from addressing you generically, like “Dear Valued Member,” “Dear Customer,” or just a plain “Hello.”
- Exhibits subpar spelling and grammar – reputable institutions enlist skilled copywriters for their official communications. They would never distribute emails riddled with glaring spelling or grammar mistakes.
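The six telltale signs above can be checked mechanically over a raw message, which is a useful way to see exactly what each sign means in practice. The script below is an added example, not code from the original post: it parses an RFC 822 message with Python’s standard library and emits one tag per sign that fires (brand named in the sender’s display name but sent from a different domain, visible link text naming one host while the link goes elsewhere, plain-HTTP links, attachments, a generic greeting, and requests for passwords or card details). BRAND_DOMAINS is an assumed allowlist, PHISHING_SAMPLE and LEGIT_SAMPLE are constructed messages built around the @clients.amazon.org scenario in the text, and the anchor regex and two-label domain rule are simplifications stated in the comments.

```python
"""Heuristic checks for the phishing tell-tales listed above.

Added example, not code from the original post. BRAND_DOMAINS is an assumed
allowlist; PHISHING_SAMPLE and LEGIT_SAMPLE are constructed messages.
"""
import email
import re
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

BRAND_DOMAINS = {"amazon": "amazon.com"}  # assumed: brand name -> domain it really sends from
GENERIC_GREETINGS = ("dear valued member", "dear customer", "hello,")
SENSITIVE_TERMS = ("password", "credit card", "social security", "card number")
# Simplified anchor extraction: assumes a double-quoted href attribute.
ANCHOR_RE = re.compile(r'<a\b[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host: str) -> str:
    """'mail.amazon.com' -> 'amazon.com'. Simplified: ignores suffixes such as .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def phishing_findings(raw_message: str) -> List[str]:
    """Return one tag per tell-tale sign found; an empty list means none fired."""
    msg = email.message_from_string(raw_message)
    findings: List[str] = []
    display, addr = parseaddr(msg.get("From", ""))
    sender = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    # 1. Brand named in the display name or subject, but sent from another domain.
    claimed = (display + " " + msg.get("Subject", "")).lower()
    for brand, domain in BRAND_DOMAINS.items():
        if brand in claimed and sender != domain:
            findings.append(f"sender-domain-mismatch:{sender}")
    # Decode every text/* body part that is not an attachment.
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and part.get_content_disposition() != "attachment":
            raw = part.get_payload(decode=True) or b""
            parts.append((part.get_content_type(), raw.decode(part.get_content_charset() or "utf-8", "replace")))
    # 2. Visible link text names one host while the href goes elsewhere; plain http links.
    html = "".join(text for ctype, text in parts if ctype == "text/html")
    for href, shown_text in ANCHOR_RE.findall(html):
        target = urlparse(href)
        if target.scheme == "http":
            findings.append(f"non-https-link:{target.hostname}")
        shown = re.search(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", shown_text.lower())
        if shown and target.hostname and registered_domain(shown.group(1)) != registered_domain(target.hostname):
            findings.append(f"mismatched-link:{shown.group(1)}->{target.hostname}")
    # 3. Unrequested attachments.
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings.append(f"attachment:{part.get_filename()}")
    # 4. Generic greeting and 5. requests for sensitive data, judged on tag-stripped text.
    body = re.sub(r"<[^>]+>", " ", "".join(text for _, text in parts)).strip().lower()
    if any(body.startswith(greeting) for greeting in GENERIC_GREETINGS):
        findings.append("generic-greeting")
    hits = [term for term in SENSITIVE_TERMS if term in body]
    if hits:
        findings.append("asks-for-sensitive:" + ",".join(hits))
    return findings


# Constructed sample: display name claims Amazon, lookalike sender domain, http link
# whose text shows amazon.com, generic greeting, credential request, PDF attachment.
PHISHING_SAMPLE = """\
From: "Amazon Customer Service" <support@clients.amazon.org>
Subject: Action required on your Amazon account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p><p>Your password has expired. Confirm your
credit card on <a href="http://secure-login.amazon-verify.net/login">www.amazon.com/account</a>
within 24 hours.</p></body></html>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample of a message that should raise no findings.
LEGIT_SAMPLE = """\
From: "Amazon" <no-reply@amazon.com>
Subject: Your order has shipped
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Alice,</p><p>Track your parcel at
<a href="https://www.amazon.com/orders">www.amazon.com/orders</a>.</p></body></html>
"""
```

Running `phishing_findings(PHISHING_SAMPLE)` yields six tags, one per sign, while `phishing_findings(LEGIT_SAMPLE)` yields none. The tags are deliberately descriptive (which domain, which link target, which attachment) so that a reviewer can see at a glance why a message was flagged rather than just that it was.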
THE STATISTICS
In a recent study, the most commonly reported scams included:
- Email Scams or Phishing – 55% of respondents encountered fraudulent email attempts that masqueraded as legitimate sources and redirected recipients to counterfeit websites.
- Phone Scams or Vishing – In 47% of instances, individuals reported encountering fraud via phone calls, with fraudsters attempting to deceive them into disclosing sensitive information.
- Text Message Scams or Smishing – 40% of participants received deceptive text messages designed to deceive them into divulging sensitive information.
HOW TO REPORT PHISHING
As advised by GOV.UK, you can report misleading websites, phishing emails, phone numbers, phone calls or text messages you think may be suspicious.
- Dodgy emails – forward these to report@phishing.gov.uk and the National Cyber Security Centre (NCSC) will investigate them.
- Text messages – you can forward suspicious text messages at no charge to 7726. The fake message will be reported to your provider.
- Adverts – to report deceptive or fraudulent advertisements, contact the Advertising Standards Authority. You can file reports for online adverts, whether on search engines, websites, or social media platforms. Moreover, if you come across such ads in Google search results, report them directly to Google. Similarly, for ads in Bing search results, report them to Bing.
If you suspect that you’ve suffered financial losses or a cyberattack due to an online scam or fraudulent activity in England or Wales, reach out to Action Fraud. You can report your incident online by either signing up for an account or proceeding as a ‘guest.’ You can also contact them by calling 0300 123 2040.
SECURE YOUR WORLD
One thing about us humans is that we all make mistakes. Unwittingly, we may click on a link or download an attachment in a suspicious email. With support and guidance from me, you can be sure that never happens. Without being boastful, I am what many consider to be a London IT thought leader, entrepreneur, and cybersecurity expert. I have more than two decades of experience in helping SMEs in the UK with IT support, cybersecurity and risk mitigation, and implementing good cyber hygiene. With IT in my blood, data protection is the name of the game for me. Contact me today and let’s secure your digital world and stop phishing in its tracks.