Phishing

Phishing is a specific type of email scam that tries to get the person who received the email to give up private information, such as a password, by making them believe the email is a request from a legitimate source.

An example is the phony bank request letters that implore you to log into your account and verify some transaction. Clicking on the link in the email does not take you to the location you think you are going to. Instead, you are presented with a page that looks exactly like the one you expect, and any information you type in is copied.

Phishing is differentiated from spam emails in that spam is a general call to action to everyone who receives the email. Phishing is much more selective and generally uses an indirect approach. Many people who receive it will simply discard it, because the request doesn’t make any sense or doesn’t apply to them.

Spear-phishing is an even narrower type of scam, often targeting a specific company or even specific individuals.

A recent high profile spear phishing event happened after individuals in the accounting department of a company received what appeared to be legitimate requests from suppliers to make changes to the suppliers’ accounts. After the changes were made, payments to those suppliers disappeared into the bank accounts of the hackers.

The interesting thing about this type of hack is that it generally depends on a very sophisticated understanding of the individual or company being targeted. In the example above, the hackers knew the individuals targeted were not management, but did have account-updating capability. In other words, a lot of time was put into investigating this firm long before the phishing attempt.

This is typical of spear-phishing. Often some useful piece of information has been gleaned from an online post, a group email, an answer to a survey, etc. which provides the hacker with a way to make their attempt appear legitimate.

What can you do to protect yourself and your company?

Whenever there is any doubt, however niggling, that an email request doesn’t look right, contact the organization directly to confirm. Do not click on a link in the email. Pick up the phone and call them using the number you would normally use, not the one at the bottom of the email. In other words, assume that all the contact information in the email has been compromised.

What can set off that niggle? Legitimate communication will almost always include a piece of information that is not publicly available, perhaps your login ID. Legitimate emails do not contain “Dear Customer” greetings.

Know the practices of the organizations you deal with. No bank anywhere is going to send you an email telling you to log in and confirm anything. Banks send information by email, but collect via phone or letter.

If you receive an email from an online entity such as PayPal or Amazon, do not use the provided link. Open your browser and type the URL in yourself. This simple step will defeat almost all phishing attempts. The URLs in phishing emails look legitimate, but there are many ways to disguise a URL so that it doesn’t take you where you want to go. (As discussed in a previous column.)

Use different passwords for different websites. Phishing is not a direct money grab. It’s a way to collect information to be used later. The login and password you enter to see the “Netflix Upcoming Movies” promised in a phishing email will then be tried on every pay site on the Internet to see if they work there.

Use Two-Factor Authentication if it’s available. Some sites with sensitive information, such as Gmail, let you set up your mobile phone to confirm that it is you logging in. Then, when you log in and don’t get a request for the code sent to your phone, your spidey senses should go off.

Report phishing attempts to Google at safebrowsing.google.com. They and other browser makers are constantly improving their browsers to filter phishing attempts.

Also, the RCMP has an excellent page on identifying phishing emails and locations where suspected phishing attempts can be reported: rcmp-grc.gc.ca/scams-fraudes/phishing-eng.htm.

Happy (and safe) Computing.

p.s. If you have any specific questions for the Answer Guy send them to info@clarismedia.com. Chances are good that if you want to know others do too.