Gone Phishing?

October 18, 2021

Email has changed our online lives forever and transformed how we communicate to such an extent that it is quite rare to receive a letter in the post. With an estimated sixty-one and a half trillion emails sent this year alone, it is easy to understand how technology has become ingrained in our daily lives – without much thought being spared on the matter. Except, we really should be thinking about it.

Email not only acts as a convenient delivery mechanism for communication, information, and documents. It is also a gateway for thieves, fraudsters, and other miscreants to establish a foothold in our digital lives. The use of email as a vector to attack is termed “Phishing” – an analogy of throwing out a baited line to get an unsuspecting victim to bite. Phishing is a cybercrime which is relatively easy and low cost to commit. Fortunately, one of the best defences against phishing is simply, awareness.

Phishing is a form of social engineering which translates to the use of deception and manipulation to coax a victim to willingly divulge confidential information, such as usernames and passwords.

Being aware and able to spot a phishing attempt will put you at an advantage over the attackers.

More than half of phishing emails aim to trick you into divulging your credentials so that the attacker can use these to bypass security, and access sensitive and critical information. This kind of attack is called “credential theft”. This is often done with an email that claims someone has shared a document with you and contains a link, or an attachment, that the receiver is urged to click on to view. Clicking on the link will present you with a login screen that looks completely legitimate ‒ except the page is fake and once you have entered your username and password the page will display an error, or say that the password is incorrect, however your username and password have already been stolen, and most likely an automated system has used them to login to the legitimate service and change your password, effectively locking you out. These kinds of attacks often mimic the Office 365 suite, and the login screen will often be an exact copy of the real Office 365 login page, or reference a service such as Onedrive, Dropbox or other file sharing services. Two “spin off” dangers of being compromised in this fashion are: once an attacker has access to your mailbox, they can email other parties on your behalf, compromising the safety of your contact list. Secondly, it is not uncommon for attackers to use a stolen username and password and successfully access multiple user accounts using the same login detail.

Another form of phishing attack often encountered is called CEO fraud. This is not as easy as the previous example because the attacker needs to do some research first. The attacker would compromise a senior employee’s email, use a similar email address, or spoof the legitimate address, to send an email to other employees or departments requesting them to divulge confidential information, transact, pay fake invoices or even purchase gift cards or airtime. Often these attacks are aimed at junior or new employees who may not be as familiar with the processes, checks and balances in place within an organisation. While this approach may seem simple there is a lot of science and psychology behind them. The attacker would use specific words in a CEO fraud attempt to trigger an emotional response, which in turn could lead to the recipients letting their guard down, or to act irrationally. Phrases such as “I have a serious personal problem I need help with”, “This is urgent”, “Please don’t tell anyone”,” I’m embarrassed to ask”, “I can’t trust anyone else” etc, are often used.

The psychology of CEO fraud is also used in the body of other phishing attempts, often you will find scare tactics implemented in emails urging the recipient to act quickly. The attacks are fear driven and carry a sense of urgency with the goal of creating panic and a call to act. No matter how urgent an email seems to be there is always time to scrutinise it, or ask someone else what they think about the matter.

There are a few simple strategies one can implement to safeguard against these cunning phishing attacks. Let us look at a few of these in closer detail:

[info_list style=”circle with_bg” icon_color=”#1e73be” font_size_icon=”24″ eg_br_width=”1″][info_list_item list_title=”1. Be mindful of all emails you receive, check that the sender address matches the name in the ‘from’ field.” list_icon=”Defaults-envelope-o”]Often (on poorly executed phishing attempts) the name would be someone known to you, but the email address would be something completely different. Check the address very carefully as attackers would use characters in the email address that look correct at first glance i.e. @domain.com and @dornain.com are not the same even though “r” and “n” together may look like a “m”. Another tactic is to use another domain completely, you might know someone@domain.com but the email is sent from someone@domain.net.[/info_list_item][info_list_item list_title=”2. Check for grammar, spelling, or unexpected tone.” list_icon=”Defaults-envelope-o”]Scam emails are often terribly composed with incorrect spelling and grammar. This is often done on purpose to make sure the people who reply are more likely to be drawn into a scam. Most people would discredit the mail based on the poor spelling and grammar, those that don’t make for easier targets.[/info_list_item][info_list_item list_title=”3. Be wary of attachments and links in emails” list_icon=”Defaults-envelope-o”]especially when you land on a suspicious website that prompts you to enter your personal information.[/info_list_item][info_list_item list_title=”4. Practice good password hygiene.” list_icon=”Defaults-envelope-o”]Use strong passwords and make them unique for each site that you visit or subscribe to, if there is an option for MFA/2FA (multi or two factor authentication) where you can receive an OTP when signing into the system, use that. This makes it exponentially harder to gain access to your systems with a stolen set of credentials. Change your passwords often.[/info_list_item][info_list_item list_title=”5. If you are unsure if an email is legitimate” list_icon=”Defaults-envelope-o”]always call the sending party to confirm, there is no shame in this and senders are used to receiving these calls. Do not contact the sender using the contact details in the email, visit the sender’s website and get the contact details from there.[/info_list_item][/info_list]

If you receive a dubious email internally, from a colleague or manager, contact them first or contact the IT department to confirm that it is genuine. Note that many CEO fraud emails will state that the sender is not able to take phone calls (phone is lost or offline), to try and prevent you from confirming.
It is good practice not to send sensitive information via email, unless you encrypt it. Should information be shared with a scammer, and it was encrypted, they would not be able to use the information without the password. There are many free tools available to encrypt documents before sharing them over email.
Email is indispensable – yet as it is used to help, it will likewise be used to harm.

The best way to protect yourself is to be aware and to be savvy. There are many expensive technical safeguards available to protect your inbox but when these fail, as they sometimes do, and that odd phishing email does come through, nothing beats a smart user that is able to spot the scam.