May 25, 2020 by Tim
2020 has already seen more than its share of cyber-attacks, and the flood doesn’t seem to be slowing. In fact, due to the massive increase in employees working from home, some experts are predicting that the worst cyber-attack in history could occur this year.
With that in mind, it’s time we discuss one of the most common cyber attack vectors: phishing.
At its heart, phishing tries to trick users into giving up their sensitive information, such as passwords or credit card numbers. Most commonly, attackers will publish a fake website under their control that’s meant to imitate a legitimate site. The hope is that the target will be fooled into entering their information into the fake site, allowing the attacker to capture it.
Phishing scams are fairly basic. Attackers may use different methods of spreading the links to their phony sites, but most follow the same general pattern. Let’s break down an example of a classic phishing scam.
Phishing could be considered a type of social engineering attack, which we’ve talked about here before. Social engineering relies on human psychology instead of (or in addition to) technical skills. Just like fishing for real fish, phishing can’t work if you don’t take the bait!
You should also be aware of two special types of phishing: spear phishing and whaling.
Spear phishing is a phishing attack with a specific target. Unlike normal phishing, which tries to catch anyone who will bite, spear phishers gather as much information as possible on a certain person, company, or group, and use that information to launch a targeted attack.
For example, let’s say your company manager is named Cindy Campbell. The attacker could register a free email address in her name, such as cindy.campbell@gmail.com, then send you a message from that account:
Hi! This is Cindy. I’m home sick today so I’m sending this message from my personal email. I don’t have access to Quickbooks Online since my password is saved in my office PC. Can you tell me what your password for Quickbooks is so I can log in?
Convincing, isn’t it? Because spear phishing messages may contain specific information or appear to be from people you know, they can be especially difficult to detect.
Whaling is the name for phishing that goes after a big target, usually upper management. Since whaling is aimed at a specific person, such as the CEO, it is really just a special case of spear phishing. Whaling attacks use the same tactics as spear phishing, but attackers may put in extra effort to make their scam as convincing as possible so they can capture top-level information from company executives.
You should be especially conscious of phishing attacks because they are so prevalent. Some experts say that phishing is the most common type of cyberattack, and I would tend to agree. If you can learn to recognize phishing attempts and not fall for them, you can give your overall cybersecurity a major boost, simply because there are so many phishing attempts out there.
The number one way to stop phishing scams is to always check the URL (Uniform Resource Locator) on links and pages you visit, especially those that come from email. This is really just a fancy way of saying to check the web address that shows in the address bar at the top of your web browser.
For instance, notice that in our earlier example, the URL shows face-book.net instead of facebook.com. Read the address from the right: the part that matters is the registered domain, the name just before the first slash (microsoft.com in support.microsoft.com). Attackers can put a familiar brand anywhere in front of a domain they own, so a recognizable word at the start of an address proves nothing. If you aren’t sure what the legitimate URL is, it’s a good idea to search Google first to find the real website. For example, if you search Google for “Microsoft support”, you will find that the legitimate Microsoft Support page is support.microsoft.com. If you have an email that links to microsoftsupport.net, it may be a phishing scam.
Fake-book.net is NOT facebook.com
You can also check the URL of a link before you click it by using the mouse to hover over a link to view where it goes. Remember, links you find on websites and emails can show text that is different from the actual page that is being linked to. For example, this link shows the text “this link”, but the target URL is greenmtnitsolutions.com.
You can check a link’s target by moving the mouse cursor over the link and just hovering there for a second. The link’s target URL will appear, sometimes in a small text box and sometimes at the bottom of the browser window.
By hovering over this link, we see it points to en.wikipedia.com.
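The two checks above, reading the real address behind a link and comparing the registered domain against the site you expect, can be scripted. The following is an added example and not code from the original post or from Green Mountain IT Solutions. It uses only Python’s standard library to pull every link out of a constructed HTML email body, compares the site the link text claims with the site the href really goes to, and flags registered domains that imitate a site on a small allowlist. KNOWN_GOOD is an assumed allowlist standing in for the sites your organization actually uses, SAMPLE_EMAIL is made up for the example, and the registrable_domain helper is a deliberate approximation (a real tool would consult the Public Suffix List).

```python
"""Flag suspicious links in an HTML email the way the article says to by hand.

Added example, not code from the original post. Two checks per link:
  1. does the visible text name a different site than the real href target?
  2. is the target a lookalike of a site we know (face-book.net vs facebook.com)?
KNOWN_GOOD and SAMPLE_EMAIL are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of sites this organisation actually uses.
KNOWN_GOOD = {"facebook.com", "microsoft.com", "greenmtnitsolutions.com"}

# Something that looks like a bare domain or URL inside link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def registrable_domain(host):
    """Last two labels of a hostname, e.g. support.microsoft.com -> microsoft.com.
    Deliberate approximation: a real tool would consult the Public Suffix List
    so that names like example.co.uk come out right."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def claimed_host(text):
    """Hostname the link text *claims* to point at, or None if it names no site."""
    m = DOMAIN_RE.search(text)
    return m.group(1).lower() if m else None


def is_lookalike(domain):
    """True when the registrable domain imitates a known site without being it:
    same name with hyphens removed (face-book.net) or the brand embedded in a
    longer name (microsoftsupport.net). Heuristic, so expect some false positives."""
    if domain in KNOWN_GOOD:
        return False
    core = domain.split(".")[0].replace("-", "")
    return any(good.split(".")[0] in core for good in KNOWN_GOOD)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return [(href, text, [reasons])] for every link that deserves a closer look."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target_host = urlparse(href).hostname
        if not target_host:
            continue  # mailto:, relative or malformed href: nothing to compare against
        target = registrable_domain(target_host)
        reasons = []
        claimed = claimed_host(text)
        if claimed and registrable_domain(claimed) != target:
            reasons.append(f"text says {claimed} but the link goes to {target_host}")
        if is_lookalike(target):
            reasons.append(f"{target} resembles a known site but is not one")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample body, not a real message.
SAMPLE_EMAIL = """
<p>Your account will be locked.
<a href="https://face-book.net/login">Log in to facebook.com</a> to keep it active.</p>
<p>Questions? Visit <a href="https://microsoftsupport.net/help">Microsoft Support</a>.</p>
<p>Read more at <a href="https://greenmtnitsolutions.com/blog">this link</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Run it and the first two links are reported (the face-book.net link for both reasons, the microsoftsupport.net link as a lookalike) while the link to greenmtnitsolutions.com passes, because its registered domain is on the allowlist and its text makes no claim about where it goes. The lookalike check is a heuristic; it is there to raise a flag for a human to look at, not to decide on its own.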
Similarly, always check the From address on an email, not just the name next to it. The display name is whatever the sender typed, so a message that shows “Tim West” in the sender column can come from any address at all. In the latest versions of Microsoft Outlook, you can double-click on the sender’s name to see his or her email address. Other email clients typically allow you to view the sender address by double-clicking the sender’s name, or by hovering over it.
For example, in this email I double-clicked the name “Tim West” to see that the email is from my legitimate email address, tim@greenmtnitsolutions.com.
Double-click or hover over the sender’s name to see the From email address
Even if the sender’s email address checks out, it’s always a good idea to verify any unusual request through a second channel. The sender’s legitimate account may have been compromised and be in an attacker’s hands, in which case the From address is genuine and still not trustworthy. For example, if your boss sends you an email telling you to send a check for $5,000 to a new vendor, call him or her to confirm, using a phone number you already have rather than one given in the email. Another example would be an email from the IT department stating that your password has expired and needs to be reset. Again, a quick phone call to double-check is an excellent idea.
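The sender checks described above can be applied to the raw message headers. What follows is an added example, not code from the original post or from Green Mountain IT Solutions. It parses the From header with Python’s standard email library and raises three kinds of flag: a colleague’s display name on an address that is not theirs (the “Cindy is home sick on gmail” case), a display name that is itself an email address different from the real one, and a failed SPF or DKIM result recorded by the receiving mail server in the Authentication-Results header (RFC 8601). COMPANY_DOMAIN and the STAFF directory are assumptions, and the three messages are constructed for the example (mx.example.net and accounts-update.example are made-up names).

```python
"""Inspect a message's From header the way the article says to do by eye.

Added example, not code from the original post. It runs on constructed
sample messages; COMPANY_DOMAIN and STAFF are assumptions standing in for
a real directory, and mx.example.net is a made-up receiving server.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "greenmtnitsolutions.com"  # assumed
STAFF = {                                    # assumed directory: name -> known address
    "tim west": "tim@greenmtnitsolutions.com",
    "cindy campbell": "cindy.campbell@greenmtnitsolutions.com",
}


def inspect_from(raw_message):
    """Return the reasons this From header deserves suspicion ([] = nothing found)."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    name_key = " ".join(display_name.split()).lower()
    reasons = []

    # 1. The display name is a colleague's, but the address is not the one we know.
    #    A real account on another domain (gmail.com) passes SPF/DKIM just fine,
    #    so this check is about who we know, not about authentication.
    if name_key in STAFF and STAFF[name_key] != address:
        reasons.append(
            f"display name '{display_name}' belongs to {STAFF[name_key]}, "
            f"but this message is from {address}")

    # 2. The display name is itself an email address that differs from the real
    #    one, so a client that shows only the name shows the attacker's choice.
    if "@" in display_name and name_key != address:
        reasons.append(
            f"display name shows {display_name.strip()} "
            f"but the real address is {address}")

    # 3. Authentication-Results is written by the receiving mail server (RFC 8601)
    #    and records whether SPF and DKIM checks passed for the sending domain.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            reasons.append(f"{mech}={m.group(1)} according to the receiving server")
    return reasons


# Constructed sample messages, not real mail.
LEGIT = """\
From: Tim West <tim@greenmtnitsolutions.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=greenmtnitsolutions.com; dkim=pass header.d=greenmtnitsolutions.com
Subject: Invoice for May

Attached as discussed.
"""

SPEAR = """\
From: Cindy Campbell <cindy.campbell@gmail.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com
Subject: Quickbooks

Hi! This is Cindy. I'm home sick today, can you send me your Quickbooks password?
"""

FORGED = """\
From: "tim@greenmtnitsolutions.com" <billing@accounts-update.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=accounts-update.example
Subject: Your password has expired

Reset it here today.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spear", SPEAR), ("forged", FORGED)):
        print(label + ":", inspect_from(raw) or ["nothing unusual in From"])
```

The second sample is the instructive one: the gmail.com message passes SPF and DKIM, because it really was sent through Gmail, and is still a spear phishing attempt. Sender authentication tells you the mail came from the domain it claims; only the directory check tells you the person is not who the name says.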
Another preventative measure you can take to stop phishing is to make sure you have a strong spam filter set up on your email system, which will stop many scam emails before they ever arrive. Green Mountain IT Solutions recommends using Microsoft 365 for email, which includes strong spam filtering by default. Other email systems may have their own spam filters, or you can use a third-party filter, or better yet, contact us today to ask about migrating to Microsoft 365.
365 also includes additional technologies to help reduce email fraud, such as SPF and DKIM. These let a receiving mail server check that a message really came from the domain in its sender address, which stops many forged From addresses; they do nothing against a lookalike domain the attacker legitimately owns, which is why checking the address yourself still matters. Though these are important, a full description of how they work is beyond the scope of this article. A trusted IT professional like those at Green Mountain IT Solutions can help you set up these additional measures.
If you’ve been reading this blog for a while, you know we can’t get through a post on cybersecurity without mentioning the human factor. As we’ve mentioned repeatedly, users should be trained not only on technical measures but also on maintaining a culture of cybersecurity vigilance.
At the end of the day, go with your gut. If an email doesn’t seem right, don’t reply or click any links. Just delete it. Also consider forwarding it to Green Mountain IT or your IT department when possible.
If you do accidentally delete a legitimate email, the sender will always have another chance to reach out again for whatever they needed. If you are caught in a phishing scam, however, you may not have a second chance to prevent a major cybersecurity incident.
Be vigilant. When in doubt, throw it out!