Phishing – The Easiest Way to Breach a Company

Sep 30, 2021 | Uncategorized

Phishing is where someone attempts to get sensitive information from you or gain access to your networks by posing as a trustworthy entity. Phishing differs from other forms of attack because it is initiated by communication, such as an email or a phone call. Traditionally, these attempts were designed to get you to willingly share bank information so the attacker could drain your account. The most common scenario was someone claiming they needed to transfer money out of a country and needed your account to do it; they promised to pay you some large sum of money in return. Things have progressed considerably since then, although this type of phish still happens.

Phishing remains a staple in the bad guys’ bag of tricks and its success rate is generally higher than that of any other attack vector. Education is the best defense against phishing, although a decent spam filter on your email comes a close second. Phishing is part of a billion dollar industry and it targets individuals as well as businesses of all sizes. Don’t think that you are immune because of your company size. Also, don’t think you are immune because you use a Mac; this attack vector crosses computer usage boundaries.

Some Examples

Phishing emails can appear to come from anyone, including complete strangers, your bank (Regions, Wells Fargo, etc.), a major shipping company (FedEx, UPS), large online retailers (Amazon, Walmart), a major email provider (such as Yahoo or Google), or even from someone inside your company.

Traditional

[Screenshot: an example of a phishing email]

The above screenshot is of an actual phishing email I received recently. I actually had to go into my spam filter and release this message manually so that I could screenshot it for this article. This is an example of a more traditional phish: they are trying to get my banking information so that they can drain my accounts. This is clearly a case of “if it sounds too good to be true, it probably is.” The address the email comes from is a stranger’s and it doesn’t pretend otherwise.

Shipping

[Screenshot: DHL phishing email with link, indicators numbered 1 to 4]

This email claims to be from DHL, but there are versions that claim to come from FedEx or UPS. They want you to click on their link, which downloads malware to your computer. This email was NOT caught by a spam filter. Some of the indicators that this email is a phish are:

  • The email address it is from is not an actual DHL email address (number 1 in the picture). This is often deliberate: an email that forges an actual DHL address is more likely to get caught in spam filters. This one evaded the spam filter, in part, because it did not pretend to be from a DHL email address.
  • The “to” name and the “to” email address don’t match (numbers 2 and 3 in the picture). This is almost always a clue that it is spam. Also, the “to” address is not one that would receive shipping notices.
  • The actual URL behind the “CLICK HERE” link is shown at number 4; I just hovered my mouse over it in Outlook to see the link. There will often be valid links that do not go to the domain you would associate with the email (newsletters and marketing emails commonly contain links with different URLs), but be VERY careful of them. Be VERY careful any time a link URL does not match the domain of the sender’s email address, in this case DHL.com.

Here are some other things that are generally indicators that an email is a phishing attempt:

  • Bad spelling and odd phrasing – Often the people creating these emails are not native English speakers, so a large number of these emails are riddled with bad grammar and spelling. Bet you wish you’d paid better attention to 5th grade English and sentence diagramming now, eh?
  • Urgent action required – The bad guys will often try to get you to feel a sense of urgency or panic so you don’t think about the email too hard.
  • Generic greetings – The greetings may not have your name, but may instead say something like “Dear Customer” or “Valued Client.”
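The indicators in the two lists above (sender not on the claimed brand’s domain, “to” name and address that disagree, link targets on a different domain than the sender, urgency language and generic greetings) can be checked mechanically. The script below is an added example, not code from this post or from Sawyer Solutions: it parses a raw email message with Python’s standard library and reports which indicators it finds. The two sample messages are constructed for the example, the brand domain to compare against is passed in by the caller, and the urgency and greeting word lists are assumptions; a spelling check is left out because it needs a dictionary.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the DHL message discussed above:
# sender is not on dhl.com, the To: name and address disagree, and the
# "CLICK HERE" link points at a host unrelated to the sender.
SAMPLE_PHISH = """\
From: "DHL Express" <notify@parcel-update.example>
To: "Jane Doe" <accounts@example.org>
Subject: URGENT: your package could not be delivered
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Your parcel is on hold. <a href="http://track-dhl.example/get">CLICK HERE</a>
to confirm delivery immediately.</p>
</body></html>
"""

# Constructed benign counterpart: consistent sender, recipient and link domains.
SAMPLE_LEGIT = """\
From: "DHL Express" <notify@dhl.com>
To: "Jane Doe" <jane.doe@example.org>
Subject: Your shipment has been delivered
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello Jane,</p>
<p>Your parcel was delivered today. <a href="https://www.dhl.com/track">Track it</a></p>
</body></html>
"""

# Assumed word lists; a real deployment would tune these to its own mail.
URGENCY_WORDS = ("urgent", "immediately", "act now", "within 24 hours", "suspended")
GENERIC_GREETINGS = ("dear customer", "valued client", "dear user", "dear account holder")


class LinkExtractor(HTMLParser):
    """Collect the href target of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def domain_of_address(header_value: str) -> str:
    """Lower-cased domain part of the address in a From:/To: header ("" if none)."""
    _, address = parseaddr(header_value)
    return address.rpartition("@")[2].lower()


def same_or_subdomain(host: str, domain: str) -> bool:
    return bool(domain) and (host == domain or host.endswith("." + domain))


def phishing_indicators(raw_message: str, claimed_brand_domain: str) -> list:
    """Return the list of indicator names found in the message (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Indicator 1: the sender is not on the domain of the brand the mail claims to be.
    sender_domain = domain_of_address(msg.get("From", ""))
    if not same_or_subdomain(sender_domain, claimed_brand_domain.lower()):
        findings.append("sender-domain-mismatch")

    # Indicators 2 and 3: no word of the To: display name appears in the To: address.
    to_name, to_addr = parseaddr(msg.get("To", ""))
    local_part = to_addr.partition("@")[0].lower()
    name_tokens = re.findall(r"[a-z]+", to_name.lower())
    if name_tokens and not any(tok in local_part for tok in name_tokens):
        findings.append("recipient-name-mismatch")

    # Indicator 4: a link whose host is not under the sender's own domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    extractor = LinkExtractor()
    extractor.feed(text)
    for href in extractor.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if host and not same_or_subdomain(host, sender_domain):
            findings.append("link-domain-mismatch")
            break

    # Urgency language in the subject or body, and a greeting with no name in it.
    visible = re.sub(r"<[^>]+>", " ", text).lower()
    subject = str(msg.get("Subject", "")).lower()
    if any(w in subject or w in visible for w in URGENCY_WORDS):
        findings.append("urgency-language")
    if any(g in visible for g in GENERIC_GREETINGS):
        findings.append("generic-greeting")
    return findings


if __name__ == "__main__":
    print("phish :", phishing_indicators(SAMPLE_PHISH, "dhl.com"))
    print("legit :", phishing_indicators(SAMPLE_LEGIT, "dhl.com"))
```

The link check compares each target against the sender’s domain rather than the brand’s, which is exactly the “hover over the link” test from the DHL example; as the post notes, legitimate newsletters trip this too, so treat the output as a list of things to look at, not a verdict.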

The more sophisticated the phishing email, the harder it is to recognize it for what it is. You need to be cautious, no matter the source of the email. Never give out your password, banking information, or Social Security number over email. Also, it is always better to type in the web address of the place you want to go instead of clicking on links inside emails, especially if the place you are going holds banking information of any kind.

Phone Calls

You may now also experience the amusement of a phishing phone call. These calls generally sound something like “Hi, I’m calling from Microsoft Windows tech support and we’ve detected a problem with your computer. We’d like you to go to [some website] which will then connect you to us so we can get on and fix the issues.” If you follow their instructions, they will gain access to your computer and either implant malware, hold your computer hostage until you pay them, or both. Do not ever let anyone you do not know onto your computer!

Spear Phishing – Like Phishing but even more fun!

Phishing relies upon quantity to generate hits and revenue. The more people they send to, the greater the chance an unsuspecting victim will take the bait. Spear phishing is a more targeted attack, generally aimed at one specific company or even a division of that company. Just like phishing though, no company is too small for this to happen to. It can even target specific individuals, generally those with a high net worth.

The Target breach was the result of a spear phishing campaign against an HVAC firm that worked for Target. Another company lost almost $47 million in wire fraud due to spear phishing. There have even been reports of spear phishing being used to cripple infrastructure.

Spear phishing requires more research for criminals to pull off successfully. Depending on the target and aims, it can actually take months to orchestrate and execute. Attackers will use social media and internet searches to select their targets inside a company as carefully as possible and will take pains to make the email look as “real” as possible.

What can I do about this?

Just reading this post will give you a leg up, but you still need to practice CONSTANT VIGILANCE! You need to be wary of all emails. If something seems off, pick up the phone and give that person or company a call. Do not click on links or download and open attachments in emails unless you are very sure they are legitimate. Also, you should have some good spam filtering.

Spam Filtering

[Screenshot: spam filter report]

The above is a report on spam messages that I receive from our email provider several times per day. It shows messages it thinks are spam, and the provider also scans incoming messages for viruses. The two emails outlined in red are likely attempts to spear phish, as they appear to come from an internal email address. Notice that they purport to be notices about the IRS, to help generate that sense of urgency. Also, notice how IRS isn’t capitalized; remember, bad grammar is a red flag.

Sawyer Solutions can help you with your security, and we offer employee training to help train your workforce on phishing and other topics. Contact us [Link] for more information.