In this, my new series of blog posts, it is my aim to make IT Security issues accessible to all. A kind of “…. For Dummies” series. I hope these are useful and that they will be helpful to business users in particular.
We begin with “Phishing”.
Phishing is a term which is a play on the word “fishing” – the analogy holds well. The “hackers” (fishermen) cast their line and nets (typically by sending mass email) into their online “ponds” of large email lists where their prey await (unwitting online users). These emails sound enticing to some and like a trout fisherman’s fly or pike fisherman’s lure, they appear to the targets to be to all intents and purposes something they are not. Beware: for they hide a very barbed hook.
The way these cyber attacks work is usually the emails contain a link or button which they try to entice you to click. Clicking on the link will take you to a website which is usually a pretty good copy of a legitimate website asking you to verify your account information, for example. When you enter your account details and password, this information is recorded on the fake site and then the hackers have it. They may use it to log into your legitimate account which they faked. Worse still, they can then potentially access other accounts where you use the same login details. Indeed, these days virtually all our accounts are online and instead of having different passwords and user names for each, it is all too tempting to use the same details across many accounts. So if a Phishing attack is successful, often you don’t only give them access to one account but they will try the same details with multiple sites. For example, if you have an EBay account and you inadvertently release your password to a Phishing scam, they may now also have access to your email, amazon, apple, google, bank account, etc., if you have not protected yourself by having different login details for each account or at the very minimum enabled “two-factor authentication” (covered in a future post).
As an example, in 2003 a successful phishing campaign was conducted against eBay customers. Millions of emails were sent out to potential eBay customers stating that they needed to verify their details immediately or their account would be suspended and thousands if not millions of people clicked the link and gave their details away. That same year the U.S. government reported that 9.9 Million U.S. residents were the victims of “Identity Theft” (to be covered in future post), the cost to businesses was $48 Billion and the cost to customers $5.5 Billion.
Something else that can occur when you click on one of these links, is that software created by the attackers can be downloaded onto your computer and can sit in the background without your knowledge. This software can have almost endless capabilities, anywhere from recording every key press (this can also capture you login details for everything you login to) to giving full remote control of your computer to an attacker – allowing the attacker to use your computer as if he/she was sitting at the keyboard.
I am aware of many companies that have been compromised in this way.
What to Do?
If you receive an email or text message purporting to be associated with one of your accounts, do not ever click on any links, go to your browser and browse to the actual company website referred to in the message, not through URLs contained in the email, but by internet searching for the company’s official web page. Find the section that refers to Phishing and Scams (most reputable companies have details of the latest phishing scams as well as an email address where you can forward the message that you have received). Also check the companies email policies – many will say “we will never ask for your details by email”, for example. If you are still concerned about your account, contact the company directly using the contact information provided on their website. I strongly recommend that you do forward the information onto the company, as they will use the information from the message you received to help protect other customers and as potential evidence when/if they manage to track down the attackers.
In summary: read the message received carefully and if it is encouraging you to click on a link verify it with the company before you do. Make it part of your online routine to keep checking the scams page of companies that you use often. This will also help you to grow more familiar with the types of emails in circulation and help you more quickly recognize Phishing scams and suspicious messages when they arrive. Indeed, there is rarely any reason for clicking directly on a link in an email, and if there is any doubt, it is advisable not to do so.
If you found this informative or useful, as my first go at this I would appreciate it if you would share it.
Thanks to Gary Sharpe for his editorial assistance.