
If the last year is any indication, the world is in need of a crash-course on phishing. One of the latest ransomware attacks on Lake City, Florida was due to an employee falling for a phishing email. Lake City has gotten a significant amount of attention due to the large ransom of about $500,000, which they paid after the incident on June 10th. Lake City is not the only organization to fall prey to social engineering: 95% of all attacks on enterprise networks are the result of successful spear phishing. As the data has proven, human error will always be an organization’s weakest link, so here are 7 need-to-know facts about phishing to get you ahead of the game, and ahead of the hackers.
7 Need-to-Know Facts about Phishing
1. You can’t be hacked by just opening an email (most of the time).
Why? Emails are (mostly) written in HTML and plain text. Plain text and HTML generally cannot harm your computer because they don’t contain code that your computer can execute. A plain text email contains nothing but text and attachments. An HTML email also contains formatting (i.e. your email has colors and pictures), but besides that, it’s mostly just text. While emails can also contain JavaScript, most won’t, because email clients strip JavaScript out of emails before putting them in your mailbox. If they did not, JavaScript could automatically download a virus to your computer without you having to do anything. So while those pop-ups that say, “Should we trust content coming from this source?” are annoying, they are saving your behinds.
Otherwise, you have to click on a link in the email in order to get hacked. Still, it is important to be cautious. Consider changing your email settings to ask before allowing content. And if you see an email that looks suspicious, don’t open it!
Source: https://www.us-cert.gov/publications/virus-basics
2. Phishing isn’t limited to email.
You can also be targeted through text messages, phone calls, ads, websites, apps, social media platforms and more. Recently, we have seen a rise in the number of infected phones because people assume their phones are safe, and so they are not as careful about what they download onto their phones as they would be with their email or computer.
A report from Wednesday, July 10th, said that over 25 million Android users have been infected with malware named “Agent Smith.” The malware was found in multiple apps on a third-party app store. Once the apps were downloaded, the hidden malware would silently replace other apps on the phone, disguising the changes as an update from the Google app store. This is just one example of the many means hackers employ to steal your data.
3. There are multiple possible points of compromise in phishing scams, beyond just the initial clicking of a link.
One option is the more well-known one: the virus is downloaded to your computer, and the hacker is in. That is not the only option, however. The link could also take you to a website instead of downloading something. The website could be a compromised, legitimate website, or just a fraudulent website (in this case, watch out for misspellings in the URL). Or it could even be a link to the correct website that then redirects to the fraudulent website–see what they did there?
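As an added illustration (not from the original post), here is a small Python checker that flags the three tricks described above in the links of an HTML email: link text that names a different site than the href, a known brand name buried in a lookalike host, and a link to the real site whose query string forwards to another URL. The brand list comes from fact 6 below; the sample email and its .example domains are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlparse

TRUSTED = ("google.com", "paypal.com", "apple.com")  # most-impersonated brands (fact 6)
# Anchor extraction kept simple for this sample; a real mail filter would use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    """Crude 'last two labels' rule; enough for the constructed sample domains."""
    return ".".join(host.lower().split(".")[-2:])

def check_link(href, text):
    """Return the reasons a link looks like phishing (empty list if none found)."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    reasons = []
    # 1. The visible text names one site but the href goes somewhere else.
    shown = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
    # 2. A brand name sits inside the host, but the registered domain is not the brand's.
    for brand in TRUSTED:
        if brand.split(".")[0] in host and registrable(host) != brand:
            reasons.append(f"lookalike host {host} imitating {brand}")
    # 3. A query parameter carries a full URL: the "correct site, then redirect" trick.
    for values in parse_qs(parsed.query).values():
        for v in values:
            if v.startswith(("http://", "https://")):
                reasons.append(f"redirects to {urlparse(v).hostname}")
    return reasons

def scan_email(html):
    """Map every href in the email body to its list of warnings."""
    return {href: check_link(href, re.sub(r"<[^>]+>", "", text))
            for href, text in ANCHOR.findall(html)}

# Constructed sample email: a lookalike host, an open redirect, and one genuine link.
SAMPLE = """<p>Your account is on hold.</p>
<a href="https://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a>
<a href="https://www.google.com/url?q=https://g00gle-docs.example/share">Open document</a>
<a href="https://www.apple.com/support">Apple Support</a>"""

if __name__ == "__main__":
    for href, warnings in scan_email(SAMPLE).items():
        print(href, "->", warnings or ["no warnings"])
```

Run it as a script to see which of the three sample links get warnings.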
4. A website secured by HTTPS does not guarantee safety.
It is becoming more and more common for fraudulent websites to have SSL certificates–the little lock symbol next to the website’s URL signifying that you have a secure connection to the website. While SSL does create a secure connection for data passing between your browser and the website (so others cannot read the information being sent between the two), that only keeps hackers who don’t already own the website from reading your data while it is in transit. Your data is decrypted once it arrives at the website, so if a hacker is the one who owns the website, they have your data. The lock is misleading: it gives visitors a false sense that the website is safe and secure, when in fact you are handing the bad guys your information.
5. There are multiple levels of phishing, varying in how targeted they are.
Some hackers use a “spray and pray” approach, sending out a message to a large group, hoping for at least a few recipients to click on the link. While the group may have a couple of things in common which may appear in the messaging (like they all have Netflix accounts, or subscribe to the Wall Street Journal), these messages are normally general, with little personal information about each individual. Hackers can make these messages more personal by adding information they’ve collected about the user into the message, to make the message seem more legitimate.
There is a whole range of targeting: the more targeted an attack is, the harder it generally is to spot. At the other end of the spectrum is spear phishing, or whaling. After researching their target, hackers tailor the message specifically to the person, which makes it hard to recognize as phishing. Common spear phishing messages impersonate company leadership or coworkers and ask for specific information, or ask the recipient to follow a link.
Source: https://blog.syscloud.com/types-of-phishing/
6. Google, PayPal, and Apple are the most commonly impersonated organizations.
Financial institutions are also commonly impersonated because of the amount of sensitive information they require from their clients. A good rule of thumb is to check your account directly on their website if they send you a notice, instead of following the link in the email. If the notice is legitimate, you will also be able to find it on your account portal, or by contacting the organization directly.
Source: https://www.itgovernance.co.uk/blog/4-eye-opening-facts-about-phishing
7. Phishing websites can appear in search engines.
Have you ever seen an ad advertising a website with unbelievably low prices? Odds are, it is a scam. Phishing websites are on the rise, attracting people with impossibly low prices or fake job offers and tricking them into providing personal information. The hitch? They are still crawled and indexed by search engines until enough users report the fraudulent sites to the search administrators for them to take action. One trick: the average phishing website lasts about 15 hours, so if you’ve never seen it before, you may want to stay away!
Source: https://www.itgovernance.co.uk/blog/4-eye-opening-facts-about-phishing
This is not an exhaustive list of everything you need to know about phishing. This list is meant to better inform our readers of some not-so-well-known phishing facts to help them improve their awareness and knowledge base. We know how critical being aware of security issues is to the success of businesses as well as success in your personal life, which is why we are dedicated to helping our customers stay secure, both by the services we provide and the content we publish.
Sources:
https://www.zdnet.com/article/florida-city-fires-it-employee-after-paying-ransom-demand-last-week/