You are not immune.
Millions of people get their personal details stolen every day – 91% of cyberattacks
and their resulting data breaches begin with a spear phishing email. Once attackers
decide what information they intend to steal, which is usually personal or client
payment information, they target everyone who has access to it. That means even if
you have been careful online, you can still be targeted because someone else with
access to the same data was not. Nobody’s e-mail is free of threats – and not
everyone has filters and walls to protect them. Even when they do, phishing techniques
constantly evolve to get around them.
Tactics & Techniques
You’re used to getting e-mail from your bank, your vendors, your clients, your realtor,
your credit card company, your lawyer, and so on. You know them, and you are
comfortable sharing information with them – and cybercriminals know that. They
target those communications far more often than others, and can mimic them in pretty
sophisticated ways. They can spoof e-mail addresses, use subjects you’re familiar
with, and even write somewhat like the entity they’re trying to emulate. Cybercriminals
also use both basic & advanced social engineering techniques, making it difficult
even for more aware internet users to tell them apart from the real deal.
Links & Spoofed Websites
More often than not, a phishing e-mail will send a link to a spoofed website rather than
ask for details directly. “This is why you should never click on a link in an email from
your credit card company, even if you think that it is legitimate. It only takes a few extra
seconds to open a new tab in your browser, manually type in the credit card company’s
URL and log into your account.” This advice carries over to similar examples as well –
e-mail from PayPal, banks, and even coworkers can be emulated, spoofed, or
cloned. Being vigilant can help you make smarter decisions, and will ultimately make
these phishing & data theft attempts less successful.
Some of the spoofed websites those phishing links can take you to will look extremely
similar to the real website they’re trying to copy. Everything from the layout to the URL
could look close enough for most people not to notice. Add a pinch of urgency, and
suddenly you’ve fooled enough people to meet quota – so pause for a second before
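As an added illustration of the point above (not code from the original article), this Python snippet applies two checks to the links in a constructed e-mail body: whether the visible link text names a trusted domain while the real target points elsewhere, and whether the target domain is a look-alike of a trusted one built from commonly confused characters. The domain `example-bank.com` and the sample HTML are assumptions made up for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not a real message): one link whose visible text
# advertises the trusted site but whose href goes elsewhere, one look-alike domain,
# and one genuine link.
SAMPLE_HTML = """
<p>Your statement is ready.</p>
<a href="http://example-bank-login.invalid/verify">https://www.example-bank.com/login</a>
<a href="https://www.examp1e-bank.com/login">Log in to your account</a>
<a href="https://www.example-bank.com/help">Help centre</a>
"""

TRUSTED_DOMAINS = {"example-bank.com"}  # assumption: the sender's real domain

# Digits that are routinely swapped for letters in look-alike domain names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _registered_domain(host: str) -> str:
    """Keep the last two labels of a hostname (sufficient for .com-style names)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, trusted: set) -> list:
    """Return (href, reason) pairs for links that deserve a second look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        domain = _registered_domain(host)
        if domain in trusted:
            continue  # genuine link to a trusted domain
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and _registered_domain(shown) in trusted:
            findings.append((href, "text shows %s but target is %s" % (shown, host)))
        elif domain.translate(CONFUSABLES) in trusted:
            findings.append((href, "look-alike of trusted domain %s" % domain.translate(CONFUSABLES)))
    return findings
```

Running `suspicious_links(SAMPLE_HTML, TRUSTED_DOMAINS)` flags the first two links and leaves the genuine help-centre link alone.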
Current Event Tactics
Since the spread of COVID-19 in the United States, many companies are seeing an
increase in successful phishing & data theft attacks against their employees. 30% of organizations have been the victim of phishing scams since the pandemic, and cybercriminals are taking full advantage of it. They will send e-mail in a “shotgun blast” style, containing urgent wording about current events and how they may personally affect you or your workplace – being more aware of this will help you avoid falling victim to it.
An extremely common theme is e-mail attachments carrying harmful content, which, more
often than not, plants malicious code on your system once opened. “Let’s assume a target
clicked on the link, and the bad guys were able to place a keylogger on their machine.
Now it’s a matter of waiting for the hourly burst of keyboard data back to their server,
and monitoring for the credentials they are after.” (Spear-phishing @ KnowBe4) And just like that, they have your clients’ payment details, and potentially even administrator access to your company’s server. Explaining that to the boss isn’t a fun situation to be in.
Wire Transfer Clones
If you are in a transaction with someone who is waiting for a completely legitimate
transfer from you, the e-mail carrying the payment instructions can be cloned, and you may send your money to a
thief. If this happens, the potential reality is that you’ve had an intruder in your network or machine for some time. A scary thought, but a harsh reality. Awareness is the first way to protect against this.
JULY 27 2020
Authored here @ hello internet.