Something smells phishy
Phishing attacks are on the rise. Truth be told, it’s really getting out of control. What used to be an annoyance for companies is quickly becoming a major security risk. To make matters worse, phishing attempts are also becoming more complex. Attackers are leveraging social media and hacking to engineer realistic communication schemes designed to engage and trick employees. It’s becoming more difficult to distinguish between fake and legitimate emails. More employees are becoming victims and more companies are losing thousands. The good news is that you can manage the risk. This guide is designed to inform your employees of this growing threat and identify steps to take to protect your company.
What is phishing?
Phishing is the fraudulent practice of sending emails purporting to be from reputable companies or known contacts in order to induce individuals to reveal personal information (such as passwords and credit card numbers) or to make some form of financial transfer. Pronounced “fishing”, it’s a digital take on an angler casting a baited hook into the ocean, hoping to get bites. The practice was originally used to trick AOL users into voluntarily handing over sensitive information. Ultimately, phishing attempts are designed to get your money, either directly or indirectly. Today, phishing attacks combine spoofing, hacking, and social engineering to maximize the chances of fooling you.
So what is email spoofing? It’s a tactic where scammers forge a sender’s email address or display name so that a message looks like it’s from a legitimate person or organization. The objective of spoofing is to trick the recipient into thinking that a message is coming from a known contact or reputable source, in the hope that they’ll open it and take a specific action. A spoofed message typically shows a legitimate-looking name and email address in the “From” field while carrying a non-matching, bogus name and/or address in the “Reply-To” field. Spoofing covers a wide range of tactics that make an email look legitimate, including using the real logos of the spoofed organization and registering an email domain that closely resembles the legitimate one (e.g., [email protected] and [email protected]… notice the extra “l”?). See the Phishing Scheme illustration below.
Email hacking is different from email spoofing. In spoofing, someone sends an email from a fake account pretending to be a legitimate or reputable one. With email hacking, the perpetrators obtain the username and password of a real account and send a genuine email from it to unsuspecting colleagues or business contacts in order to trick them. Needless to say, an email coming from an actual account is far more convincing than a spoofed one; it is very difficult for the recipient to identify such a message as phishing. A common scenario we see in phishing schemes is a two-pronged attack: spoofing is used to obtain login credentials, those credentials are used to take over a real email account, and that account is then used to send a genuine message to an unsuspecting victim requesting some sort of payment.
Phishing campaigns are also using social engineering to become more and more targeted. There’s a growing trend where attackers use publicly available information on social media sites (LinkedIn, Facebook, Twitter, Instagram, etc.) to engineer highly targeted and relevant phishing messages. We’ve seen instances where attackers build an organization chart to understand the hierarchy of a company and identify who the key players are, then devise a realistic phishing scheme around them.
The Phishing Scheme
Let’s put it all together to see how social engineering, spoofing, and hacking are combined to create a classic phishing scheme. Scammers study various social media sites and company websites to identify key players in an organization. In this case, let’s use an organization called Example Inc. as the target. Through social engineering they identify Linda (the CEO) and Bill (the CFO).
With a little more research they quickly identify their email addresses as [email protected] and [email protected]. The scammers then register the domain examplle.com, a very close match to the original (notice the extra “l”?). Using that fake domain, they create [email protected], a bogus email account for Bill (the CFO). It looks authentic enough to send Linda (the CEO) a spoofed email pretending to come from Bill’s account; the email body disguises its intent by sharing a finance spreadsheet via a link to a shared document.
The email appears to be legitimate and Linda is directed to click on the link to view the document. Upon clicking the link, Linda is taken to a fake Office 365 login page and is prompted for her username and password to retrieve the Excel file. The site looks legitimate, complete with the official Office 365 logos, color theme, and typeface. Linda enters her username and password and voila… the scammers have what they need to take over the CEO’s email account.
Once in control of Linda’s real account, they send a “real message” from it to Bill’s real account, instructing him to pay a vendor invoice. Bill sees the message and clicks the link for the invoice payment.
The link sends Bill to a portal where he is asked to complete the transaction. Trusting what appears to be a direct instruction from his CEO, Bill pays the fake invoice. And just like that, Example Inc. has become a victim of a classic phishing scheme. In this particular example, the loss was a direct financial hit. In other cases, the loss can also involve client data, resulting in damaging and immeasurable harm to reputation.
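Two of the spoofing indicators described above (a lookalike sender domain such as examplle.com, and a Reply-To address that does not match the From address) can be checked mechanically at a mail gateway or in a mailbox rule before a message like the one Linda received ever reaches an inbox. The script below is an added example written for this page, not a tool from the original article; the trusted-domain list, the edit-distance threshold, and the three sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains the organisation treats as its own or as trusted partners.
# Constructed for this example; a real deployment would load these from config.
TRUSTED_DOMAINS = {"example.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return the trusted domain that `domain` imitates, or None.

    A distance of 1 catches the examplle.com style of typo-squat (one extra
    letter). An exact match is not a lookalike. For very short domains a
    threshold of 1 is noisy, so production checks usually scale it with length.
    """
    if domain in trusted:
        return None
    for t in trusted:
        if levenshtein(domain, t) <= max_distance:
            return t
    return None


def analyse_message(raw: str) -> list:
    """Return human-readable findings for a raw RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    imitated = lookalike_domain(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} looks like {imitated}")

    # Spoofs often carry a plausible From but route replies somewhere else.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(
            f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")
    return findings


# Constructed sample messages modelled on the scheme in the article; not real mail.
SPOOFED = """\
From: Bill <bill@examplle.com>
To: linda@example.com
Subject: Q3 finance spreadsheet

Linda, please review the sheet: https://examplle.com/share/q3
"""

REPLY_TO_MISMATCH = """\
From: Bill <bill@example.com>
Reply-To: <bill.cfo@mailer.invalid>
To: linda@example.com
Subject: Quick request

Can you approve the attached invoice today?
"""

LEGITIMATE = """\
From: Bill <bill@example.com>
To: linda@example.com
Subject: Lunch

Same place at noon?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("reply-to", REPLY_TO_MISMATCH), ("legit", LEGITIMATE)):
        print(label, analyse_message(raw) or ["no findings"])
```

A finding from this check is a reason to hold or flag the message, not proof of fraud; it does nothing against the second stage of the scheme, where the attacker sends from Linda's genuine account, which is why the article pairs technical controls with employee awareness.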