This is part four in a seven-part series regarding security concepts for small businesses. As an owner or principle of a small to medium sized business, you have the ability and the responsibility to understand security basics and ensure they are implemented for you.
- Part 1 of 7: Who has your back(up)?
- Part 2 of 7: Be on the Alert
- Part 3 of 7: When to (NOT) be an Admin
- Part 4 of 7: Gone Phishing
Phishing. Heard the term? If you search for it, you will find multiple definitions from multiple sources, not all of them in agreement. The term is meant to describe a certain type of email scam.
My definition is this: An attempt by a cybercriminal to lure a user of a computer system into assisting in causing damage by posing as something the criminal is not.
I have seen three main types of Phishing. The goal of all three is pretty much the same, and that is to gain control of a system in a malicious manner and do you and others harm.
1> Email Phishing: An email which claims to be something it is not, in order to get you to take an action. The action is almost always to click on a link or open an attachment.
2> Web Site Phishing: A webpage which is designed to look like something it is not. Also designed to get you to take an action, most often entering your password. This is often in conjunction with Email Phishing which leads you to the Web Page.
3> Phone Phishing: This is sometimes called “Vishing” or other names. The concept is to either call you out of the blue, or, in conjunction with one of the first two phishing types, get you to call them. Again the goal is to get you to take an action, usually clicking a link or entering your password.
More Detail on Phishing Types
Email Phishing: This can range from extremely crude and simple to very sophisticated. The simplest one i have seen was just this: ”Hey! click on this.” in an email. Believe it or not the user did and started a nasty malware attack.
There are also very sophisticated emails which are nearly impossible to tell from the real thing. Typical things the email pretends to be are; your bank, a company you do business with, the IRS, FedEx, UPS and Amazon. They can also appear to come from other people you know such as friends and family.
These change all of the time, and yes, they can quite often be catered to you personally. It is not difficult to find your interests and affiliations and creators of malware are just as capable of target marketing as anyone else.
Website Phishing: These are often what comes up once you click on a link from an email phishing attack. They also are impossible to tell from the real thing, unless you look in the address bar and then the http://googal.com link can be a giveaway. BUT just having the correct domain in the link is NOT enough to guarantee safety. There are methods of attack beyond the scope of this blog but the bottom line is a legitimate site can still do you harm and it happens all of the time.
One such method is a growing problem called “Malvertising” which allows attackers to plant bad things in legitimate ads on legitimate sites. Sites which recently admitted to unknowingly hosting Malvertisng and handing out viruses are The New York Times, Huffington Post, MSNBC, MSN, Amazon and the list goes on.
Phone Phishing: This one is the hardest one for me to believe, yet I encounter it on a frequent basis. Your phone rings out of the blue and you are told it is your internet provider, Microsoft, the IRS, or some other organization and they have reports of issues with your computer. The other method is when during an Email or Web Phishing attack a number pops up and you call them.
They offer to help. People often let them. This is bad because since they have you on the telephone they really have your full cooperation in a way they do not get in an email or web attack. Typically, they will get securely anchored in every computer in the house as well as gain access to your WIFI device, router or other equipment. Since this attack can be so deeply ensconced there is really no other solution then to literally wipe or replace every piece of technology in the network. They can sound knowledgeable, helpful, even charming. Most reports state that if you do not do what they want the person on the other end of the phone will become threatening, hateful and even violent, pulling out all of the stops to coerce you into assisting.
What to Do
Although my descriptions may seem all doom and gloom, and yes, these attacks are very much on the increase, the solution is actually fairly simple. Don’t take the action. All of these attacks are “over the wire.” Nobody is standing in your physical presence threatening you, so focus on NOT opening the attachment or clicking on the link.
1> Don’t open attachments from emails unless it is something you have specifically requested or have verbally confirmed with the sender that it is legitimate.
2> Don’t click on links from emails. Pretty much ever. If you do feel a need to take action you can go straight to the website of the alleged sender if you happen to know if or can find it from and independent source, such as a bank statement.
It is also relatively safe to “Google” an organization and go to the link which comes up in the search. For example, if you search for your bank name on Google, you are most likely going to find a link to your actual bank website, not a Phishing page. Although this is not guaranteed, it is fairly safe as Google watches for such things, and Google has the clout and resources to find them and eliminate them from search results.
3> Don’t blindly follow phone instructions. Microsoft, your cable company etc., will pretty much never call you and tell you to start doing things to your computer. You can again use Google to look up the phone number of your bank, etc. and then call that number if needed, not the one in the email or on a pop up or a fake website. Oh, also Caller ID is easy to fake too, so don’t go by that.
4> Make sure everyone else on your network knows this. It is important to make sure everyone in your company understands what Phishing is, how it happens and what NOT to do. Frankel Zacharia Tech Services offers employee security awareness training and we recommend this on an annual basis and as part of new employee training. On a home basis, make sure all members of the family are also in the know.
5> Consider Testing: Frankel Zacharia offers Phishing testing. This basically creates fake Phishing emails and examples to send to employees and monitors the response. If links are clicked on which could cause malicious results, the recipient is instantly informed and results are logged for you to review.
Protecting yourself, your company and your family against Phishing attacks is a tall order, but these types of attacks have all but replaced traditional “hacking” attacks simply because they get frequent results. You can’t eliminate the possibility, but you can drastically reduce it by starting on the steps listed. If you would like more information please contact me and our organization will be glad to assist.
Thanks and remember, you can and should understand your own technology.
Tim Weidman is the Director of Information Technology at Frankel Zacharia Tech Services, a department of Frankel Zacharia, LLC. Tim has a technology career spanning over 25 years and holds professional certifications in Certified Ethical Hacking and Penetration Testing, Security+, A+, Network+ as well as Microsoft, Apple, Linux and Novell technologies.