Phishing attempts by hackers are getting more personal. With the advance of mail filtering and antivirus software, large-scale attacks and phishing campaigns are being detected earlier and are shut down quickly for those with managed security products. This has created a shift in phishing attempts from the brute-force approach to more nuanced and targeted campaigns against C-Level types who possess the keys to the business and the bank accounts.
Phishing for your information
The intent of phishing emails is three-fold:
- Get your credentials;
- Install malware; or
- Use you as their robot.
In many cases the phishing email will look like it came from a legit source like PayPal or your bank. It will include a disguised link for you to click which will bring you to a convincing looking webpage designed to harvest your information. You will be prompted for your credentials or personal information and then the hackers have the keys to your account.
The best way to spot these bogus links is by looking for typos in the email and hovering over the button or link to see if the web address is legit. Often the text on the screen will look legitimate but the hovered link will show a different address. This is a giveaway to a phishing attempt.
Should I click that?
That button or link can also be used to download and install malware or execute malicious code. If your computer has good antivirus that is managed and updated, the malware is often of a canned variety and should be blocked. But with spear phishing and whale phishing, the code may have been written just for you and your antivirus may not be able to detect it. So again, with the hover of the button/link, look for a legit web address before clicking.
Also under the malware avenue is the good ole attachment. Hopefully your email is set up to block executable attachments right off the bat, which leaves macros and embedded malware inside of allowed file types. The best defense is to not open attachments unless you are expecting them. A good cautionary measure to take if you are unsure of an attachment is to fire off a new email -- don't reply -- to the sender asking if they sent the message. Obviously a reply will go to the phishing sender, who will no doubt encourage you to open it.
The third avenue, being used as the hacker's robot, may sting the most as it is typically the most targeted. Using social networks and legit business tools, it is possible for hackers to do their homework and identify C-Level people in your company who may send requests to move money and have the access to actually move the money.
Here is how it works:
- Hacker uses information from your company website, social media pages, and legitimate business research and marketing tools to identify your C-Level people.
- Hacker creates a legit email account with Gmail or Yahoo and uses the C-Level person's name.
- Hacker sends an email using this account to a CFO or Controller saying they need some money moved and asking what info is needed to move the money.
- As this is a legit email account and doesn't contain anything malicious other than intent, it is often allowed through mail filters.
- If the CFO/Controller responds saying "OK, give me the account number, routing number, etc.", then the phishing attempt has set the hook into a whale and the transfer goes through.
You have just become an unwitting robot doing the work for the hacker.
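The pattern in the steps above has a signature that mail tooling can look for: the From display name matches one of your executives, but the address behind it belongs to a free webmail provider rather than your own domain. The script below is an added example, not part of the original article; the company domain, the executive roster and the two sample messages are constructed, and the free-mail provider list is an assumption you would tailor to your environment.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values: a hypothetical company domain and executive roster.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}
# Assumed list of free webmail domains; extend for your environment.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Wording typical of a money-movement request (constructed list).
PAYMENT_WORDS = ("wire", "transfer", "payment", "account number", "routing")

# Constructed sample: executive's name on a free webmail account.
IMPERSONATION = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: controller@example-corp.com
Subject: Urgent wire

Are you at your desk? I need a transfer done today. What info do you need?
"""

# Constructed sample: the real executive, from the company domain.
LEGITIMATE = """From: Jane Doe <jane.doe@example-corp.com>
To: controller@example-corp.com
Subject: Q3 numbers

Attached as promised.
"""


def normalize_name(name):
    """Case- and punctuation-insensitive form of a display name."""
    return " ".join(name.lower().replace(".", "").split())


def assess_sender(raw_message):
    """Return a list of findings that suggest executive impersonation.
    An empty list means nothing matched."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    roster = {normalize_name(n): a.lower() for n, a in EXECUTIVES.items()}
    expected = roster.get(normalize_name(display_name))
    if expected is None:
        return []  # display name is not an executive; out of scope here

    findings = []
    if address.lower() != expected:
        if domain in FREE_MAIL_DOMAINS:
            findings.append("executive name on free webmail account")
        elif domain != COMPANY_DOMAIN:
            findings.append("executive name on external domain")
        else:
            findings.append("executive name on unexpected internal address")

    # A Reply-To that silently redirects the conversation is another tell.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != address.lower():
        findings.append("Reply-To differs from From")

    # Only raise the wording finding when the sender is already suspect.
    if findings:
        body = msg.get_payload().lower()
        if any(word in body for word in PAYMENT_WORDS):
            findings.append("payment request wording")
    return findings


if __name__ == "__main__":
    for label, sample in (("impersonation", IMPERSONATION), ("legitimate", LEGITIMATE)):
        print(label, "->", assess_sender(sample) or "no findings")
```

A message that trips the first finding should be routed to a person, not just tagged: the article's advice to confirm by phone is the actual control, and the check only tells you which messages deserve that call.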
To defend against becoming the hacker's own personal robot, consider establishing air-tight procedures for moving money. It is a bad idea to do this over email -- as convenient as it may be. If an unscheduled transfer is needed, use the phone or make the request in person. If you get a request by email, DO NOT RESPOND TO THE EMAIL. Instead, pick up the phone and confirm it directly.
Education is the Key
Many phishing attacks are personal. Hackers are doing their homework on you and your company through social media, your company website, and legitimate business research tools like Dun & Bradstreet. As these attacks are one-on-one, personal, and appear legit, the technology put in place to intercept these messages is sometimes not enough. Your analog employee has become your cyber-defense, so arm them with information about how to spot phishing attempts and test their abilities to avoid traps through internal phishing campaigns.