Saturday, December 12, 2015

What is Phishing?

We have probably heard of Phishing.  Phishing is a very big risk in today's world.  It is imperative that we understand what it is, and how to NOT fall for it.  

Phishing is basically when someone tries to get you to think that they are legitimate, and then tries to get you to do something detrimental to your own or your company's security.  An example of phishing is when you get an email that says it's from FedEx - it says there is a problem with your account and you must log in immediately to fix it.  There is a link in the email - when you click that link it may look like you're going to the FedEx site, but you're not.  You're going to a fake site, and then you put in your username and password.  You're giving your username and password to the hacker.

Another example is when you get a phone call - they say they are from technical support and are calling to help you fix your computer problem.  We've all had computer problems, so this call might be welcome.  The caller often has an Indian accent.  They want you to perform some actions.  When you connect to their website, you are compromised.  Or they convince you to type in your username and password, and then they have your login information.  

I recently connected a landline through my cable provider.  Within 2 days, I received a phishing phone call.  The caller was a female Indian (think Chennai, not teepees...)  she advised that I was having computer issues and said she was calling to help.  Of course I told her I appreciated the call and would cooperate.  She wanted me to open the Run line - she told me to type in iexplore followed by a website address (the address was 121usahelp - dot - com) - IF I had done so, the instant my browser hit their web server I would have been compromised by some sort of malware or rootkit.  OR, once I connected, I would have had to approve their remote access into my computer, and then I would have been compromised.

So instead of actually typing this in, I started asking about the company - WHO was I allowing to connect by typing this in.  She immediately suspected that I was on to her, and she began cussing me!  She called me a "bloody F#$KER" and told me to "F$@K OFF" and then hung up.  Once I stopped laughing, I told my wife that the call was a fake tech support scam, and my wife, the wife of a computer security guy, said "how did you know?"  So I knew right then that I had to publish something to raise the level of awareness.

These people are looking for non-savvy people - people who may really need the help, people who may in fact be having a lot of computer problems.  The first thing to do is:

1. Think - did I request assistance?  
2. Can I verify that this caller is in fact from a company I trust?
3. Will my company ever call me and ask for my password?

When in doubt, don't give them any information, and DON'T connect to them with your computer.  There are several ways they can get you to connect:

1. Browser - if they ask you to open your browser and connect to a website - DON'T!  The instant you hit enter, you may be compromised.
2. Open/Run - if they ask you to go to the Windows button and then type in iexplore followed by a website, DON'T do it.  This is the same thing as opening up your browser and typing in a URL.  It calls the Internet Explorer program with their website address.
3. Giving them your username and password - this is the most obvious phishing attack.  Your employer, Microsoft or any other vendor will NOT ask you to divulge your username and password.  Anyone who does is likely trying to steal your credentials.  No legitimate technical support or service provider needs this.  

Remember, you are likely using the same username and password for multiple accounts, including your bank, credit cards, etc.  Although this is a bad habit, if you at least don't divulge your username and password in these scenarios, you're ok.  If you DO divulge it, you are divulging the login to multiple accounts.

The only reason Phishing is such a lucrative criminal business is that the victims do not suspect that they are being phished.  If everyone would ask the 3 questions above and be very suspicious of any caller or email asking for information, Phishing would be almost impossible to do.  

For those companies wondering how to address the risk of Phishing, there are a few things you can do:

1. Ensure your security awareness program covers the risks of phishing, how to spot it and how to prevent it.
2.  Use a tool which checks any links in email and quarantines potential phishing attempts.
3.  Use a phishing program - there are vendors out there who can perform phishing attempts on your users - if they actually click the links in an email they are re-directed to a security awareness training link and you can gather metrics on what percentage of users actually fell for the phishing.

Technical controls combined with user security awareness training can greatly limit the effectiveness of phishing.  There will always be ways to compromise our computer systems.  Phishing can be prevented through awareness - if you just realize there are people out there looking to take advantage of your lack of awareness, and always be suspicious of any caller or email asking you to do something like divulge your username and password, we can put the Phishers out of business.

1 comment:

david durisko said...

Great read. Thank you. I personally can relate. My mom had excepted a call and was working with someone regarding computer issues and she handed me the phone and asked me if I could help them further. I continued to talk to them on the phone and within the first few words I knew right away that this was a phishing attack. Not sharing this with my mom prior to her leaving the room not knowing that this was a phishing attack and her returning back to what she was doing prior to that call. Later when she saw me again she asked me how did the conversation go and was I able to help out the folks on the phone. At this point I knew right away that she would've been compromised if I was not there. Education and awareness or a plus to stop these types of attacks thanks for the read Randall.