Phishing: It’s Not What’s for Dinner
Phishing has been in use in one form or another probably a week after the first email account was used by consumers. Phishing has become glaringly prevalent in today’s society. This clogs up the Spam folders daily across the U.S. The attackers have operationalized phishing as a vector to compromise the user’s information, data, email, credentials, and any other facet that has value. This has become so popular and used as much as it is due to the ease of application. The technical requirements for this are minor. The phisher has to create a moderately believable email generally without significant grammar or spelling errors, which is not difficult. This may involve a bank, sale at a retail business, sale on pharmaceuticals, or any other possible email that is appropriate.
The more productive and revenue generating phishing scams or campaigns have involved ransomware or the executive wire scam. Most are familiar with the ransomware phishing exploit, as it has been in the news more frequently. With this the user opens a link or attachment that appears to be fine, however is actually malicious in nature. The system, network segment, network, etc. is encrypted. The attackers later offer to provide the decryption key…for a fee.
The executive wire scam has predominantly taken the form of someone in accounting or finance receiving an email directing them to wire funds, varying per target from a few thousand to millions, dependent on the target, what was encrypted, the industry, etc. The usual email is rather demanding, stating the person has to wire the money in the next few hours, the executive sending the email is in a meeting or would not be accessible, and it is imperative that this be sent. These both are very low tech attacks, which work on the user’s oversight and willingness to do the job and keep the executive happy.
All is not lost though. There are many options the users need to be aware of in order to limit the risk of this continuing to happen. For instance, the bank is not going to send the user a link in an email with a message directing the user to click on a link or to provide the credentials on the email. Generally, an invoice does not need to be paid within a few hours or a discount would be lost. As a rule of thumb, the discount period is a few weeks, not hours. Although pet pictures are wonderful, strangers are not going to email these to you. Users generally don’t purchase pharmaceuticals online from a firm they have never heard from and their workplace is not associated with.
One tool that works wonders is simple communication. If an email arrives and demands a payment within a very short amount of time and the sending party directly, aggressively states that they are not accessible, simply check if they are actually on vacation, if they are in a meeting, send a quick email to the person while not replying to the email that was received for authentication, or just make a quick call. This only takes a moment and has the potential to save a large amount of money and embarrassment.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.