Welcome to the second part of our #SecureChristmas, keeping you in the loop regarding security challenges for your business. Today we discuss Email and the human vulnerability often associated with Phishing.

Phishing and Whaling

Put simply, phishing is sending an email that falsely claims to come from an established, legitimate enterprise in an attempt to trick the recipient into surrendering private information, which is then used for identity theft.

Phishing emails will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers, that the legitimate organisation already has. The website, however, is bogus and will capture and steal any information the user enters on the page.

A common example of this type of scam is the eBay scam, in which users received emails supposedly from eBay claiming that their account was about to be suspended unless they clicked on the link provided and updated credit card information that the genuine eBay already had. Because it is relatively simple to make a website look like a legitimate organisation’s site by copying its HTML, the scam counted on people being tricked into thinking they were actually being contacted by eBay and were going to eBay’s own site to update their account information.

There are, however, a couple of steps you can take to verify the legitimacy of a sender.

  • Senders pretend to be someone they are not, but when you hit reply, the address in the To: field will show the crook’s real address. Before sending a reply, make sure it is going to the address you expect.
  • When an email contains a link, double check the URL and make sure the domain is correct, even if the page looks legitimate once opened.
  • If an email has gone to the junk folder, 99% of the time it is because your email provider knows it to be spam.
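As an added illustration (not part of the original post), the first two checks above can be automated: compare the domain of the Reply-To address with the From address, and compare the domain a link displays with the domain it actually points to. The sample message is constructed in the style of the eBay scam described earlier; every address and domain in it is made up.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the eBay scam above; every address and domain is made up.
SAMPLE_EMAIL = """\
From: "eBay Account Services" <service@ebay.example>
Reply-To: account-review@mail-verify.example
Content-Type: text/html

<a href="http://ebay.example.login.mail-verify.example/update">https://www.ebay.example/signin</a>
"""

def domain_of(addr_or_url):
    """Lower-cased domain of an email address ('a@b') or a URL ('https://b/...')."""
    if "@" in addr_or_url and "://" not in addr_or_url:
        return parseaddr(addr_or_url)[1].rsplit("@", 1)[-1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()

class LinkCollector(HTMLParser):
    # Collect (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def check_email(raw):
    """Return red-flag warnings for a raw message; an empty list means both checks passed."""
    msg, warnings = message_from_string(raw), []
    sender = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg.get("Reply-To", msg.get("From", "")))
    if reply_to != sender:  # check 1: a reply would go somewhere other than the apparent sender
        warnings.append(f"Reply-To domain '{reply_to}' differs from From domain '{sender}'")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:  # check 2: displayed URL vs. where the link really goes
        shown = domain_of(text) if "://" in text else ""
        if shown and shown != domain_of(href):
            warnings.append(f"Link text shows '{shown}' but points to '{domain_of(href)}'")
    return warnings
```

Running `check_email(SAMPLE_EMAIL)` returns two warnings, one for each check; a message whose Reply-To matches its From and whose links point where they say they do returns an empty list.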

A regular feature of phishing scams is the scare tactic: the user is warned that their account will be suspended if they fail to update their information within a short time.

Recently there has been a rise in a new practice called whaling. Whaling is a specific form of phishing aimed at upper managers in private companies. The objective is to swindle the manager into divulging confidential company information held on their systems, most notably financial information.

Where phishing emails are blindly sent to thousands, if not millions, of recipients, whaling emails take a more serious, executive-level form. The content is crafted to target an upper manager and that person’s specific role in the company, and is often written as a legal subpoena, customer complaint, or executive issue.

Whaling scam emails are designed to masquerade as critical business email sent from a legitimate business authority, or even from an internal email address. In a recent FBI subpoena whaling scam, 20,000 corporate CEOs were targeted. Approximately 2000 of them fell victim and clicked on the whaling link, believing it would download a “special” browser add-on to view the entire subpoena document.

In truth, the linked software was a key logger that secretly recorded the CEOs’ passwords and forwarded them to the con men. As a result, each of the 2000 compromised companies was further hacked in some way, and a few of them were particularly badly damaged by the attacks.

According to sources for the subpoena scam, nearly half of the antivirus products tested failed to detect the trojan horse malware – illustrating how important it is to keep software up to date, ensure security software is current, and run frequent spyware and malware checks – our team would recommend Spybot S&D, Malwarebytes and F-Secure AV. One thing to look out for is irregular or poor use of language – grammar and spelling are often low on the priority list for these crooks. If something doesn’t look or feel right, or has been sent from a previously unknown sender, check it out before clicking.

If you are ever unsure of an email for any reason, please forward it to help@techrelate.co.uk and we shall confirm its authenticity. If you are convinced an email is genuine and want to act on it, why not check Hoax Slayer first, the best place for documented scams.