Episode 3: Social Engineering – Phishing

What is Phishing?  

Phishing is the most common type of social engineering. The first reference to phishing dates back to 1996. Phishing is defined as any fraudulent attempt to obtain sensitive data or information. It is called phishing because the attackers throw in a line and hope to get a bite. They don’t succeed with every attempt, but enough people respond, and those hits are lucrative enough to make the effort worthwhile for them.

There is also spear phishing, in which an attacker spends time gathering information, and potentially building a relationship over time via email, before launching the actual attack. Spear-phishing emails may appear to come from a friend, a family member or a work colleague. The attacker then requests information or money. Targeting the attack this way increases the chance of getting a large amount of sensitive information or money. In the business world, spear phishing is used to gain access to a company’s internal network or to get fake invoices paid.

As more and more people become comfortable with the internet, phishing attempts have become much more sophisticated. It is harder to tell whether an e-mail is actually from the business it appears to represent. The e-mails look legitimate: they use the real logos and formatting so similar to the real thing that everyone is vulnerable. These e-mails contain links that send users to spoofed websites that look almost identical to the real ones. Users then enter their information, either login credentials or credit card details. The attackers harvest that information and use it to exploit the user.

With these phishing attempts looking so legitimate, how can we avoid falling victim to them?

Here are examples of phishing emails received by my colleagues; we will discuss them to answer the question above.

Let’s analyze the four signs of phishing in these e-mail messages:

  1. Note the email address of the sender. One indication of a phishing email is that the sender’s address does not belong to the business it claims to be from. In the first example the sender’s address is a cox.net address, not an M&T Bank one.
  2. Note the grammar and spelling in the body of the email.
    • The first example has many grammar errors, including incorrect wording and missing punctuation. The wording gives the impression that the text was run through a translator to produce the English. One way I like to check grammar is to read the message out loud.
    • The second example has spelling errors, including in the name of the company it claims to be from. One error may not indicate a fraudulent email, but multiple errors make it more likely to be phishing.
  3. The email gives only one way to contact the company.
    • Neither email message has a phone number or any alternate way to contact the company. Only the link. DO NOT CLICK THE LINK. If there is only a phone number, DO NOT CALL THE NUMBER. The link or phone number will likely send you to a website or a person who will harvest whatever information they can get from you.
    • When checking the link in the email, hover your mouse cursor over the link and the URL (website address) behind it will pop up. Check that it is sending you to the company’s own address. Be aware that if there are numbers that look like 123.123.123.123 before or after companyname.com, it is most likely a spoofed website.
  4. The emails use generic greetings or no greeting.
    • A legitimate email will most likely include your name if you have an account with the company. The use of “Dear Customer” or “MCDanld’s user” or another generic greeting is a sign that you aren’t known to the sender.
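As an added example (not from the original post), here is a small Python script that automates the hover check from point 3: it pulls every link out of an email’s HTML, compares the address the link text shows with where the link actually goes, and flags bare IP-address hosts and look-alike domains. The sample email body and the brand domain `examplebank.com` are constructed for the demo.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample HTML body (not a real message), in the style of the
# e-mails discussed above; examplebank.com stands in for the real bank.
SAMPLE_EMAIL_HTML = """
<p>Dear Customer, your account will be locked. Verify now:</p>
<a href="http://123.123.123.123/examplebank.com/login">https://www.examplebank.com/login</a>
<a href="https://examplebank.com.account-verify.net/">examplebank.com</a>
<a href="https://www.examplebank.com/contact">Contact us</a>
"""

# Simple anchor pattern; fine for the constructed sample, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def extract_links(html):
    """Return (href, visible text) pairs, i.e. what hovering would reveal."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in ANCHOR_RE.findall(html)]

def registrable_domain(host):
    """Last two labels of a host name; enough for .com/.net style domains."""
    return ".".join(host.lower().split(".")[-2:])

def is_ip_host(host):
    """True when the link host is a bare IP address such as 123.123.123.123."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_links(html, brand_domain):
    """Return (href, reasons) for every link that fails the hover check."""
    findings = []
    for href, text in extract_links(html):
        host = urlparse(href).hostname or ""
        reasons = []
        if is_ip_host(host):
            reasons.append("link goes to a bare IP address")
        elif registrable_domain(host) != brand_domain:
            reasons.append(f"link host {host!r} is not under {brand_domain}")
        # Link text that looks like a web address but points somewhere else
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if "." in shown and shown != host:
            reasons.append(f"text shows {shown!r} but link goes to {host!r}")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `check_links(SAMPLE_EMAIL_HTML, "examplebank.com")` flags the first two links and passes the genuine contact link.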

Phishing attacks often make things seem urgent. You will be locked out of your account if you don’t respond immediately. Your credit card or bank account has been compromised. Your Amazon account is going to be closed if you don’t reply. Or they will offer a free item or reward.

Beware of any official-looking notice from a bank, a company, or a government agency. Very few if any government agencies contact you via email if there is a problem. If there is actually a warrant for your arrest, they don’t send an email about it. The best thing to do is to double check everyone and everything.

How do you double check?

  1. Go to the official website for the company and click on the Contact Us link (99% of websites have one). Call that number directly and ask about the email. Also log in to your account the same way you usually do. Do not use the link in the email in question.
  2. Look on the back of your credit card or on your bank statement and call the number listed and ask about the email.
  3. Go to the official governmental agency website and get the number from there.
  4. Call your state Attorney General and ask if they have reports of similar emails.
  5. Call your friend or family member and ask if they sent an email asking for information or money.

It is ALWAYS better to double check.

No one is exempt from phishing attacks. Everyone gets these emails and everyone is vulnerable. The perpetrators of these attacks are very crafty and good at what they do, and they get better every day. If you fall victim, know that you are not alone. If you are in the United States, remember to report these phishing attempts to your State Attorney General, as well as the FTC (Federal Trade Commission). In Europe, you can find your reporting agency on the Europol website.

Be safe out there in our digital world!

More information can be found on these websites:

FBI – Scams and Safety

AARP – Money Scams & Fraud

Federal Trade Commission Fraud Reporting