Let's go Phishing

Simplicity Security Self

We all hear from our IT departments, the government and the press to stop clicking links, attachments, or images sent to us from unknown email addresses, fake company addresses with odd-looking domains (like 24f9d9@uf8.companyname.com.ru), or in SPAM, but I want to write a solid, practical guide on phishing. One that treats you, the reader, with respect while assuming no prior experience.

Government information pieces and IT department notices say little more than ‘if it looks suspicious, don’t click, and tell us’. This provides no context for phishing scams. Context enables learning, and learning is the key to your security. How can you be expected to protect yourself against phishing when you have no understanding of the basic principles? This is what infuriates me about those IT department emails.

In 2017, phishing scams continue to be effective. This is because of a lack of digestible information. On one end of the spectrum we have little to no information beyond a warning, and on the other end we have technical write-ups that require a Bachelor of Computer Science to decipher.

Phishing is, essentially, sending out bulk emails carrying harmful malware that only does harm once the user accepts, clicks, or is otherwise fooled into acting.

This means that a little bit of knowledge can go a long way against phishing attacks. By being aware of their nature, you will be far better protected than the average user.

Phishing attacks can look like an email from your bank. They work on quantity, not quality, and it very much is a fishing expedition, hence the name. A majority of the time, it might not even be an email from your bank. You may be with Bank A, whereas you received an email from Bank B advising you to change your password. In this case it is easy as pie to delete the email. But that same email will eventually hit a user who does in fact use that bank. They may click through, and within a few minutes (yes, minutes; [cite 10 min report]), they have lost out.

Phishing has developed into somewhat of a complex art form. A couple in the US had their email hacked. The attacker waited, watching their inbox. They were about to buy a house, and the attacker sent an email containing a document on their lawyer’s letterhead. It advised of a bank account. And just like that, they had sent $200K to the attacker’s bank account. This is the more sophisticated, targeted end.

These examples illustrate that phishing works. It is easy to be fooled, and the attacks are getting better.

Phishing, then, is an attempt to deceive: manipulating a person into opening a file, handing over money, or handing over information.

Protecting yourself with some easy rules

1. Check the sender email address

It sounds very innocuous, and it sounds perhaps condescending and insulting. However, do not take it that way. I check the sender email address carefully on all inbound emails that regard any sensitive information. Admittedly, I should be doing this on all emails, period, but just as phishing really shouldn’t be a thing anymore, I am just as human as the next user. But by checking the email address, particularly the domain of the sender, I can ensure any “paypal.3dios.fake.com” addresses are ignored, and the real addresses are carefully examined and cleared.

2. Do not open SPAM

Retrain your brain. Any SPAM, even if the offer in the advertisement looks great, should be promptly ignored or deleted. The attacker’s goal is just to make you click. Their ‘deals’ are made to look amazing. It is all just for the click. Before you know it you’ll be downloading a fake .pdf catalogue that pushes malware to your device, or you’ll be clicking through to an infected shop. Just delete it or ignore it. If the deal is too good to refuse, then jump on your search engine and check it out that way.

3. Be wary of anything or anyone soliciting information of any kind.

It perhaps sounds ultra-paranoid, but I would be failing the security principles of Emptology if I did not give protective advice. On the internet, and in our world, data is the most valuable commodity. Information giants know this, and act accordingly. You, too, should instil this ideal within. Protect your data by deciding who you give it to, and why. Give this information out sparingly and with care and caution. Do not click onto a bank website with the URL “www3.bankA.78d9.com”, which looks just like Bank A’s website, and start filling out forms or ‘password resets’. You are like a phish on the line, and you’ve taken the bait.
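Rules 1 and 3 both come down to the same check: what is the actual domain behind a sender address or a link, and is it one you trust? The following is an added example, not code from the original post, showing that check in Python. It parses the host out of an email address (including the “Name <user@host>” form) or a URL, reduces it to its registrable domain, and flags addresses where a trusted brand name appears somewhere in the host but the registrable domain is something else, which is exactly the pattern in “paypal.3dios.fake.com” and “www3.bankA.78d9.com”. The trusted-domain list and the small suffix table are assumptions constructed for the example; a real tool would use the full Public Suffix List.

```python
"""Lookalike-domain check for sender addresses and links.

Added example (not from the original post). TRUSTED_DOMAINS and
TWO_LABEL_SUFFIXES are constructed for illustration.
"""
import re
from typing import Tuple
from urllib.parse import urlparse

# Hypothetical: the domains this reader actually has a relationship with.
TRUSTED_DOMAINS = {"companyname.com", "paypal.com", "banka.com"}

# Minimal stand-in for the Public Suffix List, so that "bank.co.uk" is
# treated as the registrable domain rather than "co.uk".
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "com.ru"}


def registrable_domain(host: str) -> str:
    """Return the part of the host that someone actually had to register.

    'login.bank.co.uk' -> 'bank.co.uk'; 'paypal.3dios.fake.com' -> 'fake.com'.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_from_email(address: str) -> str:
    """Extract the domain after the last '@', handling 'Name <user@host>'."""
    addr = address.strip()
    m = re.search(r"<([^>]+)>", addr)
    if m:
        addr = m.group(1)
    if "@" not in addr:
        raise ValueError(f"not an email address: {address!r}")
    return addr.rsplit("@", 1)[1].strip().lower()


def host_from_url(url: str) -> str:
    """Extract the host from a link; tolerate links written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.lower()


def classify(host: str) -> Tuple[str, str]:
    """Return (verdict, registrable_domain).

    'trusted'   - the registrable domain is one we know.
    'lookalike' - a trusted brand name appears in the host, but the
                  registrable domain is not the trusted one (rule 1 and 3).
    'unknown'   - nothing we recognise either way; treat with care.
    """
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reg
    brand_names = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    if any(brand in host for brand in brand_names):
        return "lookalike", reg
    return "unknown", reg


if __name__ == "__main__":
    # Constructed samples, including the two lookalikes quoted in the post.
    samples = [
        ("sender", "24f9d9@uf8.companyname.com.ru"),
        ("sender", "PayPal Support <help@mail.paypal.com>"),
        ("sender", "billing@paypal.3dios.fake.com"),
        ("link", "www3.bankA.78d9.com"),
        ("link", "https://login.banka.com/reset"),
    ]
    for kind, value in samples:
        host = host_from_email(value) if kind == "sender" else host_from_url(value)
        verdict, reg = classify(host)
        print(f"{kind:6} {value:45} -> {verdict:9} ({reg})")
```

The substring test for the brand name is deliberately broad: it will also flag hosts such as “paypal-secure.example” where the brand is glued onto another label, which is the behaviour you want from a warning, not a verdict. Anything classified as “unknown” is not safe, merely unrecognised; the rule in the post still applies, so go to the site via your own bookmark or search engine rather than the link.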

4. Do not be intimidated.

Some phishing scams use ‘time limits’ or ‘deletion threats’, stating within emails that a user’s account will be deleted if they do not update their password, or that they only have x minutes to click through and update their information. This exists to cloud the mind and judgement; enough to ignore the URL that takes you to a fake site. Do not be intimidated. If in serious doubt, just call your service provider. Remember: when you call your service provider, on the number you already have for them rather than one printed in the email, you can be sure it is them.

5. Anti-virus software can’t help you (too much).

I’ll dive into the pros and cons of anti-virus (AV) software another time; for now, I’ll simply say that your anti-virus software doesn’t help you if you submit a web form, or start entering sensitive information into a foreign website. You’re not very protected if you think installing AV software makes your system invincible. Get out of this frame of mind. Run from it. Be cautious, always.

With these 5 rules kept in mind you’ll elevate yourself above a huge majority of phishing attacks. By knowing what phishing attacks are, what their purpose is, and why they succeed, you’ll have a far better chance of avoiding them. Next time you get that email from IT advising you to ‘not click’ and ‘inform us’, you can have a nice little chuckle to yourself, knowing that IT can do nearly nothing if you inform them you’ve received the email; really, they are asking to be informed so they can isolate your computer on the assumption you’ve clicked everything within. Of course, this is only responsible, but the condescension just marginalises, where education would strengthen.