What phishing is, how it works, and what you can do to stay safe from it.
You roll out of bed and turn on the coffee maker. While you wait, you open up your laptop and check your email. You notice that your boss sent you an email overnight. It looks important. There are lots of exclamation points. Still groggy, you quickly click on an attachment in the email.
Something about the document seems strange and now things are starting to look suspicious. You go to close it, but it’s already too late. The document had a hidden malware “payload” that has already infected your computer. The coffee maker dings.
In the few minutes it took to boil and percolate, you fell victim to a phishing attack. Maybe you should have had that cup of coffee first…
Alright, that was a dramatization, but real phishing attacks happen in similar ways all the time. You have likely heard about phishing – and if you have an email address someone has almost certainly attempted to phish you – but you may not entirely understand what it is.
What is Phishing?
Phishing is a type of fraud that involves impersonating a person or company with the purpose of extracting information from the victim. Phishing can happen over almost any medium – including physical mail and phone calls – but is extremely popular online, where many methods of communication are anonymous or hard to track. Phishing attacks want to trick you into taking an action that you would normally only do with someone (or some website) that you trust.
Phishing is a medium for an attack, but not a weapon itself. Phishing attacks often require the victim to open an attachment, download a file, or click a link to a site. Those actions will trigger the “payload” – which is the actual weapon of choice – likely malware or ransomware. Other phishing emails may ask you to visit a site to update, confirm, or change account information and passwords. Attackers then use that information to access important accounts or networks.
You likely know the age-old “Nigerian Prince” emails, wherein some unfairly displaced royalty needs your help to recover his fortune, and if you just hand over some personal banking info he will give you a cut. That is one of the most widely known phishing attacks – executed by hundreds of scammers over the years.
You may have scoffed at such an obvious scam. But you would probably be surprised to learn that thousands of people have been defrauded by the “Nigerian Prince” scam. The psychology behind phishing has made it a pervasive and effective tool for criminal activity.
Why Does Phishing Work?
Many phishing attacks rely on “social engineering” to be effective. Social engineering involves using social expectations, instincts, and interactions to obtain information. For example, an email might appear to be from a company claiming you have an overdue invoice and include an attachment of said invoice that secretly contains malware. Or a website may impersonate a popular service like PayPal or Apple ID and ask you to reset your password or provide other important account information.
These attacks work because they take advantage of our expectations. I have gotten legitimate emails telling me about some recurring service I forgot to cancel, requiring me to open a receipt or log in to a site; and in the wake of dozens of high-profile breaches, who hasn’t received an email from a company saying they need to reset a password?
Social engineering also takes advantage of our goodwill and human nature. Most people take things at face value and don’t expect to be scammed. In the last few years, social engineering has become an extremely popular method for attackers. Many of the recent high-profile breaches have involved social engineering tactics.
RSA, a well-known computer security company, was hacked because an employee decided to open an email labeled “junk” and follow the instructions inside because it appeared to have an important attachment. If an email has been flagged as “junk” or “spam” there is probably a reason for that. And just because your coworkers also received an email, don’t assume it’s legitimate. A popular strategy for attackers involves mass-emailing an entire company and quickly using any information they receive before anyone even realizes what is happening. By the time an IT department intervenes, it may already be too late. If a website or email seems suspicious – stop.
Sometimes, it’s personal
Spear-phishing is a tailored form of phishing. Instead of just throwing in a lure and hoping to catch anything, spear-phishing targets a specific person or organization. The Sony Pictures breach in 2014 started with a spear-phishing email, as did a U.S. State Department breach in 2015.
You may not have had any personal experience with spear-phishing, but it’s incredibly important to be able to recognize it. Spear-phishing attacks may impersonate a coworker or another department in your organization – frequently the IT department or Finance/HR department – asking you to provide login credentials or reset your password. The scenario at the top of this article – an email from a seemingly panicked boss – is an example of a spear-phishing attack.
Before you hand over any potentially valuable information, confirm that the email or website is real. It can be as simple as asking a coworker who has a particularly good sense for internet security, or reaching out to your IT department, which can determine whether a message is authentic by examining the email’s headers (its “metadata”). For websites, the “green address bar” next to the URL displays the name of the company that operates the website (sensitive sites like PayPal.com and BankofAmerica.com use this). The green address bar indicates that the company is the confirmed owner of the website, which helps you ensure you are on the official site and not a phishing site.
Attackers may do personal research on an especially valuable target, using public information on the Internet and their social media accounts (such as Facebook and LinkedIn) to craft an email or message that looks like it’s coming from a friend, trusted colleague, or someone else in their organization. Remember, phishing does not always happen through email – any method of communication is an avenue for phishing.
You should always practice good security hygiene, which will help protect you from any type of Internet threat. Good practices include regularly updating software, which ensures that known bugs are fixed and cannot be exploited on your computer. Ask your IT department for guidance – they will be very happy to see you are concerned with security.
Also, avoid opening attachments from unknown sources. A popular phishing attack involves sending attachments that appear to be invoices, often as .pdf files, which actually contain malware. Pay particular attention to files with a “.docm” extension, a macro-enabled variant of the Microsoft Word format that allows dangerous code execution. These .docm files have recently been used in a series of attacks.
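One way to put the advice above into practice, both the “look at the email metadata” step and the warning about .docm attachments, as an added example that is not from the original article: a small Python checker (the domain names, the RISKY_EXTENSIONS list and the sample message are all constructed for this illustration) that reads the headers an IT department would examine and flags macro-enabled attachments.

```python
import email
import email.utils
import os
from email import policy

# Attachment types worth a second look: the macro-enabled Word format the
# article mentions, plus other macro-enabled or directly executable types.
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".exe", ".js", ".vbs", ".scr"}

def phishing_indicators(raw_message, trusted_domain):
    """Return warnings for one raw email (sender domain, Reply-To, attachments)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []
    # Sender check: does the address behind the display name use our domain?
    _, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain != trusted_domain.lower():
        warnings.append(f"From domain '{from_domain}' is not '{trusted_domain}'")
    # Reply-To check: are replies quietly routed to a different domain?
    _, reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        warnings.append(f"Reply-To '{reply_addr}' differs from the From domain")
    # Attachment check: flag extensions that can execute code when opened.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        if ext in RISKY_EXTENSIONS:
            warnings.append(f"attachment '{filename}' has risky extension {ext}")
    return warnings

# Constructed sample: a "boss" writing from a look-alike domain, replies
# diverted to a third domain, and a macro-enabled Word file posing as an invoice.
SAMPLE_MESSAGE = """\
From: "Dana Boss" <dana.boss@lookalike-mail.test>
Reply-To: dana.boss@another-domain.test
To: you@corp.example
Subject: URGENT!!! Overdue invoice
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please open the attached invoice right away!!!
--sep
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="invoice_0423.docm"

(binary document content omitted in this constructed sample)
--sep--
"""
```

Running `phishing_indicators(SAMPLE_MESSAGE, "corp.example")` returns three warnings, one for each of the three red flags; a message with none of them returns an empty list.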
Once you act on a phishing attempt, there is no undoing it. Attackers often conceal their location or identity, or are located outside of your jurisdiction, so there is almost no legal recourse or chance that you will recover the compromised information.