What is phishing?
First of all, what is phishing? We hear the term bandied about daily by the media, but what does it actually refer to?
Phishing is the fraudulent method of sending emails purporting to be from someone trusted by the recipient in order to deceive them. This can be an email that appears to be from your bank, energy supplier, a social networking account you have or even a friend or relative. The main motivator is financial in one way or another. Sometimes it’s a link that appears to be from your bank and requires you to enter your personal details so that the cyber-criminal can steal them. Other times it’s an attack vector, a method for the cyber-criminal to put harmful software such as a virus or ransomware on your machine.
There are also a couple of other terms closely related to phishing that you may see used: vishing, which tries to achieve the same goal through a voice call, and smishing, which uses the same tactics via SMS text message.
A phishing attack is usually a widespread campaign sent to hundreds of thousands of email accounts at once, hoping for someone to fall victim to the attack. If you got an email from Natwest but your bank is RBS you are unlikely to click it, but for someone who banks with Natwest it may be enough to make them click the link. Because of the volume in which the email attack is sent, there is always likely to be some success with it.
What is spear-phishing?
In contrast to a normal phishing attack, a spear-phishing attack is very targeted and laser-focused on its target. The target could be a business or an individual.
A spear-phishing attack is one that requires a lot of planning, but if done correctly can almost guarantee that the victim will fall for the cyber-criminal’s ploy. This can be constructed to phish a user’s password or bank details, plant ransomware on the computer and much more.
As a company we create phishing attack simulations for our clients, if they wish to test their employees’ responsiveness to an attack. We would research the employees on social media, finding out what they like, where they go and what they do. For example, let’s say employee x regularly checks in on Facebook at Costa Coffee, perhaps every Saturday lunch time. A perfect scenario for this target would be to buy a web address such as www.costacoffeeoffers.co.uk, which as you can see from the screenshot below is available to buy for £13.98 for 2 years.
With a little time spent in Photoshop I could quickly mock up a believable-looking email and send it from email@example.com to my intended victim. Attached to this email would be either a virus, a remote administration tool allowing me to access the machine whenever I like, or a piece of ransomware. Obviously, for the purposes of testing clients I wouldn’t actually attach anything malicious, just a tracking object that allows me to check if they have opened the email or not. This email would be perfect to send either on a Friday afternoon or Saturday morning, when I know the intended victim is due to visit their favorite coffee shop. Below I have put a screenshot of an email I crafted to illustrate the point. The customer service telephone number is genuine if someone wants to Google it and check, the email uses an official Costa banner at the bottom, and the spelling and grammar are all correct. This is the big difference between a spear-phishing attack and a more generic phishing attack: everything is checked to ensure it is believable.
If you think you wouldn’t fall victim to this type of attack because you don’t have a social media presence, or because you have a restricted account with very little public information, then another method would be used to phish you. Let’s say your car: a well-crafted email pretending to be from the manufacturer of your car about an urgent safety recall notice. If you don’t drive, how about an email about a family member? A cyber-criminal will use any method possible to execute a phishing attack successfully, so they will stoop as low as telling you that a family member or friend is in trouble. Obviously, for the purposes of a social engineering/phishing test we have ethics and rules to follow and wouldn’t use a scenario such as that for testing. The point, however, is that everyone unfortunately is susceptible to an attack.
What do we look for?
A cyber-criminal will usually use either a link or an attachment to obtain the victim’s details or offload a malicious payload onto the victim’s computer.
First of all, let’s break down the email below into elements we can check. This isn’t a spear-phishing email; it is a generic phishing email, as you can see from the “Dear customer” greeting.
We have the name of the sender, which is Natwest. Sometimes that is all our email client shows; in this case it actually shows the email address next to it. If your email client doesn’t show this, either hover over the sender’s name or click on it to find the email address it has been sent from. This email address should match that of the company’s website, so from a quick Google search we can see that the Natwest website is www.nwolb.com, not www.natwestsecure.com, which is where this email has come from. This is immediately a red flag and shows that the email is suspicious.
Next we have how the email is addressed. It is addressed “Dear customer”. Most businesses now would address you by your name; they have software that does this very easily and makes your email personalised, so the generic nature of the email should stand out as a warning flag. It may not be enough to say conclusively that this is a phishing email, but it is something that you can add to other factors.
You can’t see it in this email, but look at the To field. Who is it addressed to? Is it addressed to your email address, to “undisclosed recipients” or even to the company’s own email address? The latter two would suggest that your email address is hidden because the email hasn’t just gone out to you but to a whole host of potential victims of the cyber criminals.
Have a careful read of the language of the email. In most cases the emails are sent from abroad and written by cyber criminals who are not native English speakers. This can be identified from the mistakes made in the email. A large organisation such as Natwest wouldn’t send an email out with mistakes like this in it.
Another method used to make you think the cyber-criminal is on your side is to show you that it isn’t a phishing email. Some actually put in the footer “we take phishing and fraud very seriously, and if you receive an email you feel might be a phishing email, report it to this address”. Someone attempting to scam you wouldn’t give you such information, so the email must be genuine, right? In this case they are saying “please go to our SSL secure link below”; as people are getting more savvy online, a lot of people would recognise the https:// as being a secure place to be.
Finally, we look at the link. The cyber-criminal in this case has made use of a technique known as masking. The written URL on the screen is https://www.nwolb.com/Login.aspx. If you check, that is the genuine URL associated with logging into your online banking with Natwest, so everything seems above board. However, if you hover over the link you will see that it doesn’t take you to www.nwolb.com at all; it takes you to a website that has a very good-looking Natwest imitation page set up ready to steal your details.
Below you can also see an image of a site that has a very believable URL and looks just like the Natwest site ready to steal your details.
How to avoid being Phished
So the threat is out there, we have all had the generic phishing emails, hopefully most people don’t fall for them due to some of the bad techniques deployed as shown above in the Natwest example email. But if the cyber-criminal wants our machine, access to a company we work at, etc, they will go to extraordinary lengths to ensure they get there.
- Are you expecting the email? Of course we get emails that we were not expecting all of the time, but should they contain an attachment or a link? If we get sent a regular invoice from a supplier, we could get caught out by them, but as long as its name follows a convention and we are used to receiving them, follow these checks and make a decision. However, if we get an invoice from a person we haven’t heard of or a contact that doesn’t usually send them, question it. Give them a call, or send them an email to an address you already have for them (not by replying to the email), and check they did actually send you an invoice. If they did, they will be fine with you checking; if they didn’t, you have saved yourself from a whole world of pain.
- Always check the email address behind the sender’s name if the email has an attachment or link in it. It takes seconds and provides a quick verification that the email is from who it says it is.
- Check the domain name of the sender or link very carefully; there may be an extra letter in it or a number where there should be a letter. For example, www.facebook.com vs www.faceb00k.com, or www.hsbc.co.uk vs www.hsbcc.co.uk. These are the sort of tricks that the cyber criminals use, as they are simple and people miss them.
- Hover over any links, or right click and “copy link”, paste it into your web browser’s address bar and don’t press enter. This allows you to study the address before navigating to it. A malicious URL could lead you to a malicious website that steals your details, as in the Natwest scam above, but it could also send you to a website that infects you with a virus or Ransomware as soon as you visit it.
- Think about what is attached to an email. Would Costa Coffee attach a PDF with your voucher in it, or would it just be a code or QR code as part of the email? Probably the latter. Would your bank send you a copy of your bank statement to read? The most threatening attachment we see is either a Word document that contains a macro or a PDF document that contains a virus. If you are unsure, forward it to your IT department or a specialist for analysis before opening any attachments. If you are not expecting it, don’t open it!
- If you receive an email from someone you have an account with (a shop, your bank, a website) saying that they need you to confirm something or check your details, or simply containing a link to their site so you can see their latest offers, do not click the link. Even if it is genuine, you don’t know that. Instead browse to their site by going to your web browser and typing in their address or typing the business into Google. Then log in if required, as you know you are on the genuine website.
- Cyber criminals use urgency, panic and emotions to get you to click on something. Remove all of these from the situation when looking at your emails. If you think you are being told by someone authoritative within your organisation or wider society that you must act now, 10 minutes won’t matter. If the request is genuine and you explain why you are checking, they will be thankful they have an employee who performs due diligence rather than one who acts out of panic. If you are told some shocking news relating to your business, private life or something in the media, take a minute to validate the source and think about it before opening any attachments or clicking any links.
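The domain comparison from the list above (www.facebook.com vs www.faceb00k.com, www.hsbc.co.uk vs www.hsbcc.co.uk) can be done mechanically. The following is an added example, not part of the original post: the digit-swap table, the one-character threshold and the names KNOWN, SWAPS, edit_distance and classify are assumptions made for illustration.

```python
# Domains to protect: the two legitimate domains named in the text above.
KNOWN = ["facebook.com", "hsbc.co.uk"]
# Common digit-for-letter swaps (an assumed, non-exhaustive table).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify(domain, known=KNOWN):
    """Return (verdict, matched_domain) for a sender or link domain."""
    d = domain.lower().strip(".")
    if d.startswith("www."):
        d = d[4:]
    # Exact match or a subdomain of a known domain is treated as genuine.
    for good in known:
        if d == good or d.endswith("." + good):
            return ("genuine", good)
    for good in known:
        # A number where there should be a letter, e.g. faceb00k.
        if d.translate(SWAPS) == good:
            return ("lookalike: digit swapped for letter", good)
        # An extra, missing or changed letter, e.g. hsbcc.
        if edit_distance(d, good) <= 1:
            return ("lookalike: one character added, removed or changed", good)
    return ("unknown", None)
```

A verdict of "unknown" only means the domain is not close to anything in the list; it is not a sign that the domain is safe.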
If you use email you are a target. You may think that your company is too small or insignificant to be the subject of an attack, but cyber criminals have different motives. It could be a grievance with an employee or the company, it could be to prove they can target you and succeed, maybe you are just someone in a list of people they stumbled across and would like to extort money from, or maybe you are local geographically to them and they drive past your place of work every day.
Whatever their motive, you can be a target. By taking the steps mentioned above when you receive an email with a link or attachment, you will put yourself in the best position possible to avoid being caught out.
2016 and 2017 have seen a huge rise in Ransomware and phishing is the perfect way to facilitate the attack. For more information on Ransomware and how that can affect your business please see our blog post on Ransomware here.
If you require any assistance or awareness training for your business and employees please get in touch here and we would be more than happy to help.