Phishing is a type of social engineering that tries to trick you into compromising yourself and/or your company. It can take the form of malware-infected email attachments, or of links to spoofed websites designed to steal credentials directly or to install malware that infects the victim's computer first and then spreads across the company network, potentially giving an attacker complete access and control. These phishing links are most often delivered by email, but they are also common in chat, text messages, and posts on social media sites such as Facebook and Twitter.
New Phishing Statistics
The good news is that according to the Symantec April 2015 Internet Security Threat Report overall email phishing actually decreased in 2014, as did phishing links in social media posts. The bad news is that this decrease was only noted in generic wide-net phishing attacks not targeting a particular individual, group, or company. Targeted spear-phishing attacks, which are often very sophisticated, increased by 8% in 2014, and 91% between 2012 and 2013.
How much damage can spear phishing do? The recent Target breach that resulted in credit card and personal data on more than 110 million consumers being exposed has been traced to a single employee at a Target subcontractor who clicked on a link in a spear-phishing email.
While the Symantec report notes that large businesses are still the primary target for spear-phishing, accounting for 31% of all 2014 spear phishing attacks, it also emphasizes that attacks on small businesses are steadily increasing. While accounting for only 18% of attacks in 2011, they grew to 30% in 2013, and now account for over a third of all spear-phishing attacks.
An Ounce of Prevention
A 2014 Tip Post, Can You Spot SPAM, Phishing & Other Malicious Email?, provides tips on spotting these phishing emails. It includes a link to the SonicWALL Phishing IQ Test, which is still a great way to test your phish-spotting skills.
Honing your skills is important, because one little slip can send you down a rabbit-hole of compromise that can result at best in your paying for services you don’t need, and at worst your financial accounts being hijacked and your identity being stolen.
A Phishing Scam in Action
The following video, while not specifically a small business attack, shows the potential result of falling for a phishing email.
Note that this example was done in a controlled environment specifically created to engage the hackers. You should NEVER do this yourself, and you should NEVER engage with hackers or let any untrusted person take remote control of your computer.
A step-by-step analysis of the attack can be found here. At a high level, here’s how the scam works:
- A “victim” receives a phishing email, purportedly from Netflix, that directs clicking a link to login to their Netflix account.
- The “victim” clicks the link, and is taken to a spoofed Netflix login screen.
- The “victim” enters user credentials (in this example, the credentials used were fake).
- The page is designed to transmit the Netflix credentials to the hackers, and to display an error message telling the “victim” that his account is locked. It provides a help number to call.
- The “victim” calls the number (which is not a true Netflix support number).
- A fake Netflix support person tells the “victim” his account is locked because there “are foreign hackers in his computer,” and offers to take remote control of the computer to investigate.
- “Victim” says ok, and clicks a link provided by the “support person” that installs a remote desktop program that gives the “support person” full remote access to his computer.
- The “support person” now truthfully says that he has confirmed that hackers have control of the computer. He then offers to transfer the “victim” to Microsoft Support to fix the problem and provide needed security to the “victim’s” computer. A special Netflix discount for this service is even provided.
- The “victim” agrees, and his call as well as control of his computer, is transferred to a different “support person.”
- “Support Person 2” claims to run a scan on the computer that shows it has weak security and is compromised. In reality, the hacker is displaying pre-programmed results to the “victim” while actually scanning the computer and stealing files of interest, such as those that might contain passwords or financial account numbers.
- “Support Person 2” creates an onscreen invoice (via accessing notepad on the victim’s computer) detailing the fees for software “required” to fix the problem, and even takes off the Netflix discount.
- To pay this invoice, “Support Person 2” instructs the “victim” to provide a photo of his ID and credit card. This is supposedly necessary to make sure that the “victim” has the card in hand and is the named account holder, since Internet transactions are unsafe.
- The “victim” claims not to have a scanner, and so “Support Person 2” offers to take the picture himself if the victim will simply hold the card and his ID up to the computer’s webcam.
- Since the lab-controlled environment has the webcam disabled the call is ended, presumably because the thieves know something is up.
The goal of this con is multi-pronged, and the hacker’s bounty is upped each time the victim falls for another piece of the scam.
- At step 3, the hackers get Netflix Credentials.
- At step 7 the hackers get control of the victim’s computer, and can steal any information or files stored on it.
- At step 14, had the “victim” actually sent a photo of a credit card and a photo ID, the hackers would have everything they need to steal his identity.
Protecting Yourself and Your Small Business
So, what can you do to protect yourself and your small business?
First, let technology help. Use robust spam filtering to keep phishing messages out of inboxes in the first place. Also make sure that anti-virus/anti-malware software is installed on all computers, and that the anti-phishing security settings in your browsers are turned on.
- Chrome: Settings > Advanced Settings > Privacy > Check the “Enable phishing and malware protection” box.
- Firefox: Settings > Options > Security Tab > Check the “Block reported attack sites” and “Block reported web forgeries” boxes.
- Internet Explorer: Tools menu > SmartScreen Filter > Turn on/off SmartScreen Filter… > SmartScreen Filter screen > select the “on” option, and click “OK.”
- Safari OS X: Safari > Preferences > Security > Check the “Warn when visiting a fraudulent website” box.
- Safari iOS: Settings > Safari > “Fraudulent Website Warning” setting to “On” (green).
Unfortunately, many phishing attacks sneak through these defenses. For example, in the Netflix scam above the browser security may have warned the “victim” about the spoofed website before any credentials were entered. However, once the “victim” called the fake support number, he began assisting the hackers by giving them legitimate access to his computer.
Thus the very best defense is knowing (and training your small business team to know) what to look for so that if you encounter phishing emails and texts, or phishing links on social media, you can identify them up front and not take the bait. It is also important to establish safe computing rules for your team so that they don’t inadvertently put your company at risk.
Safe Computing Basics
- Inspect all links before clicking. Don’t click unknown links in email, chat, text or social media.
- Don’t open unexpected attachments.
- Never use login links from emails. Always use a saved bookmark, or type in a known login URL yourself.
- Don’t call phone numbers in emails or on-screen error messages. Independently locate a support number for the company on its official website. (Note that scammers often manipulate search engine results to highly rank their bogus support hotlines.)
- Never allow anyone to remotely access your computer unless you are 100% positive of their identity and you completely trust them. (For example, remote access is a great way to enable your in-house IT team to troubleshoot computers for teleworkers.)
- Never disable anti-virus software or browser security settings.
- Use common sense, and stay vigilant.
Telltale Signs of Phishing
- Poor grammar and spelling.
- Spoofed email “From” addresses.
- Hidden or group email “To” addresses.
- Masked links (Click Here links, Login Buttons, etc.)
- Unexpected attachments.
- Not quite right website addresses.
- Requests to provide personal or financial information via email.
- References to Hot Current Events with links to videos.
- References to recent data breaches with requests to provide credentials, financial account information, or other PII for validation.
- Messages from friends or coworkers with nothing but a link, or a short strange sounding message and a link.
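Several of the signs above can be checked mechanically before a person ever reads the message. The following Python script is an added example (not code from the original post, SonicWALL or Symantec) that parses a constructed sample message and flags: a visible From domain that disagrees with Reply-To or Return-Path, a hidden recipient list, anchor text that names one site while the link goes to another, a bare IP address in a link, and a hostname that merely contains a trusted brand name. The TRUSTED_DOMAINS table, the `.example` hostnames and the sample email are assumptions made up for the demonstration.

```python
"""Heuristic checks for several telltale phishing signs in a raw email.
Added example, not code from the original post; the sample message and
the trusted-brand table below are constructed for the demonstration."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands the recipient does business with, and the single
# legitimate registrable domain for each.
TRUSTED_DOMAINS = {"netflix": "netflix.com", "paypal": "paypal.com"}

# Something that looks like a domain name inside visible link text.
DOMAIN_IN_TEXT = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b")


def registered_domain(host: str) -> str:
    """Crude approximation: last two labels; IP literals are returned as-is."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    return ".".join(host.split(".")[-2:])


def addr_domain(header_value: str) -> str:
    """Registrable domain of the address in a header, or "" if there is none."""
    addr = parseaddr(header_value)[1]
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_body(msg) -> str:
    """First text/html part of the message, decoded, or "" if none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_message: str) -> list[tuple[str, str]]:
    """Return (category, detail) pairs, one per indicator found."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = addr_domain(msg.get("From", ""))

    # Spoofed From: replies or bounces go to a different domain.
    for hdr in ("Reply-To", "Return-Path"):
        dom = addr_domain(msg.get(hdr, ""))
        if dom and dom != from_dom:
            findings.append(("header-mismatch", f"{hdr} is {dom}, From is {from_dom}"))

    # Hidden or group To address.
    to_hdr = msg.get("To", "").lower()
    if not to_hdr or "undisclosed" in to_hdr:
        findings.append(("hidden-recipients", to_hdr or "<no To header>"))

    extractor = LinkExtractor()
    extractor.feed(html_body(msg))
    for href, text in extractor.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https") or not url.hostname:
            continue
        host = url.hostname.lower()
        # Masked link: the text names one site, the href goes to another.
        m = DOMAIN_IN_TEXT.search(text.lower())
        if m and registered_domain(m.group(1)) != registered_domain(host):
            findings.append(("link-text-mismatch", f"'{text}' -> {host}"))
        # Not-quite-right address: a bare IP instead of a hostname.
        if host.replace(".", "").isdigit():
            findings.append(("ip-literal-link", href))
        # Lookalike: brand name in the host, but not the brand's real domain.
        for brand, legit in TRUSTED_DOMAINS.items():
            if brand in host and host != legit and not host.endswith("." + legit):
                findings.append(("lookalike-domain", f"{host} imitates {legit}"))
    return findings


# Constructed sample, modelled on the Netflix lure described above.
SAMPLE_EMAIL = """\
From: "Netflix Billing" <billing@netflix.com>
Reply-To: support@netflix-account-verify.example
Return-Path: <bounce@mailer-42.example>
To: undisclosed-recipients:;
Subject: Your account has been locked
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your accont was locked. Please <a href="https://netflix-account-verify.example/login">login</a> now.</p>
<p>Or go to <a href="http://203.0.113.7/nf">netflix.com/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    for category, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{category:20} {detail}")
```

Run against the sample, the script reports two header mismatches, the hidden recipient list, the lookalike host on the first link, and both the masked text and the bare IP on the second. It is a heuristic triage aid, not a verdict: an attacker who controls the sending domain can make From, Reply-To and Return-Path agree, so the header check belongs alongside the sender-authentication checks your spam filter already does (SPF, DKIM, DMARC), and a clean result still does not make a login link in an email safe to use.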
Unfortunately, this really is a case of phish bites man. Don’t get hooked. For more information about common phishing schemes and how to defend against them, download the Symantec UK whitepaper Phishing – The latest tactics and potential business impacts.