At the beginning of the COVID crisis the vast majority of employers sent their employees home and instructed them to work remotely, and this in turn has exposed those employers to a great deal of cyber risk. The biggest threat targeting remote workers is phishing, with attacks up by a staggering 340% since the start of the crisis. This is a huge problem because, according to the Verizon Data Breach Investigations Report, 70% of cyber attacks use a combination of phishing and hacking to breach businesses. On top of that, 65% of attacker groups used spear phishing as their primary infection vector and a whopping 94% of malware was delivered via email, a clear threat trend that absolutely needs to be taken seriously.
Phishing attacks occur when a criminal sends you an email that looks like it comes from a legitimate source but is malicious in nature. They come in many forms and typically aim to infect you with malware or harvest your credentials by tricking you into:
- Opening a document.
- Clicking on a link.
- Installing some software.
- Entering your credentials into a fake website.
The Different Kinds Of Phishing Attacks
Credential Harvesting
Sneaky phishers trick you into handing over your username and password by sending you a link that looks familiar and legitimate but actually points to their fake copy of the service. These can be hard to spot, because phishers disguise their fake links with domain names that are slightly off from the real one, usually swapping or dropping a letter or two. For example, netflix.com becomes netllix.com, and if you only glance at the URL you can easily miss the difference.
When you click the fake link, it takes you to a web page that looks like the real Netflix login page but isn't. If you aren't paying attention, you can very easily enter your credentials on that fake page. Some of these fake login screens look very authentic, and telling them apart from the real thing comes down to small details. If you do log in through one, the attackers have your credentials. Before you type a password into any online service (especially one somebody sent you a link to), check the address bar and inspect the URL: the address bar always shows the domain the page was actually loaded from, so read that domain character by character rather than trusting the page's logo and layout.
Remember, just because a page looks like the real thing, it doesn’t mean that it is.
Those fake URLs can be tricky; many phishers register domains that look just like the real ones. For example, https://wwwgmail.com is not the same domain as https://www.gmail.com, even though at a glance they look almost identical. Another common tactic is URL shorteners, which are great for making long URLs easier to type or read but equally good at hiding the real destination. It is also easy to forge the sender address of an email so that it appears to come from a legitimate domain, so even checking the From address is sometimes not enough to confirm that the email really came from the organization you think it did. Always check the URL in the address bar carefully!
Spear Phishing
Spear phishing attacks are built on something specific to you, something the criminals have learned about you personally; that is where the term comes from, and here is how it works. Say you get an email from a coworker you have been publicly flirting with on Twitter (which the phisher noticed). The subject line reads NAKED SELFIE OF ME and it appears to come from that coworker's email address. What do you do? You open it, of course. Many people have already been spear phished exactly this way. The email contains a PDF called selfies.pdf, so you open it. There may well be pictures in that PDF, but it also carries malware that quietly installs itself on your computer. That malware can be used to spy on you: everything you type, and even your webcam and microphone.
The surest way to prevent this is to NEVER click on links or open attachments in emails. That is not realistic advice, however, so let's talk about sensible ways to defend yourself from these attacks.
How To Protect Yourself Against Phishing
Always Verify A Strange Email
A quick and easy way to check the authenticity of an email is to contact the person who apparently sent it and ask whether they did. Do this through a channel you already trust (a phone number you already have, a chat message, a word in person) rather than by replying to the email or calling a number it contains, since the attacker controls those. So if that coworker sends you what appears to be photos, quickly check with her that she emailed them before opening them. If your bank sends you something with an attachment, don't open it until the bank has confirmed it sent it. Your bank will rarely email you asking for your credentials or send you an attachment, but it is still best practice to verify before trusting a strange email.
Always Use A Password Manager
The great thing about password managers is that while a lookalike URL can fool you, a password manager is not fooled by it: it matches the domain of the page you are on against the domain it saved the credential for, and if they differ it simply refuses to auto-fill. If your password manager does not offer to fill a login page, that is your cue to double-check where you are. On the right URL it fills in the login as normal. Add to that the fact that a password manager lets you generate and use a unique, complex password for every site, which further limits the damage if one does leak, and it's a no-brainer.
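The domain check described in the credential harvesting section above, and the matching decision a password manager makes, as an added example that is not code from the original post. It reads the real domain out of a URL the way the address bar does, compares it with the domain the site really uses (the way a password manager compares it with the saved credential's domain), and flags the tricks described above: a swapped letter (netllix.com), a dropped dot (wwwgmail.com), the real name buried as a subdomain of someone else's site, and URL shorteners that hide the destination. The domain lists, the sample links and the one-label public-suffix simplification are assumptions made for this example.

```python
"""Which site does this link really go to?

Added example, not code from the original post. classify_url() is the check
to make before typing a password; should_autofill() is the decision a
password manager makes for you. All domain lists and sample links are
constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed for this example: which registrable domains each site really uses.
# Gmail legitimately signs you in at accounts.google.com, hence two entries.
EXPECTED_DOMAINS = {
    "netflix": ("netflix.com",),
    "gmail": ("gmail.com", "google.com"),
}

# Constructed for this example: public shorteners whose host name says nothing about the target.
URL_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def registrable_domain(host):
    """Return the 'example.com' part of a host name, which is what a password
    manager matches on. Simplification (an assumption of this example): the
    public suffix is one label, so bbc.co.uk would wrongly come out as co.uk;
    real code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance. Registrable domains one or two edits apart are the
    signature of a swapped, dropped or added letter (netflix.com -> netllix.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, expected_domains):
    """Classify a link that claims to lead to one of expected_domains.

    Returns 'ok', 'shortener', 'lookalike' or 'unrelated'. Only 'ok' means the
    page is served from the site you think it is; anything else is a reason
    not to type a password. urlsplit ignores everything before '@' in the
    authority, so https://netflix.com@evil.example/ is seen as evil.example,
    which is also what the browser's address bar shows.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    site = registrable_domain(host)
    if site in URL_SHORTENERS:
        return "shortener"          # real destination hidden; expand it first
    if site in expected_domains:
        return "ok"                 # exact registrable-domain match
    for good in expected_domains:
        # The real name appears inside a different domain: wwwgmail.com
        # (dropped dot) or netflix.com.evil.example (real name as a subdomain).
        if good in host:
            return "lookalike"
        # One or two characters off the real name: netllix.com.
        if edit_distance(site, good) <= 2:
            return "lookalike"
    return "unrelated"


def should_autofill(saved_url, current_url):
    """What a password manager decides: fill only when the registrable domain
    of the current page equals the one the credential was saved for."""
    saved = registrable_domain(urlsplit(saved_url).hostname or "")
    current = registrable_domain(urlsplit(current_url).hostname or "")
    return bool(saved) and saved == current


if __name__ == "__main__":
    # Constructed sample links, as they might arrive in an email.
    samples = [
        ("netflix", "https://www.netflix.com/login"),
        ("netflix", "https://netllix.com/login"),
        ("netflix", "https://netflix.com.account-check.example/login"),
        ("netflix", "https://netflix.com@evil.example/login"),
        ("netflix", "https://bit.ly/3abcXYZ"),
        ("gmail", "https://wwwgmail.com/"),
        ("gmail", "https://accounts.google.com/signin"),
    ]
    for site, link in samples:
        print(f"{classify_url(link, EXPECTED_DOMAINS[site]):<10} {link}")
```

The important design point is that every verdict is derived from the host name the URL actually resolves to, never from how the page looks or what appears before an "@" or inside the path. That is exactly why the password manager's refusal to fill is such a reliable signal: it compares registrable domains, and a lookalike domain is a different registrable domain no matter how convincing the page is.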
Open Suspicious Attachments With Google Docs
If you receive a strange attachment in an email, you can usually open it in Google Docs rather than on your own computer. Google Docs opens Word, Excel and PowerPoint files in the Google cloud, so nothing is opened or run locally: open Google Docs, import the file into Docs, Sheets or Slides, and you can read it safely there. Any links inside the document are still untrusted, though, and the same advice about checking URLs applies to them.
Remember: if you ever get a strange email with a suspicious link, attachment or instructions, verify before clicking. It is the only reliable way to stay safe against increasingly crafty and cunning phishers and their plausible-looking emails. If you need help getting to grips with phishing emails, come and talk to ITSEC. We have deep experience helping organizations defend themselves against phishing and spear phishing attacks.