This year’s cyber security awareness month provides a timely reminder of the increasingly dangerous threat landscape facing organizations and individuals. The accelerated shift to digital during COVID-19 has dramatically expanded the attack surface for cyber-criminals; therefore, the general public needs to learn, and learn fast, about the digital threats they face and how to mitigate them. This year’s theme of “Do Your Part. #BeCyberSmart” captures this concept nicely.
One attack vector that has exploded in the past 18 months is phishing, with cyber-attackers taking advantage of the growing number of people using the internet for everyday services and work. It is why week two of this year’s cybersecurity awareness month was dedicated to this vector, under the slogan of ‘fight the phish.’
So for cybersecurity novices, what exactly is phishing? In essence, it revolves around malicious actors sending messages that aim “to trick unsuspecting users into interacting with a fake website or download malware that can steal sensitive information or money,” explained Bindu Sundaresan, director of AT&T Cybersecurity.
The attackers rely on the recipients taking actions for this technique to work – typically, clicking on a malicious link or volunteering personal details, such as payment information. To trick individuals into taking these steps, the messages aim to induce the user into making rash and often panicked decisions. Trevor Morgan, product manager at comforte AG, commented, “It may be an email saying that your antivirus software (that you don’t own) has been renewed at an outrageous annual cost. Or, it may be one of those “You’ve won!” messages. Each approach tries to elicit an emotional reaction which then causes the user momentarily to do something without fully thinking it through.”
"While phishing attacks are common throughout the year, hackers are opportunistic and will look for high-profile events or disasters to increase their attacks"
The COVID-19 crisis has proved to be particularly effective at producing such reactions. Sundaresan noted, “While phishing attacks are common throughout the year, hackers are opportunistic and will look for high-profile events or disasters to increase their attacks. For instance, when relief was being set during the pandemic, scammers were targeting well-wishers with unsolicited messages with fake charity appeals.”
Recently, a study found that nearly a quarter of Brits received phishing emails asking them to download their ‘proof of vaccination’ in the past six months.
There have also been a number of new phishing trends emerging during the pandemic, aside from the increased volume of attacks. While email is the method most commonly associated with phishing, other forms of digital communication are increasingly being utilized for this purpose. Hank Schless, senior manager of security solutions at Lookout, explained, “People traditionally think of phishing as an email-only problem, but in recent years there has been a massive increase in phishing across SMS, social media platforms, third-party messaging apps and even dating apps.”
Another concerning trend is the general improvement in the quality and plausibility of phishing messages. For example, “these campaigns can be difficult to spot as they use very similar verbiage and branding to the company they are trying to mimic,” according to Sundaresan.
Anurag Kahol, CTO at Bitglass, added, "Modern phishing attacks are very well targeted, can be difficult to detect, and aim to grant malicious individuals broad permissions over user data, user devices and online services. The days of basic phishing schemes have more or less passed. Attacks now rely on advanced forms of infiltration that better disguise malicious intent.”
Given this landscape, the general public must be better educated about detecting phishing messages and what they need to do when they come across one.
Think Before U Click
As mentioned, phishing messages are designed to elicit an emotional response that generates immediate action on the user's part. Therefore, a fundamental piece of advice is to pause and consider whether the message may be trying to trick you or not. Jakub Lewandowski, global data governance officer at Commvault, pointed out, “The theme for this year’s cyber security awareness month is ‘think before u click,’ and a simple message has never been so important.”
Some basic checks should be carried out to look for indicators of phishing during this process. This should begin with the sender’s email address. “Pay attention to subterfuge such as strange sender email addresses that resemble common ones but are slightly modified,” said Morgan. Bad grammar and spelling mistakes are another suspicious sign. “Be very wary of oddly phrased language, especially in greetings,” continued Morgan.
“A language that creates urgency, spelling mistakes, and generic salutations are also suspicious signs that should alert the recipient that the message might be a scam,” added Tim Erlin, VP of strategy at Tripwire.
Additionally, users should check the URL of any link in a message before clicking on it. If the link appears to be going to an address that differs from the organization the message is purportedly from, steer well clear. Erlin commented, “Users are invited to always inspect links received via email by hovering over the URL and to never download attachments from unknown senders.”
However, sophisticated phishing messages won’t give away such tell-tale signs, especially those tailored towards specific individuals. Erlin said, “Other types of phishing scams, such as spear phishing, are more targeted and are more likely to make it into an employee’s inbox. These are emails that use a more ‘personal touch’ and therefore look more legitimate. Fraudsters will customize the email with their target’s name, position, company, work phone number, or any other personal information they might have gotten their hands on.”
In these instances, recipients are advised to undertake more extensive research. Schless said, “You can always validate communications by reaching out to the organization that the message claims to be from.
“For example, if you get a message claiming to be from the IRS or your bank, look up their number online and call to see if someone can confirm that the message came from them.”
Don’t Send Sensitive Data
People also need to be aware that legitimate organizations should never request any personal information via mediums such as email. Morgan stated, “Know that most organizations won’t ever reach out to you and ask for sensitive information through email – the social security administration, for example, would never ask you in an email to resend your social security number.”
Therefore, you should take on a suspicious attitude when any information is “requested about people, accounts, customers or anything of a sensitive nature,” advised Morgan, adding, “Do not transmit sensitive information, account information, payment information or anything else via email.”
Always Report
After undertaking the above checks and measures, it is strongly recommended that people report any suspicions they have about messages to an appropriate body. This is an important element of the wider fight against phishing, helping prevent others from becoming victims.
"Do not transmit sensitive information, account information, payment information or anything else via email"
Jamie Akhtar, CEO and co-founder of CyberSmart, explained: “The most important thing you can do is to report the phish. By making the authorities or your organization aware of the threat, they can take the necessary steps to remove the email from circulation and warn others. Therefore, preventing more people from falling for the trick.”
If a suspicious message is received in your work email, for example, your organization’s IT team will be the obvious party to inform. If received on a personal email, “delete the email but also consider alerting an anti-phishing organization. The FTC is a good place to start,” outlined Morgan.
How Should You React to Making a Mistake?
Given the sheer scale of phishing attacks, no matter how careful and vigilant you are, there is always a chance of making an error and clicking a malicious link or downloading a malicious attachment. There is no shame in being duped, and steps can be taken to mitigate the potential damage caused. Sundaresan advised, “As a consumer, if you happen to make the mistake of clicking on a phishing link or downloading a malicious attachment, follow these steps to minimize the repercussions – disconnect the device, scan for malware, change your credentials, set up fraud alert and set up email and web content filtering at the minimum.”
If possible, try to obtain the help of security professionals to undertake such tasks. Niamh Muldoon, global data protection officer at OneLogin, said: “Disconnect your device from the internet and seek help from an IT professional who can assist in scanning for viruses or malware.”
Time is of the essence in these situations, and there are several quick steps users can take themselves. Schless said: “If you accidentally click on a link and fall victim to a phishing attack, immediately change all of your passwords and notify entities like your bank and healthcare provider. Attackers often go to those places first in order to steal funds or valuable personal data.”
Implement Security Solutions
There are also proactive measures users can take to help protect their data and devices in the event they are phished. One is ensuring you do not lose your system’s files and data if a malicious file is accidentally downloaded on your device. This can be achieved by “ensuring all your data and files are backed up, whether in the cloud or on an external hard drive,” advised Muldoon.
In addition, as phishing attacks often result in credential theft, it is important to set up multi-factor authentication across all online accounts. “This ensures that even if your credentials are stolen, cyber-criminals will have a harder time accessing your accounts as they will have to verify their identity through an alternative method,” explained Muldoon.
Online users should also consider setting up a sandbox, essentially a security mechanism for separating running programs in a safe, isolated environment. This will enable any email attachments to be opened without the danger of it affecting the overall network. Paul Bischoff, privacy advocate at Comparitech, commented, “You can set up your own sandbox, but many email and webmail clients now come with sandboxes built in. Gmail users, for example, can take advantage of Security Sandbox, which allows you to customize scanning rules for attachments.”
It is important to remember that despite the rising threat of phishing attacks, most attempts can be spotted by following some pretty simple practices. These should revolve around the principle of ‘think before u click,’ ensuring you are never rushed into doing anything a message is prompting you to do, especially if it entails clicking a link or giving away personal data. Educating the population on this will undoubtedly go far in tackling the scourge of phishing that is currently plaguing all of our emails, texts and social media accounts.