Phishing - big pond or secure pond? Your choice!
Phishing is now THE most common tool used by cyber criminals and is something we prioritise in any cyber security awareness campaign. If you have just emerged from a cryogenically frozen state, and are blissfully unaware of phishing, here is a brief overview…
The attacker creates an email full of lies and trickery in the hope you will fall for it and click a link, open an attachment or carry out some other action. Phishing isn’t limited to email: smishing (SMS) and vishing (telephone) scams are also on the rise. All three are essentially old school confidence tricks, but they usually lean on technology to seem more believable, such as URL masking, look-alike domains and spoofed email addresses or websites.
When the unsuspecting recipient clicks the link or opens the attachment it delivers its nasty payload. That may be a fake login page that harvests usernames and passwords, or malware that gives the attacker access to your device, encrypts your data or steals your bank details. The list of consequences is limited only by the attacker’s imagination and coding skills, or in most cases their ability to run someone else’s scripts. Google ‘script kiddies’!
It’s a really big pond.
So now we have brought you right up to date, we should look at why it is the most common method of attack. In short, the target audience is HUGE. A generic phishing email can be created easily and sent to mailing lists of thousands of people. Commonly quoted industry figures put it at around 30% of phishing emails being opened and around 25% of those opened resulting in a clicked link.
So what does that look like in real life?
Take this obviously fictitious example. I have created an email that looks like it is from a popular auction website stating that your account has been suspended due to suspicious transactions, and asking you to click the link to resolve the issue before your account is closed permanently. There is a deadline to instil panic, which, along with greed, is an attacker’s favourite emotion to evoke. Now, I deliver this email to 100,000 people. Let’s say 25% do not have an account with that auction site and ignore the email. Let’s say another 25% never see it because their spam filter catches it. Finally, for argument’s sake, let’s say a further 20% recognise it as a scam. That leaves our 30%, or in real terms 30,000 people.
If the figures are to be believed, 25% of that pool click the link: 7,500 people. That is potentially 7,500 devices compromised, 7,500 usernames and passwords collected, 7,500 ransom demands. All of these outcomes have a price on the dark web, so this is a pretty lucrative day for me, given this was a speculative attack on people I did not even know existed.
Can we make the pond smaller?
The pond is only getting bigger. More people come online, more email addresses are registered, more people are targeted. The question should be: can we make the pond more secure? Yes, of course we can, and it is all about basic cyber security awareness. Knowing what the threats are and how to recognise them when they appear is the first line of defence.
My top 3 tips:
· Learn to inspect a URL thoroughly. Do you know the true destination of the link you are clicking? Hover over it to find out (ALERT: do not accidentally click it!). Do you know which part of the address is the real domain? The owner of a domain can put any name they like in front of it, so a link to auctionsite.example.verify-login.net belongs to verify-login.net, not to the auction site. Do you know what different file extensions mean, and that invoice.pdf.exe is a program, not a PDF?
· Make a cup of tea before you click a link! When something triggers an emotion, the stress response floods your brain and crowds out the part that makes rational decisions. Do not panic, there is a cure: time. If you feel yourself becoming emotionally charged after reading an email, take 5 minutes away from the screen and re-read it. You will be amazed how differently you see it.
· Critical thinking. I am normally a very happy-go-lucky chap, but every now and again I do like a bit of cynicism. If you receive an email you are unsure of, put your cynical head on for a bit. Who sent it? Were you expecting it? Is the request reasonable? Is the content plausible? Has it got your emotions flowing? Is it too good to be true? You may well become a grumpy old goat, but at least you’ll be a grumpy old goat with your online integrity well and truly intact.
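As an added illustration of the first tip (this is example code written for this page, not part of the original article or any product), here is a small Python script that does the hover-and-inspect check mechanically: it works out which part of a link is the domain somebody actually had to register, flags the usual tricks (brand name stuffed into a subdomain, text before an ‘@’, a raw IP address, a punycode label) and checks attachment names for executable or double extensions. The URLs, domains, filenames and the tiny suffix table are all constructed for the example; a real tool would use the Public Suffix List instead of that table.

```python
"""
Added example (not from the original article): a small link and attachment
triage helper that automates the "inspect the URL" tip. All URLs, filenames
and the suffix table below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Real tools use the Public Suffix List to find the registrable domain;
# this tiny table is an assumption that covers the sample inputs only.
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.nz", "co.jp"}
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "jar", "lnk", "ps1", "iso"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Return the part of a hostname the attacker had to register.

    Everything to the left of it is a subdomain the domain owner can set
    freely, which is how 'auctionsite.example' ends up inside a hostname
    the real auction site does not control.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_url(url: str, expected_domain: str) -> list[str]:
    """Return warnings for a link that claims to belong to expected_domain."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    expected = expected_domain.lower()

    if parts.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {parts.scheme!r}")
    if parts.username is not None:
        # https://auctionsite.example@evil.net/ goes to evil.net; the text
        # before '@' is userinfo that the browser does not treat as the host.
        warnings.append("text before '@' is userinfo, not the destination host")
    if IPV4.fullmatch(host):
        warnings.append(f"raw IP address {host} instead of a hostname")
        return warnings
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (xn--): possible look-alike characters")
    actual = registrable_domain(host) if host else ""
    if actual != expected:
        brand = expected.split(".")[0]
        if brand in host:
            warnings.append(f"'{brand}' appears in the address but the real domain is {actual!r}")
        else:
            warnings.append(f"real domain is {actual!r}, not {expected!r}")
    return warnings


def inspect_filename(name: str) -> list[str]:
    """Return warnings for an attachment name."""
    warnings = []
    if "\u202e" in name:
        # A right-to-left override reverses how everything after it is
        # displayed, so the extension you see is not the one that runs.
        warnings.append("contains U+202E right-to-left override; displayed name is misleading")
    parts = name.lower().split(".")
    if len(parts) < 2:
        return warnings
    ext = parts[-1]
    if ext in RISKY_EXTENSIONS:
        warnings.append(f"executable extension .{ext}")
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
        warnings.append(f"double extension: looks like .{parts[-2]} but will run as .{ext}")
    return warnings


if __name__ == "__main__":
    # Constructed samples modelled on the auction-site scenario above.
    samples = [
        ("https://www.auctionsite.example/account/review", "auctionsite.example"),
        ("https://auctionsite.example.verify-login.net/account", "auctionsite.example"),
        ("https://auctionsite.example@198.51.100.7/login", "auctionsite.example"),
    ]
    for url, expected in samples:
        print(url, "->", inspect_url(url, expected) or ["no obvious problem"])
    for fname in ("statement.pdf", "statement.pdf.exe"):
        print(fname, "->", inspect_filename(fname) or ["no obvious problem"])
```

The point of `registrable_domain` is the one that catches most people: the browser only cares about the rightmost labels, so read the hostname from the right, not from the left where the attacker has put the familiar name.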
If you would like to learn about how simulated phishing attacks can be used to educate people in a safe environment please get in touch.