Dave’s note: Our guest author this week is Kevin McDonald, Executive Vice President and Chief Information Security Officer at Alvaka Networks, a network services and security firm in Irvine, California. He is a trusted technology and security consultant and public policy advisor to some of America’s most influential people and organizations.
By Kevin McDonald
Phishing, a play on the word “fishing,” is a dangerous form of executive or CEO email fraud, and is negatively impacting individuals and companies worldwide. You certainly have seen some form of this social engineering – where criminals pretend to be an organization or individual such as the IRS, a creditor, partner, CEO/CFO or other key executive.
The goal is to “phish” a person into taking actions they shouldn’t. An attack may involve a call demanding payment to the phisher for past-due invoices from a legitimate supplier, or a request to verify credit card data in order to facilitate the fraudulent transaction. Phishing can hook you through infected emails, through links to a fake website containing malware, or through information-capturing forms you are asked to complete.
Many websites have been hacked and seeded with malicious software, or were set up from the start to host it. A successful attack can lead to you or one of your associates handing over highly sensitive personal details about yourselves, your customers or your employees, including social security numbers, usernames, passwords and banking information. Phishing victims have been known to transfer large sums of money in response to appeals, threats or claims.
Some attacks are rudimentary, but watch it! Sophisticated attacks fool highly astute users. “Spear phishing” is directed at specific individuals or groups and is especially effective. From IT staff to controllers, many comply with a phisher who has done their homework. Attackers use social media and professional pages to understand their targets. Being rushed to respond and clear a task, aiming to please when it seems appropriate, or fearing threats to leadership or to the organization under attack can easily lead to mistakes.
So what does phishing look like? You may recognize some obvious attempts yourself. For example, you receive a PayPal email revoking your credit, but the email contains obvious grammar and spelling errors, and you don’t have a PayPal account. You may have received a notice of default for some critical service you do or don’t have – along with a request to transfer money outside of the normal payment channel.
Attacks have resulted in losses from a few dollars to hundreds of millions. Anthem Blue Cross, for example, may be a phishing victim. It reportedly suffered a phishing attack that exposed an estimated eighty million patient records. The attack is believed to have started with custom malware sent to Anthem IT staff. Unfortunately, patients were further victimized when they were then targeted with fake Anthem emails offering credit protection. According to a recent lawsuit filed by a New York U.S. Attorney, another unnamed company was phished for nearly $100 million and, luckily, has so far recovered much of that. FireEye has reported Apple phishing campaigns using fake Apple domains to lure victims into providing Apple Store IDs and passwords. The list goes on, and becoming a victim is not difficult.
So, what can you do?
- Slow down and pay attention with skepticism when something seems “not just right.”
- Use email clients or services with pre-delivery scanning.
- Don’t open emails from unknown sources.
- Never use an administrator account to surf the web or open email.
- Read URLs very carefully to be sure they are legitimate (microsoft.com is not www.microsft.com).
- Read email addresses carefully and verify them (email@example.com is not Joel@outlok.com).
- Look for improper grammar and language patterns that appear to be foreign or don’t fit the person or organization represented.
- Avoid account verification, updates or other requests for you to click a link, log into a website or provide information.
- Never enter data into a pop-up.
- Never open an unsolicited attachment or link.
- Use secondary authentication and two-factor authentication (a code sent to your cell phone after you enter your username and password) for financial transactions.
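The URL and email-address checks in the list above can be partly automated. The following Python checker is an added example, not code from the author or Alvaka Networks; the trusted-domain list and the character-substitution table are constructed assumptions, and the registrable-domain step is a naive last-two-labels cut rather than a public suffix list lookup.

```python
from urllib.parse import urlparse

# Constructed list of domains this organization considers legitimate (assumption).
TRUSTED_DOMAINS = {"microsoft.com", "outlook.com", "paypal.com", "example.com"}

# Constructed table of character swaps commonly seen in lookalike domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_host(value):
    """Pull the host out of a URL, a bare hostname, or an email address."""
    value = value.strip()
    if "@" in value:                      # email address: keep the part after '@'
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:                # bare host: give urlparse a scheme
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable_domain(host):
    """Naive registrable domain: last two labels (a real tool should use the PSL)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize(domain):
    """Undo common look-alike substitutions so paypa1.com compares as paypal.com."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def classify(value, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike of <domain>', or 'unknown' for a URL or address."""
    host = extract_host(value)
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    best = None
    for t in sorted(trusted):
        # Distance 0 if it only differs by homoglyphs, or if a trusted brand is
        # buried as a subdomain of an unrelated registrable domain.
        dist = 0 if normalize(domain) == normalize(t) or t in host else levenshtein(domain, t)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, t)
    return f"lookalike of {best[1]}" if best else "unknown"
```

Run `classify("www.microsft.com")` or `classify("Joel@outlok.com")` to see both examples from the list flagged; an address with an unrelated domain such as github.com comes back as "unknown" rather than a false match.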
With all of these precautions, you’ll be unlikely to go on an unwanted and dangerous phishing trip.