Scott Algeier
Executive Director, IT-ISAC
Phishing is among the oldest and most common techniques used by cyber attackers, as it is a cheap and highly effective method of stealing data, identities, and money. It is important to know how to spot and stop these attacks.
A phishing attack baits potential victims with fraudulent emails, using compelling subject headings, often related to current events, designed to get the recipient to open the message and click on a link or attachment that installs malware on the machine. Many phishing victims are the random result of cybercriminals blasting millions of emails at once, with the expectation that someone will be fooled into clicking the link.
Other victims are targeted through “spear phishing,” when an attacker sends an email to a specific person with an apparently legitimate reason for the email. For example, attackers frequently pose as senior executives at an individual’s workplace, sometimes by taking over the exec’s real email address, with messages tailored to the recipient. So, a phishing email sent to an accountant might request that money be transferred to an outside bank account. Of course, this account belongs to the attacker and the victim never sees the money again.
To pull this off, attackers use personal details gathered from social media accounts and basic internet searches. Searches can reveal places of residence, family relations, and dates of birth. Cyber criminals also scour professional networking sites to identify the right targets for a spear phishing attack.
Phishers may also lure victims by linking to a scam website in the message, controlled by the attacker, that mirrors that of a trusted business like a bank. You can often spot these frauds by inspecting the domain name: the fraudulent site adds a special character or an extra letter to the domain name, making it similar to but distinct from the legitimate website. The goal is to get recipients to enter their credentials or personal information into the attacker-controlled site.
There are ways to prevent being victimized by such attacks. First, do not click on unexpected links or documents. Second, pay attention to the email domain of the sender and the websites you visit. If your bank’s domain ends in “.com” but you receive an email claiming to be from your bank sent from a “.co” address, you have a phishing email. Third, if you receive a suspicious email from someone you know, call them. Since the attacker is sending the email from an account they control, using the “reply” function to confirm their request is of little value. And finally, protect yourself by leveraging anti-spam technologies.
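The two domain checks described above, the extra letter or special character in a look-alike domain and the swapped top-level domain (“.co” instead of “.com”), can be automated on the sender's address so that a mail gateway or a triage script flags them before a person has to notice. The following is an added example, not code from the author or from IT-ISAC. The trusted-domain list and the homoglyph table are constructed for illustration, and the domain is split on its last two labels, which approximates multi-part TLDs such as co.uk; a real deployment would use a public-suffix list and the organization's actual domains.

```python
import re

# Constructed for this example: domains the reader's organization trusts.
TRUSTED_DOMAINS = ("examplebank.com", "example-corp.com")

# Characters attackers substitute for visually similar ones (constructed list).
# Each entry maps the look-alike sequence to the character it imitates.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

# Matches the address part of a From: header such as 'Bank <alerts@examplebank.com>'.
_ADDR_RE = re.compile(r"<?([^<>\s@]+@([^<>\s@]+))>?\s*$")


def sender_domain(header_value):
    """Return the lower-cased domain of a From: header, or None if no address is present."""
    m = _ADDR_RE.search(header_value)
    if not m:
        return None
    return m.group(2).lower().rstrip(".")


def normalize(domain):
    """Fold common homoglyph substitutions so 'examp1ebank' compares equal to 'examplebank'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 is one added, dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (name, tld) from the last two labels; multi-part TLDs are approximated."""
    labels = domain.split(".")
    if len(labels) < 2:
        return domain, ""
    return labels[-2], labels[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return (verdict, trusted_domain_it_resembles) for a sender domain."""
    if domain in trusted:
        return "trusted", domain
    name, tld = split_domain(domain)
    for t in trusted:
        t_name, t_tld = split_domain(t)
        if domain.endswith("." + t):
            return "trusted", t            # genuine subdomain, e.g. mail.examplebank.com
        if name == t_name and tld != t_tld:
            return "tld-swap", t           # examplebank.co instead of examplebank.com
        if normalize(domain) == normalize(t):
            return "homoglyph", t          # examp1ebank.com with a digit one for an L
        if edit_distance(name, t_name) == 1:
            return "lookalike", t          # example-bank.com, examplebanks.com
        if t_name in name:
            return "embedded", t           # examplebank-secure.com wraps the real name
    return "unknown", None


def classify_sender(header_value, trusted=TRUSTED_DOMAINS):
    """Classify the From: header as a whole; unparseable headers are flagged rather than passed."""
    domain = sender_domain(header_value)
    if domain is None:
        return "unparseable", None
    return classify_domain(domain, trusted)


if __name__ == "__main__":
    # Constructed sample headers; none of these addresses are real.
    for header in (
        "Alerts <alerts@examplebank.com>",
        "Alerts <alerts@ExampleBank.co>",
        "Security <no-reply@examp1ebank.com>",
        "Payments <ap@example-bank.com>",
        "Support <help@examplebank-secure.com>",
    ):
        print(f"{header!r:45} -> {classify_sender(header)}")
```

Anything other than "trusted" is a reason to pick up the phone rather than reply, exactly as the third step above recommends; the verdict names only which trick the domain resembles, so the script is a triage aid, not a proof that a message is legitimate.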