Don't Take the Bait: Understanding and Preventing Phishing Attacks

Scammers and hackers are increasingly using email attacks to commit identity theft and steal sensitive information.  While the popular portrayal of a hacker is someone exploiting defects in software and hardware to steal information, the truth is that most breaches are the result of a person unwittingly handing over the keys to the castle without a shot fired.  A report by Verizon shows that two-thirds of data incidents can be traced back to an email attack known as “phishing.”

Phishing attacks are attempts to trick the recipient with an email that appears to be from a trustworthy person or company.  Phishing emails either seek to trick the recipient into disclosing personal, sensitive, or financial information or installing malware on the recipient’s computer.  Phishing emails usually share many of the same characteristics, to wit:

  • They often look in large part like an email from either a person or company you know (Microsoft, Facebook, a bank, a family member, etc.)
    • The scammer will often use the graphics and logos of the site from which the email claims to originate
    • The email will use a name on the “to:” line that looks legitimate (e.g. “Facebook Administrator” or “Microsoft Helpdesk”)
  • They often contain one or more web links and attempt to get you to click on the link(s) for some reason
    • The links will appear to be legitimate, but actually route you to phony or scam sites
    • The links can lead to the downloading of malicious software on the users computer or a phony website that will ask for the recipient’s information
  • They often contain a sense of urgency, a threat, or indicate that a response is needed immediately (e.g., if you don’t send the requested information, your account will be permanently blocked)
    • The threats are designed to get the user to fall into the trap
    • Such messages may also state that an unauthorized transaction is being reported regarding a bank or other sensitive account in an effort to get the recipient to respond quickly with personal information

Because phishing attacks rely on tricking people, the only way to combat them is to educate email users on these attacks.  Some warning signs are:

  • The email asks you to go to a website to verify personal information
  • The email conveys urgency and is trying to get you to act quickly to avoid some kind of negative consequence
  • The quality of the email is poor in terms of spelling and grammar
  • The links in the email are invalid or mismatched
  • The email is not addressed to you personally, but is more generic, such as “Dear Customer [Account Holder, etc.]”
  • The email is not from an email that is associated with the company or organization that is claimed in the message

Though many of the foregoing are easy to spot, some attacks can be quite sophisticated.  Because users have learned to be suspicious of unexpected requests for confidential information (such as the Nigerian Prince scam), would-be scammers have become more clever.  Many now use a variety of tactics called “social engineering.”  Social engineering refers to using manipulation to trick users into divulging confidential information, usernames and passwords, etc.  Some common tactics of social engineering:

  • Spear phishing – the messages appear to come from a trusted individual (e.g.,  your mother, friend, boss, or coworker), not a company
    • Such attacks require more time and research by the scammer
    • Information that could be used in such an attack is often available online (e.g., biographical information from online profiles, obituaries, etc.)
    • If an individual falls prey to a spear phishing attack, the scam artist may be able to masquerade as the person who fell for the attack to target others in that person’s circle or organization
    • The appearance of trust is very effective
    • This power is also known as the “Colonel effect”—a security agency sent out a message to 500 West Point cadets claiming to be a “Colonel Robert Melville” and providing a phony link asking the cadets to click it to “verify grades,” 80% of the cadets fell for the ruse
  • Pretexting – claiming to be something the scammer is not and inventing a scenario in which to target the user
    • Bank’s fraud department representative inquiring about a suspicious transaction
    • IT representative needing to reset your account
  • Baiting – promising something desirable in exchange for usernames or passwords to some site
    • Bait can be promises of free books, movies, or videos
    • Not only limited to email as some scammers will leave behind USB drives with malware loaded on them hoping that someone will pick one up and put it in their computer
  • Scareware – tricking the user into thinking the user’s computer is infected with a virus or downloaded illegal content, then offering a solution to the problem which is actually malware

So how can you lower the risk posed by phishing attacks? Some suggestions:

  • Explain the threat to anyone who uses your network and instruct them if they are unsure to not click on a suspicious link
  • Organizations should have a policy regarding suspicious emails that instructs users to report suspicious emails and delete them.  Chances are if you have been targeted, others within the organization will be too
  • Communicate to your employees if anyone you do business with has reported a breach so that they can scrutinize emails from that person or entity
  • On emails that appear to be reputable, hover over any links contained in the email to make sure it will take you to where it says it is directed and google the entity to make sure the web address is the proper one for the entity
    • You can get more information on a link in an email by hovering your mouse pointer over the link to see what site it will take you to
    • The information that pops up as a result of hovering is called a “hover box”
  • Never give out personal information, financial information, usernames, or passwords over email
    • Reputable sites will never solicit this information from you via email
    • Email is not a secure method of transferring that type of information in any event
  • Be cautious about opening attachments and downloading files from emails
    • Be leery of attachments you receive that are unexpected or unsolicited
    • Always make sure that the sender is known to you and hover over the name in the “to:” line to ensure that the email address is the correct one for the person allegedly sending the email
    • Files from trusted persons can still be malicious if that person was compromised
    • Note that phishing attempts can even appear to be from someone you know by name but may not be from their real account (check the email address in the to: line to confirm)
  • Confirm sensitive details over telephone
    • Many times telephonic confirmation can expose a fraudulent scheme before it is too late
    • If you receive payment information or wire instructions, call the intended recipient to confirm
    • If an email from someone you trust is asking you to do something suspicious, call them to confirm and address your concerns first
  • Never put found USB drives into your computer, they can infect your computer with malware

Obviously, prevention is the preferred method of handling data security and privacy issues.  Given the escalation in the frequency of data breach incidents, we recommend that you review your security measures regularly and develop a comprehensive plan for responding to a data breach incident.  If you suffer a breach, you may have a duty imposed by law to report the breach.

If you need assistance creating a prevention program, a response plan, or evaluating your current policies and procedures for responding to a data breach incident, please contact us. If you have already been the victim of a data breach incident, and need assistance determining how to proceed, we will be happy to assist you with this as well.

          Author:   Keith J. Fernandez
          Practice Area:   Technology Law
          Date:   May 23, 2016

Disclaimer: The information provided herein (1) is for general information only; (2) does not create an attorney-client relationship between the author or the author’s firm and the reader; (3) does not constitute the provision of legal advice, tax advice, or professional consulting of any kind; and (4) does not substitute for consultation with professional legal, tax or other competent advisors. Before making any decision or taking any action in connection with the matters discussed herein, you should consult with a professional legal, tax and/or other advisor who should be provided with all pertinent facts relevant to your particular situation. The information provided herein is provided “as is,” with no assurance or guarantee of completeness, accuracy, or timeliness of the information.