What is Phishing? If you have never heard of this term before, it is time to get caught up, and quickly. As defined by Merriam-Webster, phishing is a scam by which an Internet user is duped (as by a deceptive e-mail message) into revealing personal or confidential information which the scammer can use illicitly. With the new reality of working from home due to COVID-19, there has been an alarming increase in the number of attempted phishing attacks.
For some time now, phishing schemes have been hackers' go-to method of cyber-attack, partially due to the ease with which existing emails, text messages, and other communications can be mimicked. COVID-19 has created an environment of uncertainty and an increased number of access points, which bad actors have already exploited and will continue to exploit. We at Capsicum are focused on serving your needs, and we want to provide you with a playbook on how to identify and avoid phishing attacks.
Types of Phishing Attacks:
While phishing attacks are most commonly known for being in email form, that isn’t the only way bad actors are presenting this method of cyber-attack:
If you have heard of the term phishing before, it was more than likely email phishing. This style of attack is by far the most common due to its ease of creation and its ability to reach large numbers of people. Bad actors will send emails from what appear to be familiar domains, but with minor changes, hoping to trick the individual into thinking this is a trusted email. An example of this might be receiving an email from Susan@gmail.co instead of Susan@gmail.com. If you are not paying attention, you might not notice the missing 'm' in the first email address and end up believing you are communicating with a familiar source.
Like the above-mentioned email phishing, this type of attack also occurs through email, but with an added layer of sophistication. These attacks target a specific individual, often with the bad actors already holding some personal information about their target. An example would be an email that appears to be from a retail store the recipient has recently ordered from; however, the retail brand and logo are spoofed and the email is designed to harvest login credentials.
This form of phishing attack targets "bigger fish," often senior executives who have increased levels of decision-making power. While the end goal is the same as an email or spear phishing attack, these attacks are often more carefully planned, using items such as tax forms in attempts to gather PII (Personally Identifiable Information). With access to executives and high-ranking individuals, bad actors believe they will be able to inflict maximum impact.
Though many of the attacks you are probably familiar with involve emails, this type of attack involves hackers sending text messages to their targets. Sometimes these come in the form of payment requests; other times, these come in the form of promotional offers asking you to share your information or the information of your contacts.
This type of attack leverages social media in an attempt to have you access fake URLs, cloned websites, posts, etc. For instance, when a customer of a restaurant, retailer, or banking institution airs a grievance about the company over social media, a hacker using angler phishing tactics can masquerade as a customer support agent for the company. They can then message the disgruntled customer in an attempt to deceitfully elicit the customer's personal account information. Angler phishing is a newer method of attack being used by bad actors, but it cannot be ignored. Social media isn't going away anytime soon; if anything, it is becoming more prevalent in our everyday lives.
How to Identify and Evade Phishing Attacks:
Now that you are familiar with the different types of phishing attacks, let's dive into some best practices you should follow to handle them:
- Always check the sender: A good habit to get into is checking the sender each time you receive an email, text message, or other form of communication. While this may seem like an unnecessary and cumbersome task, it has the potential to pay enormous dividends. As mentioned earlier, hackers will often mimic commonly used email addresses and change just one character in an attempt to trick you.
- Hyperlinks: Checking hyperlinks prior to clicking them or sharing them with others is also crucial. First, ask yourself whether you were expecting to receive a link from the sender. Next, review the actual link to make sure there are no misspellings. You can also reach out to the sending party and ask them whether the communication or link is legitimate.
- Sense of Urgency or Too Good to be True: Offers or requests that are too good to be true probably are. A common tactic is to create a sense of urgency by placing an expiration date on said offer in attempts to get us to act without thinking. As an example, I received an SMS message earlier this week from an unknown third party claiming that they were offering a $100 gift certificate to Starbucks for sharing the message with eighty-five other individuals. This promotion attempted to raise a sense of urgency by noting that it would expire within the hour, with the goal of gaining access to contacts of mine.
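One way to automate the sender and hyperlink checks described above, as an added example that is not part of Capsicum's post: the trusted-domain list and the sample message are constructed, and any domain within one character edit of a trusted domain (such as the missing 'm' in gmail.co) is flagged as a lookalike rather than treated as unknown.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the reader actually corresponds with (assumption).
TRUSTED_DOMAINS = {"gmail.com", "example.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Domain part of an email address (after the last '@'), lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_domain(domain: str) -> str:
    """'trusted' if allow-listed, 'lookalike' if one edit away from a trusted domain, else 'unknown'."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= 1:
            return "lookalike"
    return "unknown"


def check_message(sender: str, body: str) -> dict:
    """Classify the sender's domain and the host of every http(s) link in the body."""
    findings = {"sender": classify_domain(domain_of(sender)), "links": {}}
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        findings["links"][url] = classify_domain(host)
    return findings


if __name__ == "__main__":
    # Constructed sample: the lookalike sender from the post plus a lookalike link.
    print(check_message("Susan@gmail.co", "Reset here: https://gmail.co/reset"))
```

A "lookalike" verdict means the address is one character away from a domain you trust, which is exactly the case a quick visual check is most likely to miss.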
While we have provided you with some tips and techniques on how to identify and avoid phishing attacks, it is important to continuously enhance your knowledge. As hackers continue to evolve their techniques, we have a duty to keep learning. Monitoring trusted government sites such as the Cybersecurity and Infrastructure Security Agency, the Federal Trade Commission, the National Cyber Security Centre, the Australian Cyber Security Centre, and others for updates is a valuable way to self-educate in an effort to stay ahead of hackers.
Should you have any questions or believe you have been a victim of a phishing attack and need assistance, please contact us at 215.222.3101.
Capsicum was founded in 2000 within the law firm of Pepper Hamilton, LLP. Charged with providing technology consulting support to their clients, we soon realized that the need to understand, collect, and forensically analyze digital data went far beyond what we were handling: We began our journey as general technologists, but quickly became specialists in digital forensics. Our areas of expertise soon evolved and expanded into forensic investigations, cybersecurity, discovery, electronic and paper recovery, security, regulatory compliance, and incident response retainers. In 2002, Capsicum became the independent consulting company that focuses on these core services. Employing high-caliber experts and a unique understanding of data, technology, and the law, we support organizations that need technological proficiency to run their companies and when they come face-to-face with difficult tech, legal, and regulatory situations. Capsicum is headquartered in Philadelphia, PA with offices in New York, Florida, Texas, and California.