What’s the Risk, How to identify them & Deal with them
Espionage group “Pawn Storm” sends out a fake email to Gmail users with the subject line: “Your account is in danger.” The email claims there have been several unexpected sign-in attempts into the user’s account and suggests the user install the “Google Defender” app.
The email is a ruse designed to get the users to give up their special access token for their Google account. Victims who fall for the trap will be directed to an actual Google page, where they unknowingly authorize the “Google Defender” app to view and manage their email.
Even though the victim hasn’t given up a login password to their account, they have still handed over what’s known as an OAuth token. An OAuth token allows Gmail users to grant actual useful third-party apps access to their Google accounts. However, this is only one of many methods con artists can use to dupe unwitting victims.
Even employees of large internet firms are not immune to phishing attacks. CNBC reports Google and Facebook were victims of an elaborate phishing attack that targeted employees at both companies. The employees were tricked into sending upwards of $100 million to overseas bank accounts.
Lithuanian bad actor Evaldas Rimasauskas allegedly impersonated Taiwanese electronics manufacturer Quanta Computer by sending phishing emails to employees at both companies, requesting payment for goods and services.
In related news, former Secretary of Homeland Security Jeh Johnson, speaking at the Financial Crimes and Cybersecurity Symposium in New York in November 2016, told his audience the threat his department fears most is the lowly phishing email.
Phishing in 2016:
The Risk of Phishing Emails
“Phishing” is the term used to identify an identity theft scam designed to target unsuspecting users of electronic communication methods, specifically email and text messages, and trick them into giving up sensitive personal or business information that can be used to steal their identity, raid their bank accounts and more.
Crooks use fake but authentic-looking emails and websites to convince users into supplying information the bad actors can then use to make your life a living hell.
Emails and other online communications can appear to be coming from a reputable source. These include the victim’s bank, an online payments processor such as PayPal, an auction site, a law enforcement agency or even the IT department where the victim works.
Phishing puts individuals, companies, educational institutions and others at risk due to the possibility of allowing the bad guys to gain access to financial information, personal data, proprietary company information, health information, student data and much more.
In some extreme cases of being victimized by phishers, internet or financial services companies can blacklist companies and educational institutions, causing the entities and their employees to lose the ability to communicate with the outside world and pay for goods and services.
Phishing can also use the valuable time of staff members, such as those employed in the IT and HR departments, to divert their attention to fixing the damage caused by phishing, in place of their usual productive tasks.
Types of Phishing Emails
There are three main types of Phishing. These are Spear Phishing, Clone Phishing and Whaling. While each type targets a different group of users, they all have one thing in common: they want to steal your personal and business information.
Spear Phishing is a phishing attempt directed at a particular individual or company. The attack is designed to gather information about the target, raising the probability of success for the attempt. This type of phishing accounts for the vast majority of online phishing attempts today.
Clone Phishing is where a legitimate, and previously delivered, bit of online correspondence is used to create an almost identical or “cloned” email. The cloned communication will include malicious links or attachments, which will likely be trusted by the victim due to the previous email communications.
Whaling is a phishing attempt directed specifically at a senior executive or another high-profile target within a business. In a whaling attempt, the counterfeit email communication or website will be crafted to fit the target’s role in the company or organization. Such content could include legal content, such as a subpoena, a customer complaint of some sort or another issue fit to be addressed by an executive.
How to Identify Phishing Emails
While phishing emails can be convincing, there are also a number of ways you can identify possible phishing communications. As usual, the old adage, “If something seems too good to be true, it probably is,” applies to many phishing communications you might encounter. Believe it or not, African kings do not give away their vast treasure troves to complete strangers on a regular basis.
In this section, I’ll guide you through a number of ways to detect and identify phishing emails. I’ll take a look at the obvious, and sometimes not-so-obvious, methods of detecting when you’re being phished.
Look Closely at the Actual Email Address
Perhaps the most popular tactic used by phishing cybercriminals is to spoof an email address so that it appears to be coming from a reputable domain. As an example, you may receive an email purporting to be from “Bank of America Customer Service” or the “Federal Reserve Bank.”
This email may, at first glance, appear to be legitimate. However, if you look at the actual email address, it reads something like “federalreservebank.@blake.ocn.ne.jp.” Believe it or not, the Federal Reserve doesn’t make use of the “blake.ocn.ne.jp” domain for its email communications.
If you receive an email from your bank, a credit card issuer, PayPal or any number of other seemingly reputable senders urging immediate action, always take a closer look at the actual sender address. It just might reveal that something is up.
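The check described above, done programmatically rather than by eye, as an added example that is not part of the original article: it parses the From and Reply-To headers of a raw message, compares the brand a display name or local part claims against a constructed allow-list of sending domains, and flags a Reply-To that points somewhere other than the From domain. The allow-list entries, the consumer-webmail list and both sample messages are constructed for the example.

```python
# Added example (not from the original article): find the real sender address
# behind a friendly display name. Standard library only.
import email
import re
from email.utils import parseaddr

# Constructed brand -> sending-domain allow-list for this example. A real
# deployment would maintain this from the organisations' own published policy.
KNOWN_BRAND_DOMAINS = {
    "federal reserve": {"federalreserve.gov"},
    "chase": {"chase.com"},
    "paypal": {"paypal.com"},
}
# Consumer webmail a bank officer or corporate representative would not use.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Words that make a display name sound like an official role.
ROLE_WORDS = ("customer service", "support", "security", "bank")


def _domain(addr):
    """Everything after the last '@', lower-cased ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower()


def sender_findings(raw_message):
    """Return human-readable reasons the From/Reply-To headers look spoofed."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = _domain(addr)
    local_part = addr.rpartition("@")[0].lower().replace(".", "")
    shown = display.lower()
    findings = []

    # 1. The display name or local part claims a brand, but the domain is not
    #    one that brand sends from.
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        claims_brand = (re.search(r"\b" + re.escape(brand) + r"\b", shown)
                        or brand.replace(" ", "") in local_part)
        if claims_brand and domain not in domains:
            findings.append(f"claims '{brand}' but real domain is '{domain}'")

    # 2. An "official" sounding sender writing from consumer webmail.
    if domain in FREE_MAIL_DOMAINS and any(w in shown for w in ROLE_WORDS):
        findings.append(f"'{display}' writes from consumer webmail '{domain}'")

    # 3. Replies would go to a different domain than the message claims to be from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != domain:
        findings.append(f"Reply-To domain '{_domain(reply_addr)}' differs "
                        f"from From domain '{domain}'")
    return findings


# Constructed sample messages (headers only matter for this check).
PHISH_SAMPLE = """\
From: "Federal Reserve Bank" <federalreservebank.@blake.ocn.ne.jp>
Reply-To: <claims-desk@example.net>
Subject: Your account is in danger
Content-Type: text/plain

Several unexpected sign-in attempts were detected. Act now.
"""

LEGIT_SAMPLE = """\
From: "Chase Customer Service" <alerts@chase.com>
Subject: Your monthly statement is ready
Content-Type: text/plain

Your statement is available in online banking.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, sender_findings(sample) or ["no sender findings"])
```

The word-boundary match in check 1 avoids flagging a display name such as “Purchase confirmation” for the brand “chase”; the allow-list is the part that has to be right for the check to mean anything.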
Check for Spelling and Grammar Mistakes
At first blush, this may seem a bit weird, but major corporations are pretty strict on their employees using proper spelling and grammar. If an email you have supposedly received from a major banking concern or government agency contains a number of misspellings, grammar errors and awkward formatting, it’s likely a phishing email.
You would think that phishers would take the time to make sure spelling and grammar are correct in their fraudulent emails, but a couple of factors likely contribute to the mistakes.
While bad spelling and incorrect grammar aren’t always an accurate indicator that you may be looking at a phishing email, it’s a good enough reason for you to take a closer look at things.
Review the Email’s Salutation
When reviewing an email for a possible phishing scheme, also take a closer look at how the sender of the email addresses you. Is it sent to “Dear Customer,” “My Dear,” “Dearest” or one of numerous other odd-sounding salutations?
A legitimate business that you have had dealings with before will likely use a personalized salutation, such as “Dear Jeff,” “Mr. Lebowski” or simply “Jeff Lebowski” instead of a generic “Customer” greeting.
Phishers count on you not being aware that a major company you’ve dealt with will have your information on file and will be able to access that for such a simple thing as an email greeting. It’s called mail merge, and it’s great.
Review the Email’s Signature
Another telltale sign of a phishing attempt is a lack of information included in the supposed sender’s email signature. A legitimate representative of a company will always provide contact information in their signature.
Information will usually include their full name, official title within the company, their return email address, and even their phone number and direct extension.
Also, look closely at the email address. A Chase Bank officer won’t be using a “gmail.com” email address to communicate with you.
Don’t Trust That Link!
If the body of an email contains embedded links, do not click on them.
Hover your mouse pointer over them first. Many email clients will display the full text of the link somewhere in the viewing window. Or, you can right-click the link and copy it. Then paste the link into a text file.
Once you can see the entire link, look at it carefully. If something is up, it should be apparent.
First of all, never click a link in an email that has been shortened. Shortened links make it easy to hide the link’s actual URL from prying eyes. A shortened link may appear similar to this: “http://bit.ly/D8h6TZy.” (Don’t worry, all you’ll get from that link is an error message from Bitly.)
Also, be on the lookout for malformed links that may appear to be sending you to a legitimate website, but are instead forwarding you to a location where you may be tricked into giving up your login credentials or other personal information.
Such an attack makes use of a malformed URL, which, even when copied and pasted into a browser’s address bar, appears benign. Even Google Chrome’s built-in security doesn’t catch it.
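The “look at the entire link” advice above, as an added example that is not part of the original article: it pulls every anchor out of an HTML email body and flags the forms of deception the article warns about. Shortened links (the shortener list is constructed; bit.ly is the one the article names), a `user@host` trick that puts a trusted-looking name before the real host, internationalised or punycode host names, and visible link text that names one domain while the href goes to another. The article does not say which malformed-URL trick it had in mind, so these are the common forms, not that specific one; the sample HTML and the 203.0.113.5 address are constructed.

```python
# Added example (not from the original article): inspect the real destination
# of every link in an HTML email body. Standard library only.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed list of URL shorteners whose destination cannot be read from the link.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Visible anchor text that itself looks like a URL or domain name.
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Host name of a URL, lower-cased, with a leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def link_findings(html_body):
    """Return human-readable reasons each link in the body is suspect."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"shortened link hides its destination: {href}")
        if parts.username is not None:
            # https://www.bank.example@203.0.113.5/ - the browser goes to the
            # part after '@'; the part before it is just a user name.
            findings.append(f"'{parts.username}' before '@' is not the host; "
                            f"real host is '{host}'")
        if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
            findings.append(f"internationalised (punycode/Unicode) host name: {host}")
        if LOOKS_LIKE_URL.fullmatch(text):
            shown_host = _host(text if "://" in text else "http://" + text)
            if shown_host and shown_host != _host(href):
                findings.append(f"link text shows '{shown_host}' but goes to '{host}'")
    return findings


# Constructed HTML body in the style of the "Your account is in danger" lure.
SAMPLE_HTML = """
<p>Several unexpected sign-in attempts were detected.</p>
<p><a href="http://bit.ly/D8h6TZy">Review activity</a></p>
<p><a href="https://www.paypal.com@203.0.113.5/login">www.paypal.com/login</a></p>
<p><a href="https://www.example.com/help">www.example.com/help</a></p>
"""

if __name__ == "__main__":
    for finding in link_findings(SAMPLE_HTML):
        print("-", finding)
```

Hovering shows you the same href this code reads; the gain from doing it in code is that the `user@host` and mixed-script cases, which look benign in an address bar, are checked the same way every time.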
One hazard of clicking links in phishing emails is ransomware.
Ransomware can be installed by clicking a malicious link or visiting a website which installs software on the victim’s computer. The ransomware then either locks out access to the user’s files or threatens to publish the data unless a ransom is paid.
What it comes down to is this: never click on a link in an email.
If the email claims to require action on your part, find the actual website address for the company and retrieve their customer service contact information from that site. Call them. They’ll know if any action is actually required on your part for a supposed security breach or account change.
Links in emails can also lead to a rogue website, which will claim there has been a security breach, or another emergency, and ask the user to give it Open Authentication (OAuth) access to a user’s Google or other type of online account. This allows the offender to access an account as if it were their own.
OAuth is a convenient way of authorizing third-party applications to use an account for social media, gaming and other purposes without the need to reveal your password to the requesting party. Unfortunately, it can also be used for evil, allowing miscreants to wreak havoc using your personal or company accounts.
Luckily, it’s easy to revoke OAuth access to your account for any app you’ve granted access to. Most providers offer a page that lists all of the applications you have authorized to have access to your account. For example, Google’s OAuth Access page can be found here. (Check it out sometime, you might be surprised how big the list is.) You can revoke access here.
Don’t Open That Attachment Either!
In addition to malicious links, the bad actors of the world love to include attachments in their phishing emails. These attachments appear for all the world to be an innocent PDF or Microsoft Word document.
However, they could contain viruses and malware designed to damage files on your computer, grab administrator status so it can make changes, steal your passwords or otherwise spy on your every online move.
The attachment may be posing as an invoice for an unpaid bill or a schedule for a corporate retreat. Malware-powered documents can take many forms. You’ll particularly want to be vigilant for emails that appear to be from known sources, such as your child’s school or your bowling league, that may actually send you unsolicited attachments.
Don’t Give Up Your Personal Information
A legitimate email from a bank, credit card company, college or other institution will never ask for your personal information via email. This is particularly the case for banking and credit card account numbers, login credentials for websites or other sensitive information.
As soon as you see an email request any of the information above, it’s time to make a call to their known, actual customer service phone number for a chat. There’s an excellent chance that customer service might be aware of this scam and can give you more information on it.
I have found credit card companies seem to keep particularly good track of schemes that affect their customers.
Don’t be Intimidated by Threatening Language
Always beware when you see an email with a subject line that claims the email needs your immediate attention. Beware of subject lines such as, “Your account has been frozen…” or “Unauthorized login detected on your account.”
The first thing the tricksters behind any phishing email want to do is make you feel as if urgent action is needed to keep your world as you know it from falling apart. In actuality, quick, unthinking action on your part is what removes the first piece of the Jenga puzzle that is your security.
Phishing emails will often include language in the body urging you to take action to avoid your account being closed or frozen, and even supply a “helpful” link in the body of the email to make it convenient for you to take action.
How to Deal With Phishing Emails
When (definitely not if) you receive a phishing email, do not respond in any way. Do not supply any of the information the emails may ask for. Never click on any website links or call any phone numbers that are listed in the email.
Do not click on, open or save any attachments that may be included in the email. File attachments can contain malware, viruses or a link to a website that could facilitate the download of such malware.
Do not furnish any personal, financial or login information to the senders of the phishing email. If you want to check if the communication is actually from the company the email purports it to be, contact the company using a known, official method, such as their known email address, website URL or customer support phone number.
Be sure to review all banking and credit card statements as soon as you receive them. Make sure there are no unauthorized withdrawals or charges. If you notice suspicious account activity, contact the institution’s customer support department immediately via the contact information provided on the bank or credit card statement.
If your banking or credit card statement doesn’t show up within at least a few days of its usual date, call customer service to confirm your billing address information and check your current balances.
Smartphone and tablet users can also usually view their account information, including recent transactions and current account balances, via an app on their mobile device. The apps are available in your device’s app store. Check with your bank for more details.
This method would allow you to keep track of your transactions on a day-to-day basis, enabling you to catch suspicious activity much faster.
Immediately report phishing emails to the bank, company or organization being misrepresented as the sender of the email. Furnish as much information as possible to the company you report the email to.
If you have any reason to think your email accounts, online banking, credit card, shopping, or other login credentials have been compromised, immediately change the password on all of your online logins. Be sure to use strong passwords that are at least 8 to 10 characters long and include a mix of letters, numbers and symbols.
If you have opened an email attachment from a suspected phishing email, immediately install or update the antivirus and malware scanners on your computer. Then, immediately scan your machine for viruses and malware.
You can also report the phishing email to the Anti-Phishing Working Group at [email protected]. This group includes ISPs, financial institutions, security companies and law enforcement agencies. The group was formed to fight phishing of this type.
If you reside in the United States, use the FTC Complaint Form to report a phishing scam. Canadian citizens can get support and more information from the Canadian Anti-Fraud Centre. Residents of the United Kingdom can report fraud and unsolicited phone calls.
Document all conversations and other communications you have concerning the phishing incident. Be sure to note all names and phone numbers of everyone you speak with, and keep copies of all correspondence.
Uh-Oh! I Was Tricked Into Supplying Information! Now What?
If you were tricked into supplying personal or financial information by a phishing email, immediately contact the Federal Trade Commission. Using the commission’s website, you can report the following types of scamming activity:
If you disclosed credit or debit card information, immediately contact your bank or credit card issuer via the toll-free number on the back of your credit or debit card. This will allow you to cancel your cards and request new ones, or even close the accounts and open new ones that the phishers don’t have information about.
Maximum liability for unauthorized use of your credit card is limited to $50. However, liability for an ATM or debit card varies, depending on how quickly you report the loss or breach of your card and its information.
If you gave out checking or savings account information, immediately contact your bank via the toll-free number on your bank’s website or your monthly statement. Close your compromised bank account and open a new one.
Contact the major credit bureaus (Equifax, Experian and TransUnion) and place an alert with them, which will signal to potential lenders that you may have been a victim of identity theft. This may make it a bit more difficult to open a new legitimate line of credit in the future, but it’s worth the hassle to keep a bad guy from opening a new account in your name.
If you gave out your eBay information, immediately attempt to log in to the auction site and change your password. Keep a close eye on your eBay account for any unauthorized activity. If you are unable to log in, immediately contact eBay via the special link they offer for suspected account theft.
If you gave out your PayPal login information, immediately attempt to log in to the payments service and change your password. Keep a close eye on your account for any unauthorized activity. If you are unable to log in, immediately contact PayPal via the special link they offer for suspected account theft.
Also, don’t forget that if you were tricked into giving OAuth account access to a rogue app, you can revoke OAuth access to that account for any app you’ve granted access to. Check with your service provider for more information on how to revoke OAuth access.
Beware of Other Types of Phishing Scams
Email phishing isn’t the only method the miscreants of the world will employ to steal your personal information. They will also make use of other methods.
Phishing Phone Calls
Always beware of any phone calls that involve a cold call from Microsoft - or any other well-known tech company, such as Apple or Google - offering to help you solve your computer problems or sell you a software license.
None of the major software or hardware companies will make an unsolicited call and charge you for helping to shore up your computer’s security or fix any issues you’re having with the machine and its operating system or applications. (No company has perfected the method of ESP support, and probably never will.)
Once a criminal has gained your trust, they might ask you for your computer’s username and password, ask you to visit a particular website to install software to allow them to remotely access your computer, or ask you for a credit card number to pay for their “services.”
Never accept any “help” that is offered in this manner. Again, none of the major software or hardware firms will call you out of the blue about your computer. Always treat any such calls with complete skepticism. Never provide any information about yourself, your computer, or your credit card or bank accounts.
Amazon, which is the largest online seller of goods in the world, is not immune to phishing attacks. Recent reports reveal sellers in the Amazon Marketplace have been hit with hijacking of their accounts. The hijackers then use the account to fleece customers of their hard-earned dough.
The hijackers get an Amazon seller’s login and password the old-fashioned way - via a data breach or an email phishing attack, and then use that information to hijack the account and start the financial pain for the seller.
Once they have gained access to an Amazon seller account, the imposters then do one of two things.
Why hit Amazon sellers? Because there are so damn many of them, and they make so damn much money. This makes for an incredibly attractive group of potential victims.
A lawyer who represents Amazon sellers told The Wall Street Journal that over a dozen of his clients have had their accounts hijacked, and many of them lost around half their monthly sales ($15,000 to $100,000) to the schemes.
Amazon sellers are advised to keep a close eye on their account and to report any Amazon-related phishing attempts to Amazon customer service. Amazon buyers are reminded that if something seems too good to be true, it most likely is. A reputable Amazon seller is not going to sell you a new MacBook Pro for $300.
What We’ve Learned
When it comes to phishing emails, it's a matter of when, not if, you'll get one. Let's review what we've learned about phishing attempts.
Main Types of Phishing Emails
There are three main types of phishing emails. Spear Phishing targets a particular individual or company. Clone Phishing is where a "cloned" email is used to put a recipient at ease. Whaling is a phishing attempt directed at a senior executive or another high-profile individual in a company or organization.
Ways to Identify a Phishing Email
You can identify phishing emails by looking closely at the email address, checking for spelling and grammar mistakes, and considering the email's unusual salutation or signature.
NEVER Click a Link or Attachment in an Email
NEVER click a link in an email, especially a suspicious one. Links in phishing emails will send you to an authentic-looking website designed to collect information from you.
Attachments, too, can contain viruses or malware designed to steal your information or damage files on your computer.
Never Give Up Personal Information
Never give up your personal information. Any legitimate bank or credit card representative will never ask for your personal or financial information via email. Protect your account numbers, login credentials and other valuable information.
Don’t Let Phishing Emails Intimidate You
Phishing emails will often include language designed to push you to take action immediately. You'll see subject lines such as, "Your account has been frozen," or "An unauthorized login attempt has been detected on your account." Don’t be intimidated into falling for the trap.
Keep an Eye on All of Your Accounts
If you believe you've been the victim of a phishing attempt, be sure to keep an eye on all of your accounts. Make sure you don't see any unauthorized withdrawals, charges or purchases. Change the password on all of your accounts. Immediately report the phishing attempt to the bank or other organization that was misrepresented in the email.
Contact Your Bank, Creditors and Credit Bureaus if You Do Get Tricked
If you were tricked into giving up information, immediately contact your bank, credit card issuer, store or other lender and report the activity, close your old accounts and open new ones.
Contact the major credit bureaus and place an alert with them. This will make it tougher for anyone to open a new account under your name.
Change eBay and PayPal Passwords if Needed
If your eBay or PayPal information has been compromised, report the incident to the company involved. Then change your password and keep a close eye on the account for any unauthorized activity.
Beware of ‘Cold Calls’ from Callers Claiming to be With Software or Hardware Vendors
Phishing attempts aren't limited to email. Beware of unsolicited "cold calls" from anyone claiming to be with Microsoft, Apple, or another software or hardware vendor offering to help you solve your computer issues.
Beware of ‘Too Good to be True’ Prices in Online Stores
When shopping on Amazon or other online shopping sites, beware of vendors who offer an unusually low price for popular items. If you're an Amazon seller, watch out for attempts to hijack your seller account.