A Phish Tale
by Jesus Espinoza
This phish tale is not about the one that got away. Our tale is a more sinister one that plunges into the dark sea of digital information and sheds light on an attack method known as “phishing”. The term is a play on “fishing”: the attacker is fishing for sensitive information such as user account credentials, bank account numbers, and credit card details. The attack usually arrives as an email message or a phone call. In most cases it is not technically sophisticated, because it does not rely on malicious software like worms or viruses; it relies on the victim. The average phishing attack is a simple email made to look like it comes from a friend or a legitimate source, asking you to provide information or click on a link. The body of a phishing email will often contain text like the following:
“…we suspect unauthorized activity in your banking account. Please click on the link below to access your account and verify your balance”
“…our accounting department has been performing an audit and needs your account information to verify our data”
“…we are seeing unusual activity on your credit card, please follow the link below to access your account and check your transactions.”
“…we suspect your email has been compromised, please provide your login and password to update your account.”
As the examples show, these phishing emails can look very legitimate, and they are made more convincing by adding bank or credit card logos to the body of the email. The “sender” of a phishing email is often a spoofed address, or a real account at an organization that the attacker has compromised. The attack becomes more sophisticated when a spoofed or compromised account is used. Here is how it is normally done. The attacker first cases the organization to identify high-profile users such as department heads or IT personnel. Once a target user or group is identified, the attacker either compromises that email account or impersonates it with a spoofed one. The spoofed or compromised account is then used to phish other users in the organization. For example, the email might appear to come from your security team, asking a user to provide account information because of a security breach. The attacker can also use the compromised account to target a high-profile user such as the head of accounting or finance, or even the CEO. High-profile accounts usually carry more privileges on information systems and are more lucrative to the attacker.
What Are The Things To Look For In A Phishing Email?
- Grammar. Many phishing emails are written by attackers outside the United States and contain spelling and grammar errors that make them easier to spot; a legitimate company or organization rarely sends mail with such errors. Do not rely on this clue alone, though: well-written phishing emails exist.
- Links in the Body of the Email. If there is a link in an email you suspect to be phishing, do not click on it. Inspect the link closely: hover over it (or long-press it on a phone) to see where it actually points, because the visible text can say one thing while the underlying address goes somewhere else, and look for misspellings or anything unusual in the domain. For example, instead of “www.bankofamerica.com” it might read “www.bankofamerika.com”, or the bank's name might appear in front of a completely different domain. The differences are subtle and can easily be missed.
- Threats for Not Responding. Phishing emails often threaten to close an account or take legal action if the victim does not respond with the sensitive information being asked, or “phished”, for.
Here is an example of what a threatening phishing email might look like, with a fake IRS address as the source:
“Our records indikate that you or your family did not file a federl income tax using form 2040w for the privious year. Please click on the link below and provide your current adress, fone number and social number as soon as possible to verify your records. If you do not reply imidiately your account will be audited.”
The spelling and grammar errors in the example above are easy to see, as are the other clues: the odd IRS form number, and an “IRS” link that ends in .com rather than .gov. Phishing emails are not always that easy to spot, so the best thing to do is contact the supposed sender directly, using a phone number you already have or look up yourself rather than one given in the email, to confirm the request is legitimate.
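The link checks described above (visible text that does not match the real target, a one-letter misspelling of a bank's domain, and a government site with the wrong top-level domain) can be automated. The script below is an added example written for this page, not code from the original article; it assumes a small hand-written list of known-good domains (KNOWN_DOMAINS), a simplified notion of the registrable domain (last two labels), and a constructed sample email body. It goes slightly beyond the article's examples by also flagging a brand name used as a subdomain of an unrelated site.

```python
"""Flag suspicious links in an email body: display text that does not match the
real target, lookalike domains, wrong top-level domains, and a trusted brand
name buried in the subdomain of an unrelated site."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small allow-list of legitimate domains the checker knows about.
# A real deployment would load this from a maintained list.
KNOWN_DOMAINS = ("bankofamerica.com", "irs.gov")

# Characters attackers swap for look-alike letters (e.g. "bank0famerica").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: no multi-label public
    suffixes (co.uk and the like), which is enough for this example."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str) -> list:
    """Return a list of human-readable findings for one link (empty if clean)."""
    findings = []
    target = href if "://" in href else "http://" + href
    host = urlparse(target).hostname or ""
    labels = host.split(".")
    dom = registrable_domain(host)
    name, _, tld = dom.rpartition(".")

    # 1. The visible text names one domain while the href goes somewhere else.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != dom:
        findings.append(f"link text shows {registrable_domain(shown.group(1))} but the link goes to {dom}")

    for legit in KNOWN_DOMAINS:
        if dom == legit:
            continue  # the genuine domain; nothing to flag
        legit_name, _, legit_tld = legit.rpartition(".")
        # 2. Right name, wrong top-level domain (irs.com instead of irs.gov).
        if name == legit_name and tld != legit_tld:
            findings.append(f"{dom} uses .{tld} where {legit} uses .{legit_tld}")
        # 3. One-character typosquat after homoglyph normalization.
        elif edit_distance(name.translate(HOMOGLYPHS), legit_name) <= 1:
            findings.append(f"{dom} is a lookalike of {legit}")
        # 4. Brand name used as a subdomain of an unrelated registrable domain.
        elif legit_name in labels[:-2]:
            findings.append(f"{legit_name} appears as a subdomain of {dom}, which is not {legit}")
    return findings


def scan_email_html(html: str) -> list:
    """Return [(href, [findings...]), ...] for every link in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links]


# Constructed sample email body (not a real message) mixing the tricks above
# with one genuine link.
SAMPLE_EMAIL = """
<p>We suspect unauthorized activity in your banking account.</p>
<a href="http://www.bankofamerika.com/login">www.bankofamerica.com</a>
<a href="http://irs.com/verify">Verify your records with the IRS</a>
<a href="https://bankofamerica.com.account-verify.net/">Sign in</a>
<a href="https://www.bankofamerica.com/">Contact us</a>
"""

if __name__ == "__main__":
    for href, findings in scan_email_html(SAMPLE_EMAIL):
        print(href, "->", findings or ["no issues found"])
```

Only the last link in the sample comes back clean. The edit-distance threshold of 1 is deliberately tight so short brand names do not produce noise; in practice this kind of check sits beside sender authentication (SPF, DKIM, DMARC) rather than replacing it.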
Questions to Ask Yourself If You Suspect an Email Phishing Attack
- Is the sender of the email someone you know? If the sender is unknown, do not reply or click on anything within the email. Contact the helpdesk or your security team for assistance. If the email is from a friend or someone you know but looks suspicious, call the sender directly, at a number you already have, to make sure the email came from them.
- Are There Email Attachments? Phishing emails sometimes carry attachments. Do not open any attachment in a suspicious email. Contact your helpdesk or security group and have them check the attached files for malware.
- Are they requesting specific information? Do not reply if the email is requesting specific information such as a bank account, credit card number, or personal information. Most organizations will not request this type of information over email.
- Does It Make Sense? Does the information being requested, or the way it is being requested, make any sense to you? Look for words or phrases that your friend or the known sender would not use in a normal message. Another clue is offers or promotions directed at you specifically from stores you have never visited or purchased from.
The Phone as a Phishing Rod
Email phishing is not the only method an attacker uses to trick a user into giving up sensitive information. A less common method is phone phishing, also called vishing. In a phone phishing attack, the attacker calls a user in the organization pretending to be someone with authority and requests sensitive information. For example, a user might get a call from someone claiming to be the head of the Technology Department, asking for the user's account information to update the account. In another example, the attacker pretends to be a bank or credit card representative and asks for the user's bank account information. If you suspect a phishing phone call, tell the caller you are too busy at the moment and that you will call back. Do not use a number the caller gives you: look up the organization's phone number yourself, or in the case of a coworker use the internal directory, and verify the request that way.
As we pointed out at the beginning, phishing attacks are usually not sophisticated; defeating them simply requires a bit of awareness and vigilance from every user in the organization. Don't be too quick to reply to suspicious emails, and look for clues like the ones in the examples above. Always contact your helpdesk or security group if you're not sure about an email.