Phishing and Its Many Forms
Phishing is the use of email communication, appearing to be from a legitimate source, in an attempt to obtain sensitive information. There are additional forms of phishing, such as spear phishing, which targets a smaller number of people than an ordinary phishing campaign. Spear phishing is tailored to its targets, and attackers often research them to heighten the chances of success, while ordinary phishing emails are generic. Whaling is a form of spear phishing that targets high-level executives within an organization. Vishing is a form of phishing that uses the phone or voice, while smishing uses cell phone text messages.
How Phishing Works
Phishing is a form of social engineering. Social engineering is the manipulation of people into providing confidential information. Attackers try to play on the emotions of their targets and invoke fear, urgency or a sense of trust by impersonating trusted sources in your life, in order to increase the chances of you taking the action they desire. Legitimate sources that an attacker may impersonate include your place of work, school, bank, social media platforms, family, friends, coworkers, technology companies or even organizations associated with your children.
Relationship Between Phishing and Sensitive Information
Phishing is usually focused on collecting credentials, i.e. the username and password used to access your accounts, such as email, work, social media, bank, etc. However, other sensitive information that attackers may seek includes your social security number, date of birth and credit card numbers, along with the expiration date and CVV/CSC code (the last 3 digits on the back of the credit card).
Sensitive information can be sold on the dark web, and stolen user credentials are also posted on public-facing websites on the Internet that anyone can access or view. The more sensitive information attackers obtain, the more leverage they have to impersonate you. An attacker tries to build a profile with all identifying information about you, called a fullz. Once that information is available for purchase, identity theft can occur.
How Phishing Targets You
A phishing email may ask you to:
- Reply via email with the sensitive information requested
- Visit a website via a link included within the email – The link in the email directs you to a website that appears to be legitimate and imitates the website of an organization familiar to you. On that webpage, you may be prompted to enter your credentials.
- Download an attachment – An attachment may seem harmless, related to what your job role entails or named after a topic of interest to you, and is often a Word, Excel or PDF document (which can be opened by common programs installed on a computer). When the attachment is opened, malicious code is run in the background on your computer. It may install a backdoor that gives attackers access to your computer and files, install malware that infects your computer and files, spy on your computer use, or steal passwords. Once an attacker has access to your computer, they can also try to access other computers in your organization or home, or use your computer to attack other computers on the Internet.
The Goal of Phishing
The goal of phishing is to harvest information in order to gain access to a user’s account and gather identifying information about that user. Having gained access to your account, the attacker can also attempt to expand the attack by targeting other people associated with you (your personal or business email contact list and/or connections on social media), by directly targeting the organization to which the account belongs, or by compromising the devices used to access the phishing link. In many cases, the ultimate goal is money.
The sensitive information harvested from phishing can be sold for money. Sensitive information is bought by cybercriminals to conduct transactions in your name, which can affect your personal finances, credit card charges and credit. Attackers can also gain money by logging into your account and changing your direct deposit information to an account they control, or by accessing your W2 form to file your taxes and receive your tax benefits/refund.
How to Spot a Phishing Email
To identify a phishing email, look for the following:
- Vague Salutation – The salutation is often generic in a phishing email and is not specifically addressed to you. For example, the email may be addressed as “Dear Customer.” Legitimate sources would address the email with a personal salutation, including your name.
- Sender – The display name of the sender can be edited by the attacker to read anything they like. For example, the display name of the sender may read your bank’s name. Instead of only reading the display name of the sender, you should also check the sender’s email address. If the sender’s email address does not match, for example, your bank’s email address or domain, the email should be considered a phishing email.
- Misspellings or Poor Grammar – Misspellings and poor grammar are often found in phishing emails. Legitimate sources are highly unlikely to have misspellings or poor grammar in their emails, as special care is taken for branding purposes.
- Content of the Email – Beware of emails invoking fear, urgency or a sense of trust. For example, an email stating that you must update your personal information or your bank account will be closed. Another example is receiving an email from a relative asking you to wire money to them out of the country. If the email sounds too good to be true, it likely is. For example, an email notifying you that you won a lottery you never played. As enticing as the email or prize may appear, do not take the bait.
- Subject of the Email – Like the content of the email, the subject may also contain sensational or threatening language.
- Link – The link text can also be masked by the attacker to read anything they like. To verify the actual link, hover over it to see the address or URL, but do not click it.
- Attachments – As interesting as the name of the attachment may sound, attachments should not be opened or downloaded. If you do not know the sender or were not expecting an email from the sender, do not trust the attachment.
- Signature – The signature of a phishing email usually provides few or none of the details that a legitimate source would include.
Even if none of these identifiers is apparent in the email but it still seems suspicious to you, treat it as a phishing email to be cautious.
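The sender and link checks above can be automated on the receiving side, for example in a mail-filter rule. The following is an added example, not FIU's own tooling: it parses a constructed sample message (all domains are .invalid placeholders), compares the sender's address domain against the expected one, flags a generic salutation, and reports links whose visible text shows a different host than the real href.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this demo; every domain is a .invalid placeholder.
SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@mail-example-bank.invalid>
Subject: Verify your account within 24 hours
Content-Type: text/html

<p>Dear Customer,</p>
<p>Click <a href="http://example-bank-verify.invalid/reset">https://www.example-bank.invalid/login</a></p>
"""

class LinkCollector(HTMLParser):
    """Records (href, visible text) pairs so masked links can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def check_email(raw, expected_domain):
    """Return the indicators found; an empty list means no check fired."""
    msg, findings = message_from_string(raw), []
    # The display name is attacker-controlled; only the address domain is worth comparing.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain != expected_domain and not sender_domain.endswith("." + expected_domain):
        findings.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")
    body = msg.get_payload()
    if re.search(r"\bDear (Customer|User|Member)\b", body):
        findings.append("generic salutation")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if re.match(r"https?://|www\.", text) and host_of(text) != host_of(href):
            findings.append(f"masked link: shows {host_of(text)!r}, goes to {host_of(href)!r}")
    return findings
```

Running check_email on SAMPLE_EMAIL with the expected domain example-bank.invalid reports the sender-domain mismatch, the generic salutation and the masked link; a message from a subdomain of the expected domain with matching link text produces no findings.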
What Not to Do If You Suspect a Phishing Email
- Never send your sensitive information (like your SSN) via email
- Never give out your password
- Never click on links in a suspicious-looking email. Although the link may redirect you to a webpage requesting your credentials and you do not enter yours, clicking on the link and visiting the malicious webpage may still lead to your computer being compromised since malicious code can be running in the background.
- Never download attachments in a suspicious-looking email
- Never reply to the email to ask if it is legitimate, even if the email was sent internally from an FIU email address. Instead of replying by email, contact the sender by phone to ask if they are aware of the email. A phishing email from an FIU email address indicates that the account has been compromised. By replying to the email to ask if it is legitimate, you run the risk of receiving a response from the attacker assuring you that it is.
Remember that FIU will NEVER ask for your username, password or sensitive information via email.
Looks Phishy but Uncertain?
If you suspect a phishing email, send the suspicious email as an attachment to firstname.lastname@example.org (see the steps on how to forward an email as an attachment). Remember to delete the phishing email afterwards.
You Took The Bait…Now What?
If you took the bait, you should:
- Notify the Information Security Office
- Change your password – This refers not only to the credentials for the account you provided to the attacker but to all accounts where you may have reused that password. Reusing passwords puts other accounts at risk of unauthorized access by attackers after you take the bait of a phishing email, which highlights the importance of not reusing the same password for multiple accounts. It is recommended to change your password on a different device rather than the one used when you took the bait.
- Scan the system for malware to ensure it is not compromised.
How Phishing Affects Your Computer, Files and Others
Although phishing is usually focused on harvesting credentials, the attacker may have other intentions and can use phishing as a vehicle to accomplish more malicious acts. Malware can be installed on your computer to allow the attacker to perform any action they desire. Some of the ways your systems and files can be affected include:
- Your computer may be infected with malware
- A backdoor may be installed to allow an attacker future access to the system
- Your computer can be included in a botnet along with other computers allowing the attacker remote control
- Your computer can participate in attacks against other computers or organizations
- Your passwords can be stolen
- Your email account may be used to spam or send malicious email to other users
- At risk of ransomware – Your system and files may be encrypted, causing you to lose access to your files and the ability to use your computer. The attacker will demand payment to decrypt them or to allow you access to your system and files again. Phishing emails are often the carrier for ransomware.
The attacker may attempt to multiply the attack and target more individuals and systems within your organization. If the attacker has access to your computer, they can attempt to gain access to other computers on the network and even the organization’s servers. If the attacker is able to compromise an organization’s servers, enterprise-wide damage can occur, such as encrypting network drives or using the server’s resources to host a website for profit or for storage. Since the effects of phishing can be widespread, it is important to do your part, as cyber security is a shared responsibility and you are the best defense we have against cyber attackers.
Precautions Implemented by FIU and What To Do Next
As a precaution, FIU may change your password if your account is suspected to be compromised. Your account may be suspected to be compromised if:
- Your FIU credentials are found posted on a public website on the Internet
- Suspicious activity was noticed on the account, such as hundreds of spam or malicious emails being sent from your account
- You were detected taking the bait of a phishing email that targeted FIU
If your account is compromised, you should change your password, including on any other accounts where you reuse that password, such as your bank account.