PhishingPhishing is a social engineering technique that uses various subterfuges to make victims believe that they are dealing with trustworthy individuals or entities in order to steal personal information, such as passwords, payment card numbers, birth dates, etc. Usually, the perpetrator’s objective is to commit fraud using the stolen personal information (identity theft or fraud, intellectual property theft, etc.).

A scammer uses fake emails and websites for phishing or the theft of personal data. It involves sending rather generic mass email messages to the most users possible. These emails are designed to trigger a knee-jerk reaction from the user, by announcing upsetting or exciting news and demand an immediate response under false pretenses. For example, a victim may receive an email, supposedly from his bank, explaining that there are problems with his account and asks him to click on a link for verification. By clicking on the link, the victim is redirected to a bogus website, virtually identical to that of his institution. When that person enters his authentication information (e.g. card number and password), the information is recorded by the fake site. The victim can then be redirected to the legitimate website, leaving him to believe that there was an authentication error.

Criminals use various means to attract or lure their victims. In addition to emailing, phishing techniques exploit the phone (“vishing”). For example, a technician, supposedly working for Microsoft, may call a victim pretending to help solve a computer problem. He then asks him to perform some commands which, in fact, allow him to take over the computer, enabling him to retrieve sensitive information or install malware (e.g. spyware that records keystrokes). Other phishing techniques involve text or SMS messages (“SMShing”). For instance, a victim receives a text message on his phone stating that he has just won a prize.

Recently, cybercriminals have refined their technique targeting specific users, especially businesses, instead of sending generic messages. This technique, commonly known as spear phishing, involves sending a customized email to a user using distinct business lingo. The perpetrator drafts his message by seeking information about individuals through easily available sources of information, such as social networks or business websites, etc. The customized message will gain the victim’s trust more easily, convincing him to open the email and provide sensitive information (customer data, intellectual property, etc.).

According to the FireEye white paper on spear phishing, spam has decreased from 300 to 40 billion between 2010 and 2011, but the number of spear phishing attacks has tripled for that same period. Another interesting statistic is that spear phishing messages were opened in 70% of cases versus only 3% for mass emails. In addition, 50% of recipients who opened a spear phishing email also clicked on the embedded links, which is 10 times higher than with mass emailing.

Here are some recommendations to protect yourself from phishing and spear phishing:

  • Restrict Internet access and the use of personal email;
  • Use anti-spam software and other malware protection tools;
  • Enforce the use of strong passwords;
  • Restrict shared public information on social networks (e.g. date of birth);
  • Examine the URL before clicking on it and refrain from selecting URL shortcuts;
  • Educate employees on the social engineering techniques and develop their vigilance in detecting suspicious emails;
  • Test employees and assess their knowledge on phishing or spear phishing.

For more information on spear phishing, please view the following links:

https://searchsecurity.techtarget.com/definition/spear-phishing

https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf

https://www2.fireeye.com/wp_spearphishing.html

To learn more about Terranova’s awareness solutions and phishing simulations, please visit: https://phishingawareness.com/

By Patrick Paradis, Information security advisor