By Roberto Cecchini (INFN – GARR)
What is phishing?
Phishing is one of the many social engineering techniques used to deceive users. It is a type of fraud used to obtain sensitive information from a person or a firm, such as passwords and credit card details. The perpetrators, using electronic communication – typically email, instant messaging or text messaging – disguise themselves as a trustworthy entity, like a bank, a lawyer or a colleague and invites the users to give their personal data to solve a problem, e.g. technical or related to their bank account, or accept a very good promotional offer. Usually the victim is directed to a fake website – which mimics the look and feel of the legitimate one – to enter his or her data.
If the phishing attempt uses email (email phishing), sometimes it tries to lure the user to open an infected attachment – a fake invoice, a letter from a lawyer – that loads malware into the computer (remember: even if your antivirus is up-to-date, you are not 100% safe!).
When the phishing is targeted to a specific person or firm, it is called spear phishing, if the person is a high level decision-maker, we speak of whale phishing.
Some numbers
Here are some numbers to give you an idea of the relevance of phishing in the malware environment. If you are interested in more details, please visit Verizon Data Breach Investigations Report 2020, Symantec Internet Security Threat Report 2019 and Proofpoint State of the Phish Report 2020.
- 88% of organisations experienced spear phishing attacks and for 55% it was successful;
- 96% of phishing attacks are by email;
- 94% of malware was delivered via email and 48% of malicious attachments are Office files;
- 65% of attackers used spear phishing as the infection vector;
- 3 M € is the average cost of a data breach (IBM Cost of a Data Breach Report 2020);
- data more frequently compromised in a phishing attack are credentials (passwords, usernames), personal, company internal, medical and bank.
Email phishing checklist
The simple rules below, if carefully followed, will help you to detect the vast majority of email phishing attempts. Keep in mind, however, that if the phishing is of the spear kind, its detection could be very, very difficult.
- Personal information
Legitimate companies don’t ask for your personal information by email or invite you to open a link which points to a page where you can insert them. - Links
First of all, important legitimate mails don’t contain clickable links. If there are some, move the mouse over them without clicking and verify that the addresses that will appear are equal to those in the mail (if they are different, many email clients will warn you). Even if they are, check that they aren’t “strange”, like appple.com or even without any reference to the name of the real site. - Sender
Remember that, unless the email is digitally signed, the sender can be very easily falsified. So, just because it seems that the email is from a person you trust, it doesn’t mean that it truly is. Look very carefully at the sender’s address: it could be very similar to the right one (e.g. trustedperson@company.ir instead of trustedperson@company.it), or even could be correct if the villain doesn’t need an answer from you (e.g. he wants that you open a malicious attachment, see below) - Attachments
Attachments can be very dangerous (look at the numbers above). In this case the fact that the sender’s address is correct isn’t significant, so, even with a minimal doubt, call to verify. If the attachment, when opened, asks to enable macros (you should always keep them disabled) all kinds of alarm bells should be ringing. And don’t be too confident on your antivirus software: none are perfect and there always is a concrete possibility of infection. - Urgency or wonderful offers
Beware of urgency or incredible offers! Scammers want that you behave haphazardly without thinking. Typical examples are smartphones at incredible discounts, warning that your account is about to expire or that showed suspicious activity and so you need to provide information to avoid lockout (note that some reputable sites, e.g. Google, may ask you to reset your password, but they want you to login outside of the email interface, certainly not by clicking on a link inside the email). - Spelling and grammar
Phishing emails are often full of spelling and grammatical errors or, worse, the evident output of Google translate or a similar service. - Signature
Most legitimate senders include a signature block at the end of their emails. - Salutation
Treat with suspicion generic addressing, like “Valued customer”, “Hello everyone” or “To all employees”.
Last but not least…
If you have a doubt, even if minimal, contact your System Administrator immediately!
No matter the time of day, every sysadm worthy of his name would greatly prefer to deal with a false alarm than to put the organisation at risk of a breach.
About the author
With a Degree in Physics achieved ‘too many years ago’, Roberto Cecchini has been working in the security field for over 20 years. He created and managed the Italian National Institute for Nuclear Physics (INFN) Certification Authority and GARR-CERT, the CSIRT service for the GARR Network. In his spare time he loves reading, gardening and trekking.
Read more on the GÉANT Cyber Security Month 2020: https://connect.geant.org/csm2020
