Social Engineering – Email and Phishing

Phishing is a common social engineering threat.


This is Part I of a three-part series on the cybersecurity risks presented by social engineering.

In this era of social distancing, we’ve become more reliant than ever on technology to communicate. In this environment, social engineering techniques are creating heightened risks from a cybersecurity perspective. Social engineering is broadly defined as the use of deception or manipulation to lure others into divulging personal or confidential information. Cybercriminals use social engineering to harvest access login credentials, financial information or other personal data that can then be used for profit, ransom, or as a wedge to open even further security holes.

In Part I we discuss phishing, one of the most common social engineering threats. Phishing involves sending fraudulent emails purporting to be from trusted, reputable sources in order to trick or coerce individuals into revealing sensitive personal information. A birth date, a user ID/password, a credit card or bank account number: in the wrong hands, any of this sensitive information can cause great loss and inconvenience.

“Simple” phishing usually comes in the form of a general email to a wide range of targets. There will be little personalization specific to the recipients, but the message will try to play to the emotions of the reader. In these times of heightened anxiety, a stress-inducing message may cause people to let their guards down and react quickly without thinking. Links are provided in the email that appear real, but actually are hosted by the scammers, who use the sites to harvest personal information. In other cases, phishing emails will bear malware-infected attachments. Some actual reported examples from just the past few weeks:

· Membership/subscription cancellation: An alert that a service will be terminated unless a response is received in a tight timeframe. With streaming services and telecom data usage at record highs, people may be tricked into clicking a link to check on their account status or respond immediately, divulging account information or passwords.

· Courier delivery notification: A delivery is on hold awaiting confirmation of personal details. With more people at home, residential deliveries are becoming more and more frequent and time-sensitive. The scammers hope to trip people up who are genuinely expecting a package, and are too quick to enter passwords or financial information on a dummy web page.

· Messages from the office: Homeworkers are getting fake emails pretending to contain training materials, remote software upgrades, security patches, or password reset confirmations. For some, working from home is a new experience and they may not know what to expect.

· File-sharing/videoconferencing invitations: With many people working from home during the pandemic, secure file-sharing services and video conferencing tools are being used extensively. Surprise invitations to collect secure documents or join conferences are actually malware or hacker sites in disguise.

· Breaking pandemic news: Bulletins about the COVID-19 outbreak are delivered in a video or attachment via email. With news changing literally by the hour, people are anxious to see the latest information and may unwittingly download malware instead of real content.

· Financial institution warning: An urgent message is received from the bank advising that an account or credit card has been compromised. Finances are stretched for many during this difficult time, so there may be genuine concern about account balances or activity.

· Tax audit or return: People are anxious about getting their tax returns, or worse, being audited or unduly delayed in having their documents processed. Bogus CRA and IRS emails have spiked recently, preying on these victims.

Recommended Defenses:

· Watch for awkward phrasing, typographical errors, or impersonal generic language. These are all red flags of a phishing email.

· Double-check the sender’s address – don’t rely on the “display name”, as this may be spoofed – check the actual reply email address and validate it.

· Hover over links in the email to validate that any links are pointing at a valid website. Again, the displayed text can be spoofed, but hovering will show the true destination. Never assume that if one link is valid, the rest will be as well: scammers will often leave a handful of valid links in a spoofed email, but the “call to action” link will go to a fake website.

· Locate contact information from outside the email message (e.g., from a separate web link or a known contact centre phone number) and reach out independently to validate the message.

· Never enter personal information into a pop-up window in an email. If you have concern about an account or service, open a new browser window and log into your online account separately to check status or information. Do not rely on links in the suspicious email.

A more targeted phishing attack is called a spear phishing attack. Here, the hacker will typically have a little bit more information about an individual, or will make a concerted effort to breach a single target instead of using a broad assault like a regular phishing campaign. The term “whaling” is gaining traction, referring to a spear phishing attack against a top executive or senior official in an organization. Spear phishers may compile information about corporate events, recruitment news, or other specifics related to a company or individual, then weave them into the email. This gives the spear phishing attack an extra measure of realism. The emails can come from spoofed addresses, or are particularly effective if the user’s email account has been breached. These emails will usually have an air of urgency or immediacy to them, in order to try to heighten the emotions of the recipient.

Spear phishing is more labour-intensive for the attacker, but is launched against higher-value targets, and its personalization can make it a more effective attack method. The attacker may be looking for an immediate payday in the form of compromised financial information, or could be seeking a deeper penetration into the target company. Armed with personal information about a senior company member, the attacker can attempt to drop malware into the organization, or pivot to attack others in the company, or other sites used by the original target.

Here’s a typical example: an email is sent from an executive to a subordinate, seeking forgotten login credentials, financial information, or a “rush” on a funds transfer or payment outside of normal business practices. The email insists that the sender cannot be reached by phone for some reason. The email relies on the supervisor/staff relationship to coerce cooperation in revealing information or executing a bogus transaction. Scammers are trying to capitalize on today’s “remote working” atmosphere and the exceptional circumstances that are changing standard operating practices.

Recommended Defenses:

· Again, watch for awkward phrasing, typographical errors, or impersonal generic language. Does the message “sound” like it’s coming from the person?

· Double-check the sender’s address – don’t rely on the “display name”, as this may be spoofed – check the actual reply email address and validate it.

· Insist on a phone call so you can confirm instructions by voice. If the sender refuses to speak, assess the reasoning and consider asking follow-up questions or challenges to test the sender’s knowledge. For particularly sensitive matters, a previously agreed-upon passphrase or safe word can even be used as a defense against phishing attempts. A secondary email address can also be used to touch base to confirm instructions on an alternative channel.
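Two of the checks in both defense lists above, comparing the display name with the actual sender address and comparing a link’s visible text with its real destination, can be automated for triage. The script below is an added example, not code from the original post: the sample message, the domain names in it, and the TRUSTED_DOMAINS list are constructed for illustration, and the registered_domain helper is a deliberate simplification (a production version would consult the Public Suffix List). It uses only the Python standard library.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish): the display name claims the
# bank, the actual address and Reply-To do not, and the "call to action" link's
# visible text differs from its real destination.
SAMPLE_EMAIL = b"""From: "Example Bank Security" <alerts@examp1e-bank-support.net>
Reply-To: replies@mail-collector.example
To: customer@example.com
Subject: Urgent: your account has been compromised
Content-Type: text/html; charset=utf-8

<html><body>
<p>Log in within 24 hours or your card will be suspended.</p>
<p>Help centre: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
<p><a href="https://examp1e-bank-support.net/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

# Assumed: domains the organisation treats as legitimate for this sender.
TRUSTED_DOMAINS = {"example-bank.com"}


def registered_domain(host):
    """Last two labels of a hostname: 'www.example-bank.com' -> 'example-bank.com'.
    Crude but adequate here; production code would consult the Public Suffix List."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "").lower()


def address_domain(header_value):
    """Registered domain of the mailbox inside a From/Reply-To header value."""
    _, addr = parseaddr(header_value or "")
    return registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def _squash(s):
    """Lower-case alphanumerics only, so 'Example Bank' can match 'example-bank'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(msg):
    """The 'check the actual address, not the display name' rule, automated."""
    findings = []
    name, _ = parseaddr(msg["From"] or "")
    from_domain = address_domain(msg["From"])
    claims_trusted = any(_squash(d.split(".")[0]) in _squash(name) for d in TRUSTED_DOMAINS)
    if claims_trusted and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{name}' imitates a trusted sender, but address domain is {from_domain}")
    reply_domain = address_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


def check_links(msg):
    """The 'hover over the link' rule, automated: compare visible text with the href."""
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    findings = []
    for href, text in collector.links:
        real = registered_domain(urlparse(href).hostname)
        # Only compare when the visible text itself looks like a URL or hostname.
        if re.fullmatch(r"\S+\.\S+", text):
            shown = registered_domain(urlparse(text if "://" in text else "//" + text).hostname)
            if shown != real:
                findings.append(f"link text shows {shown} but destination is {real}")
        if real not in TRUSTED_DOMAINS:
            findings.append(f"link destination {real} is outside trusted domains: {href}")
    return findings


def triage(raw_bytes):
    """Run both checks on a raw RFC 5322 message and return findings by category."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    return {"sender": check_sender(msg), "links": check_links(msg)}


if __name__ == "__main__":
    for category, items in triage(SAMPLE_EMAIL).items():
        print(category, *items, sep="\n  ")
```

On the constructed sample, the sender check reports the imitating display name and the mismatched Reply-To, and the link check leaves the genuine help-centre link alone while flagging the login link twice (text/destination mismatch and untrusted destination), which mirrors the advice that one valid link in a message says nothing about the others.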

The bottom line: Maintain a healthy skepticism and don’t panic or over-react when receiving emails. These are stressful times for everyone; don’t let a phishing scam trip you up.
