Detect Phishing and Protect Your Information
Phishing techniques are changing all the time. A phishing attack might not even be trying to get more money – the scammer may use their illicit access to impersonate you and scam someone else. Learning how to detect phishing is the first step in defending yourself.
See Attack Techniques Scammers are Using with Joel Hollenbeck for a complete transcript of the Easy Prey podcast episode.
Joel Hollenbeck is a cybersecurity expert and Director of Engineering at Check Point Software Technologies. He has worked entirely in cybersecurity for the past two decades. His interest in cybersecurity started when he was young and the internet was new. The early internet had bulletin board systems, and it was a game to hack others’ bulletin boards and get hacked in turn. Learning how to breach systems got Joel thinking about how to protect them.
Even the Experts can be Victims of Phishing
Joel has a household Amazon account that everyone in his house has access to. His sixteen-year-old daughter and seventeen-year-old nephew live with him, and one of them opened a malicious link from an email. That link opened a door to a remote control attack on the computer.
The phishers got access to the Amazon account that was logged in. They didn’t try to do anything else with the computer – they obviously knew what they were after. They started ordering things on Joel’s Amazon account. First it was a non-returnable gift card that they spent immediately. Then they ordered a small grocery item sent to Joel’s house. The pattern repeated with more and more expensive gift cards each time. Joel later learned that this pattern was an attempt to avoid Amazon’s fraud algorithm.
Joel gets alerts from his bank when a purchase is made. His credit card carrier sent him notifications about the purchases. Since the first ones were small amounts, he wasn’t concerned. By the time he got a fraud alert from the credit card company and looked into the charges, the hackers had racked up $400 in gift card charges.
None of us are invulnerable to the threat actors that are out there.
– Joel Hollenbeck
Joel eventually got the money back, but he had to go through his credit card company to do it. He knows how to detect phishing and is careful about clicking links, but someone else logged into a family system wasn’t quite as careful. It still ended up causing problems for him. He may be a cybersecurity expert, but even his systems aren’t immune to cybercrime.
How to Detect Phishing when the Tactics Evolve
Malicious actors are always evolving their tactics to trick victims. They have a whole collection of ways to approach people. When they find a method that gets people to click on the link or open the attachment, they use it repeatedly. Eventually, people will start catching on that the tactic is a phishing tactic. Then they just move to the next method.
A lot of phishing attempts have moved from email to SMS and text messaging. Joel thinks part of it is because people have their guard up about email. Many people know how to detect phishing through email and to be suspicious of links in email. But people trust SMS more. It seems more personable, and there’s less awareness of SMS phishing. Once people trust it less and learn to detect phishing over SMS, phishers will switch to something new.
Phishers are going to look for any platform where they can get around people’s trust issues.
– Joel Hollenbeck
A common phishing tactic is to imitate a well-known brand to trick people into clicking. Common ones are FedEx and DHL. They are often sent as an email with a PDF attachment. The PDF is malicious, and once you open it, the phishers can take over your computer. Currently, the most-imitated brand by phishers is LinkedIn. Their goal isn’t even to take over your computer. They want to harvest your credentials and use your LinkedIn identity to send phishing attempts to your network.
An essential first step to detect phishing is awareness. Be aware that you may get a DHL email with a malicious attachment. Be aware that people are trying to steal your LinkedIn information. It’s also important that the brands be aware of this so they can communicate with their customers.
How Phishing Works
There are two basic methods of phishing, and knowing them will make it easier to detect phishing. First is mass-broadcast phishing. The phishers send the same phishing message to millions of people. This tends to be the poorly-written kind that people who are aware of phishing can easily spot. The return rate for these phishing attacks is less than 1%, but the phishers make profit off volume.
The second method is targeted, elaborate attempts known as spear phishing. With this type, phishers spend weeks, months, or even years studying specific targets. They use the information they find to gain the trust of the victim (or people around them) and swindle the victim out of their money. It’s very difficult to detect phishing when it’s so targeted, and the scammers make lots of money from it.
Phishing attacks use a variety of communication platforms. Each one goes through a similar cycle. For example, email is a broad platform that lots of people have access to. Phishers started using email to target victims. As they saw success and more of them started sending emails, the market became diluted. People started trusting email less. They learned how to detect phishing through email. Joel knows people who don’t even read their personal email unless they’re looking for something specific.
Then the phishers moved to SMS. More people trusted SMS and it was a good platform for them. But we’re starting to see the same thing that happened with email. People are trusting SMS less and realizing that they need to know how to detect phishing through SMS. As their success rates go down, the phishers will start moving to something else.
It doesn’t matter what the platform is, the phishers are going to go where they think they can get success.
– Joel Hollenbeck
Joel hates to give phishers any kudos, but he has to admit that LinkedIn is a brilliant move for them. It has a messaging platform and a lot of information about people publicly available. In addition, everyone contacting you on there should be professionals or business contacts (at least in theory). Eventually, though, people will learn to detect phishing through LinkedIn and the phishers will move on to a new platform.
Simple Steps Everyone Should Take
Use a Unique Password for Everything
Reusing passwords has been repeatedly shown to be a bad idea. If one account is breached, your password will get posted on websites. Malicious people can then try those credentials on other sites, and if you reuse passwords, they might just get access. Joel says that every account that needs a password should have a unique password. It can get complicated to keep track of them all, so he also recommends using a password manager.
Use Multi-Factor Authentication Everywhere
Multi-factor authentication, sometimes called two-factor authentication, requires an additional step between entering your credentials and logging in. Usually it’s receiving a text with a code or using an authentication app. Not every service offers it, but for those that do, it adds an extra layer of security just in case someone gets their hands on your credentials.
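To make the “additional step” concrete, here is an added example (not code from the podcast or from Check Point) of the server side of authentication-app MFA: a time-based one-time password (TOTP, RFC 6238) generated from a shared secret, and a login check that requires both a correct password and a code that is valid for the current 30-second step. The user record, the secret, and the SHA-256 password stand-in are constructed for the example; a production system would use a dedicated password hash such as argon2 or scrypt.

```python
"""Minimal TOTP second factor (added example, constructed data)."""
import base64
import hashlib
import hmac
import struct


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret_b32, int(at_time) // step, digits)


def password_digest(password: str) -> str:
    # Stand-in for a real password hash (argon2/scrypt); enough to show the flow.
    return hashlib.sha256(password.encode()).hexdigest()


def verify_login(username: str, password: str, submitted_code: str,
                 at_time: int, users: dict, window: int = 1) -> bool:
    """Both factors must pass: the password AND a code valid within +/- `window` steps.

    A stolen password alone fails here, which is the point of the extra step.
    """
    record = users.get(username)
    if record is None:
        return False
    if not hmac.compare_digest(record["password_digest"], password_digest(password)):
        return False
    counter = int(at_time) // 30
    for delta in range(-window, window + 1):  # tolerate small clock drift
        expected = hotp(record["totp_secret"], counter + delta)
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False


# Constructed user store. The secret is the RFC 6238 test key "12345678901234567890"
# in base32, so the codes below can be checked against the RFC's published vectors.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
USERS = {
    "alice": {
        "password_digest": password_digest("correct horse battery staple"),
        "totp_secret": SECRET,
    }
}

if __name__ == "__main__":
    now = 59  # RFC 6238 vector time; real code would use int(time.time())
    code = totp(SECRET, now)
    print("app would show:", code)
    print("password only:", verify_login("alice", "correct horse battery staple", "000000", now, USERS))
    print("password + code:", verify_login("alice", "correct horse battery staple", code, now, USERS))
```

The phone app and the server compute the same code from the same secret and the same clock, so nothing about the code travels over the network until the user types it in, and a code captured once is useless a minute later.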
Demand Multi-Factor Authentication from Financial Institutions
When you hear “financial institution,” you probably think of banks, credit unions, and investment accounts. But Joel broadens the definition a bit. He includes places like Amazon and other online stores. You do financial transactions with them on a regular basis, and you probably have your cards stored with them. Someone gaining access to that information can financially harm you just like if they accessed your bank.
Set up Alerts on Financial Accounts
Joel gets alerts for all his credit cards and bank accounts. Every time there is a transaction over $1, they send him an email and an SMS message. Not every company offers this – Amazon, LinkedIn, and Microsoft are all ones that Joel thinks should offer more notification options. But for those accounts that have the options, turn them on. Many companies don’t advertise their additional security options, so you may have to search for them.
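The story of the escalating gift-card orders and the advice to alert on every transaction over $1 are two sides of the same detection problem. As an added example (not code from the podcast or from any retailer’s fraud system), the following script runs two checks over a constructed transaction list: a simple per-transaction threshold alert, and a sequence check that flags a run of gift-card purchases with strictly increasing amounts inside a 24-hour window, which is the pattern each small purchase in the story was designed to slip past. Category labels, amounts and times are all constructed.

```python
"""Transaction-pattern alerting for a shopping account (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transaction:
    when: datetime
    amount: float
    category: str  # constructed labels: "gift_card", "grocery", ...


def threshold_alerts(txns, threshold: float = 1.0):
    """Per-transaction alerting: return every transaction above `threshold`.

    With threshold=1.0 this is the "tell me about everything" setting; it never
    misses a purchase, but leaves spotting the pattern to the account holder.
    """
    return [t for t in txns if t.amount > threshold]


def escalating_gift_card_alert(txns, min_run: int = 3, window=timedelta(hours=24)):
    """Sequence alerting: detect a run of gift-card purchases with growing amounts.

    Returns (fired, run). `run` is the first run of at least `min_run` gift-card
    transactions, ordered by time, where each amount exceeds the previous one and
    the whole run fits inside `window`. Individually small purchases still trigger it.
    """
    gift = sorted((t for t in txns if t.category == "gift_card"), key=lambda t: t.when)
    runs, run = [], []
    for t in gift:
        if run and t.amount > run[-1].amount and t.when - run[0].when <= window:
            run.append(t)
        else:
            if run:
                runs.append(run)
            run = [t]
    if run:
        runs.append(run)
    offending = [r for r in runs if len(r) >= min_run]
    return (True, offending[0]) if offending else (False, [])


# Constructed sample mirroring the story: cheap gift card, small grocery item,
# then larger and larger gift cards, all in one day.
START = datetime(2024, 1, 15, 9, 0)
SAMPLE_TXNS = [
    Transaction(START, 25.0, "gift_card"),
    Transaction(START + timedelta(minutes=20), 4.50, "grocery"),
    Transaction(START + timedelta(hours=1), 50.0, "gift_card"),
    Transaction(START + timedelta(hours=1, minutes=30), 6.00, "grocery"),
    Transaction(START + timedelta(hours=3), 100.0, "gift_card"),
    Transaction(START + timedelta(hours=5), 225.0, "gift_card"),
]

if __name__ == "__main__":
    print("threshold > $1:", len(threshold_alerts(SAMPLE_TXNS)), "alerts")
    print("threshold > $200:", len(threshold_alerts(SAMPLE_TXNS, 200.0)), "alert(s)")
    fired, run = escalating_gift_card_alert(SAMPLE_TXNS)
    if fired:
        total = sum(t.amount for t in run)
        print(f"escalation pattern: {[t.amount for t in run]} totalling ${total:.2f}")
```

A $200 threshold fires only on the last card, after most of the money is gone; the $1 threshold fires on all six purchases; the sequence check fires on the third gift card with the whole run attached, which is the alert a fraud reviewer would actually want to read.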
Take Basic Security Precautions
Having basic security awareness will help you a lot. Learn how to detect phishing in emails, SMS, and any other incoming communication. Be aware of things like sales that try to create a sense of urgency and get you to click links. If you see something in an email or on social media that you want to buy, avoid the link and type it into your favorite search engine instead. Being completely cynical isn’t a great way to go through life, but we do need a little cynicism to protect ourselves in the online world.
You have to have a healthy sense of everything that is going on. You have to take a pause when you get these things. … I hate to encourage people to be cynical, but you have to have the cynicism to survive in the world we’re in today – online, at least.
– Joel Hollenbeck
Joel’s Predictions for the Future of Phishing
Joel thinks LinkedIn is going to be the big medium for phishing attempts in the near future. Phishers will be able to mine the message history of compromised accounts for data. There will be mass phishing attempts trying to spread ransomware. There will also be lots of extraordinarily sophisticated spear phishing attempts. Since this method is still new, we don’t know yet how LinkedIn will adjust. In the meantime, it will be essential to detect phishing in incoming LinkedIn messages.
Joel also predicts that we’ll see a rise in phishing attacks on collaboration platforms like Slack, Teams, and even Zoom. They will be targeted for the same reason any new platform is – they’re more trusted. Most people aren’t thinking they should be ready to detect phishing when they open Slack the way they are when they open their email.
If you’re trying to protect your computer, your system, your accounts, and your personally identifiable information, you have to be extremely cynical about those links and attachments and be extraordinarily careful.
– Joel Hollenbeck
Even though Joel has some educated guesses, we really don’t know how phishing will evolve in the coming years. That’s why it’s essential to learn to detect phishing to keep your money and information safe.
Check Point Software Technologies publishes weekly research articles at research.checkpoint.com and weekly customer-facing information on blog.checkpoint.com. They also publish a quarterly brand phishing attempts report. You can find Joel Hollenbeck on LinkedIn.