Phishing – Not Just for Anglers Anymore
The digital world is becoming ever more perilous, and the people looking to defraud you are getting cleverer and cleverer. We all remember the scam emails claiming to be from Nigerian princes, who just need your bank account information to get their millions of dollars out of the country, and who are willing to reward you with a mountain of cash for the help. Today’s threats can be much harder to detect, and require a little more attention. I’d like to talk about something that I’ve had a great deal of experience with, both funny and terrible – phishing.
Phishing, and its more insidious brother, Spear Phishing, generally involve an email telling you some dire news that you need to act on immediately – and it appears to come from a trusted source. First, let’s talk about Phishing –
Phishing – phishing generally comes in the form of an email from a company, or somebody claiming to represent a company, that you know and trust. For instance, you may receive an email from “Microsoft”, claiming that your account is going to be locked if you don’t log in and update your information. I receive two or three emails a day claiming to be from “Apple” telling me my “Apple” account has been locked for suspicious activity, and I need to log in and provide my credentials to get it unlocked. Phishing emails tend to be “blasts”, sent out to huge email lists that the attacker has procured. You, and thousands of other folks, get the same email with a push of a button.
Phishing emails tend to be relatively easy to spot – usually, the English spelling and grammar are pretty bad, although in some cases it can be difficult to spot any mistakes without looking carefully. Generally, if an email sounds “awkward” in its phrasing, it’s a phishing attempt – if you think about it, it’s unlikely the real Apple is going to send you an email about something that “requires your immediate attention”. So how can you identify a phishing email? Let’s take a look:
1. Is the email REALLY from the source it claims to be? While it may say that it comes from a trusted source, it may very well not. Take a look at an email I received a few days ago –
is listed as the sender of this email – okay, so apple is sending me an email about something they need me to look at - but wait, look at the actual email address – that’s not an Apple address. An actual Apple address would contain apple.com, like Kirk@apple.com. This can be tricky, because not all email clients show the actual address, just who the address is claiming to be. When in doubt, click on the sender to expand the email address, or do whatever you need to do with whatever client you are using to obtain the actual address. If it’s not from Apple.com, or Microsoft.com, or whomever is claiming to be behind the email, it’s trash.
2. Do these folks speak English? Review the email carefully –
Does this sound like an email a multi-billion dollar company would send you? It’s certainly not the worst example I’ve ever seen, but looking at it, you get the feeling something is just “off”. Look at the “p” in Apple in the first line – doesn’t look like the “p” I just typed, does it? How about “your account has been used to sign-in to a iCloud via a web browser on Chrome”. Does that look right, sound like something Apple would send? Or would they send “your account has been used to sign into iCloud via a Chrome web browser”? Take a look at “signed in to iCloud recently”, and “, Please take action to Verify your account informations”. The weird grammar, spelling, and punctuation are all tip-offs this is somebody phishing a load of people in a mass email, hoping to mine themselves some Apple credentials.
3. Finally – yeah, okay. The first rule of email is never click the “convenience” link in the email. It may look like a link to Apple, but if you dig deeper, you’re going to find it leads somewhere else – like http://getyourpassword.haha.com/scam. If you’re really concerned that your Apple account is locked, the best thing to do is open YOUR OWN browser, type in www.Apple.com, and go from there. NEVER follow a click-through link in a suspicious email – it causes bad things to happen, and you will end up regretting it.
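As an added example (not from the original post), here is a small Python check that applies points 1 and 3 above to a raw email: it compares the sender’s address against the domain the message claims to be from, and flags links whose visible text points at the brand while the real href goes elsewhere. The message, addresses and link are constructed for the example; registered_domain is a crude two-label heuristic, not a public-suffix lookup.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the "Apple" mail described above; all addresses are made up.
SAMPLE = """\
From: "Apple" <support@apple-id-verify.example>
Subject: Your Apple account has been locked
Content-Type: text/html

<p><a href="http://getyourpassword.haha.com/scam">https://appleid.apple.com</a></p>
"""

def registered_domain(host):
    # Last two labels (apple.com, haha.com); no public-suffix list, good enough here.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(raw, claimed_domain):
    # Returns warnings: sender not at claimed_domain, and links whose target hides behind other text.
    msg = message_from_string(raw, policy=policy.default)
    warnings = []
    name, addr = parseaddr(str(msg["From"]))
    if registered_domain(addr.rpartition("@")[2]) != claimed_domain:
        warnings.append(f"sender {addr} is not at {claimed_domain} (display name {name!r})")
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in collector.links:
        target = registered_domain(urlparse(href).hostname or "")
        shown = registered_domain(urlparse(text).hostname or "") if "://" in text else target
        if shown != target:  # visible URL and real target disagree: the "convenience link" trick
            warnings.append(f"link shows {shown} but goes to {target}")
        elif target != claimed_domain:
            warnings.append(f"link goes to {target}, not {claimed_domain}")
    return warnings
```

Calling check_message(SAMPLE, "apple.com") returns two warnings, one for the sender and one for the link.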
Honestly, Phishing attacks aren’t hard to detect or avoid, if you’re smart. Got an email from Netflix saying your payment method needs updating, and they thoughtfully provide you a link to update it? Who knows, maybe your credit card expired? Open a browser, type in www.netflix.com, and go from there – odds are good your payment method is just fine, and you just denied somebody living in a basement in Bulgaria an Amazon shopping spree, on your dime – or worse, getting added to a file of stolen credit card numbers that are then sold on the dark web to whoever has the money. So, check the sender, check the body of the email, and for god’s sake, don’t click any links.
Spear Phishing is much nastier, but requires more work than a Phishing email – it requires personal information. What really sucks about a Spear Phishing attack is that it’s going to come from somebody you know, and probably trust. Here’s a recent example I’ve seen –
To: Bob Smith <bob.smith@BS.com>
From: Sally Mae <smae@yoursupplier.com>
Subject: Bank information Changes
Bob – we’ve recently changed banks, could you update your payment information with our new account? Please find the information below.
Thanks
Sally Mae
Wesellyoustuff INC
Now Bob works in accounting, and is in charge of processing payments to vendors – and this email just popped up in his inbox. It all looks legitimate – he knows Sally Mae, because she processes his payments to the supplier they buy parts from. So Bob makes the changes to the account, and goes on with his life. Two weeks later, a payment goes out to Sally Mae, and they never receive it – confused, Bob calls Sally and tells her he sent the payment out to the new account information – minutes later, bad things start to happen.
Does this sound unlikely? It’s not – it’s a more complicated, targeted scheme that looks absolutely legitimate, and has caught more people than you think. In this case, somebody was able to harvest Sally’s information from the supplier website and, using some email magic, send Bob (whose email they harvested from his company website) that email using Sally’s actual information. I’ve also seen more complicated attempts, where the attacker is actually able to penetrate an email system (Office365, in this instance), and respond AS somebody using their information. Here’s what I recommend to avoid these attempts –
1. If you have to scratch your head and say “what??”, there’s a problem. The CEO is traveling and ended up in a Mexican jail, and needs you to wire transfer him bail money (yes, I’ve seen it) – here’s the account. Be smart, and pick up the phone – odds are good the CEO didn’t assault a hooker in Guadalajara.
2. “Please don’t tell anyone” – I’ve seen this scam pulled both by phone and by email. Your <insert family member here> has been arrested for drug possession, and this is his/her personal plea – “just send money, don’t tell Mom or Dad.” Again, pick up the phone. I know somebody whose elderly mother was stopped just in time on her way to the bank to withdraw $10k, and I’ve seen emails with the same scam.
3. “Please change our account information” – folks, even multimillion dollar corporations fall for this. If you send people money, and those people tell you to change their account information, it’s worth a phone call to confirm. I know it sucks, but it’s better than being the guy in accounting who changed the information and cost the company $15k.
The world is full of people who want to take advantage of you and steal your hard earned money, and with technology, it’s getting easier. Scammers are getting smarter, and you really need to pay attention.
So finally, here are the general rules I apply:
1. Trust, but verify. If Sally Mae asks you to change her pay-to information, give her a call and confirm.
2. Take a minute and think about what the email is asking – if you’re uncomfortable with it, verify it.
3. NEVER click on embedded links in email – go to the website, and log in via that interface.
4. Always check the email sender – I know it’s another click, or otherwise more complicated, but it’s worth it.
5. If it sounds or looks funny, it probably is.
Hopefully this will keep you from becoming “that guy” – it will certainly help keep your personal information safe, and your credit card info where it belongs.
Kirk