Showing posts with label cybercriminals. Show all posts

Wednesday, October 10, 2018

Phishing: An Introduction


Chances are good that at some point you’ve received a suspicious email urging you to click on a link or open an attachment. This email was most likely an example of the cybercrime known as phishing. This article serves as an introduction to phishing: what it means, how it affects individuals and organizations, and how security awareness and training tools can be used to reduce the threat of these attacks.
What Is Phishing?
Phishing is when cybercriminals send malicious emails designed to trick people into falling for a scam. The intent is often to get users to reveal financial information, system credentials, or other sensitive data.
The term “phishing” came about in the mid-1990s, when hackers began using fraudulent emails to “fish for” information from unsuspecting users. Since these early hackers were often referred to as “phreaks,” the term became known as “phishing,” with a “ph.” Phishing emails try to lure you in and get you to take the bait. And once you’re hooked, you’re in trouble.
Phishing is an example of social engineering: a collection of techniques scam artists use to manipulate human psychology. Social engineering techniques include forgery, misdirection, and lying, all of which can play a part in phishing attacks. On a basic level, phishing emails use social engineering to encourage you to act without thinking things through.

Why Is Phishing a Problem?

Cybercriminals use phishing because it’s easy, cheap, and effective. Email addresses are easy to obtain, and emails are virtually free to send. With little effort and little cost, attackers can quickly gain access to valuable data. Those who fall for phishing scams may end up with malware infections (including ransomware), identity theft, and data loss.

The data cybercriminals go after includes personal information — like financial account data, credit card numbers, and tax and medical records — as well as sensitive business data, like customer names and contact information, proprietary product secrets, and confidential communications.
Cybercriminals also use phishing attacks to gain direct access to email, social media, and other accounts — or to obtain permissions to modify and compromise connected systems, like point-of-sale terminals and order processing systems. Many of the biggest data breaches — like the headline-grabbing 2013 Target breach — start with a phishing email. Using a seemingly innocent email, cybercriminals can gain a small foothold and build on it.
Cybercriminals use three primary mechanisms within phishing emails to steal your information: malicious web links, malicious attachments, and fraudulent data-entry forms.
Example of Malicious Web Links:
[Image: example of a malicious web link]

Links, also known as URLs, are common in emails in general, and also in phishing emails. Malicious links will take you to imposter websites or to sites infected with malicious software, also known as malware. Malicious links can be disguised to look like trusted links, and embedded in logos and other images inside an email.
Here is an example of an email received by users at Cornell University, an American college. It is a simple message that showed "Help Desk" as the name of the sender (though the email did not originate from the university’s help desk, but from the @connect.ust.hk domain). According to Cornell’s IT team, the link embedded in the email took those who clicked it to a page that looked like the Office 365 login page. This phishing email attempted to steal user credentials.
Example of a Malicious Attachment:
[Image: example of a malicious attachment]

These look like legitimate file attachments, but are infected with malware that can compromise your computer and the files on it. In the case of ransomware — a type of malware — all of the files on your PC could become locked and inaccessible. Or, a keystroke logger could be installed to track everything you type, including your passwords. It’s also important to realize that ransomware and malware infections can spread from your PC to other networked devices, such as external hard drives, servers, and even cloud systems.

Here is an example of phishing email text shared by international shipper FedEx on its website. This email encouraged recipients to print out a copy of an attached postal receipt and take it to a FedEx location to get a parcel that could not be delivered. Unfortunately, the attachment contained a virus that infected recipients’ computers. Variations of these types of shipping scams are particularly common during the Christmas shopping season, though they are seen year-round.
Fraudulent Data Entry Forms
[Image: example of a fraudulent tax data-entry form]

These emails prompt you to fill in sensitive information — like user IDs, passwords, credit card data, and phone numbers. Once you submit that information, it can be used by cybercriminals for their personal gain.
The above image is an example of a fake landing page shared on the gov.uk website. After clicking on a link in a phishing email, users would be routed to this fraudulent page that appears to be part of the HMRC tax collection agency. Users are told they are eligible for a refund but must complete the form. This type of personal information can be used by cybercriminals for a number of fraudulent activities, including identity theft.
It’s important to recognize the consequences of falling for a phishing attack, either at home or at work. Here are just a few of the problems that can arise from falling for a phish:

In Your Personal Life

  • Money stolen from your bank account
  • Fraudulent charges on credit cards
  • Tax returns filed in your name
  • Loans and mortgages opened in your name
  • Lost access to photos, videos, files, etc.
  • Fake social media posts made in your accounts

[Video: 60 Seconds to Better Security]
Partially reposted from Wombat Security: Phishing: An Introduction

At Work


  • Loss of corporate funds
  • Exposed personal information of customers and coworkers
  • Outsider access to confidential communications, files, and systems
  • Files become locked and inaccessible
  • Damage to employer's reputation


Tuesday, October 10, 2017

Don't Let a Phishing Scam Reel You In

Cybercriminals use phishing—a type of social engineering—to manipulate people into doing what they want. Social engineering is at the heart of all phishing attacks, especially those conducted via e-mail. Technology makes phishing easy. Setting up and operating a phishing attack is fast, inexpensive, and low risk: any cybercriminal with an e-mail address can launch one.
According to Verizon's 2017 Data Breach Investigations Report, the education sector saw a rise in social engineering–based attacks. Students, staff, and faculty all suffered losses when personal data and research were disclosed to unauthorized parties. Phishing played a part in more than 40% of these breaches. Knowing what you're up against can help you be more secure. Here are a few things you can do to guard against phishing attacks:
  • Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust.
  • Protect your credentials. No legitimate company or organization will ask for your username and password or other personal information via e-mail. Your school definitely won't. Still not sure if the e-mail is a phish? Contact your IT help desk. (Many institutions now offer a "phish bowl" so end users can quickly and easily report phishy messages or view the latest scams.)
  • Beware of attachments. E-mail attachments are the most common vector for malicious software. When you get a message with an attachment, delete it—unless you are expecting it and are absolutely certain it is legitimate.
  • Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including logos and URLs that are close to the links they're trying to imitate. There's nothing to stop them from impersonating schools, financial institutions, retailers, and a wide range of other service providers.
  • Trust your instincts. If you get a suspicious message that claims to be from an agency or service provider, use your browser to manually locate the organization online and contact them via their website, e-mail, or telephone number.
  • Check the sender. Check the sender's e-mail address. Any correspondence from an organization should come from an organizational e-mail address. A notice from your college or university is unlikely to come from YourIThelpdesk@yahoo.com.
  • Take your time. If a message states that you must act immediately or lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.
  • Don't click links in suspicious messages. If you don't trust the e-mail (or text message), don't trust the links in it either. Beware of links that are hidden by URL shorteners or text like "Click Here." They may link to a phishing site or a form designed to steal your username and password.
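Two of the checks above, "check the sender" and "don't trust hidden links", can be mechanised for a mail gateway or a phish-bowl triage script. The following is an added example, not code from the original post or from EDUCAUSE; the message it parses is constructed to mirror the Cornell "Help Desk" email described earlier, and the `org_domain` parameter, the `SHORTENERS` list and the `phishing_indicators` function are all assumptions of this example.

```python
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample modelled on the Cornell message above: display name "Help Desk"
# but an off-campus address, a link labelled only "here", and a link whose visible
# text shows the real portal while the href goes to a URL shortener.
SAMPLE_EMAIL = b"""From: Help Desk <support@connect.ust.hk>
Subject: Action required: your mailbox will be suspended
Content-Type: text/html

<p>Click <a href="http://login-office365.example.net/verify">here</a>
or visit <a href="http://bit.ly/abc123">https://portal.example.edu</a></p>
"""
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # illustrative, not exhaustive
class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw: bytes, org_domain: str) -> list[str]:
    """Return the indicators found in one raw message; an empty list means none."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender = msg["From"].addresses[0]  # policy.default parses display name and domain
    claims_it = any(w in sender.display_name.lower() for w in ("help desk", "helpdesk", "support"))
    if claims_it and sender.domain.lower() != org_domain:
        findings.append(f"'{sender.display_name}' sends from {sender.domain}, not {org_domain}")
    collector = LinkCollector()
    collector.feed((msg.get_body(preferencelist=("html",)) or msg).get_content())
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        shown = urlparse(text).hostname  # None unless the visible text is itself a URL
        if host in SHORTENERS:
            findings.append(f"link hidden behind URL shortener: {href}")
        if text.lower() in ("here", "click here"):
            findings.append(f"generic link text '{text}' hides destination {host}")
        if shown and shown.lower() != host:
            findings.append(f"link text shows {shown} but points to {host}")
    return findings
```

Run against the constructed sample with `org_domain="example.edu"`, the function reports the off-domain "Help Desk" sender, the bare "here" link, the shortener, and the mismatch between the displayed portal address and the real destination; a genuine notice from an address in the organisation's own domain with links whose text matches their target yields an empty list.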


Partially reposted from: https://er.educause.edu/blogs/2017/9/october-2018-dont-let-a-phishing-scam-reel-you-in