Gone Phishing

The NuData Security Fancier: Phishing Edition

An electronic periodical for the discerning security enthusiast

September 21, 2016

Summer might be drawing to a close, but phishing season is still in full swing. Yes sirree, there’s nothing quite like a long, lazy afternoon floating on a data lake, warmed by simulated sunshine, just waiting to see what bounty Mother Technology blesses you with. Sharp-eyed readers might have noticed the unorthodox spelling of “phishing” in the preceding paragraph. Excellent work, sharp-eyed readers!

If it’s not obvious by now, we’re not talking about fishing, the beloved recreational activity in which human beings employ a variety of purpose-built instruments for the capture and consumption of aquatic wildlife.

Today we’re talking about phishing which, like all weird and unintuitive stylizations of existing English words, is a term born in the crucible of computer culture and intended to both fascinate and alienate the normies who don’t really understand the inside workings of magic internet boxes.

PHISHING is a broad term that encompasses any activity that is intended to deceive users into providing sensitive or private information to a person or group that has no business obtaining that information.

As an example, consider the ol’ Fake Banking Website Grift – a classic phish tail if there ever was one. You get an email that appears to be from your bank telling you that there’s been some suspicious activity on your account. Not to worry, here’s a link you can click that will take you straight to the login page where you can check on your precious funds!

[Screen capture: Not Your Bank]

Notice anything suspicious in the screen capture above? If you said, “Royal Bank’s official shade of blue is a few degrees darker,” you’re right! But also, the URL isn’t a Royal Bank URL.

Imagine you just enter your username and password into the boxes provided. Whoopsie daisy, you just sent your banking credentials to a group of nefarious hackers. Phishers? Regardless, it’s bad news for you.

There are as many types of phishing attacks as there are phish in the sea. You might get an email “from” your phone company, asking you to remit this month’s bill via Paypal to the email address telusmobility@gmail.com. Or an email “from” your Grandma who unexpectedly won the lottery and needs your SIN so she can transfer you fat stacks.

These phishing attacks aren’t just personal, either. Increasingly, companies and their employees are being targeted by enterprising hackers. Watch out for emails asking for your work passwords or proprietary information.

It’s hard out there for the average punter who just wants to use email without having their entire identity stolen and sold on the Deep Web for a few satoshis and some Star Trek fanfic of dubious origin. But here are a few things you can do to keep yourself (and your company!) a little bit safer:

  • Never respond to emails that request privileged information, particularly financial information! If you think the email might be legitimate, contact the company or person through their publicly accessible phone number to verify the source of the email.
  • Be cautious of opening attachments and downloading files from emails, no matter who they are from! Hackers can “spoof” an email address, making it look like the message came from someone you know.
  • Check that website URLs are legitimate, and that you are using HTTPS when available! The “s” stands for “security!”
  • Report any suspicious activity to your Operations or Technology team! Don’t try to hide it if you got fooled by a phishing email; you probably have folks at your company who are there to help.
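The “is this really my bank’s URL?” check from the Royal Bank example and the “is this really my phone company’s address?” check from the telusmobility@gmail.com example are the same test: does the host or mail domain belong to the organisation you expect? The script below is an added example and is not code from NuData Security. The domain names in it (royalbank.example, rbc.example, telus.example, evil.test) are constructed placeholders, not real sites. It uses the standard library only and shows the two traps a naive check falls into: a substring match that is fooled by royalbank.example.evil.test, and a URL whose “host” is really a username in front of an @.

```python
from email.utils import parseaddr
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed allow-list of the domains a bank actually owns (placeholders).
LEGITIMATE_DOMAINS = {"royalbank.example", "rbc.example"}


def host_matches(host: str, domains: Iterable[str]) -> bool:
    """True only if host IS one of the domains or a subdomain of one.

    A plain substring test ("royalbank.example" in host) would accept
    "royalbank.example.evil.test", which is owned by whoever owns evil.test.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_link(url: str, domains: Iterable[str] = LEGITIMATE_DOMAINS) -> List[str]:
    """Return the reasons a link looks suspicious; an empty list means nothing was flagged."""
    problems = []
    parts = urlsplit(url)

    # Tip: "check that you are using HTTPS when available".
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme or 'missing'}, not https")

    host = parts.hostname or ""          # urlsplit lowercases this for us
    if not host:
        problems.append("no hostname in URL")
        return problems

    # "https://royalbank.example@evil.test/": everything before '@' is userinfo,
    # the browser connects to evil.test.
    if parts.username is not None:
        problems.append(
            f"URL has userinfo '{parts.username}@' in front of the real host {host}"
        )

    # Tip: "check that website URLs are legitimate".
    if not host_matches(host, domains):
        problems.append(f"host {host!r} is not one of the organisation's domains")
    return problems


def sender_domain_mismatch(from_header: str, expected_domain: str) -> Optional[str]:
    """Return the sender's domain if it is NOT the expected one, else None.

    Accepts either a bare address or a display-name form such as
    "Telus Mobility <telusmobility@gmail.com>"; the display name is ignored
    because it is whatever the sender typed.
    """
    _, address = parseaddr(from_header)
    if "@" not in address:
        return address or "(no address)"
    domain = address.rsplit("@", 1)[1]
    return None if host_matches(domain, [expected_domain]) else domain


if __name__ == "__main__":
    # Constructed sample links and headers, not taken from real phishing mail.
    for link in [
        "https://www.royalbank.example/login",
        "http://www.royalbank.example/login",
        "https://royalbank.example.secure-login.test/verify",
        "https://royalbank.example@evil.test/",
    ]:
        print(link, "->", check_link(link) or "looks fine")
    print(sender_domain_mismatch("Telus Mobility <telusmobility@gmail.com>", "telus.example"))
```

The whole-label suffix match in host_matches is the part worth copying: it is how a browser decides which cookies a site gets, and it is the difference between “the host ends with my bank’s name” and “the host is my bank”.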
