As of today, 95 percent of all cyber intrusions took place because someone clicked on a link in an email or a text. The most publicized cyber intrusions, such as the DNC, Sony, Target, the theft of the F-35 plans perpetrated by China, and the list goes on, have one single common denominator: phishing!
What is phishing?
It is a fraudulent way of fishing for information, and the consequences stink like rotten sardines. The practice consists of sending emails purporting to be from reputable companies or government organizations, asking individuals to reveal personal information such as passwords and credit card numbers.
The emails most often look very legitimate. The photo below shows a phishing email that customers of the National Australia Bank received. The bank lost $1.8 million before it realized the scam was going around.
Who can get phished?
Everybody can get phished. The goal is to obtain information that can be used to access intellectual property, bank accounts, credit cards, medical records… anything that can be sold on the black market.
There is a false belief that only important people get phished. Nope. You could be the newest employee, hired to watch people go in and out of the building. If the crook can access your personal information and from there crawl his or her way to the most protected data in the company or government organization, then you are a good candidate to be a phishing target.
In Dec 2016, Ben DiPietro, writing for the Wall Street Journal, reported on a survey conducted by the firm RedSeal which concluded that 80% of CEOs operate with such cyber ignorance about these types of threats that they make their companies cyberattack targets.
How do you escape a phishing attack?
You might think that if phish stinks like rotten sardines, then maybe a powerful room deodorizer will protect you against cyber intrusions. Not with this type of phish.
The ONLY way you can prevent falling victim to a phish is by NEVER clicking on a link sent to you via email or text. If you receive an email from Google asking you to check something on your account (as was the case in the DNC hack), do not click on the link in that email to go to Google. Go to your browser and type the domain of the website you need to access directly into the address bar.
If you receive an email from anyone you know well or trust, or from your boss, the Pope, the Dalai Lama… and that email has a link (URL) that will send you to a website, DO NOT click on the link. Copy the link and paste it into the Google search bar (not the URL bar, but the search bar). This way, if the link is a cyber mine, Google will in most cases let you know that you are about to step on one.
Most people check the news on their phones. The same rules apply: copy the link and bring it to your browser's search field. See the images below, and notice that the link gets copied and then pasted into the Incognito URL bar of Google Chrome (incognito mode does not have a search field separate from the URL bar).
Same principle applies to links received by text.
How can you read the source or header of an email?
When you look at the header of any email, you can see the return path. This means you can see to whom the email will be sent when you click reply. This is a good thing to look at in emails where the sender is asking you to reply with some personal information.
Not all phishing emails have a link. Some phishers instead ask you to type the information into the body of your reply.
In Gmail, you can access “view source” by selecting the arrow to the right of the reply button. Below are examples of a phishing scam and the return path address it uses.
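The header check described above can be automated. The following is an added example (not from the original post): it parses a raw message with Python's standard `email` module and compares the domain of the visible From address with the Return-Path and Reply-To domains, which are the addresses a reply or bounce would actually travel to. The sample message and every address in it are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From address does not match the
# Return-Path / Reply-To that a reply or bounce would actually go to.
# All addresses and domains here are made up for illustration.
SAMPLE_EMAIL = """\
Return-Path: <bounce@example-lookalike.invalid>
From: "Customer Service" <support@example-bank.invalid>
Reply-To: <verify-account@example-lookalike.invalid>
To: <customer@example.invalid>
Subject: Please confirm your account details

Reply to this message with your account number and password.
"""


def _domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_reply_destination(raw_message):
    """Compare where a message claims to come from with where a reply goes.

    Returns the From, Reply-To and Return-Path domains plus a list of
    findings; an empty findings list means the headers agree.
    """
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    reply_to_domain = _domain(msg.get("Reply-To"))
    return_path_domain = _domain(msg.get("Return-Path"))

    findings = []
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"Reply-To domain {reply_to_domain!r} differs from From domain {from_domain!r}")
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain!r} differs from From domain {from_domain!r}")
    return {"from": from_domain, "reply_to": reply_to_domain,
            "return_path": return_path_domain, "findings": findings}


if __name__ == "__main__":
    result = check_reply_destination(SAMPLE_EMAIL)
    for line in result["findings"] or ["Headers agree: a reply goes where the sender claims"]:
        print(line)
```

A mismatch is not proof of fraud (mailing-list services and ticketing systems legitimately set a different Return-Path), but it is exactly the signal to look for before replying with personal information.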
That is all for now. Thank you for reading and remember that I can bring this training to your organization. See below.
Meta brings the courses Risk Management When Online and Open Source Intelligence (OSINT) Collection and Analysis to your organization regardless of where you are located. Watch this short clip: https://www.youtube.com/watch?v=aRXazQuPzFs Then call us to schedule training for your team or organization.
About the Blog
This blog is updated on a bi-weekly basis and it will address a variety of topics concerning cybertechnology, privacy and ethics in the cyberspace domain.