In the infancy of the phishing scam, those bygone days of a few years ago, when a mail would pop into your inbox offering fabulous wealth in exchange for something as innocuous as your bank account details, there were a few high-profile cases and some initial problems were caused.
Once knowledge of these scams entered the general consciousness the ludicrous nature of what was on offer quickly became apparent, and the Nigerian prince with funds to siphon through a foreign bank rapidly slipped into fodder for the stand-up comedians. As with so many of those who populate the internet, rather than give up on a lost cause, the phishers have merely seen this as a challenge, stepping up their game to create increasingly convincing fakes and shifting from offering a life of luxury to subversively threatening your finances and security if you don’t respond to their requests.
Preventing yourself from becoming a victim has stopped being about simple common sense and started being about educating everyone at an organisation about recognising the signs that separate the fact from fiction.
One of the first steps in any successful hack is crafting a believable site for the user to land on. Rarely do the emails themselves contain the threat; they are usually just a delivery system for the illicit links, and it’s the website they link to that does the damage. An attempt to attack a network by attaching a virus to an email will be picked up by anti-virus and spam filters. Getting the user to click a link creates an outward connection, which protection software will find much more difficult to prevent.
Sometimes internet browsers will identify these sites and flag up ‘This site is not trusted’. If you see that message, don’t ignore it or try to get around it; move away quickly. These trusted-site certificates aren’t perfect though, and more often than not a subversive site will get through. Creating a fake site is a surprisingly quick process. Registering a fake but similar address, ‘Bank.org’ rather than ‘Bank.com’, takes a few minutes with a hosting service, and there are numerous tools, some legitimate, that will copy all of the assets from an official site so the forger can quickly create a carbon copy with all the appropriate logos and content you’d expect from the original. The difference is that when you enter your details here, rather than being granted access to your bank, you’ll get an error page while your username and password are stored away in a database for later use.
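As an added illustration of the ‘Bank.org rather than Bank.com’ trick, and not part of the original article, the following Python function scans an email body for links whose domain reuses a trusted brand name under a different suffix, or hides the brand as a subdomain of an unrelated domain. The email text, the trusted-domain list and every domain name in it are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample email body: one genuine link and two look-alike links (all names hypothetical).
SAMPLE_EMAIL = """Dear Bill,

Your account has been suspended. Please confirm your details at
https://bank.org/login?session=1234 within 24 hours.

Our help pages: https://www.bank.com/help
Secure portal: http://bank.com.secure-login.example/verify
"""

# Domains the organisation genuinely deals with (constructed for the example).
TRUSTED_DOMAINS = {"bank.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Return the last two labels of a host name, e.g. 'www.bank.com' -> 'bank.com'.
    Deliberately naive: production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_links(body: str, trusted: set[str]) -> list[tuple[str, str]]:
    """Return (url, reason) for each link that is not on a trusted domain but
    borrows a trusted brand label, either as 'brand.<other suffix>' or as a
    subdomain such as 'bank.com.<attacker domain>'."""
    brands = {d.split(".")[0] for d in trusted}
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        reg = registered_domain(host)
        if reg in trusted:
            continue  # genuine link, nothing to report
        labels = host.lower().split(".")
        if reg.split(".")[0] in brands:
            findings.append((url, f"brand label with a different suffix: {reg}"))
        elif any(label in brands for label in labels[:-2]):
            findings.append((url, f"brand used as a subdomain of {reg}"))
    return findings


if __name__ == "__main__":
    for url, reason in lookalike_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(f"suspicious link: {url} ({reason})")
```

Run as-is it reports the two look-alike links and stays silent on the genuine www.bank.com one; a mail gateway or user-reporting workflow would feed real message bodies and the organisation’s own trusted domains into `lookalike_links`.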
The email itself is usually the easiest part. Like most forgeries all that’s needed is a copy of the original which in this case is normally just a matter of registering with the site to get a template email sent through with all the logos and formatting to make it look legitimate. At this point it’s the target that defines the next step.
The majority of scams will take a scattergun approach: fire out twenty thousand emails and hope for a fraction of a percent to bite. The minuscule costs involved in setting up this kind of scam mean that even if only half a percent respond it will still turn a healthy profit. To increase that percentage, and reduce the profile of the scam, phishers have turned to a system known as Open Source Intelligence Gathering or OSIG. Utilising publicly available information, through networks like Facebook and LinkedIn, forgers can gather information on the personnel and structure of a company and then target specific users with information that would seem private: full names, job titles or even nicknames, all to increase the credibility of the email. ‘Dear Bill’ will work a lot better than ‘Dear User’.
Control of information is vital, more vital than probably any other part of a business. The information that you hold about yourselves, your suppliers and your customers has a price on it far beyond the money in your bank, because it offers a way into their bank accounts, and then into their friends’ and families’ bank accounts. Educating staff and keeping a tight rein on where your data goes is vital for your business survival.