August 2012 IT Business Consulting Newsletter

Don't Be the Big Phish

By Tom K

Last month I mentioned Phishing - the most prevalent means for the bad guys to get your (and your staff’s) personal/confidential information. They can use this information to access your private and commercial bank accounts, email accounts, shopping accounts, even your loyalty mileage accounts.
If it has value and they can get to it, they will steal it!

In this month’s newsletter I discuss Phishing and its cousins – SMishing and Vishing – how they work, how to detect them, and how to not be that Big Phish! I also provide a few links that show some Phishing examples and allow you to see how good the bad guys are, and how good you are at detecting them.


Social Engineering – What is it?

Social Engineering is the act of manipulating people into performing actions... in our case, a con devised to get you to give up your personal (or corporate) information. Yes, the bad guys convince you to just hand it over! And they are very good at this, continuously coming up with better cons, improving their approach, and adapting to new technologies. Phishing is the most predominant form of this type of social engineering.


Phishing

Phishing uses email to deliver the con. The email will try to lure you to a web site designed to trick you into providing personal information... any info used to access anything of yours that is available on line and has value, or info that can be used to steal your identity.

The phishing emails are generally from “financial institutions”, advising you of the need to activate, update, or correct your info... simply click here! They usually present a sense of urgency, as your account will be locked or you will be fined immediately if you don’t click here! An old favorite was PayPal. I’ve seen variations from all the major banks, and very popular of late is one “from” the IRS.

As mentioned, the cons have become very good. While we still see many Phishing emails and sites that are noticeably flawed with poor grammar, misspelled words, or shoddy graphics, many are now very well designed and very difficult to detect as counterfeits. Gone are the days when detection was a simple matter of scanning the email (and chuckling!)

The best means of detection is to always be on guard and don’t click on ANY links or attachments unless you are sure they’re legitimate and you know the sender. Any email that has a link to “your” personal info is fraudulent. No financial or government institution will request information and provide a link.

If you get an email that you believe may be legitimate, or one that has you concerned (from the IRS?), access the institution’s web site directly by manually typing the URL into your browser – don’t hit the link! Or phone them, but don’t use any phone numbers provided in the email – get it from the web site you accessed manually.

One recent variation is the Phishing email that directs you to an 800 number rather than to a web site. You’ll enter an automated system that eventually asks you to enter personal info. We’ve also seen Phishing emails that provide both phone numbers and web links. You get to pick the bait of your choice!

And if you just won $1000 from Best Buy or Staples or WalMart, you really didn’t... Don’t click the link!

If you are inclined to click on a link, set your browser to display the actual URL of links and hover your mouse pointer over the link to see where it really goes. But stay on guard as some of the links point to very well counterfeited URLs.


The Derivations - SMishing and Vishing

Cute names for vicious activity...

SMishing is Phishing via text (SMS) rather than email. All the same concerns exist, and all the same rules apply. No financial institution will request personal info via a link, and you didn’t win $1000!

Vishing is Phishing via phone (Voice). You’ll get a call from a helpful customer service rep that just needs a bit of info to straighten out your account. Hang up and call the institution directly.

Another popular Vishing con is the call from Microsoft or Dell advising that you have a virus, and if you go to a site and download an app they can pop right into your PC and fix it! Don’t believe it and don't do it!


Social Media

We’ve seen instances of fraudulent links and phone numbers being presented through the Social Media channels. The same risks exist here, and data indicates this is becoming more prevalent.


If You Do Get Caught...

In the USA, the best place to start is the Internet Crime Complaint Center. The IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).

http://www.ic3.gov/default.aspx

In Canada, the best place to start is the Canadian Anti-Fraud Centre. Select your language, and select “How do I report Fraud?” on the left.

http://www.antifraudcentre-centreantifraude.ca/

Both sites also offer a wealth of information concerning Internet Fraud of all types.


Some Quizzes with Examples

You may think you are better than the fraudsters, but they are very good. I am VERY good, but I missed one out of ten in the last Phishing quiz I took. Here are some links to a few quizzes:

http://www.ic3.gov/super-phishing-quiz/

http://www.opendns.com/phishing-quiz/

http://www.contentverification.com/phishing/quiz/

http://www.elearningcorner.com/products/phishingquiz/

http://www.sonicwall.com/furl/phishing/


As ever, if you have any questions or comments concerning this article, I’d be happy to discuss this with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.


Next month I’ll continue the discussion of security with a look at the hows and whys of security audits. See "IT Security Audits"