Cybersecurity Tips | Phishing
Hi, my name is Dave Hatter and I'm a cybersecurity consultant at Intrust IT. I'm excited to be here today on behalf of my friends from HCM to talk about an important and timely cybersecurity topic, in this case, phishing. Chances are, even if you don't know what the term means, you've unfortunately been exposed to it. And you can see in the first bullet there, I have a quote from phishing.org. Phishing.org is a great website that will not only help you identify phishing, but also help you avoid it. I highly recommend you check that site out. It will go a long way towards helping protect you, your family, and your organization from these phishing attacks, which unfortunately are increasingly prevalent and unfortunately continue to produce results for the bad guys.
Phishing originally can trace its roots back to email. As more and more people have access to email, the bad guys know it's a very cheap and effective way to reach large numbers of people. They can buy a list online of millions or hundreds of millions of email addresses and send out emails to people. Again, the idea is that I'm going to cast the line and see what I can reel in, at almost no cost and frankly, with very little risk of being caught. And you'll see that funny graphic there on the bottom: "My bank just emailed me, better confirm my address and Social Security number, like they asked," which is the type of social engineering that's typically delivered via phishing. You get an email message, it has some urgent nature to it, or you're being asked to do something like buy gift cards. Usually you're warned that if you don't do something almost immediately there's going to be these dire consequences. And those are some of the telltale signs, but we'll come back to that in a minute.
It's important to point out though, as you can see in my "types include", there are different types of phishing in terms of their targeting, and I'm going to come back to that in a minute, and there are different types of phishing based on the delivery mechanism.
Again, phishing typically refers to email delivery. Also, because you have an ever-increasing number of people using texts on their mobile phones, they're being subjected to something called smishing. SMS is the shorthand technical name for text, and so smishing is a takeoff of that. That's text-based phishing. It's very easy for the bad guys to get a list of phone numbers and send out bogus messages via text.
Understand that phishing is much broader than just email. And then you have vishing, which is voice phishing. Bad guys, and we'll talk about this in more detail in a different topic, have call centers set up where they will just try to run scams all day long. Again, they're socially engineering you: they'll call and try to get you on the phone, or they'll leave a message telling you there's some crisis at your bank or whatever, attempting to encourage you to give up information that you should not give up. It's important to understand these types of attacks.
Again, this is a form of social engineering; it could come via email, it could come via text, or it can come via phone call. And then the phishing can be targeted. In many cases, again, it's just, I'm going to send out as many emails as I can and see what I reel in. But you also have a type of phishing known as spear phishing: I'm going to target a specific group of people, or perhaps people with a certain role.
I'm not just going to send out a hundred million emails and see what happens. I'm going to target, right. I'm going to want to spear phish instead. And sometimes you might hear the term whaling. Whaling is a very, very targeted form of spear phishing where they're generally going after high-level executives.
In some cases, they will impersonate a high-level executive based on information they can find publicly online on things like LinkedIn profiles or company websites. And they might send an email to some accounting employee in a large company that impersonates the CEO and says they need to do a wire transfer, that sort of thing.
If we had more time, I could tell you lots of real-world stories where I've seen this, and frankly, had these tactics targeted at me in various capacities. It happens all the time. It's very common. It's never been more important for people to understand that this goes on on a large scale, and partially because it's very inexpensive for the bad guys to pull off these attacks. In many cases, they're raking in lots of money as a result, and they're rarely prosecuted. There are a lot of telltale signs of phishing. If you get an email or any sort of message, let's just call it a message, whether it's an email or a text, or even a voicemail someone might leave, and it's from an organization you've never had any contact with before, and it's telling you something urgent: these things are very carefully designed. In some cases, it might appear to be a UPS shipment that has a problem, or a FedEx shipment. It might claim to be some local government agency that claims you owe taxes, or that there's a warrant out for your arrest.
They will cover their tracks in a variety of ways and attempt to create an air of legitimacy and urgency. In the old days, a lot of times these things would be full of spelling errors and grammar errors. Those are certainly red flags. If you see a lot of spelling errors or grammar errors, understand that it's probably fake.
If you get something from any organization that claims you have to do something right now, you should be highly skeptical of that. One of the best defenses against phishing is to be extremely skeptical. Okay. Because it's very easy for the bad guys to go to a legitimate website, copy everything off that website, and send you an email that uses real logos, real names, real copy from a real company.
There are all kinds of scams where phishing starts the scam. Okay. It's very easy. The best thing you can do when you get any message, and you have any questions about it whatsoever, is to be skeptical, and you really do need to be skeptical. Say you do business with 5th/3rd bank, and you get an email from 5th/3rd bank, and it tells you they're going to close your account, and it tells you you need to go to this website and enter your username and credentials.
No legitimate organization needs your username and password. They already have it and they can reset it for you. They do not need you to supply it to them. If they do need you to supply it to them, you probably need to find a new vendor for whatever that service is. If you're being asked to provide any sort of sensitive information, a credit card number, your username and password, your Social Security number, anything like that, from an unsolicited email, then the best thing you can do is do what we nerds in the business call "going out of band". You literally ignore the message and you say, okay, I think that this thing could be legitimate. I'm not going to call any phone numbers that they supplied to me. I'm not going to click any links they supplied to me. I'm not going to use any of the information they supplied to me. I'm going to go on my own and open up a new web browser window.
Look up the organization, 5th/3rd, Target, UPS, IRS, whomever this thing claims to be from, and use the information that you find on their legitimate website to reach out to them and say, I got this message, text, email, whatever it is. And again, go out of band. Confirm on your own. It's a trust-but-verify thing, only, sadly, nowadays you really can't trust anything because it's so easy to spoof this stuff.
You really need to assume anything you get that's unsolicited, especially if it's from an organization you've never done business with before, is fake. If you want to follow up, you need to reach out to that organization on your own, using information you find independent of that message, to confirm it's real, because 99% of the time, these things are fake and they're going to play on the sense of urgency they created there.
Unfortunately, this is probably going to get worse before it gets better, because again, the bad guys are making an enormous amount of money and they are, unfortunately, rarely prosecuted. Stay safe out there. Be very skeptical, and go to phishing.org, where they have lots of examples and you can see just how realistic these things are.
If you have further questions about this, you're more than welcome to reach out to me. You can easily find me on Twitter or LinkedIn, and I will be happy to try to provide any additional guidance I can. Thanks a lot for your attention today and have a great day.