Went Phishing, Got Hacked!

Oh, the emails you will get, the places they will be from, the USB drives you will find, and stick in your computer for fun. The strangers you will meet, that pretend to ask for help, have cloned your work badge, and used it for themselves!

Thank you, Dr. Seuss, for the inspiration on my Cyber Security rhyme.

Social Engineering remains one of the most common forms of hacking, built on a simple idea: “Why should I work so hard, when I can get someone else to unknowingly do it for me?”

According to Fossbytes.com, phishing is the most common type of social engineering attack, and all you need to do is send an email. Yep, that’s right, an email.

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising oneself as a trustworthy entity in an electronic communication.

Reference: https://en.wikipedia.org/wiki/Phishing

It’s not always as simple as sending an email and asking you to provide your username and password, though I am sure that has worked in the past. Normally the originator pretends to be a legitimate source such as a bank, a doctor’s office, or your Human Resources team at work; the hacker embeds links in that email and, using clever phrasing, tempts you to click on them.

These links can download malware in the background, take you to a scam site, or simply ask you for personal information because you are led to believe it’s for something legitimate.

Here is the sad part: even though people are aware of this type of scam, both email and voice phishing are still on the rise, for the simple reason that many recipients cannot tell a phishing attack from the real thing.

Cook S. (2018) of Comparitech.com writes: “It’s 2018, and most consumers have gotten pretty wise about common types of phishing scams. Even still, a 2015 McAfee survey found that 97 percent of consumers were unable to correctly identify phishing emails, meaning we may be wise about what phishing emails are, but we’re still pretty bad about avoiding them in practice.”

Reference: https://www.comparitech.com/blog/vpn-privacy/phishing-statistics-facts/

So, what can you do to protect yourself? Here are some simple steps:

Voice Phishing

  1. Ask for the name of the person you are speaking to and the company they are with. Politely end the call and let them know you will be in touch soon. Hop on Google and search for information about the company, check LinkedIn and the Better Business Bureau, and go as far as calling the company back on its published public number (not one the caller gave you) to tell them about the call you received. It is a bit of extra work, but it is worth the effort when it protects you or your organization.
  2. If they are calling you at work, verify with a manager. Ask if they have a work order or documentation they could email to you regarding their call.
  3. Ask for a callback number. Google that number and see if there is any information on it, but treat the number the caller gave you as unverified: a scammer will happily hand you a number that rings straight back to them.


Email Phishing

  1. Verify the sender information by checking the email header. MXToolBox.com has some great tools for reading an email header: it lays out the chain of Received hops and the SPF/DKIM/DMARC results, and checks the relaying servers against known bad or fraudulent senders.

Scan Email Header: https://mxtoolbox.com/EmailHeaders.aspx

  • If you are unsure on how to get the header from your email, they also have some sweet instructions:

How to get the email header: https://mxtoolbox.com/public/content/emailheaders/

  2. Scan a link before you click on it! Instead of blindly clicking a link and inadvertently downloading a malicious program or being redirected to a fake site that looks just like your banking site, hover over it to see where it really goes, and run that destination through a URL reputation scanner. Keep in mind that a clean scan only means the site is not yet known to be bad, not that it is genuine.

URL Void: https://www.urlvoid.com/

  3. Delete it. If you don’t know who it is from, either try to verify the sender or delete the email altogether. If it appears to be from a legitimate source, call them directly on a number you already have (not one from the email) and ask whether they sent it.
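Here is what those manual header and link checks look like as code. This is an added example written for this post, not code from the original article or from MXToolBox or URLVoid; the sample message is constructed and every domain and address in it is made up. It reads a raw message (what your mail client shows as “view source” or “show original”), flags a Return-Path or Reply-To domain that differs from the From domain, reports any SPF/DKIM/DMARC result other than pass, and compares the visible text of each link in the HTML body with where its href really points, including bare IP addresses and punycode hosts:

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a lure that claims to come from a
# bank but was relayed by an unrelated server and points at a bare IP address.
SAMPLE_EMAIL = """\
Return-Path: <billing@mail-secure-update.example>
Received: from mail-secure-update.example ([203.0.113.7])
\tby mx.yourcompany.example with ESMTP id abc123
Authentication-Results: mx.yourcompany.example;
\tspf=fail smtp.mailfrom=mail-secure-update.example;
\tdkim=none;
\tdmarc=fail header.from=examplebank.com
From: "Example Bank Security" <alerts@examplebank.com>
Reply-To: support@mail-secure-update.example
To: you@yourcompany.example
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://203.0.113.7/login">sign in at https://www.examplebank.com</a> now.</p>
<p>Or visit <a href="https://www.examplebank.com/help">our help center</a>.</p>
</body></html>
"""


def domain_of(addr):
    """Lower-cased domain of an address such as 'Name <user@host>' ('' if none)."""
    _, address = parseaddr(str(addr))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


class LinkExtractor(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_headers(msg):
    """Flag envelope/reply domains that differ from From, and failed auth results."""
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    for hdr in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(hdr, ""))
        if other and other != from_domain:
            findings.append(f"{hdr} domain {other!r} does not match From domain {from_domain!r}")
    # Authentication-Results is written by *your* receiving server, so it is the
    # one header the sender cannot forge; anything other than "pass" is suspect.
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append(f"{mech.lower()}={result.lower()} in Authentication-Results")
    return findings


def check_links(msg):
    """Flag links whose visible text names one domain while the href goes elsewhere."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = LinkExtractor()
    parser.feed(body.get_content())
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
        if shown and shown.group(1).lower() != host:
            findings.append(f"link text shows {shown.group(1)!r} but href goes to {host!r}")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            findings.append(f"link points at a bare IP address: {href}")
        if host.startswith("xn--") or ".xn--" in host:
            findings.append(f"punycode host (possible look-alike domain): {host}")
    return findings


def analyze(raw_message):
    """Return a list of human-readable warnings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return check_headers(msg) + check_links(msg)


if __name__ == "__main__":
    for warning in analyze(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

Paste the raw text of a suspicious message into `SAMPLE_EMAIL` (or read it from a file) and run the script; the constructed sample above trips every check. The checks only raise warnings, never an all-clear: a message whose SPF, DKIM and DMARC all pass can still be phishing sent from a look-alike domain the attacker registered, which is why the manual step of calling the supposed sender on a number you already trust stays on the list.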


Okay, Coders, I hope this helps in your future internet adventures, and until next time #dontcodealone