Phishing… What is it? Best practice to stay safe online.

names.co.uk news, Security


At names.co.uk, we like to share knowledge, especially when we feel it would benefit our customers and community. Recently, we learnt that our logo was used as part of a phishing scam, so we have decided to share some knowledge and run through some hints and tips on good practice, to help our customers stay safe online.

What is Phishing?

We hear the phrase quite a lot nowadays – it’s even made it onto mainline news articles. At a basic level, it’s a scam, a con, a means of tricking someone out of information. A dictionary definition states:

‘Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.’

Scammers send out fraudulent emails to huge mailing lists, with the aim of gaining access to a system or for data mining.

One thing that sticks out to me in the above paragraph is the fraudulent emails to huge mailing lists… Let’s go back a step to understand how we can easily become a recipient of a phishing email.

Background

We know that you will, at some point, receive a phishing email. They appear to be unavoidable in the current age of technology and we can’t simply ignore using technology in our daily lives, can we? I mean, shopping, running a business, research for holidays, research for school projects – they all involve internet activity.

Some pointers that might be a little bit of a shock, or appear to be a bit doom and gloom, but are needed to set the scene…

  • Some of your personal data is already “out there” in the big churn that is the internet:
    • Over the years there have been big breaches of data, consider the recent ones that have made national news headlines; Marriott, British Airways, Capital One, Equifax, TalkTalk to name a few. Oh, and there is also the data you have opted to share via social media, either knowingly or unknowingly.
  • It’s not a matter of “if” you will ever be targeted, more of a “when”:
    • This phrase is being used a lot nowadays and personally, I’m glad to hear it, it’s one I use. It means people are taking information security seriously and that can only be a good thing for people using online products and services. Companies are planning how to combat and react to those that make the internet a difficult place to navigate.
  • A company doesn’t have to be hacked and have a data breach to be spoofed and used in a phishing scam:
    • Some online products and services must publish information that allows a threat actor (bad person) to start sniffing around. Plus, you can copy and paste the logos or images from a website with relative ease.

Before we move forward, I would like to clarify the use of the word “targeted”… it sounds very personal, so let’s clear that up a little. It is extremely unlikely that a phishing scam is personal; far more likely, a criminal is focusing on a user group or a brand, or simply slinging lots of mud and waiting to see what sticks. Most criminal activity is opportunistic, focusing on the easy and/or accessible.

Remember I said most, not all: some criminal activity is targeted, but that is a whole separate blog article. We are focusing on phishing and what is perceived as easy. Thousands upon thousands of criminals are attempting phishing scams each day. For a criminal, it is low cost, low impact and low risk, hence the volume we see.

But how do they do it?

We’ve already alluded to the overall principle of a Phishing campaign, but let’s go a little further. The scammers will send out fraudulent emails to huge mailing lists, with the aim of gaining access to a system or for data mining. The criminal will hope that at least a handful of recipients will fall for the spoofed email.

The vast lists that are used may be purchased online at nefarious locations, or, simply guesswork. For example, we can go with generic emails; info@, contact@, sales@, privacy@, complaints@, marketing@… Recognise any of these addresses from your own business? Or, we can go with names of staff researched from a popular professional networking site. In fact, some people might even publish their work email address. Do you publish your information online?

Next, we need to generate buy-in from the recipient; we need a hook. Frustratingly, this may be a little easier than you would think, we’re only human after all… A criminal will try and lean on human nature.

Some simple but effective techniques to look out for are:

  • Create a sense of urgency:
    • the subject might state “respond now to avoid a loss” or “next response wins a car”, “must pay before today’s payment run cut off”, “we’ve been trying to get in touch, urgent information”.
  • An air of authority:
    • the message will appear to be from your boss or bank, creating an authoritative stance.
  • Mimicry or copying:
    • imitating a colleague by sending a meeting request with an agenda that needs to be opened.
  • Curiosity… (I’ll just sneak a little look in case it’s real…)
    • something that will make you peek behind the curtain, “update from HR” or “changes to your bank account”, the latest celebrity embarrassing pictures etc. “you’re our 100th customer and have won a prize, we just need to know where to send the gift/payment…”.

At a glance, the above examples seem obvious or even silly, but let’s factor in a stressed person who is running late, slightly tired, dashing between meetings or school pickups. Suddenly, that person receives an urgent email: the logo looks legit, the address at a glance seems right, and you know what, they think that in between everything going on they might have missed a payment for that catalogue or professional service… “I’ll just fill out the form and then it’s done…”

What can I do?

If we consider the above, it gets tough to understand what we can trust out there in the world of the internet. Now, I wouldn’t advise we all switch off our computers, phones and tablets and return to pen and paper (or my favourite, the chalkboard = lowest risk…) as we can’t let the few ruin it for the many. We can still embrace technology confidently, but just introduce a few smarts that reduce the risk of being a victim.

Good news alert 1 – (it has been a bit gloomy up until this point) the national infrastructure, supported by the likes of the National Cyber Security Centre (NCSC), does its best to filter out some of the big nasty attacks on the UK 24/7/365. However, the reality is some will make it through.

Good news alert number 2 – I’m not the only one advocating introducing a few skills into the everyday household. There is an abundance of help out there, some with real weight and budgets behind them… some were used for researching this blog and have links below (we must recognise the work others are doing in this area too).

Now, it is very unlikely that you can erase your entire internet history, or the use of your email address, so, let’s look at some smart ways that can help you weed out the bad from the good.

If we consider what we now know, here are some key watch-outs for phishing:

  • Were you expecting that email?
    • If not, be cautious and consider the subject before opening.
  • Who actually sent you the email?
    • If you’re not sure you can often hover with your cursor over the sender’s email address; does it resolve/display as an email address from the business trying to contact you? If not, it’s likely to have been spoofed.
    • If you get more than a few similar emails you weren’t expecting, consider adding them to your spam or junk filter.
  • Is the link legit?
    • If you are unsure, don’t click it; if you are prompted to log into your account in an email, open a browser and go to the web page directly and sign in – this way you know it’s not a fake link. Legitimate businesses try to avoid sending links because of this known issue. Hover over the link – does it ultimately come from the business?
  • Still not sure?
    • Pick up the phone and call the service provider trying to contact you. We know it’s not as convenient, but it’s better to be safe than sorry!
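Two of the watch-outs above (who actually sent the email, and whether the link really goes to the business) can be checked mechanically rather than by eye, and the “sense of urgency” hook from the earlier list shows up in the subject line. The script below is an added example written for this article, not names.co.uk’s own code: it parses a constructed sample message, compares the real sender domain and every link target against the domain the email claims to be from, and flags link text that names one site while the link goes to another. The brand domain `names.example`, the sender domains ending in `.invalid` and the urgency word list are all placeholders chosen for illustration.

```python
# Added example: mechanically apply the "who sent it?" and "is the link legit?"
# checks from the article to a raw email. All domains below are constructed
# placeholders; "names.example" stands in for the business the email claims
# to come from.
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims the brand, the real sender
# domain does not match, and one link's text says one site while its href
# points at another. The subject carries the classic urgency hook.
SAMPLE_EMAIL = b"""From: "names.example Billing" <billing@names-example-payments.invalid>
To: info@customer.invalid
Subject: URGENT: payment failed, respond now
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your payment has failed. Please visit <a href="http://login.names-example-secure.invalid/pay">
https://www.names.example/account</a> to avoid losing your domain.</p>
<p>Help: <a href="https://www.names.example/support">support pages</a></p>
</body></html>
"""

# Illustrative urgency phrases (an assumption, not an exhaustive list).
URGENCY_PHRASES = ("urgent", "respond now", "immediately", "before today")


def same_org(host: str, expected_domain: str) -> bool:
    """True if host is expected_domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


class LinkCollector(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, text))
            self._href = None


def check_message(raw: bytes, expected_domain: str) -> list:
    """Return human-readable warnings; an empty list means no tell-tales found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    warnings = []

    # Hook check: urgency wording in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    if any(phrase in subject for phrase in URGENCY_PHRASES):
        warnings.append(f"subject uses urgency wording: {subject!r}")

    # Watch-out: who actually sent it? Compare the real address, not the display name.
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2]
    if not same_org(sender_domain, expected_domain):
        warnings.append(f"sender {addr!r} is not from {expected_domain} "
                        f"(display name {display_name!r})")

    # Watch-out: is the link legit? Compare where it goes with what it shows.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target_host = urlparse(href).hostname or ""
            if not same_org(target_host, expected_domain):
                warnings.append(f"link to {target_host!r} does not belong to {expected_domain}")
            # Link text that looks like a URL but goes elsewhere is a classic tell.
            shown_host = urlparse(text).hostname if "://" in text else None
            if shown_host and not same_org(target_host, shown_host):
                warnings.append(f"link text shows {shown_host!r} but goes to {target_host!r}")
    return warnings


if __name__ == "__main__":
    for warning in check_message(SAMPLE_EMAIL, "names.example"):
        print("WARNING:", warning)
```

Run against the sample it reports four warnings: the urgency subject, the mismatched sender domain, the off-brand link target and the link text that names the brand’s site while pointing elsewhere. The second link passes because it genuinely belongs to the expected domain. The same checks are what you do by hand when you hover over the sender address and the link; the script just makes the comparison explicit.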

Remember:

  • Don’t give out your username AND password to anyone
    • keep it safe like the keys to your home!
  • If you’re out and about in a busy area, don’t confirm details over the phone
    • Say you are in a busy place and will call back later, a reasonable statement to make.
    • Legitimate businesses do understand security, and if the business doesn’t understand, consider if they are the right person to share your information with…
    • Also, calling back when it is convenient for you allows you to use a number you are confident gets you through to the right people.
  • If you do click a potentially bad link or fill out a form online and question yourself afterwards
    • the best course of action is to do something about it; taking no action will likely put you at risk. For example, reset your password straight away.
  • Use as many different passwords as possible across all the services you use because if you do end up giving away a username or password for one service, it can’t be used elsewhere.
    • This is not paranoia – it’s being smart with the keys to your kingdom…

Further reading

There are some great articles already out there providing further information on phishing and general good practice online. I’ve pulled together some links that can help either prepare you, your family, friends, loved ones, neighbours, (you get the drift) for a changing digital world, or support you if you believe you have been compromised, scammed or tricked.

  • Find out if your data has been leaked previously – Search by your email address and then change the password for the services listed against your account(s): https://haveibeenpwned.com/