Don’t Fall for the Bait – Michael Pertuit
How many times have you received an email that looks to be from a legitimate source or a government entity notifying you of long-forgotten money awaiting you or some pending legal action?
The line between legitimate emails and fake emails is getting blurred. Scammers and malicious actors are continuously finding ways to improve their fake email campaigns (called phishing) in an attempt to monetize their efforts…and they are often successful.
Phishing is a big business. According to a study from the Ponemin Institue on behalf of Proofpoint (https://www.proofpoint.com/us/resources/analyst-reports/ponemon-cost-of-phishing-study), the monetary cost of phishing attacks has risen 4-fold in the past 6 years with the average cost in the United States reaching $14.8 million in 2021 compared to $3.8 million in 2015.
What are some different phishing attacks?
1. Phishing attacks that demand immediate action
These attacks traditionally have been via email, but are now evolving to be also delivered via text (smishing) or via telephone (vishing). Here the malicious actor is requiring you to take immediate action to avoid some repercussions.
It could be someone who poses as a government authority or an alert from your financial institution notifying you of fraudulent activity. In any instance, the hope is for the victim to click on a link that directs the victim to a website that is controlled by the malicious actor in order to either capture sensitive information like banking details or request payment, typically via gift cards.
2. Phishing attacks that offer “services”
These attacks are straightforward; the malicious actor contacts the victim and poses to offer some sort of “legitimate” service. I have seen examples where a victim navigates to a fraudulent website and then receives a pop-up indicating that there is a virus or other issue with their computer.
They are then directed to a company for remediation. In actuality, there is no company doing remediation and the individual that they are contacting is going to remediate something that wasn’t there, to begin with and request payment or try to trick the victim into allowing the malicious actor access to their computer where they will exfiltrate data and extort the victim into paying to prevent their data from being leaked.
3. Phishing attacks that pretend to be sent from someone else
These attacks are usually targeted and prey on the human instinct to trust but not verify. The malicious actor pretends to be someone that the victim may know. The malicious actor will usually do some sort of reconnaissance via social media accounts to get background information on the victim.
They will then craft an attack that makes the victim believe that it is someone that they know. Once a level of trust is established, then the malicious actor will try to get information or payment from the victim.
4. Phishing attacks that contain a malicious payload
These attacks leverage the above mechanism with the same end goal: monetize the attack. However, the means to monetization is via a payment from ransomware, a payment from extortionware, or gaining sensitive financial information.
The key difference in these types of attacks is that the malicious actor wants to get the victim to open an attachment that will launch malware into an environment in the hopes of deploying a successful ransomware campaign, data exfiltration campaign, or a campaign to capture sensitive financial data.