Hook, Line, and Sinker

Written by Pauline Johnson

 

Does it seem like email has become more of a chore lately? 

 

With so much spam and so many unwelcome advertisements, does it feel like you spend way too much time questioning the contents of your inbox and scrutinizing the senders’ email addresses?

You’re not alone! Every week it seems like bad actors have a new technique or method to get your data, or to capture data from someone close to you. Since phishing is not going away, we need to work on taking the bait less often.

A Recent Phishing Exploit

Phishing really is a big deal. In August, cyberscoop.com reported the story of a recent hacking campaign by Russian government-connected bad actors who were believed to be possibly associated with the Russian Security Service agency (“FSB”). They targeted, among others, a former U.S. ambassador to Ukraine. Using spear-phishing lures and creative methods, they sent emails that seemed to come from family members or acquaintances. The emails tried to get the recipients to click on a PDF, which took them to fake login pages. Some victims who took the bait were deceived into entering their user credentials.

The attack used social engineering to learn about its targets: their professions, their activities, their friends*, etc. This data helped the attackers make the emails seem legitimate. What was interesting about this campaign is that one of the targets was a behind-the-scenes administrator, a position that doesn’t sound like an interesting target. But if the hackers had been able to steal data from her, the bad actors could have used the compromised account in other attacks, stealthily working their way up the organizational chain.

*It’s recommended to configure all social media accounts as “private” and to be very cautious when posting photos and identifying (tagging) your friends, family and co-workers by name, especially when commenting on others’ pages.

Types of Phishing Attacks

There are many different types of phishing attacks. Most of us are familiar with spear phishing, email phishing, domain spoofing, man-in-the-middle (MITM) attacks, and social media phishing. Our next blog will feature more types of phishing to watch out for, along with some best practices to counter each method.

Best Practices 

Please remember: the best practice of all is to be alert about all forms of unsolicited digital contact, as well as the sites you visit on the web. Slowing down, reading carefully, and paying attention to what you are selecting will go a long way toward keeping you from getting caught by a phishing lure.
