We tweeted earlier this week about a client who had received a call from what he believed was TalkTalk customer service. The individual had called TalkTalk 2 weeks before and believed this was a return call. However it was a scam, the fraudsters inserted software onto his machine that stopped all of his programmes, including his antivirus, and inserted a key logger. Fortunately we were able to remove the offending items and stop the attack before it infected the rest of the network. However this is a timely reminder of the dangers of ‘phishing’ attacks.
In this case it was voice phishing, or vishing; the fraudulent practice of making calls or leaving phone messages purporting to be from reputable companies in order to persuade individuals to reveal personal information, such as bank details and credit card numbers. In the recent attack on our client the criminals were allowed to remotely access the clients computer – he was extremely lucky that the outcome wasn’t far worse.
Phishing in its many forms is big business – one single Santander customer lost £22,700 from his account last year – but it is preventable.
Phishing is a play on the word ‘fishing’ in that the fraudsters ‘fish’ for potential victims by sending out vast numbers of emails, social media or text messages in the hope of catching a few victims. Whether the initial contact is via external email (phishing), personalised or internal email (spear phishing), telephone (vishing) or SMS (smishing) the approach is similar. The message will appear to originate from a reliable source – usually a large company such as a bank or internet service provider, or a web site with a broad membership base, such as eBay or PayPal.
Here are some things to look out for and ways of protecting yourself from these attacks.
Phishing
Email scams have been around for a long time. You’ll recognise some of the more common ones; I’m sure we’ve all won a foreign lottery or been the benefactor of a rich individuals estate (just send a few hundred pounds for processing and your bank details). We all know that these are rubbish, so we delete and ignore them. However many of the newer scams are more complex and far more believable.
Check the email address: The name may look OK but either the website or email address doesn’t look right; authentic website addresses are usually short and don’t use irrelevant words or phrases. Businesses and organisations don’t use web-based addresses such as Gmail or Yahoo.
Other things to look out for are poor quality spelling, grammar, graphic design or images. They may use odd ‘spe11lings’ or ‘cApiTals’ in the email subject to fool your spam filter. If they know your email address but not your name, it’ll begin with something like ‘To our valued customer’, or ‘Dear…’ followed by your email address.
Finally is the contact out of context? Didn’t sign up for a free trial? Don’t have a Natwest account? Then no, you’re not going mad, you don’t need to cancel your subscription because you don’t have one! People look to take advantage of our busy lifestyle and a tendency to forget what we have signed up for.
Spear Phishing
Spear Phishing uses email that targets a specific organisation or user and seeks unauthorised access to confidential data. These kind of attacks are generally targeted and are likely to be made by groups or individuals looking to steal trade secrets or seeking financial gain. Spear Phishers will spend time collecting information about the business or individual, spending time on the company website and social media channels gaining information that can help make the email approach appear more convincing. The email will appear to come from a business you know well, or even from a contact internal to the organisation.
Due to the level of personalisation these kinds of emails are much more effective, however you can spot them if you know what to look for. Again this may be incorrect spellings, or terminology that is unusual for that organisation or contact or strange email extensions.
So if a “friend” emails and asks for a password or other information, call or email (in a separate email) that friend to verify that they were really who contacted you. The same goes for banks and businesses. First of all, legitimate businesses won’t email you asking for passwords or account numbers. If you’re suspicious that the email might not be real, call the bank or business and ask. Or visit the official website. Most banks have an email address to which you can forward suspicious emails for verification.
And always remember: Don’t give up too much personal information online, because you never know who might use it against you. Or how.
Smishing
SMishing uses SMS messages to lure victims into downloading malware, visting a malicious website or calling a fraudulent phone number. SMishing attacks are usually designed to get an immediate reaction from the target, requiring them to hand over personal information or account details. Financial institutions are particularly popular covers for cybercriminals looking to carry out these types of attacks due to the rise in popularity smart phone and there increasing use to pay bills etc.
A SMishing attack will use legitimate sounding wording and may even include some branding. Frighteningly if you’ve got a thread of texts from your bank the fraudulent text may well show up in the thread.
To prevent falling victim to these kinds of attacks avoid clicking links within text messages, and don’t respond to texts that request private or financial information. If a text message is urging you to act or respond quickly, stop and think about it. Remember that criminals use this as a tactic to get you to do what they want. Finally do not call numbers included in the message; if the message requests a call back get the customer service number from the company’s website and call that.
Vishing
Finally, vishing, which is how our client was caught out. This is the same as the others but using a telephone call or voicemail. As with all of these types of attack user awareness is the best defence.
Legitimate companies will know who they are contacting and will address you by name. Vishers typically don’t know who you are and won’t usually know your name.
Do not use the phone number that has been left in a voicemail message. You should look up the number for the organisation that has called you either from your own records or by looking them up on the internet. This is the number you should call.
If you receive a call and you are not comfortable with any questions being asked, or if it is unexpected and doesn’t fell ‘right’ do not answer the questions and disconnect the call. Tell the caller you wish to check that the call is from a legitimate source. No reputable company will have an issue with this. You can then call the company back on the phone number you have looked up. It’s also worth waiting a few minutes before making the call, to ensure that the connection with the cyber criminals has ended.
Most of the precautions are fairly common sense; if something seems too good to be true it probably is and if it doesn’t seem ‘right’ it probably isn’t. Trust your instincts and err on the side of caution – if you’re not sure take the safe route and call the company or colleague on a number that you know belongs to them.
If you do think you’ve been exposed to an attack, even if you’ve been sensible and thwarted the cyber criminals, let someone know. Whether this is your IT Support Provider, your manager or the company from whom the email supposedly came.
Your IT Department provide complete Cyber Security solutions including anti-virus software, Watchguard Firewall Hardware, advice and training. To find out more about how we can keep you secure call 0115 7980704 or email us info@your-itdepartment.co.uk