Phishing Tricks – The Top Ten Treacheries of 2020
Sophos Phish Threat, in its own words, is a phishing attack simulator – it lets your IT department send realistic-looking fake phishes to your own staff so that if they do slip up, and click through… it’s not the crooks on the other end.
(Don’t worry – this isn’t a sales pitch, just some intriguing statistics that have emerged from users of the product so far this year.) You can create scam templates to construct your own fake phishes, but the product includes an extensive collection of customizable templates of its own that we update regularly. The idea is to track the look and feel of real-world scams of all types.
History teaches us that email tricks can work surprisingly well with no text in the message body at all. One of the most prevalent email viruses of all time was HAPPY99, also known as Ska, which came out just over 20 years ago at the start of 1999. The email consisted only of an attachment – there was no subject line or message, so the only visible text in the email was the name of the attachment, HAPPY99.EXE. If you opened it, a New Year’s fireworks display appeared, though the animation was cover for the virus infecting your computer and then spreading to everyone you emailed thereafter. Ironically, the lack of any explanatory text at all meant that the email was much less suspicious than if the subject line had contained words in a language the recipient wouldn’t have expected. HAPPY99 as a filename all on its own had a timely and global appeal that almost certainly tricked millions more people into clicking it than if it had included any sort of marketing pitch.
Searching for The Best Worst
Well, the Phish Threat team asked themselves, “Which phishing templates give the best, or perhaps more accurately, the worst results?”
The answers covered a broad range of phishing themes, but had a common thread: not one of them was a threat. Most of them dealt with issues that were mundane and undramatic, while at the same time apparently being interesting, important, or both.
Nothing on this list was urgent or terrifying, and they all sounded likely and uncomplicated enough to be worth getting out of the way quickly.
The Top (or Bottom) Ten
1. Rules of conduct. This purported to be a letter from HR outlining the company’s new Rules of Conduct. With interest in increasing workplace diversity and reducing harassment, many companies are revising their employment guidelines. Most know they’re supposed to read new guidelines, and that the HR team is obliged to chase them until they do, so clicking through this feels like a task you might as well get out of the way.
2. Delayed year-end tax summary. This notified staff that their tax documentation wouldn’t arrive when they expected. It’s one of those “necessary evils” that staff know they need, so they might as well find out how long the delay will be.
3. Scheduled server maintenance. We were surprised that this was #3, because we assumed that most people would be inclined to ignore IT messages of this sort, because they couldn’t do anything about them anyway. In retrospect, however, now that so many people are working from home, we suspect that people like to know when outages are likely so they can schedule their lives around them.
4. Task assigned to you. In this message, the Phish Threat user gets to pick a project scheduling system that their own company uses (e.g. JIRA, Asana), so that the email doesn’t stand out as obviously bogus. Although that makes this a semi-targeted phish, you should assume that the business tools used in your company are widely known and easy for crooks to figure out, perhaps even automatically.
5. New email system test. Who doesn’t want to be helpful, if all it takes is one quick click?
6. Vacation policy update. Coronavirus has made booking and taking vacation tricky these days. Many companies are adapting their vacation policies accordingly – and who wants to risk missing out on time off?
7. Car lights on. In this message, the building manager was apparently being helpful by reporting a car with its lights on. In real life, you might be suspicious that they posted a picture instead of just typing in the vehicle tag – but it occurred to us that many states don’t supply front plates any more, so a photo taken from the front of the vehicle probably wouldn’t show the plate number.
8. Courier service failed delivery. This is a tried and tested trick that crooks have used for years. It’s especially believable these days thanks to the surge in home deliveries due to coronavirus. In fact, you may be expecting a delivery yourself right now – and in most cases it’s the vendor who decides which courier company to use, so you might not know who is doing the drop.
9. Secure document. This purported to be a “secured document” from the HR team, giving a plausible reason for making you take an unusual route to view it. This trick is widely used by phishing crooks as a reason to convince you to enter passwords where you wouldn’t usually have to, or to adjust security settings on your computer – apparently for the sake of improving security, but in reality to reduce it.
10. Social media message. This was a simulated LinkedIn notification stating “You have unread messages from Joseph”. LinkedIn seems to be more popular right now, which is not surprising considering how many people have lost their jobs or had their working hours cut. It’s tempting to click through, and scammers are happy to capitalize on that.
What to do?
- Think before you click. Even if the message looks innocent at first sight, are there any scam giveaways that are obvious if you take the time to check? Examples include: spelling mistakes you doubt the sender would make, terminology that isn’t how your company would say it, software tools your company doesn’t use, and behavior such as altering security settings you have explicitly been warned not to change.
- Check with the sender if you aren’t sure. But never check by replying to the email to ask if it’s genuine – you will get the answer “Yes” either way, because a legitimate sender would tell the truth but a crook would lie. Use a corporate directory accessible via trustworthy means to find a way to get in touch with a colleague you think has been impersonated.
- Take a careful look at links before you click. Many phishing emails contain text and images that are error-free. But the crooks often have to rely on temporary cloud servers or hacked websites to host their phishing web pages, and the subterfuge often shows up in the domain name they want you to visit. Don’t be tricked because a server name looks “close enough” – crooks often register near-miss names such as yourcompanny, yourc0mpany (zero for the letter O) or yourcompany-site, using misspellings, similar-looking characters or added text.
- Report suspicious emails to your security team. Get in the habit of doing this every time, even though it feels like a thankless task. Phishing crooks don’t send their emails just to one person at a time, so if you’re the first in the company to spot a new scam, an early warning will let your IT department warn everyone else who might have received it too.
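The near-miss domain names described above (a doubled letter, a zero in place of the letter O, extra text tacked onto the brand) can be caught mechanically before anyone clicks. The following Python script is an added example written for this page, not part of the original article or of Sophos Phish Threat: it folds confusable characters, measures edit distance against the company’s own domain, and flags the brand name appearing inside an untrusted host. The trusted domain `yourcompany.com`, the confusable-character table and the sample email body are all constructed for the example.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Constructed: the organisation's legitimate domain(s). Subdomains of these are trusted too.
TRUSTED_DOMAINS = {"yourcompany.com"}

# Constructed, deliberately small table of characters crooks substitute for letters:
# digits/symbols that resemble letters, plus a few Cyrillic letters that look identical to Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def hostname_of(url: str) -> str:
    """Lower-case host part of a URL, without scheme, port, path or credentials."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower().rstrip(".")


def is_trusted(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def fold(label: str) -> str:
    """Normalise a DNS label so look-alike spellings compare equal to the real brand."""
    label = unicodedata.normalize("NFKC", label).lower().translate(CONFUSABLES)
    return label.replace("-", "").replace("_", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str):
    """Return (verdict, host, reason): verdict is 'trusted', 'lookalike' or 'unknown'."""
    host = hostname_of(url)
    if is_trusted(host):
        return "trusted", host, ""
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]          # "yourcompany"
        for label in host.split("."):
            folded = fold(label)
            if label == brand:                 # e.g. yourcompany.com.evil-host.net
                return "lookalike", host, "brand name used inside an untrusted domain"
            if folded == brand:                # e.g. yourc0mpany
                return "lookalike", host, "confusable characters substituted for letters"
            if levenshtein(folded, brand) <= 1:  # e.g. yourcompanny
                return "lookalike", host, "one-character misspelling"
            if brand in folded:                # e.g. yourcompany-site
                return "lookalike", host, "brand name with extra text added"
    return "unknown", host, ""


def scan_email(body: str):
    """Extract every URL from a message body and return the look-alike hosts with reasons."""
    hits = []
    for url in URL_RE.findall(body):
        verdict, host, reason = classify(url)
        if verdict == "lookalike":
            hits.append((host, reason))
    return hits


# Constructed sample message modelled on the "secured document from HR" lure.
SAMPLE_EMAIL = """\
Subject: Secured document from HR

Please review the updated Rules of Conduct here:
https://yourc0mpany.com/hr/rules-of-conduct
Questions? See https://intranet.yourcompany.com/hr
"""

if __name__ == "__main__":
    for host, reason in scan_email(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {host}: {reason}")
```

The edit-distance threshold of one catches single typos such as a doubled letter; raising it catches more but also starts matching unrelated short labels, so in practice the comparison is only worth doing against the second-level label and a short list of brands you care about. A mail gateway or a report-phishing add-in can apply exactly this check to every link in an inbound message and annotate or quarantine it.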
By the way, if you’re in the security team and you don’t have a quick and easy way for your staff to report potential cybersecurity problems such as suspicious phone calls or dodgy emails, why not set up an easy-to-remember internal email address today, and get used to monitoring it?
It doesn’t take much encouragement to turn your entire workforce into the eyes and ears of the security team.
After all, when it comes to cybersecurity, an injury to one really is an injury to all. To learn more about Sophos Phish Threat, or the rest of the Sophos security line of solutions, give Ashton Technology Solutions a call at 216 397-4080.
Published with permission from Sophos Naked Security