“Oh, an email from Microsoft? That looks important.” Once you’ve opened the email the situation looks even more dire. “My account has been compromised?!” The email presents an easy solution: Microsoft, the ever helpful and friendly company has stopped the malicious actor in their tracks, and only needs you to login to verify your account credentials. “Easy enough…” Except it isn’t—the scenario outlined above is just one example of a scam that has become commonplace—phishing.
The term phishing originated in the hacker-spaces in the early days of the Internet, and comes from the idea of hackers trolling for users that would allow their accounts to be compromised, similar to the actual practice of fishing. Since those early days of compromised America Online accounts, phishing emails have become much more sophisticated. Below, we will outline six of the most dangerous types of phishing and email scams you’re likely to run into.
Artifical Intelligence-based phishing apps: This is a technique generally only deployed by nation-states (think Russia, North Korea, Iran), and utilizes a sophisticated artificial intelligence to tailor phishing messages specifically to their targets. This might mean impersonating someone the target knows using knowledge of specific events or a similar writing style. By building phishing attempts into automated systems, malicious actors make it easier to pinpoint targets that can be monetized quickly.
Use of imposter domains: Bad actors attempting to impersonate a site like PayPal or Chase will often craft a login page that looks very accurate to the real one, but a closer examination of the website address, the page is hosted on would show that it is illegitimate. Instead of logging into chase.com you may be directed to something like chasee.com.
Deepfake audio: Threat actors have begun making phone calls using voice deepfakes (a very accurate approximation of a real person using software) to impersonate corporate officers requesting things like wire transfers. Since CEOs and CFOs increasingly appear on YouTube or TED talks, audio samples can be readily gleaned from these sources to help facilitate a malicious audio doppelganger.
Sextortion: This has become increasingly common—an email will be received indicating that the threat actor is in possession of photographic or video evidence of the user engaged in embarrassing activities. The email will go on to threaten to release that video to Facebook friends or the wider Internet if a ransom of some sort isn’t paid. This scam isn’t particularly sophisticated, and generally relies on website breaches that release lists of email addresses and passwords on the dark web.
Impersonating supervisors: This scam is also becoming more and more common, increasing 274% in the past three years. Sometimes referred to as “spear phishing,” a threat actor will send an email to an employee purporting to be from a supervisor—for instance the email may say that it’s from the CFO and ask the controller to wire money immediately to an account for a client or vendor. Nearly two-thirds of employees say they’re most likely to open an email from their supervisor before any other, and threat actors utilize this sense of urgency to overcome suspicion of the requests being made.
SSL certificates: SSL stands for Secure Socket Layer, and, in short, is the standard technology for keeping an Internet connection secure and safeguarding any sensitive data sent between two systems. For many years, the majority of phishing websites were unable to obtain an SSL certificate, meaning that they were on an http:// connection instead of https://. Because of this, many users understood that websites that didn’t display the little lock icon in the browser were unsafe to visit. A lot of changes have occurred that decrease the requirements needed to obtain an SSL certificate. Many phishing websites are now procuring SSL certificates to facilitate an https:// connection.
What does all this mean for you? As with many things, the best defense is a good offense, and the best offense in the case of phishing emails is education and suspicion. Microsoft will never send you an email requesting that you login to a website to validate your credentials, the same is true of your banking institution. An email from the CEO requesting $5000 in Amazon gift-cards should be treated with a good deal of skepticism and require a confirmation over the phone. When in doubt, seek assistance from your IT provider or make a follow up phone call to whomever is asking you to perform a suspicious action. As attackers improve their methods for separating people and the companies they work for from their money, so to must your education on scammer tradecraft. All the firewalls, antivirus, and antispam technology in the world cannot hold a candle to someone armed with knowledge of threat actor tradecraft and a healthy dose of skepticism.
Mythos Technology is an IT consulting and management firm that provides Managed Technology Services including hosted cloud solutions. For more information, please visit www.mythostech.com or call (951) 813-2672.