This week we spoke to Steve Terrill, IT Security & Business Continuity Manager, to really get to grips with how phishing works. For example, why do phishing emails get past the spam filter, and what can fraudsters actually access if you do click on a malicious link?
What is phishing?
Essentially it is social engineering. What fraudsters do is send someone or usually a large group of people a fake email which is designed to trick them into thinking it was from someone else and legitimate. Usually, but not always, it will contain a link to a malicious website or an attachment that has a malicious payload, and quite often that is ransomware.
Sometimes it is designed to reel you in; it is quite common for phishers to spoof the sender's email address so that the email purports to come from someone it hasn’t come from. In higher education, for example, they might send an email coming from the vice chancellor to someone in finance saying: "Please can you help me sort out a direct bank transfer?" If tricked, they may provide bank details and a fraudulent payment is then made.
What information can fraudsters get from a successful phishing email?
We run a simulation here at University of London – it's just a document with a macro set up in it which allows one of the IT team to take over and control the machine, but it accurately reflects what a cyber criminal can access. So, they can record keystrokes (and by this method catch people's passwords), turn on the webcam, watch people, record conversations, look at whatever they're doing on the screen and take screenshots... it's all possible. Luckily, however, this is not normally where a phishing email will lead, but it can happen.
Traditionally they want money, so the link will be to a website which will invite you to log in. They've then captured your details and will immediately go to the real site and log in to your real account and take money out of there. However, these days it’s more likely to be about stealth. You’ll click on a piece of malware and the hackers are silently through the backdoor into your corporate network, where they’ll work their way around until they find the big prize. Most high profile data breaches were initiated by phishing emails.
At the moment, ransomware is also on the rise, which is usually sent through an infected email attachment. If you click on ransomware it encrypts a huge amount of your files, including your desktop files, your documents, and network drives. Unfortunately, it's usually a one-way trip: the only way to get the files back is to pay the ransom, which is not recommended as they don’t always give you the decryption key even if you pay. The other method to combat ransomware is to restore your files from a back-up - but that's only if you’ve got one.
How do they get my email address?
The emails they send are often indiscriminate and sent to hundreds of thousands of people. They are email addresses they’ve harvested or bought.
What are the different kinds of phishing?
There are more sophisticated types of phishing. Firstly, there's spear phishing, which is when they’ve actually done the research on the person they’re targeting. They can get this information from any number of sources, such as social media sites. People share far too much information on these sites, and often there are also profiles of senior staff on company websites.
So when you think about it, it's not too difficult for fraudsters to craft a very convincing email which, coupled with spoofing the email address, could trick anyone.
There's also whaling, which is when they go after the 'big fish', i.e. the directors and board members. The big thing about phishing is that anyone can fall for it. The advice we give is: stop and think about whether it's legitimate. If you receive an email from anybody you weren’t expecting that contains a link, an attachment, or instructs you to do something, stop and think, even if it's from an address you know.
If you're in any doubt at all, phone them up and ask them - just don't phone the number in the email, as that's likely to be fraudulent, too.
Why do phishing emails get through the spam filters?
A spam filter is an automated process - there's no human being sitting there saying 'that looks dodgy.' You have to feed a spam filter rules to apply when examining incoming emails and if you make those rules too stringent then you risk blocking legitimate emails. It is a balancing act between blocking the bad and not blocking the legitimate.
The problem is that whenever you detect a malicious email the spammers will always think of a way to get around it.
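The balancing act described in this answer can be seen in a small rule-based scorer. This is an added example, not code from the interview or from the University of London; the internal domain, the rules, the point values and the three sample messages are all constructed for illustration. Lowering the block threshold catches the spoofed "vice chancellor" message but also starts blocking a legitimate finance email that happens to mention a bank transfer.

```python
import re
from dataclasses import dataclass, field

TRUSTED_DOMAIN = "example.ac.uk"   # assumed internal mail domain (constructed)
RISK_PHRASES = ("bank transfer", "verify your account", "urgent", "password")

@dataclass
class Email:
    display_name: str
    sender: str                 # address in the From: header
    reply_to: str               # address in Reply-To:, "" if absent
    body: str
    links: list = field(default_factory=list)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def score(mail: Email):
    """Apply simple header and content rules; return (points, reasons)."""
    points, reasons = 0, []
    from_dom = domain_of(mail.sender)
    reply_dom = domain_of(mail.reply_to) if mail.reply_to else from_dom
    if reply_dom != from_dom:                       # replies diverted elsewhere
        points += 3; reasons.append("Reply-To domain differs from From domain")
    if "vice chancellor" in mail.display_name.lower() and from_dom != TRUSTED_DOMAIN:
        points += 3; reasons.append("internal-sounding display name on external address")
    for phrase in RISK_PHRASES:                     # wording typical of the lure
        if phrase in mail.body.lower():
            points += 1; reasons.append(f"risk phrase: {phrase!r}")
    for url in mail.links:                          # links leading off-site
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if not host.endswith(TRUSTED_DOMAIN):
            points += 1; reasons.append(f"external link: {host}")
    return points, reasons

def blocked(mails, threshold: int):
    """Messages the filter would quarantine at a given strictness."""
    return [m for m in mails if score(m)[0] >= threshold]

# Constructed sample messages: one spoofed lure, two legitimate emails.
PHISH = Email("Vice Chancellor", "vc.office@example-mail.com",
              "vc.office@reply-elsewhere.net",
              "Please can you help me sort out a direct bank transfer urgently?",
              ["http://pay-now.invalid/login"])
LEGIT_FINANCE = Email("Finance Office", "finance@example.ac.uk", "",
                      "Supplier bank transfer approved; invoice is on the portal.",
                      ["https://supplier-portal.example.com/invoice/42"])
NEWSLETTER = Email("Library", "library@example.ac.uk", "",
                   "New opening hours for the reading room.",
                   ["https://library.example.ac.uk/hours"])
SAMPLES = [PHISH, LEGIT_FINANCE, NEWSLETTER]
```

With a threshold of 4 only the spoofed message is blocked; at 2 the genuine finance email is blocked too, which is exactly the false-positive cost of tightening the rules.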
What should I do if I click on a phishing link?
If you are in an organisation, you should phone the IT service desk immediately. If you enter a password, go to the legitimate site and change it immediately, and if you use that password for more than one account you need to change all of them.
Even if it's outside of work, your bank for example, phone them immediately and tell them what you’ve done. There's absolutely no reason not to tell anyone; it’s all about damage limitation. If you’ve clicked on a ransomware email, options are as described above, but obviously our advice is don't pay the ransom. There are reasons why people do pay: it could be all your wedding photos, for example, and you have no back-up, and they're only charging £100.
The lower the ransom the more likely people are to pay it, and people often think that’s worth it to get their photos back. But if you pay, this propagates the problem - the more people pay it, the more ransomware attacks we’ll see. Plus, there is absolutely no guarantee you'll get your files back.
Invest in proper back-up and focus on prevention instead.