Phishing

Phishing – Are you Susceptible? (Part 2)

Welcome to the second post in a series on phishing and social engineering, and on ways of protecting yourself from hackers. The series covers how hackers try to exploit you, along with the techniques and other preventative controls you can take to protect yourself. Today's post covers the underlying element behind every phishing attack: emotion.

Bullet Point Summary

  • Hackers will try to use emotion to reduce your ability to think critically.
  • Some examples of emotions can be urgency/panic, greed, curiosity, fear, empathy, sadness, etc.
  • Emotion will reduce your ability to think critically and cause mistakes.
  • Understand yourself and learn to recognize the warning signs, in particular when an email is making you feel an emotion.
  • If the email has created any emotion, don’t click the link or download any attachments.

Recap

In our last blog, we described what phishing is and how it is a social engineering method that hackers deliver by email. We also gave a sample phishing attack and showed that the From address was clearly not a legitimate address.

Before we get into analyzing URLs and emails, though, we're going to walk through the most important part of protecting yourself from phishing: understanding the basic elements of how hackers operate. Keeping these methods in mind is the most important step you can take.

The Underlying Element

The basic underlying element of every phishing attack is the attacker's ability to invoke some type of emotion in you. For simplicity's sake, think of your mental state as being one of two things:

  1. The ability to think critically, or
  2. The inability to think critically

Hackers attempt to use emotion to move you from your normal state of thinking critically to one in which you are no longer thinking critically, for some period of time. In short, hackers use emotion to reduce your ability to think critically.

Emotion

What types of emotions do hackers use? Hackers use emotions like urgency/panic, greed, curiosity, fear, empathy, sadness, etc. The following are some potential examples; we’ll discuss actual email attacks that have been used in a separate blog.

Urgency/panic: an email that appears to come from Amazon stating that your account is locked out, or that it will be locked out if you don't log in. The email would then direct you to a link where it would ask you to log in.

Greed: continuing with the Amazon example, offering you a free Amazon gift card. Hackers could ask you to input your username and password, or they could simply have you click a link to redirect you to a malicious web page. In a later article, we’ll cover how a hacker can take full control of your computer with just one click.

Curiosity: this could be as simple as a generic subject line with a “click here” link.

Fear: fear is a unique emotion and is mostly used in pretext calling (we will cover this in another blog). Using the Amazon example, though, it could be an email apparently from Amazon (actually from the hacker) stating that fraudulent activity has come from your account and that the account has been reported to the IRS, with a link to dispute any claims. As in the other examples, the link would redirect you either to a site designed to gather more personal or confidential information, or to a malicious website hosting malware.

What should I do?

Understand yourself and recognize your emotions

To prevent phishing attacks from succeeding against you, understand yourself; more specifically, learn to recognize when you are feeling emotions. Anyone who feels emotion from an email, whether it arrived unexpectedly or was expected, should consider the email suspicious.

When in doubt, pick up the phone and call the individual who sent the email to confirm.

Do not click the link and do not download any attachments

If you're feeling any emotion based on the email sent, DO NOT click the link and DO NOT download the attachment. Doing so could compromise you and your information.

Are any of these URLs legitimate?

Look at these URLs and try to pick out the legitimate websites. Remember, DO NOT try to navigate to these websites; instead, read the URL and think about whether it’s legitimate or not. In our next blog, we will provide some analysis.

    1. http://microsoft.com/file.txt
    2. http://secure-microsoft.com/file.txt
    3. https://secure.microsoft.com/file.txt
    4. http://microsoft.com/secure/file.txt
    5. http://rnicrosoft.com/file.txt
    6. http://microsoft-securitycenter.com
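As an added illustration (not part of the original post), the following Python script reads the host portion of each quiz URL above and reports which registered domain it actually names; it never contacts any site. The expected brand domain, the short look-alike table, and the "last two labels" rule for the registered domain are simplifying assumptions of this example, not the full analysis promised for the next blog.

```python
from urllib.parse import urlsplit

# The six URLs from the quiz above, copied verbatim; nothing is contacted.
QUIZ_URLS = [
    "http://microsoft.com/file.txt",
    "http://secure-microsoft.com/file.txt",
    "https://secure.microsoft.com/file.txt",
    "http://microsoft.com/secure/file.txt",
    "http://rnicrosoft.com/file.txt",
    "http://microsoft-securitycenter.com",
]

# The brand domain we expect to be dealing with (assumption for this example).
EXPECTED_DOMAIN = "microsoft.com"

# Letter pairs that mimic one letter in many fonts (constructed, short list).
CONFUSABLES = {"rn": "m", "vv": "w"}


def registered_domain(host: str) -> str:
    """Last two DNS labels: 'secure.microsoft.com' -> 'microsoft.com'.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def unconfuse(label: str) -> str:
    """Replace look-alike pairs so 'rnicrosoft' compares equal to 'microsoft'."""
    for pair, letter in CONFUSABLES.items():
        label = label.replace(pair, letter)
    return label


def classify(url: str, expected: str = EXPECTED_DOMAIN) -> str:
    """Return 'expected', 'lookalike' or 'other' using only the host part.
    The scheme (https) and path (/secure/) are ignored: anyone can set those."""
    host = urlsplit(url).hostname or ""
    domain = registered_domain(host)
    if domain == expected:
        return "expected"
    exp_name, exp_tld = expected.split(".", 1)
    name, _, tld = domain.partition(".")
    if unconfuse(name) == exp_name and tld == exp_tld:
        return "lookalike"  # typo-squat such as rnicrosoft.com
    if exp_name in name:
        return "lookalike"  # brand embedded, e.g. secure-microsoft.com
    return "other"

# One verdict per quiz URL, keyed by the URL text.
VERDICTS = {url: classify(url) for url in QUIZ_URLS}
```

Only the registered domain decides who you are really talking to; "https", a reassuring subdomain, or a "/secure/" path prove nothing on their own.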

Author

This article was written by Kaushal Kothari, President of Secure Guard Consulting, LLC, a cybersecurity / IT audit and consulting company. Kaushal is a former FDIC IT examination analyst and certified ethical hacker with 15+ years of experience in the technology field.