Prospective college students know the anxiety of waiting for college acceptance letters well. Unfortunately, the hackers behind one of the latest phishing attacks knew this too. According to the Chronicle of Higher Education, hackers sent prospective students at three colleges emails offering them their complete admissions package, all for the price of one Bitcoin, or about $3,900.
This situation is far from unique. Verizon reported 1,192 phishing attacks in their 2018 Data Breach Investigations Report. With so much at risk, the value of learning how to stop phishing emails is clear.
How Does Phishing Work
Phishing is a social engineering attack. These attacks happen when hackers use the way people think against them to get someone to give them what they want. In the case of phishing, hackers often pretend to be a trustworthy person/group in messages to get whoever received the message to do something. The common attack pattern involves a hacker deciding which group they want to infiltrate, researching the people in that group, developing an attack plan and finding the best time to execute their attack.
This attack plan is visible in the recent attack on three public colleges. While it’s difficult to confirm the attackers’ intent at this time, it seems clear enough the attackers targeted prospective college students at the three affected colleges. They proceeded to learn about the applicants by hacking into software known as Slate, where the admissions information was stored. The information stored there included admissions comments, interview reports and dates of birth. More sensitive information like social security numbers and credit card information was stored separately and was not compromised.
The hackers used this information to send these applicants emails featuring their date of birth as proof that the hackers had the information they claimed. These emails were sent at a time when many students have submitted applications for the school year but may still be waiting for their results. This made it an ideal time to plan an attack like the one on these three Slate-using colleges.
For another example of a phishing attack, see Impulse’s “Banks of All Sizes Should Prepare for Cyber Attacks” article.
The Motivations for Phishing
The good news is that phishing primarily originates from outsiders rather than from individuals within the targeted organizations themselves. In other words, most of the people posing these threats are not the targeted organization’s own employees. Verizon reports that social attacks, of which phishing and pretexting represented 98 percent, were organized by someone from outside the targeted organization 99 percent of the time. 59 percent of hackers behind social attacks were motivated by financial incentives and 38 percent were motivated by espionage-based incentives.
This suggests that the majority of criminals involved in phishing are after either money or information and safeguards should reflect this.
Common Phishing Attack Methods
There are several common subtypes of phishing. While email phishing is the best known, SMiShing (text phishing), vishing (voice phishing) and social media phishing also exist. According to Trend Micro’s 2018 Mobile Threat Landscape, these phishing methods remain prevalent.
One of these attack vectors is then paired with something criminals want their victims to do. Often hackers want victims to click on a link or attachment containing malware or send money. In the case of a link or attachment containing malware, once one device is infected, the infection often spreads to other machines on the device’s current network.
How to Prevent Phishing Attacks
While it’s impossible to stop phishing emails entirely, perhaps the best way to limit their success is to educate employees about common phishing techniques. Some best practices include the following.
Don’t Click on Links and Attachments
Phishing messages often contain links or attachments that the hacker tries to make look like they were sent by a trustworthy source.
“My approach is to never click a link in an email,” said Impulse’s CTO Russ Miller, “but rather to search for the equivalent in a search engine or go more directly to what I know to be the associated web site.”
This means it’s important to avoid clicking on links whenever possible. If it’s not possible to avoid clicking a link, one technique is to hover over links before clicking on them to help ensure they’re from a legitimate source.
Consider that some phishing links will take someone to an identical but compromised version of the original website where the hacker can steal credentials. When in doubt, visit an organization’s website directly. As for attachments, bear in mind that most legitimate organizations won’t send them without you requesting them first.
Be Wary of Spelling and Grammar Mistakes
Phishing messages often contain obvious spelling and grammatical mistakes that most legitimate organizations would proofread for. It’s also common for phishing messages to have email addresses and other information that is slightly off from their claimed identities.
Contact the Sender Directly
When you have doubts about who sent a message, contact the sender directly to make sure that the person who sent the message is who they claim to be.
Services That Can Help
Perhaps the most basic defense measures are to make sure a spam filter, antivirus and computer updates are turned on and up to date. The spam filter will limit the number of phishing emails that reach the recipient, while the antivirus and computer updates help limit the ability of phishing emails that contain malware to infect devices.
Beyond this, additional cybersecurity services can minimize phishing’s success. For example, services that help stop the spread of malware between devices on a network can limit the ability of malware originating via phishing to spread between devices before the malware can cause significant damage.
How Impulse Can Help
Impulse’s SafeConnect and Software-Defined Perimeter (SDP) products can help limit malware’s spread across networks due to phishing techniques. SafeConnect accomplishes this by enabling different levels of permissions for different types of employees and the creation of separate guest and secure networks. SDP was adapted from technology originally created to defend against sophisticated attacks by allowing access to network resources when needed. This enables SDP to further help prevent the spread of phishing malware.