Phishing attacks tap into human eccentricities that bad guys have exploited for thousands of years, which makes them extremely difficult to counter. Case in point; for this article I asked a few friends if it’s alright to click on active links in an email. They all said no. But, I know for a fact that an email with a video link about cats that is circulating among that same group.
Therein lies the problem. Bad guys understand this. Bad guys also know which psychological buttons to push, to improve the odds of getting a victim to click on a malicious link.
A good example of pushing buttons is how phishers are leveraging the FUD created by the Target data breach, sending out thousands of phishing emails offering financial protection. Target is aware of the deception, mentioning the following on their FAQ webpage:
“Be wary of scams that may appear to offer protection but are really trying to get personal information from you. If you have any suspicions about the authenticity of an email or text, do not click the links in it. Please go directly to the sites you need to access.”
The fact that phishers are using the Target data breach to their advantage illustrates a fault even I’m guilty of--stressing out about a situation and making a hasty decision I usually end up regretting. The solution is to step back, take a deep breath, and realize that the amazing offer or panic-inducing security alert is likely a phishing email.
Phishers exploiting attachments
Like most con artists, phishers must keep their deceptions fresh. As people learn to avoid active links in unsolicited emails, a phishers are switching to a new lure--email attachments. In a Naked Security post, Paul Duklin urges people to be leery of attachments:
“We urge you to be cautious of email attachments (Duklin's emphasis), especially if you weren't expecting them. That's to protect you from booby-traps, where cybercriminals feed you a crafty file such as a document or image that is deliberately rigged up to crash your browser (or PDF reader, or multimedia player, or whatever) and sneakily infect you with malware.”
Duklin is concerned because warnings about phishing emails often refer to links embedded in the email body, not attachments.
Technology will always be a step behind
A question people have been asking me lately, “Besides stepping back and taking a deep breath, what else can we do?” That is a great question, and I’m afraid my usual answer seems hollow now. I, like many others who write about information security, have preached, “do this and don’t do that.” But, to be honest, it all boils down to being aware.
I say that is because there is precious little that antimalware and IT professionals can do with technology to protect us. Sure, once they get wind of a new phishing attack, they get the word out, and update their software to recognize the latest deception. But what about those unlucky enough to receive a targeted phishing email before the word gets out?
That question is the very reason experts I have talked are becoming convinced that the only proactive deterrent is user awareness. Trust your instincts, if it seems bad, it most likely is. Additional advice, “More often than not, there are ways to check if the email is for real or not. And if there isn’t a phone number or alternative way to authenticate the sender, delete the email.”