Category Archives: Phishing

Scam Prevention Tips for Friends

Every year or so I create a cut-and-paste guide that roughly mimics corporate security training, but is aimed at friends and relatives, to help them recognize the signs of a scam call or phishing email. Older friends and relatives, who may be less experienced with the pitfalls of technology, are frequent targets.

The past months have seen a steep uptick in calling scams, email phishing and general ploys to steal money from trusting individuals. Below are some tips to recognize scammers and stay safe. Feel free to use as your own and forward.

Scam Telephone Calls

If you receive a telephone call from anyone you don’t know about any of the topics below, beware.

  • Issue with your credit card
  • IRS or tax issue
  • Social Security issue
  • Car Warranty Offer
  • Amazon order verification
  • Grocery order
  • Computer Virus Alert
  • Any COVID-19 vaccine offer that involves a request for payment

The odds are very high that you are dealing with a scam. In short: hang up immediately and look up an official number for the organization yourself. Use the number you find from an official source to call back and verify whether the call was genuine.

Taking some specific instances:

Calls asking you to verify an Amazon order are scams trying to harvest your credit card information. Amazon does not call customers to verify orders. Hang up immediately and check your account status online, or call Amazon Customer Service using the number on Amazon’s own site.

Solicitations to sell you a car warranty are scams. If you pay the $2,000 or whatever amount is asked for a “comprehensive” warranty, you will find that the warranty doesn’t exist when you try to use it. The caller will claim to be from your car dealer or manufacturer. They are simply lying to you and attempting to steal your money.

Also, when you get these scam calls: don’t engage at all. Don’t press any digits on your phone or try to reach a person so you can ask to be removed from the list. It won’t work; you will simply be proving that your number is real and gets answered, and they will call it even more or sell it as a verified number. Just hang up.

(By the way, most consumer advocates agree that even the “legitimate” extended warranties offered by actual car dealers are arguably a waste of money. Save yourself a fortune over your lifetime and simply put the money you would use for extended warranties in a special savings account to cover repair charges. At the very least, spend some time doing your own research online before purchasing any extended warranty.)

Burn this into your mind: any call in which you are asked to pay with gift cards, for any reason, is a scam.

Any call notifying you that you are about to be arrested unless you take a given action is a scam. Think about it logically for a moment: the police don’t call with advance warning of an arrest, and they don’t accept gift cards to ward it off.

Most phone alerts about fraudulent credit card charges are in reality scammers trying to lure you into revealing card details. Hang up immediately and call the number printed on the back of your card. Never give personal information to an unknown caller.

Some scams involve calling you and asking a question to which you answer “yes”, then using a recording of your reply to “prove” that you ordered a service. Do not engage with scam calls; just hang up.

Phishing Emails

Never click on a link in an email you weren’t expecting. Instead, search for the company’s phone number or website yourself if you need more information. Clicking a link or opening an attachment can install malware.

If you get an email from a friend requesting help in the form of a gift card of any type, it’s a scam: the friend’s email account has been compromised. Anyone who approaches you with any request that involves gift cards is almost certainly trying to scam you.

Targeted Scams

Most scam and phishing attempts are random: you were targeted along with thousands of others in a broad campaign. However, if a scammer has a reason to become aware of you (e.g. you own a company, are known to donate to charities, are about to purchase real estate, etc.), a whole new level of personalized, targeted scams may be directed at you. Often this involves phishing emails highly customized to appear to come from someone you know or an organization you are involved with.

Targeted Scams are Convincing

It’s simple for most of us to recognize that someone calling from “Tax Services” and telling us that we will be arrested unless we send $200 in Target gift cards is a scam. We might sneer that anyone ever falls for such a ploy.

What if someone from the Title company you are dealing with calls and asks you to re-route your escrow payment to a different financial institution, due to a last minute change or correction? They will know your name and personal information, and they will know about the real estate transaction you are engaged in. The call might even appear to come from the Title company’s real number.

Are they real, or is this a targeted scam? Fortunately, many of the same rules you read about above still apply: verify that people are who they say they are by doing your own research: look the information up yourself and call or email back using the contact information you discover.

Remember that phone scammers can put any number they want in Caller ID, and that a phony email address can be made to look deceptively real simply by registering a domain similar to the real company’s. Both the Caller ID and the From line of an email are claims made by the sender, not something the network has verified.

Summary

In summary, avoid answering calls from unknown numbers. If it’s important, the caller will leave a voicemail. Never provide information to anyone unless you have validated their authenticity by contacting them directly at an officially listed number. A few minutes of care can save you months of dealing with the aftermath of being scammed or having your personal information stolen.

Compromised Email accounts used for Scamming contacts – A Case Study

I recently had the opportunity to observe a case of compromised email scam tactics–a friend called me in to assist in tracking the issue down. I thought it would be interesting to relate–many of you will have seen this MO 100 times, but I work on back-end issues and normally don’t get to assist in incident response.

The attacker used the compromised account to scam contacts into purchasing Amazon gift cards. It’s sometimes hard to believe that this tactic still works, but, alas, I can assure you that scamming for gift cards is alive and well, and it worked in this instance. Those most vulnerable to these scams include older people: when they see a request for help, even from a casual friend, the instinct is to help rather than be suspicious.

The compromised email account was used to send out a request with the subject line “A Quick Favor”; the body asked whether anyone had an Amazon account. The scammer likely obtained the password from a breach of some other site, then used the name from that breach to track down victim zero’s email provider and account. The password had been re-used.

How the scam worked

The scammer did two things. 1) They set a forward on the compromised account so that all incoming email went to an account created just for this scam: the same user name with an underscore appended, registered at Outlook.com. The scammer’s address was therefore on a different domain from the compromised account, but looked very similar at a glance.

2) They set up a filter rule that sent any replies with the subject “A Quick Favor” to Trash. Responses (including warnings from friends) arriving in victim zero’s mailbox therefore went unnoticed.

The original scam email came from the compromised account, but all responses were forwarded to the look-alike account, which was then used to carry on the conversation with the collateral victims. Apparently the theory was that anyone who actually fell for the bait would not notice the subtle change in the address on subsequent emails. In this instance, that worked.
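The address trick in this case study (same name, an underscore appended, a different domain) is mechanical enough to check for. The following is an added example, not code from this post or from any mail provider: it compares a sender’s address against a small address book and flags near-duplicates of a known contact on a different or look-alike domain. The address book and the headers it is fed are constructed for the illustration, and the edit-distance thresholds are assumptions, not tuned values.

```python
"""Flag sender addresses that impersonate a known contact.

Added example, not code from the original post. The contact list and
the message headers below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed address book: the people the reader actually corresponds with.
KNOWN_CONTACTS = {
    "jane.doe@gmail.com",
    "bob@examplecorp.com",
}

_ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>]+@[^\s<>]+)")


def extract_address(header_value: str) -> str:
    """Pull the bare address out of 'Display Name <addr>' or a bare addr."""
    m = _ADDR_RE.search(header_value)
    if not m:
        raise ValueError(f"no address in {header_value!r}")
    return (m.group(1) or m.group(2)).strip().lower()


def normalize_local(local: str) -> str:
    """Strip the decorations scammers add so the local part still reads the same."""
    return re.sub(r"[._\-+]", "", local)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough to inline here."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    address: str
    impersonates: Optional[str]  # the known contact it resembles, if any
    reason: str


def classify_sender(header_value: str, known=KNOWN_CONTACTS) -> Verdict:
    addr = extract_address(header_value)
    if addr in known:
        return Verdict(addr, None, "exact match with a known contact")
    local, _, domain = addr.rpartition("@")
    for contact in known:
        c_local, _, c_domain = contact.rpartition("@")
        # Same local part on a domain one or two characters off (examp1ecorp.com).
        if local == c_local and edit_distance(domain, c_domain) <= 2:
            return Verdict(addr, contact, "lookalike domain")
        # Same person-looking local part (modulo dots/underscores) but a
        # different domain: the pattern from the case study above.
        if normalize_local(local) == normalize_local(c_local) and domain != c_domain:
            return Verdict(addr, contact, "same local part, different domain")
        # Near-identical local part on a domain the contact does not use.
        if edit_distance(local, c_local) <= 2 and domain != c_domain:
            return Verdict(addr, contact, "near-identical local part, different domain")
    return Verdict(addr, None, "unknown sender")


if __name__ == "__main__":
    # Constructed headers: the first is the real contact, the second mimics
    # the case study (same name plus an underscore, at Outlook.com).
    for hdr in ["Jane Doe <jane.doe@gmail.com>",
                "Jane Doe <jane.doe_@outlook.com>",
                "Bob <bob@examp1ecorp.com>"]:
        v = classify_sender(hdr)
        extra = f" ({v.impersonates})" if v.impersonates else ""
        print(f"{v.address:28} -> {v.reason}{extra}")
```

Run it against the Reply-To (not just From) header of a suspicious message, since that is the address any reply will actually go to. The thresholds are deliberately loose; against a large address book, common first-name local parts will produce noise, so treat a hit as a prompt to call the contact rather than as proof.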

Lessons Learned

Lesson #1: don’t re-use passwords. That is easier said than done: the only realistic way to avoid re-use is a password manager such as LastPass that generates and stores them. Maybe that should be our birthday gift to parents and grandparents: a year’s subscription to a password manager. Turning on two-factor authentication for the email account is the other half of the fix; with it, a leaked password alone does not get the attacker in.

Lesson #2: if anyone, anywhere, at any time asks you to buy gift cards, whether as a favor, to pay off a debt, or for any other reason, it’s a scam. Relaying that simple advice to our users, obvious as it seems, remains useful.

Lesson #3: anyone this happens to must be told to change their password immediately, sign out of all other sessions where the provider offers that, and then go into their email settings and check for forwards and filters. The situation can be confusing, with the original victim believing the scam emails were simply forged rather than actually sent from their account. Remember that the attacker’s filter deletes responses automatically. Victim zero must change the password first, then look for evidence: filters, forwarding settings, sent mail and deleted mail.
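To make Lesson #3 concrete, here is an added example (not code from this post or from Google) that reads a Gmail filter export and flags the two tells from this case study: a filter that forwards mail off the account, and a filter that silently trashes matching mail. The XML is a constructed sample in the layout of Gmail’s Settings -> Filters and Blocked Addresses -> Export; the property names it relies on (forwardTo, shouldTrash, subject, hasTheWord) are the ones that export uses, but confirm them against an export from your own account. Account-level forwarding (Settings -> Forwarding and POP/IMAP) is not part of the filter export and must be checked by hand.

```python
"""Audit an exported Gmail filter list for rules that forward mail
elsewhere or trash replies, the two tells from the case study.

Added example, not code from the original post. SAMPLE_EXPORT is a
constructed sample in the layout of Gmail's filter export; the
property names are assumed to match a real export (verify on your own).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='*'/>
    <apps:property name='forwardTo' value='jane.doe_@outlook.com'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='subject' value='A Quick Favor'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>
"""


@dataclass
class Finding:
    severity: str
    rule: dict
    why: str


def parse_filters(xml_text: str) -> List[dict]:
    """Return each filter entry as a {property name: value} dict."""
    root = ET.fromstring(xml_text)
    rules = []
    for entry in root.findall("atom:entry", NS):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall("apps:property", NS)}
        rules.append(props)
    return rules


def audit(rules: List[dict], own_domains=("gmail.com",)) -> List[Finding]:
    """Flag forwards (HIGH if off to another provider) and trash rules."""
    findings = []
    for r in rules:
        fwd = r.get("forwardTo")
        if fwd:
            dest_domain = fwd.rpartition("@")[2].lower()
            sev = "HIGH" if dest_domain not in own_domains else "MEDIUM"
            findings.append(Finding(sev, r, f"forwards matching mail to {fwd}"))
        if r.get("shouldTrash") == "true":
            what = (r.get("subject") or r.get("hasTheWord")
                    or r.get("from") or "(no condition)")
            findings.append(Finding("HIGH", r,
                                    f"silently trashes mail matching {what!r}"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_filters(SAMPLE_EXPORT)):
        print(f"[{f.severity}] {f.why}")
```

Any finding here is worth treating as a compromise indicator until the account owner confirms they created the rule themselves; a legitimate user rarely forwards everything to a second provider or trashes replies on a specific subject.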

Lesson #4: if you receive such a scam request, alert the contact by means other than email. Text or call them immediately to notify them that there is a serious problem with their account that must be attended to via Lesson #3.

Best Practices for Simulated Phishing Email Campaigns

The cost of successful phishing attacks against individuals and organizations is both significant and increasing. Research by the Ponemon Institute estimates the cost at $3.7M per year for larger organizations, and, according to a 2016 survey on the Cloudmark Security Blog, a sample of 88 respondents cited an average cost of $1.6M to address spear-phishing attacks. A Google search on the cost of phishing attacks will supply any number of corresponding accounts. Any way you look at it, phishing is expensive for victims and relatively easy for attackers: a toxic blend. In response, IT Security organizations increasingly employ simulated phishing campaigns to bolster employee resilience to these attacks.

Using Simulations – No Longer a Debate

As organizations tally the high cost of lost hours and compromised resources due to phishing, simulated phishing campaigns have become a primary countermeasure alongside general awareness training. In fact, some organizations have turned simulated phishing into a veritable science, with varying detection difficulty levels, themes and frequencies adapted to the response, dispersion and variation algorithms, and so on. An unofficial nomenclature is developing around the variables involved in these campaigns; it deserves careful consideration, and perhaps even standardization, to facilitate statistical analysis and comparison. Phishing appears only to be increasing in sophistication and cost, and IT security must adapt.

One challenge with comparing simulated phishing campaigns against one another to chart progress and determine an optimum frequency and design is that the campaigns need to be aligned, or even stair-stepped, to some degree for a comparison to be useful. For example, suppose an organization ran only two campaigns a year: campaign ‘A’ designed to look like a poorly worded external attack with misspellings and random content, and campaign ‘B’ with personalized content and the appearance of a well-crafted email professionally aligned to a business process. It will not be useful to compare the click-rates (i.e. the failure rate: the share of recipients who click the simulated lure) of two such campaigns: campaign B will have the higher click-rate whether it was run first or second. There are too few simulations, and they are too far apart in difficulty.

Alternatively, an organization might start with a simple campaign (e.g. a difficulty level of ‘3’) early in the year and progress through a series of campaigns with slightly increased detection difficulty through the year. An effective strategy might include adjusting the themes of the simulations to fit the response pattern, as well as re-targeting susceptible employees with extra campaigns. Click-rates might not decrease dramatically, precisely because the detection difficulty is increasing; a steady click-rate through increasingly realistic simulations would be a positive result overall. Statistical weights can be assigned to the detection difficulty to quantify that progress.

Best Practices

There probably isn’t much value in designing what the table below rates as a level ‘10’ phishing email, one virtually indistinguishable from an internal process. One could argue that an employee should notice the external-email flag (hopefully your organization uses one), but such a test is apt to cause frustration. Likewise, there probably isn’t much value in a level ‘1’ email laden with grammar and spelling errors that only the most careless or untrained users would click. However, the Phishme data indicate that there is value in ‘not keeping it simple’: include in the regimen realistic simulations of the kind a sophisticated attacker would use.

Combine phishing simulations with phishing training and emphasize reporting suspected phishing emails. Consider an easy reporting button if the email client allows for it. Also, emphasize that if someone realizes they have been phished, to report it right away. Give an award or two away for people who habitually report phishing attempts.

There is ongoing debate about whether users should be warned that a phishing campaign is taking place. Most organizations discussing this on the Internet seem to favor notifications. One benefit of notification is that they serve as an ongoing reminder about phishing and hence encourage ongoing attentiveness.

As for consequences for users who habitually click on simulated phishing emails, or even real ones, it’s worth noting that any real phishing email that reached a user had penetrated the filtering system; in some sense it fooled IT Security as well. Bear in mind, too, that a user who clicks on a real phish may well realize it just afterwards. The Security team should want (and educate) that user to be comfortable and diligent about reporting such instances, and that reporting is much less likely in a punitive environment.

There is no definitive value for how often simulated campaigns should run. However, based on various anecdotal sources (i.e. I Googled it and read a variety of forums), the optimum seems to be six or more per year. Warning users six times a year that a campaign is afoot will at least keep everyone consistently attentive and vigilant without being annoying. It seems doubtful that more than monthly would be useful except for the most susceptible recipients. If a campaign spans a few weeks and is undertaken every month, the organization is essentially always under simulated attack.

Simulated phishing platforms may compile detailed campaign comparison statistics; I have only personally used a couple, and they had scant data that spanned their customer base. Phishme, a simulation platform I have not personally used, publishes a very informative report on the effects of simulation: the Enterprise Phishing Susceptibility Report contains data based on 8 million simulated phishing emails sent to 3.5 million employees.

Some simulation platforms that I have personally observed provide sector comparisons so that one may know where one stands relative to competitors. Without some of the details in the data model below, it’s hard to know how much intrinsic value such a comparison has (it may be apples to oranges). However, the trend is clear: more simulations and thoughtful strategies significantly decrease susceptibility. Phishme claims that “Behavioral conditioning decreased susceptible employees’ likelihood to respond to malicious email by 97.14% after just 4 simulations.” What they call ‘behavioral conditioning’ amounts to a thoughtful strategy: flagging repeat offenders for extra attention and varying the themes and sophistication of simulations for maximum impact.

For those with a bent towards raw statistics and data, there is a very interesting JAMA article that details a multi-year statistical experiment on the effect of simulated phishing campaigns on user behavior. Predictably, it indicates that the odds of an employee clicking on a simulated phish decrease with repeated simulations. There are gaps in relating the article’s model to a definite frequency of simulations, for example determining the optimum annual frequency. The study is, however, very good statistical evidence to have on hand if management is skeptical about simulations and the ROI of purchasing a simulation platform; it’s something beyond a vendor touting the value of its own product.

The Data Model

In the table, the dispersion variables refer to the ability to time the campaign over an interval and not happen all at once. The variation variables refer to the ability to include several variations of a simulated phishing email so that everyone doesn’t get the same one (and warn one another). The type attributes include personal, professional and IT–it will be most useful to compare emails of similar types.

The data model in the table below is an attempt to develop a standardized catalog of variables for comparing simulated phishing campaigns. The model will likely exceed the typical simulation platform’s set of configurable controls. Still, with current popular software it is typical to be able to label a campaign ‘easy’, ‘moderate’ or ‘hard’, set the batch delivery schedule, and supply a few variations of the simulated message. That is a good start. If your software doesn’t have at least that much functionality, it may be a poor fit for the scope and cost of phishing attacks.

Phishing Campaign Nomenclature

Field | Type | Category | Value Range | Example
Campaign_Name | String | Identification | Descriptive text | 'Campaign #10 2019'
Campaign_UID | Integer | Identification | Integer key | 137
Begin_Date | Date-Time | Schedule | Date-Time | 20191003-000000
End_Date | Date-Time | Schedule | Date-Time | 20191015-235959
Total_Email_Sent | Integer | Count | Integer | 4,324
Dispersion_Rate (emails per delivery cycle, e.g. per day) | Integer | Count | Integer | 250
Variation_Count (unique variations of the email per delivery cycle) | Integer | Count | Integer | 10
Variation_Ratio (unique emails per 100 employees per delivery cycle) | Integer | Ratio | Integer | 10
Delivery_Cycles (number of separate batches of email sent) | Integer | Count | Integer | 40 [batches of email delivered]
Difficulty_Rating_Code (how hard the phish is to detect) | Integer | Characteristic | 1, 2, ... 10 | 10 [an email indistinguishable from a current business process]
Corporate_Flag (intended to appear sent by the internal business organization) | Boolean | Characteristic | True, False | True
IT_Flag (intended to appear sent by the local IT organization) | Boolean | Characteristic | True, False | True
Personal_Flag (intended to appear sent by an external person or non-business entity) | Boolean | Characteristic | True, False | True
Professional_Aligned_Flag (intended to appear sent by an external entity related to the business) | Boolean | Characteristic | True, False | True
Target_Population_Code_General (who receives the campaign) | Integer | Target code | Codes for: All, Dept, Group, Manager, Non-Manager, Facility | 000 ['All' = 000: the entire population of employees with email addresses]
Target_Population_Code_Repeaters | Integer | Repeater code | 0, 1, 2 | 0 [0 = not targeted at repeaters, 1 = repeaters only, 2 = multiple repeaters]
Month_Code (month(s) included in the delivery cycles) | Integer | Schedule | 1-12 | 01,02
Season_Code (season(s) included in the delivery cycles) | Integer | Schedule | 1 = Fall, 2 = Winter, 3 = Spring, 4 = Summer | 01,02 [Fall = 01 covers Sep 21 - Dec 21 and includes the Christmas season]
Email_Opened_All | Integer | Result | Integer | 2,900
Email_Clicked_All | Integer | Result | Integer | 366
Email_Clicked_Pct | Double | Result | Real number | 8.5%
Variables and factors used to describe the characteristics and attributes of an anti-phishing campaign, for comparing campaigns and measuring progress. Email_Clicked_Pct is Email_Clicked_All divided by Total_Email_Sent (366 / 4,324 = 8.5% in the example).
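As an added illustration of the difficulty-weighting idea discussed above (not part of this post and not any platform’s code), the script below builds three campaigns using the field names from the table, computes raw and difficulty-adjusted click rates, fits a trend line to each, and lists the repeaters to re-target. The campaign data are constructed, and two conventions are assumptions made for the example: the adjustment divides the click rate by Difficulty_Rating_Code, and Target_Population_Code_Repeaters is 1 for anyone who clicked in two campaigns and 2 for three or more.

```python
"""Compare simulated-phishing campaigns on a difficulty-adjusted basis
and pick out repeat clickers for re-targeting.

Added example, not part of the original post or any vendor platform.
Field names follow the nomenclature table; the campaign data are
constructed; the adjustment and repeater coding are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Campaign:
    Campaign_UID: int
    Campaign_Name: str
    Difficulty_Rating_Code: int      # 1 = obvious ... 10 = indistinguishable
    Total_Email_Sent: int
    clicked_by: Set[str] = field(default_factory=set)   # user ids that clicked

    @property
    def Email_Clicked_All(self) -> int:
        return len(self.clicked_by)

    @property
    def Email_Clicked_Pct(self) -> float:
        return 100.0 * self.Email_Clicked_All / self.Total_Email_Sent

    @property
    def difficulty_adjusted_pct(self) -> float:
        # Assumed normalisation: clicks per unit of detection difficulty.
        # A flat raw click rate against rising difficulty therefore falls.
        return self.Email_Clicked_Pct / self.Difficulty_Rating_Code


def trend_slope(values: List[float]) -> float:
    """Least-squares slope of values against their 0-based order."""
    n = len(values)
    mx = (n - 1) / 2.0
    my = sum(values) / n
    num = sum((x - mx) * (y - my) for x, y in enumerate(values))
    den = sum((x - mx) ** 2 for x in range(n))
    return num / den if den else 0.0


def repeaters(campaigns: List[Campaign]) -> Dict[str, int]:
    """Map user id -> Target_Population_Code_Repeaters value.
    Assumed coding: clicked in 2 campaigns -> 1, in 3 or more -> 2."""
    counts: Dict[str, int] = {}
    for c in campaigns:
        for uid in c.clicked_by:
            counts[uid] = counts.get(uid, 0) + 1
    return {uid: (2 if n >= 3 else 1) for uid, n in counts.items() if n >= 2}


def summarize(campaigns: List[Campaign]) -> dict:
    ordered = sorted(campaigns, key=lambda c: c.Campaign_UID)
    raw = [round(c.Email_Clicked_Pct, 2) for c in ordered]
    adj = [round(c.difficulty_adjusted_pct, 2) for c in ordered]
    return {
        "raw_click_pct": raw,
        "adjusted_click_pct": adj,
        "raw_slope": round(trend_slope(raw), 3),
        "adjusted_slope": round(trend_slope(adj), 3),
        "repeaters": repeaters(ordered),
    }


# Constructed data: three campaigns of 1,000 recipients each, stepping the
# difficulty up while the raw click rate stays roughly flat at about 8%.
CAMPAIGNS = [
    Campaign(10, "Q1 fake invoice", 3, 1000,
             {f"u{i}" for i in range(80)}),                 # 8.0%
    Campaign(11, "Q2 HR benefits update", 6, 1000,
             {f"u{i}" for i in range(40, 118)}),            # 7.8%
    Campaign(12, "Q3 spoofed internal process", 9, 1000,
             {f"u{i}" for i in range(100, 182)}),           # 8.2%
]

if __name__ == "__main__":
    s = summarize(CAMPAIGNS)
    print("raw     :", s["raw_click_pct"], "slope", s["raw_slope"])
    print("adjusted:", s["adjusted_click_pct"], "slope", s["adjusted_slope"])
    print("repeaters to re-target:", sorted(s["repeaters"].items()))
```

The raw series is flat (slope about zero), which on its own looks like no progress; the adjusted series falls steeply, which is the point the paragraph above makes. Whatever weighting a team settles on, it should be fixed before the first campaign and written down with the campaign record, or later comparisons will drift.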

Three simple Security Tips to Pass Along to relatives or Friends

Anti-Phishing

Arguably the most critical security tip anyone can pass on: don’t click on links sent via email unless you are expecting that sender to send you that link. It doesn’t matter whether you know the sender; you must be specifically expecting the link and the topic. If you are sending someone a link, IM the recipient and tell them you are sending a link to a given site. If you receive an email with links from someone you know, IM or call them before clicking and verify that they intentionally sent the link and vouch for it. Spear-phishing is, by definition, a targeted attack against someone (e.g. you) using an email that you have some reason to trust or be interested in. You can lose a lot of money in a hurry by clicking on unverified links.

If you receive a link in what appears to be a legitimate email, such as one from your bank saying you need to view a secure message, or from a site you subscribe to, assume the link is an attack until you can prove otherwise: links in email are guilty until demonstrated innocent. At a minimum, hover over each link to see the actual destination URL and inspect the address carefully (the visible text of a link and the address it goes to are set independently, so the text can say your bank’s name while the link goes somewhere else). Even that is not enough. If you are interested in the information an email points to, it usually takes only a few seconds to find it with Google rather than clicking, or simply type the website’s address in yourself and navigate to it.
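The hover check can be automated for an HTML message. The following is an added example, not code from this post: it pulls every link out of a constructed sample email, compares the host the link text displays with the host the href actually points to, and flags bare-IP destinations and destinations off the expected domain. The bank domain examplebank.com is an assumed stand-in for whatever institution the reader actually uses.

```python
"""Do the 'hover over the link' check programmatically for an HTML email.

Added example, not code from the original post. SAMPLE_EMAIL is a
constructed message; examplebank.com is an assumed stand-in for the
reader's real bank domain.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class Link:
    text: str
    href: str


class _Anchors(HTMLParser):
    """Collect (visible text, href) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links: List[Link] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(Link("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html: str) -> List[Link]:
    p = _Anchors()
    p.feed(html)
    return p.links


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Use the Public Suffix List in production (co.uk etc. break this)."""
    return ".".join(host.lower().split(".")[-2:])


_URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def check_link(link: Link, expected_domain: str) -> Optional[str]:
    """Return a reason the link is suspect, or None if it looks consistent."""
    host = urlparse(link.href).hostname or ""
    if not host:
        return "href has no host"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return f"destination is a bare IP address ({host})"
    if _URLISH.match(link.text):
        # The anchor text looks like a URL: does it name the same site as the href?
        shown_url = link.text if "://" in link.text else "http://" + link.text
        shown = urlparse(shown_url).hostname or ""
        if registrable(shown) != registrable(host):
            return f"text shows {shown} but goes to {host}"
    if registrable(host) != expected_domain:
        return f"destination {host} is not on {expected_domain}"
    return None


# Constructed sample: one honest link, one whose text lies about its
# destination, and one that points at a raw IP address.
SAMPLE_EMAIL = """<html><body>
<p>You have a new secure message. <a href="https://www.examplebank.com/inbox">View it here</a>.</p>
<p>Or visit <a href="http://examplebank.com.secure-login.example.net/m">https://www.examplebank.com/inbox</a></p>
<p><a href="http://203.0.113.7/login">Confirm your account</a></p>
</body></html>"""


def audit_email(html: str, expected_domain: str) -> List[Tuple[str, str, Optional[str]]]:
    return [(l.text, l.href, check_link(l, expected_domain)) for l in extract_links(html)]


if __name__ == "__main__":
    for text, href, verdict in audit_email(SAMPLE_EMAIL, "examplebank.com"):
        tag = "OK " if verdict is None else "BAD"
        print(f"{tag} {text!r} -> {href}: {verdict or 'consistent'}")
```

The second link is the classic trick: a real-looking bank hostname used as a subdomain of an attacker’s domain, with the honest URL as the visible text. Note the caveat in registrable(): two-label matching is only an approximation of what a browser or the Public Suffix List would treat as the same site.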

Guarding Financial Accounts

If you have an appreciable amount of assets in an account (using your own definition of appreciable), strongly consider requesting two-factor authentication for access. Many financial institutions can offer this. E-trade, for example, provides a simple mobile app that generates a time-based one-time code which changes every half-minute and must be entered along with the account password (hence two factors: something you know and something you have).

Protect your sensitive data from easily being observed

This isn’t going to stop a determined attacker with cracking hardware, but it serves as at least a moderate deterrent. To add some protection to sensitive MS Office files, use the password-based encryption built into Office. For Excel, a file can be encrypted in a few clicks:

File -> Info -> Protect Workbook -> Encrypt with Password
If you use a version of Office older than 2013, consider upgrading. Office 2013 and later encrypt documents with AES-256 using a key derived from the password by 100,000 iterations of SHA-512, so a long, complex password would require an extensive brute-force attack to crack. Note that the default encryption in Office versions prior to 2007 (40-bit RC4) stands little chance of surviving even a half-hearted cracking attempt.
More robust volume or full-drive encryption is available in products such as Symantec PGP, and in the encryption built into the operating system (BitLocker on Windows, FileVault on macOS). If you were to lose your laptop, would it contain information, documents or photos that you don’t want the world to have? Keep in mind how easy it is for a laptop, or even a desktop, to be stolen. Chances are good that any data left unencrypted on a stolen laptop will be perused.