Phishing

Phishing is a social engineering attack, a form of fraud in which an attacker masquerades as a reputable entity or person in order to obtain personal or sensitive information for malicious use. Phishing normally arrives by email, but it can appear in other communication channels. The attacks are usually carried out using malicious links or attachments in the email. Beyond the compromise of personal information, a compromise of computer systems can follow, for example through malware delivered by an attachment or credentials harvested by the site behind a link.

The current threat landscape shows that approximately 91% of all cyber-attacks (1) start with a phishing attack. Threat-based security requires that efforts to mitigate attacks be directed where the threat is. Phishing attacks are directed at the end user rather than at a computer system, and the end user is one of the easiest ways into a computer network. Alongside securing computer systems, the security industry has coined the term "Securing the Human" for efforts to combat phishing attacks.

1 - Stated on many security expert sites. Example.

MCPHS University tests faculty and staff using an information security vendor called KnowBe4. The aim is to help faculty and staff become more resilient to phishing attacks. If a faculty or staff member fails a test by clicking an embedded link or opening an attachment in a test email, they are automatically assigned a short training module. The training is intended to help the end user be more secure at home as well as at work.

Phishing - The generic term for all phishing attacks; the majority are not targeted but are sent to random sets of users.

Smishing - Phishing carried out over cell phone text messages (SMS). The text often contains a URL or a phone number to call.

Spear Phishing - Phishing attacks directed at a specific individual, group of individuals or business.

Whaling - Phishing attacks aimed at high-level executives of a business, such as the CIO, CFO, etc.

Vishing - Phishing attempts made over the phone (voice) rather than through email.

There are many ways to identify a phishing email. Knowing even a few of them goes a long way toward spotting a phishing attempt.
  • Hyperlinks that are spoofed (the actual destination differs from what is shown). Hover over a hyperlink rather than clicking it; if the destination shown in the status bar or tooltip is not where the link text says it goes, beware.
  • Emails with only a hyperlink and no other content. Professionals normally explain any link they send, so be careful if you receive such an email.
  • Hyperlinks that are misspelled, in particular a well-known website name with a letter changed. For example, a hyperlink to www.goggle.com (google misspelled) is most likely malicious.
  • Attachments with a potentially dangerous file type. Plain .txt is generally the only safe type, and even then make sure ".txt" is the real extension and not just part of the filename, e.g. document.txt.exe (Windows hides known extensions by default, so such a file can display as "document.txt"). Note that .pdf, .zip, .xls and many other document types can also carry malware.
  • Does the email have an odd or illogical link or attachment? Think about the logic of the email; if the link or attachment makes little or no sense in context, there is a high probability the email is malicious.
  • Attachments that you were not expecting, or of a type the sender would not normally send. Contact the sender via a different medium (e.g. a phone call) to confirm they intended to send the attachment. Do not use a phone number given in the suspect email.
  • Is the email from someone you do not do business with, or from a business to which you never gave your email address?
  • Does the email come from a suspicious or misspelled domain name?
  • If the email was sent as an apparently personal message but had a large number of people CC'd, it may be malicious. Conversely, if you were CC'd on an email that appears to be aimed at a single specific user or at a person you do not know, it may be malicious.
  • Emails sent to a strange or random group of people. Emails to groups are normally sent to groups with a common interest; attackers often send mass emails in a shotgun fashion without regard to normal group membership.
  • Is the email from someone you have not heard from in a long time, with a strange message (e.g. "check this out")? Checking with the sender via a different medium (not email) is advisable in this case.
  • Emails requesting that you click on a link or else face negative consequences, or to receive fantastic gains; for example, emails demanding an urgent response. Most phishing emails try to create a sense of urgency, leading recipients to fear that their account is in jeopardy or that they will lose access to important information if they do not act immediately.
  • Emails requesting personal information. Most legitimate companies will never email customers asking them to enter login credentials or other private information by clicking a link to a website. This is a safety measure to protect consumers and to help customers distinguish fraudulent emails from legitimate ones.
  • Is the email content strange? If the email does not pass a sensibility check, it is most likely malicious.
  • Does it have bad spelling or grammar? Often this is because English is not the attacker's native language.
  • Is the email asking you to look at an embarrassing picture of yourself or of another person? This is a common social engineering tactic.
  • Does the email seem out of character for the person who sent it?
  • Was it sent at an unusual time? Would the sender normally send a file in the early morning hours?
  • Emails with generic greetings. Phishing emails often use generic greetings such as "Hello Bank One Customer" rather than the recipient's actual name. This is an obvious tell for bulk phishing, whereas spear phishing attacks will typically be personalized.
  • Do you have a bad feeling about the email?
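
Several of the checks in the list above (link text that shows one address while the link goes to another, double or dangerous attachment extensions such as document.txt.exe, and sender or link domains that are a misspelling of a well-known one such as goggle.com) can be automated. The following is an added example written for this page, not MCPHS or KnowBe4 code. It parses a message with Python's standard email library and reports each of those tells. The trusted-domain list, the extension list and the sample message are constructed assumptions, as is the look-alike rule (an edit distance of one or two characters from a trusted domain).

```python
"""Flag three phishing tells in an e-mail: link text that shows one address while the
href goes elsewhere, attachments with dangerous or double extensions, and sender or
link domains a character or two off a trusted domain. Added example, not MCPHS or
KnowBe4 code; the trusted-domain list, extension list and sample message are constructed."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("mcphs.edu", "google.com")  # assumed legitimate sender domains
DANGEROUS_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".zip", ".docm", ".xlsm"}

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def edit_distance(a, b):  # plain Levenshtein distance, used to spot look-alike domains
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(url):  # registered domain (last two labels) of a URL, or '' if it has no host
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:]) if host else ""

def lookalike_of(domain):  # trusted domain that `domain` imitates (distance 1 or 2), else None
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def check_attachment(name):
    root, dot, ext = name.lower().rpartition(".")
    if not dot or "." + ext not in DANGEROUS_EXT:
        return None
    if "." in root:  # document.txt.exe: ".txt" is part of the name, ".exe" is the real type
        return f"attachment {name}: double extension, real type is .{ext}"
    return f"attachment {name}: dangerous file type .{ext}"

def check_message(raw):  # returns human-readable findings for one RFC 822 message (bytes)
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    if (t := lookalike_of(sender)):
        findings.append(f"sender domain {sender} looks like trusted {t}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        links = LinkCollector()
        links.feed(body.get_content())
        for href, text in links.links:
            target = domain_of(href)
            if not target:
                continue
            if text.startswith(("http://", "https://", "www.")):  # link text that looks like a URL
                shown = domain_of(text)
                if shown != target:
                    findings.append(f"spoofed link: text shows {shown} but href goes to {target}")
            if (t := lookalike_of(target)):
                findings.append(f"link domain {target} looks like trusted {t}")
    for part in msg.iter_attachments():
        if (f := check_attachment(part.get_filename() or "")):
            findings.append(f)
    return findings

def build_sample():  # constructed phishing message exhibiting all three tells
    msg = EmailMessage()
    msg["From"] = "IT Help Desk <helpdesk@mcph5.edu>"
    msg["Subject"] = "URGENT: your mailbox will be suspended today"
    msg.set_content("Verify your account now or lose access.")
    msg.add_alternative('<p>Verify your account now: <a href="http://www.goggle.com/verify">'
                        'https://www.google.com/account</a></p>', subtype="html")
    msg.add_attachment(b"MZ constructed stub, not a real program", maintype="application",
                       subtype="octet-stream", filename="invoice.txt.exe")
    return msg.as_bytes()
```

Calling check_message(build_sample()) returns four findings: the look-alike sender domain mcph5.edu, the link whose text shows google.com while the href goes to goggle.com, goggle.com itself as a look-alike of google.com, and the invoice.txt.exe double extension. To run it over real mail, pass the raw bytes of a saved .eml file. Treat the output as a triage aid rather than a verdict: the edit-distance rule will also flag unrelated short domains, the extension list is far from complete, and a link text that is plain words rather than a URL is not checked at all, so the hover-and-verify habits above still apply.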
If a faculty or staff member would like to take a training module, they need only submit a ticket to the Help Desk requesting one. Information Security will contact the user and assign an appropriate module for that faculty or staff member. (Email: helpdesk@mcphs.edu, or phone: 617-732-2170.)