Making the Un-obvious, Obvious
Imagine if an 8-year-old child came up to your house, knocked on your door, and with a very stern face said they were from the IRS and you owed them $3,782 in back income tax. What would you do? My guess is you’d probably laugh in their face and ask if their parents knew where they were, and that they should take their bike and go back home. You would probably do something similar if they called you on the phone, with their friends giggling in the background.
Now imagine you receive an email. It appears to be from the “Internal Revenue Service”, and the subject is “We are unable to process your tax return”. The email came in May, so the timing would be about right. The body of the email starts with the IRS logo and “Department of Treasure Internal Revenue Source”, and states that there was an issue with the filing process. It has a list of required documents that need to be completed and emailed back to avoid any delays or penalties. What would you do now?
Odds are that after reading it, you would just delete the email. While the first scenario is laughable and immediately dismissed, there’s a good chance you took time to look over the second one. For some people, it was believable enough that they responded. So, what is the difference between the two? While scam emails are nothing new, why are they still so effective?
It comes down to what we are trained to look for. What is obvious in one situation doesn’t always carry over to another. Phishing attempts (the activity of defrauding an online account holder by posing as a legitimate company) keep getting harder to detect, and that’s why people continue falling victim to these attacks.
In the case of the child coming to your door, you know a representative for the government would be an adult, in a suit and tie, have identification, documentation, and drive a nice government-provided vehicle. They also would have been in contact with you via mail or telephone before showing up at your door. If you don’t see the things you know to look for, your mind will tell you it can’t be trusted. But if you don’t know what to look for, it’s not so easy to tell.
In December 2015, 700,000 Ukrainian homes lost power due to malware installed after a phishing campaign. An email was sent to the electricity provider’s employees that appeared to be from parliament. It only took one person responding to open enough of a hole to compromise the entire system.
Just before the 2016 presidential election, the campaign chairman for Hillary Clinton had his email hacked. A fake email was sent to John Podesta asking him to reset his Gmail password. It looked like a legitimate email from Google, so he clicked it and entered his login and password. This resulted in thousands of confidential emails being leaked online.
As we learn what to look for, scammers learn to adapt
The obvious signs that would have tipped us off in the past often are no longer present. Poor spelling or grammar, outrageous stories promising riches, and foreign-looking web links are more of a rarity. Today there are official logos, clean formatting, and links are hidden behind “click here”. So now we need to look in other places to help spot if it’s legitimate or not.
- Look at the “from” email address. There are two areas to pay attention to. One is the display name, such as “Internal Revenue Service”. The other is the actual email address, such as “email@example.com”. The last part of the email address, the “irs.gov”, is the domain that it came from. Hackers can register all kinds of names that look similar, like “irsservice.com”, or “gov.com”. If you don’t know what the correct domain should be, do a search for the company’s name and it will be part of the website address that comes up (for example, www.gov).
- If there are links in the email that they want you to follow, don’t click them. Hovering your mouse over a link will typically display where it’s going to, and you can look for the domain again there. If you aren’t sure, go to the website directly from your internet browser. If the email seems to be from American Express and wants you to do something about your account, go to www.americanexpress.com and log into your account to see if you have any messages.
- Is there an attached document that they want you to open? If it’s a major company or government agency, they would be more likely to have you complete a form online after you had signed in to your normal account. Attachments are an easy way to infect your computer by running a program that looks safe. Even seemingly safe Microsoft Office documents used by Word and Excel can now have malicious programs embedded inside to bypass the usual mail filters. If there’s a file attached, this should be a red flag that something could be wrong.
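The sender and link checks in the list above can also be run by a program. The Python below is an added example, not part of the original article: the sample message is constructed (using the lookalike domains mentioned above), and the names `check_message`, `in_domain` and `LinkCollector` are made up for this illustration.

```python
# Added example: automate the sender-domain and link checks described above.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email); addresses and URLs are
# invented, using the lookalike domains the article mentions.
SAMPLE = """\
From: "Internal Revenue Service" <refunds@irsservice.com>
To: taxpayer@example.com
Subject: We are unable to process your tax return
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>There was an issue with your filing.
<a href="http://forms.gov.com/upload">Click here</a> or visit
<a href="https://www.irs.gov/help">our help page</a>.</p></body></html>
"""

class LinkCollector(HTMLParser):
    """Collect the real destination (href) behind every link."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def in_domain(host, trusted):
    """True only for the trusted domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def check_message(raw, trusted_domain):
    """Return (display_name, sender_ok, suspicious_link_hosts)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    sender_ok = in_domain(addr.rpartition("@")[2], trusted_domain)
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    hosts = [urlparse(h).hostname for h in collector.hrefs]
    bad = [h for h in hosts if not in_domain(h, trusted_domain)]
    return display, sender_ok, bad

if __name__ == "__main__":
    print(check_message(SAMPLE, "irs.gov"))
```

The display name reads “Internal Revenue Service”, yet the sender check fails and the “Click here” link is reported as pointing somewhere other than the trusted domain.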
Time is the hacker’s enemy
Hackers are counting on fooling you into taking quick action. That’s why they will make things sound as official as possible, use scare tactics to create a sense of urgency, and give you a fast way to respond. Because the longer you have to think about it, the more likely you are to see through the sham and the less likely you are to act. If you get an email that says it needs your urgent attention, take the extra time to look it over and make sure it really did come from where they say it did. Just a little bit of research could end up saving you a lot of money and heartache.
Copyright © 2017 Texas Bank. All Rights Reserved.
Attacks/breaches of note
11/03/16 – City of El Paso
The city of El Paso fell victim to a targeted phishing attack, causing $3.2 million in funds to be lost. Approximately $1.6 million was able to be recovered.
11/02/16 – Various universities
A Phoenix, Arizona man was arrested on charges of hacking into 1,050 email accounts in order to compromise social media and look for potentially embarrassing photos.
11/10/16 – Philips Hue lightbulbs
Researchers from the Weizmann Institute of Science in Rehovot, Israel found a flaw in the ZigBee networking protocol used by Philips Hue lightbulbs that would allow hackers to reset network settings for the bulbs, and force them to pass this setting on to any other bulbs within range, with the potential to compromise all devices in a city. These then could be used to turn them off and on, recruit the bulbs for a DDoS attack, flash them in a way to cause seizures, or “brick” the devices and make them unusable.
11/13/16 – AdultFriendFinder.com
More than 412 million records with usernames, email addresses, passwords, and date of last visit were among the data that was compromised. Because of how the passwords were stored, around 99% were able to be cracked. Roughly two decades’ worth of data was covered, including accounts that were supposed to be deleted.
11/20/16 – Internal Revenue Service
A report from the Treasury Inspector General for Tax Administration showed that during a four-week sample period, personally identifiable information for 8,031 taxpayers was sent via unencrypted email. The report stated that this was done in violation of existing email policies. It also noted that e-fax transmissions are sent in a non-encrypted manner due to the conversion of email to a form able to be sent over an analog telephone line.