Last Thursday, the UTM Alumni Association hosted a Classes Without Quizzes event, featuring Ryan Duquette, a digital security specialist, licenced private investigator, and currently a lecturer in the mathematics department at the University of Toronto. He shared his knowledge on how to secure digital information from phishing scams.
Phishing is an increasingly sophisticated and highly successful criminal enterprise. It has evolved alongside social engineering and targeted intelligence gathering. The three main forms Duquette covered are phishing, spear phishing, and whaling. A phishing message aims to capture credit card details or login credentials, or to get the recipient to open a link or attachment that installs ransomware on their device.
Spear phishing is a personalized phishing attack, specifically targeting you. The emails are sent to the targeted individual, and are based on personal information gathered in a variety of ways, including through social media. According to Duquette, “this targeted information dramatically increases the success of phishing attacks.”
“Ninety-seven percent of phishing emails are associated with ransomware,” says Duquette.
Ransomware is malicious software that encrypts your files and withholds the decryption key until a ransom is paid. Because spear phishing tailors the lure to its recipient, anyone can be a target, from individuals to hospitals, businesses, and schools.
“Newer forms of ransomware allow you to decrypt your drive only after you have infected two others,” Duquette adds.
Additionally, some newer ransomware not only encrypts your drives and data but, if the ransom is not paid within the deadline, publishes the data for anyone who wants to access it.
Whaling is spear phishing that usually involves someone masquerading as a C-level employee of the company. Duquette shared an instance of corporate whaling: in April 2015, a financial executive at Mattel, Inc. received an email, apparently from the company's new CEO, instructing her to pay a vendor in China. Company policy required two executives to authorize such a transfer. Treating the email as the CEO's approval, the executive supplied the second authorization and wired three million dollars to a bank in China on the strength of a phishing email.
Whaling usually targets businesses or individuals with greater financial resources. It takes longer, but the payoff is higher. Those running a whaling scheme commonly work in teams, gathering large amounts of data, taking their time, and building relationships with their targets. The requests are crafted to look relevant to the recipient or sender, drawing on social media and other gathered data.
Duquette has four steps to follow that will lower your susceptibility to phishing attacks.
First, take some time. “Many of us have a somewhat Pavlovian response when it comes to our emails. The second we hear a ping from our computers or from our phones, we’re reaching into our pocket or jumping on our computer to open it and see what it is,” says Duquette. “Criminals know this.” Phishing emails are written to increase the pressure to respond, using words like “urgent,” “immediate,” or “crucial,” usually capitalized. When people see words like these, they are more likely to open the attachments, click the links, or send a reply. Waiting at least an hour before opening an email, Duquette says, significantly reduces your chances of falling victim to a phishing attack. Taking the time to think about the email and examine its details is crucial to identifying phishing and protecting yourself.
Duquette calls the second step TIPC, which stands for Timing, Intent, Person, and Content. Consider the timing of an email before opening it. Are you expecting an invoice or document? Think about what the intent of the email is. Are they trying to get you to enter your personal information? Trying to get you to click on a link?
“Being cautious and aware is the smartest thing you can be,” says Duquette.
You also need to examine the people in the email, both who it is from and who it is addressed to. Is the email addressed to you by name, or does it open with a generic greeting? Even if the email appears to come from someone you know, that is no reason to disregard warning signs, since that person’s account could have been compromised. You should also examine the full email address of the sender, not just the display name. The name may say Microsoft while the address the message actually came from belongs to an unrelated domain. The final element is the content of the email. Look for incorrect grammar and spelling mistakes. Does the message make sense? If it is an invoice, did you recently buy something from that company? Ask yourself whether what is happening should be happening.
The third step is to take an alternative route. If you get an email from your bank saying your account may have been compromised, and you are not sure whether the email is genuine, do not act on the message itself. Instead, open your bank's website yourself or phone the bank to ask whether anything is wrong. These alternative routes take you to the same destination while protecting you from the dangers of digital fraud.
Duquette states that the final step on the path to protecting your digital information is to educate yourself. Knowing what to look for and what to do greatly decreases the likelihood of being victimized, and it is your best defence against digital fraud.