Teach a Man to Phish

Give a man a fish, feed him for a day. Teach a man to fish, feed him for a lifetime. This old adage could not be more true in the world of cyber security. Phishing is a cyber attack that uses a disguised email as the weapon, or rather, the bait.

It is against the law to steal a car, but we still lock our cars. Do we lock them to keep honest people honest, or because it helps us feel safer? We lock them the same way we put a password on our home Wi-Fi: like water flowing down a hill, we all follow the path of least resistance. Locking your car may not stop a determined thief, but if that thief is going around a parking lot checking car doors, your chances just went up.

Phishing scams are typically not about a specific target; they are about numbers. Check enough car doors and a few are bound to open with little to no effort. We have to be vigilant and use a little common sense to make sure that we, too, do not fall victim to a cyber attack.

There is a reason it is called phishing; it is closely related to actual fishing. Phishing tactics use bait and lures in the form of carefully crafted emails to get the end user to react. This could be clicking a link or opening an attachment, and in some cases simply opening the email itself can be enough.

Phishing in the form of a message is mostly about one thing: trust. Traditionally, people were largely unaware of phishing attacks, and attackers needed very little imagination to get users to click a link or open an attachment. Today, people are finally beginning to realize the dangers of phishing, but the methods are getting more advanced. We are not going to go in depth on all the ways a cyber attacker can and will attempt to get information or secretly install malware on your devices, but we hope to shed some light on how easy it is and to give you some pointers on how to protect yourself, your devices, and your company.

Step by step on how to Phish

  1. Phishing starts with an email. But how do you know an email address is valid? https://email-checker.net/ is an email checker that anyone can use to confirm that the message you are sending will go to a real mailbox.
  2. Now you might be asking, “how would they know my email address anyway?” One way is to go to https://hunter.io/ and type in a domain, and voila, you have source data that verifies email addresses, and you also have the company’s common address pattern: firstinitiallastname@, firstname.lastname@, firstname@, etc.
  3. A quick search on the company’s website, Google, or LinkedIn will give you roles and positions, and now you have a general idea of how you are going to position your attack and who you will target.
  4. Typically companies use the big-name payroll providers like ADP, Gusto, Intuit, Paychex, etc., so you could do a little research, or you could send a few emails to lower-tier employees to find out. All you need is one employee to reply with “no, we use ADP”, or maybe you set up a legitimate-looking survey to get someone to give you answers and offer a prize (that they will never receive).
  5. Now it’s about trust, so you could send an email that looks like an ADP, Microsoft Teams, Google, or bank system-generated email, but if you really wanted to catch a big one, you could buy a look-alike domain and link to it to throw the user off your scent. Go to https://www.GoDaddy.com and purchase one. We did a quick search and you can grab https://microsoftsupportgroup.com for 11.99. This way, if a suspicious user checks or hovers over the link, they may think it is OK. Maybe you make your email look like the user needs to update their account because they have been added to a Microsoft Support Group, i.e. “Click here if you would like to be removed from this group.”
  6. Lastly, if you really wanted to put in the effort, you could copy or clone a website so it looks like the real one. I won’t go into how to do this, but it can be done fairly easily. The more advanced phishing campaigns will definitely deploy these tactics, even though doing it right takes time. To a pro phisher, it’s just part of the fun.
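As an added example (not code from the original post), here is how the address-pattern step above works in practice: take one confirmed address, work out which pattern the company uses, and apply it to every name collected from the company website or LinkedIn. The pattern table, the reserved `example.com` domain and the three names are assumptions constructed for the example.

```python
import re
import unicodedata

# The address patterns that hunter.io-style sources report for a domain.
# Template fields: fi = first initial, first = first name, last = last name.
PATTERNS = {
    "firstinitiallastname": "{fi}{last}",
    "firstname.lastname": "{first}.{last}",
    "firstname": "{first}",
    "firstnamelastname": "{first}{last}",
    "firstname_lastname": "{first}_{last}",
    "lastname.firstname": "{last}.{first}",
}

# Constructed sample input: names of the kind LinkedIn or a company site would
# yield. The domain is the reserved example domain, not a real target.
SAMPLE_DOMAIN = "example.com"
SAMPLE_NAMES = ["Jane Doe", "Bob O'Neil", "José García-López"]


def normalize(name_part):
    """Lowercase, strip accents and drop anything that is not a letter or digit,
    so "O'Neil" becomes "oneil" and "José" becomes "jose"."""
    ascii_part = unicodedata.normalize("NFKD", name_part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_part.lower())


def name_parts(full_name):
    """Split a display name into (first, last); middle names are ignored."""
    parts = full_name.split()
    if len(parts) < 2:
        raise ValueError(f"need a first and last name: {full_name!r}")
    first, last = normalize(parts[0]), normalize(parts[-1])
    if not first or not last:
        raise ValueError(f"name has no usable letters: {full_name!r}")
    return first, last


def candidates(full_name, domain):
    """Every candidate address for one person, keyed by pattern name."""
    first, last = name_parts(full_name)
    return {
        pattern: f"{template.format(fi=first[0], first=first, last=last)}@{domain}"
        for pattern, template in PATTERNS.items()
    }


def infer_pattern(known_address, full_name):
    """Given one confirmed address (from a signature block, a hunter.io-style
    result, or a reply), work out which pattern the company uses.
    Returns None if the address matches none of the known patterns."""
    local, _, domain = known_address.lower().partition("@")
    for pattern, addr in candidates(full_name, domain).items():
        if addr.split("@")[0] == local:
            return pattern
    return None


def enumerate_addresses(pattern, names, domain):
    """Apply one inferred pattern to the whole list of names."""
    return [candidates(name, domain)[pattern] for name in names]


if __name__ == "__main__":
    # A single confirmed address is enough to pin the pattern for everyone else.
    pattern = infer_pattern("jane.doe@example.com", "Jane Doe")
    print("inferred pattern:", pattern)
    for addr in enumerate_addresses(pattern, SAMPLE_NAMES, SAMPLE_DOMAIN):
        print(addr)
```

The defensive takeaway is the same as the offensive one: one address leaked in a signature or an out-of-office reply exposes the naming scheme for the whole company, which is why the list of possible targets grows so quickly.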

So now you know some basic information on how phishing is performed and how simple it can be. What do you do?

  1. Think before you click! Don’t open emails from addresses you do not know. This includes info@. If you do not know the domain or the person, or have not interacted with the company, ignore it, mark it as spam, or report it to your IT department for further evaluation.
  2. Install anti-phishing tools. As a company, deploy advanced protection on your email server. These services can include link protection, A.I. and human spam monitoring, quarantine protocols, advanced filtering, and additional policy management.
  3. Verify a site’s security. Once you know the domain, don’t click; go to https://www.sslshopper.com/ssl-checker.html and check the SSL certificate first. This is not a foolproof method, since a look-alike domain can carry a perfectly valid certificate (a certificate only proves the connection is encrypted, not that the site is who it claims to be), but it can be one additional check to help mitigate attacks.
  4. Check the accounts you have regularly. If a home page changes, chances are that if you check regularly, you will notice something is off.
  5. Never give out personal information. Duh!
  6. Use antivirus software. Additionally, using an IT partner to set up RMM services to proactively monitor the integrity of your network, devices, and cloud infrastructure is a more advanced step to mitigate cyber attacks.
  7. Keep your browser up to date. The majority of updates are security related, so make sure you update. This goes for computers and mobile devices as well.
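The hover check in point 1 and the look-alike domain from the walkthrough above can be automated. The following is an added example, not the post’s own code or any product the post mentions: it pulls every link out of an HTML message and flags the signs a suspicious user would look for, namely link text that points somewhere other than it says, raw IP addresses, punycode hostnames, and hostnames that name-drop a brand without belonging to it. The brand allowlist, the sample message, and the documentation-range IP address are constructed for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the domains these brands really send you to. A real
# deployment would maintain this per brand your organization deals with.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
    "adp": {"adp.com"},
}

# Constructed sample message in the style the post describes. The look-alike
# domain is the one the post quotes; the IP is from a documentation range.
SAMPLE_EMAIL = """
<p>You have been added to a Microsoft Support Group.</p>
<p><a href="https://microsoftsupportgroup.com/remove">Click here if you would like to be removed from this group.</a></p>
<p>Review your payroll: <a href="http://198.51.100.7/adp">https://www.adp.com/portal</a></p>
<p>Or <a href="https://login.microsoft.com/">sign in</a> normally.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased hostname of a URL; bare domains in link text are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    # Simplification: the last two labels. Production code should use the
    # public suffix list so that e.g. co.uk domains are handled correctly.
    return ".".join(host.rstrip(".").split(".")[-2:])


def check_link(href, text):
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    host = host_of(href)
    if not host:
        return findings
    try:
        ipaddress.ip_address(host)
        findings.append("link target is a raw IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("link target uses a punycode (IDN) hostname")
    # Visible text that looks like a URL or domain but does not go where it says.
    if "." in text and " " not in text:
        shown = host_of(text)
        if shown and registrable(shown) != registrable(host):
            findings.append(f"text shows {shown} but link goes to {host}")
    # Hostname mentions a brand without being one of that brand's domains.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and registrable(host) not in legit:
            findings.append(f"{host} mentions {brand} but is not a known {brand} domain")
    return findings


def check_email_html(html):
    """Map each href in the message to its findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in check_email_html(SAMPLE_EMAIL).items():
        print(href, "->", findings or "ok")
```

The brand check is a substring heuristic and will produce false positives on unrelated domains that happen to contain a brand name, so treat its output as something to review rather than to block on automatically; the text-versus-target mismatch and raw-IP checks are far more reliable signals.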
