EDSD: » Phishing

Phishing

The digital age brings with it convenience but also challenges. One of the most difficult and increasingly common challenges is phishing attempts. Phishing stands as a testament to the ever-evolving landscape of online threats that seek to exploit the trust and goodwill that bind us together. As we navigate these digital waters, it is crucial that we equip ourselves with the knowledge to protect ourselves.

Below are two fictional stories of Maggie and Marcus, who were victims of phishing. Let’s see what we can learn from their experiences.

Maggie’s Story

Maggie, who works at a local church, is navigating a hectic day filled with consecutive meetings. While sifting through her emails on her smartphone, she notices a message from the “Employee Portal,” urging her to immediately verify her working hours.

Upon clicking the provided link, Maggie lands on a webpage that strikingly resembles the church login page. However, she finds the form’s response to her input oddly different from what she’s accustomed to. After entering her credentials, Maggie is rerouted to an unfamiliar webpage…

Please consider these questions for yourself before expanding the sections.

What clues could Maggie have considered to determine if this was phishing or legitimate?
- Maggie had the option to tap on the sender’s name to inspect the actual reply-to email address. It’s probable that it wasn’t from a legitimate source, as spoofing genuine reply-to addresses is a challenging task for phishers.
- She could have verified whether the email contained a digital signature or a trusted security footer, indicators of communication from a credible sender.
- Instead of clicking the link in the email, Maggie could have directly accessed the official website to find the relevant service, checking for any direct notifications within the official site.
- Performing a “hover” action on mobile devices to reveal the true URL can be difficult, depending on the device. If unsure how to perform this on her device, she should have refrained from tapping any links in the email.
- The service mentioned, “Employee Portal,” doesn’t exisist at Maggie’s small church, a tactic often used by scammers is using official-sounding terms to seem plausible.
- Upon following the link to a spoofed login page, Maggie still had a chance to notice differences from the legitimate login page, which has unique traits and features hard for imposters to replicate. Familiarizing oneself with the legitimate login page and verifying the actual URL before entering any sensitive information is crucial.
What are possible outcomes of engaging with phishing message?
- Maggie unwittingly handed over her login details to the fraudsters. They now possess her username and passphrase for all services that utilize these credentials.
- Most systems now mandate the use of two-factor authentication, but for any systems not incorporating this security measure, the fraudsters could gain access to steal information or impersonate Maggie.
- If the scammers also managed to access any of Maggie’s devices registered for security verification, they could potentially uncover more sensitive data, including financial information.
- Should Maggie have used the same username and passphrase across different sites and systems, the scammers might attempt to use these credentials on various popular platforms to see if they can access other accounts.
- The act of clicking on a link in a phishing email could have allowed scammers to install malware on Maggie’s mobile device, highlighting that malware can affect any mobile platform.
What is the worst that could happen?
- If the phishers gather sufficient sensitive data using her credentials, Maggie’s personal identity could be at risk. This exposure could result in debt, damaged credit, and various legal and financial complications.
- Scammers exploiting her credentials to mimic her could potentially misappropriate assets or funds, potentially exposing the company to significant security breaches and financial losses.

Marcus’s Story

Marcus is a new member at St. Swithin’s Church. He receives a message that appears to come from the rector, suggesting his attendance at a newcomer’s event…

Upon clicking the “Register” link, he is redirected to a “page not found” notice on an unfamiliar website. Unbeknownst to Marcus, that click led to the installation of a keylogging malware application on his computer. Later, he used this compromised computer to conduct some online shopping transactions.

Please consider these questions for yourself before expanding the sections.

What clues could Marcus have considered to determine if this was phishing or legitimate?
- Marcus had the option to tap on the sender’s name to inspect the actual reply-to email address. It’s probable that it wasn’t from a legitimate source, as spoofing genuine reply-to addresses is a challenging task for phishers.
- He could have verified whether the email contained a digital signature or a trusted security footer, indicators of communication from a credible sender.
- Instead of clicking the link in the email, Marcus could have directly accessed the church’s website to find the newcomer’s event.
- Performing a “hover” action on mobile devices to reveal the true URL can be difficult, depending on the device. If unsure how to perform this on her device, she should have refrained from tapping any links in the email.
- Marcus should always feel free to contact your rector or the leader of an event with questions or concerns if you feel the invitation is suspicious.
What are possible outcomes of engaging with phishing message?
- Keylogging malware captures every keystroke entered by the targeted individual, searching for patterns that might reveal credential information. This means that in addition to potentially exposing his credit card details from online purchases, any system Marcus accessed by typing his username and passphrase after the malware’s installation is now vulnerable. This could encompass email accounts, banking platforms, and various other accounts.
- If the phishers accumulate sufficient data and access from Marcus’s keystrokes, his personal data and financial stability could be deeply endangered, possibly beyond swift resolution.
- Similarly, if the phishers amass enough information based on Marcus’s keystrokes, the security and financial integrity of any organization he has access to, including potentially sensitive data, could be in jeopardy.
What is the worst that could happen?
- If phishers obtain sufficient sensitive data about Marcus through his credentials, his personal identity could be at risk. Such exposure could lead to debt, damaged credit, and various legal and financial problems. Being in a crucial phase of his early career as a graduate student, this situation could significantly hinder his job prospects and result in ongoing financial difficulties.
- Moreover, scammers leveraging Marcus’s credentials could illicitly access and steal vital research data, contingent upon the level of access Marcus possesses through his academic research and studies.

What Do I Do If I’ve Been Phished?

If you suspect you’ve been a victim of phishing, immediate action is crucial to minimize potential damage. Start by changing the passwords for all accounts you believe may have been compromised during the phishing attack, especially those involving sensitive information like email, banking, and social media accounts. It’s important to use strong, unique passwords for each account to prevent cross-account breaches. If possible, enable two-factor authentication (2FA) for an added layer of security. Additionally, alert your financial institutions and credit card companies about the breach to monitor for any unauthorized transactions and, if necessary, replace your cards.

Next, report the phishing attempt to the relevant authorities to help prevent further scams. This includes notifying your organization’s IT department if the phishing attack was work-related, as well as reporting to national anti-fraud and cybersecurity agencies, such as the Federal Trade Commission (FTC). These reports can aid in tracking down the scammers and potentially stopping them from harming others.

Always run a full antivirus scan on your computer to detect and remove any malware that might have been installed. Stay vigilant for any signs of identity theft or fraud by regularly checking your credit reports and account statements.