Way back in 1792, King Gustav III of Sweden was assassinated while attending a costume party, or "masquerade ball," in Stockholm. How convenient for the murderer, who could wear any disguise and not be recognized after the fact. While those days of anonymity are long gone, it is still possible for malicious hackers to masquerade behind false fronts and screens all the time, regardless of the season. Phishing attacks, usually in the form of fake emails, and their nastier cousin "spear-phishing," in which an attack is tailored to a particular person, are on the upswing, and it is becoming more and more difficult to distinguish these malware-laden messages from the legitimate communications we rely on to function, both personally and professionally.
Fake government emails
Recently, employees at more than 20 customers of one cybersecurity company received emails that appeared to come from a U.S. State Department public affairs specialist. The messages had the look and feel of a legitimate communication: the right logos, signature blocks, official-sounding language, and even a "decoy document" attachment to make them seem like the real thing. Recipients who clicked the embedded link, however, were led to malware that exploited a Microsoft Windows vulnerability. The security research firm FireEye identified the campaign as similar to earlier ones attributed to a group known as "Cozy Bear," which has been tied to the Russian government.
Phishing “nets” getting bigger and more authentic
That's only the latest incident to make the news cycle. Every day, thousands of fake, malicious emails are sent out and acted on by the unwary, or simply by the overburdened. Data from the Google Transparency Report shows phishing websites trending upward relative to malware sites, with more than 38,000 phishing sites detected during one week in mid-November. That is far more than the roughly 6,000 found when Google began tracking in 2007, although below the spike of almost 51,000 detected at the same time last year.
Another big difference over time, aside from volume, is the increasing skill with which some of these emails are composed. It is no longer enough to follow the simple advice of looking for telltales such as spelling or grammar mistakes, clumsy graphics, or logos that look misshapen or the wrong color, the glaring signs that a message might not be what it appears. With the money some attackers are raking in from ransomware and sales of breached confidential information, they can afford to hire competent, if criminal, graphic artists and writers to craft their fraudulent messages, some of whom may not even understand exactly how their "deliverables" are being used.
Social engineering (the use of psychology) also plays a part here. When something looks like the real thing, we are more likely to assume it is. And as you'll see, some phishing scams use highly sophisticated and subtle fictions to manipulate your judgment. Some other scams that surfaced this year looked pretty legitimate:
- Tax preparers' scam: emails claiming to be from tax preparers' professional associations, requesting usernames and passwords for preparers' accounts.
- "Fake invoices": sent from hacked MailChimp accounts.
- "Updated privacy notices": sent to Airbnb hosts in Airbnb's name, claiming that the GDPR regulations required it. (Talk about nerve, to use this excuse!)
Noteworthy too is a widespread attack detected this past July in which the emailed PDF attachment carries a second PDF, embedded inside it, that contains the malware. Because the payload is an embedded file, Adobe Reader issues a warning prompt before the embedded file is opened, which gives you a second chance to get out of trouble. Take Adobe's advice and don't open these! For this attack, linked to a criminal group called TA505, there were few identifying details. If anything, the emails were suspicious for their sheer lack of them: they appeared to come from "office <email address>", with a subject of "REQUEST (REF:string)" and a message body saying merely "Please find the attached file."
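To show how a mail gateway or an analyst could catch this kind of attachment before a user ever sees the Adobe Reader prompt, here is an added Python example; it is not code from the original article, and it is not attributed to TA505 or to Adobe. It scans a PDF's raw bytes, and any FlateDecode streams it can inflate, for the name tokens that turn a document into a carrier: embedded files, open-time actions, launch actions and JavaScript. It also decodes PDF name hex escapes, since `/Java#53cript` is the same name as `/JavaScript` and a naive string match would miss it. The sample PDF is constructed inline and is hypothetical, including the JavaScript call and the launch target inside the inner file.

```python
import re
import zlib

# Name tokens that give a PDF behaviour beyond displaying pages. The first two
# are what a PDF-in-PDF attachment needs; the rest let it act on the payload.
RISKY_NAMES = {
    "/EmbeddedFile": "carries an embedded file (e.g. the inner PDF)",
    "/EmbeddedFiles": "declares an attachment name tree",
    "/OpenAction": "runs an action as soon as the document opens",
    "/AA": "event-triggered (additional) actions",
    "/Launch": "launches an external file or program",
    "/GoToE": "navigates into an embedded file",
    "/JavaScript": "contains JavaScript",
    "/JS": "contains JavaScript",
}

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalise_names(data: bytes) -> bytes:
    """Decode PDF name hex escapes so that /Java#53cript scans as /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes):
    """Yield the decompressed body of every stream that zlib can inflate.
    Object streams and embedded files hide whole dictionaries behind
    FlateDecode, so scanning only the raw bytes would miss names inside them."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-compressed, or damaged: nothing to inflate


def scan_pdf(data: bytes) -> dict:
    """Return {name_token: reason} for every risky name present in the PDF."""
    findings = {}
    views = [normalise_names(data)] + [normalise_names(s) for s in inflate_streams(data)]
    for view in views:
        for name, why in RISKY_NAMES.items():
            # The token must end where the name ends: /JS must not match /JSX,
            # and /EmbeddedFile must not be credited for /EmbeddedFiles.
            if re.search(re.escape(name.encode()) + rb"(?![A-Za-z0-9])", view):
                findings[name] = why
    return findings


def build_sample_pdf() -> bytes:
    """Constructed sample, not a real campaign artefact: an outer PDF whose
    Flate-compressed embedded 'invoice.pdf' carries a launch action, plus an
    open-time JavaScript action (hex-escaped name) that exports the attachment.
    The script call and the launch target are hypothetical."""
    inner = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction<</S/Launch/F(setup.exe)>>>>endobj\n"
             b"trailer<</Root 1 0 R>>\n%%EOF")
    packed = zlib.compress(inner)  # /Launch now exists only inside the compressed stream
    return (
        b"%PDF-1.7\n"
        b"1 0 obj<</Type/Catalog/Names<</EmbeddedFiles 2 0 R>>/OpenAction 5 0 R>>endobj\n"
        b"2 0 obj<</Names[(invoice.pdf) 3 0 R]>>endobj\n"
        b"3 0 obj<</Type/Filespec/F(invoice.pdf)/EF<</F 4 0 R>>>>endobj\n"
        b"4 0 obj<</Type/EmbeddedFile/Filter/FlateDecode/Length "
        + str(len(packed)).encode() + b">>stream\n" + packed + b"\nendstream\nendobj\n"
        b"5 0 obj<</S/Java#53cript/JS(this.exportDataObject({cName:'invoice.pdf',nLaunch:2}))>>endobj\n"
        b"trailer<</Root 1 0 R>>\n%%EOF\n"
    )


if __name__ == "__main__":
    for token, reason in scan_pdf(build_sample_pdf()).items():
        print(f"{token:15} {reason}")
```

A clean document produces no findings; the presence of `/EmbeddedFile` together with `/OpenAction` or `/JavaScript` is the combination worth quarantining, because it is exactly what a PDF needs in order to push its own attachment at the reader the moment it opens.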
Don’t fall for “act now!”
Another technique to be aware of is the legitimate-looking email that purports to be urgent and requires you to take immediate action to avoid negative consequences of some kind. With this ploy, attackers exploit human psychology to raise your stress level, making it more likely that you will panic and react immediately, following the instructions without enough scrutiny to detect that they are fake. Most of these also use "brand impersonation" to make you think the email comes from a trusted source. Some samples of this type of phishing:
- Cancellation of Netflix or similar subscriptions (“Click here to renew your membership”)
- “You missed a delivery” notices from UPS or another delivery service
- Notifications from your bank or credit card company, asking for account or password information because you’ve been locked out of your account
- Notifications from PayPal, LinkedIn, and even Google
- Subpoenas from the U.S. District Court, with a “click to learn more” (fake) link
- “Refund notices” from the IRS (the IRS says they will never contact you by email)
All of these emails instruct users to click a link or graphic that leads to a fraudulent web page. The fake page then typically asks the user to enter privileged information such as login credentials, or it runs a script that compromises the user's system.
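The link is the weak point of every scam in the list above: the visible text can say anything, but the `href` has to go somewhere the attacker controls. The following Python example, added here and not taken from the original article or from any of the brands named, pulls every link out of an HTML body and flags the three patterns those scams rely on: visible text that shows one domain while the link goes to another, a brand name used in a domain the brand does not own, and bare IP addresses or punycode hosts. The brand list and the sample message are constructed for the example; the `registrable()` helper approximates the registrable domain with the last two labels, which is an assumption a real deployment would replace with the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed for this example: brands the organisation expects mail from,
# mapped to the registrable domain their genuine links use.
BRANDS = {"netflix": "netflix.com", "paypal": "paypal.com", "ups": "ups.com"}

# Constructed sample body (not a real message): one clean link, one mailto,
# and three that use the tricks described above.
SAMPLE_HTML = """
<p>Your Netflix membership has been cancelled.</p>
<a href="http://netflix-account-verify.info/renew">Click here to renew your membership</a>
<a href="https://paypal.com.secure-login.example/signin">https://www.paypal.com/signin</a>
<a href="http://203.0.113.7/track">Track your UPS package</a>
<a href="https://www.netflix.com/help">Help Center</a>
<a href="mailto:support@example.com">Contact us</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption:
    a real deployment would use the public suffix list for co.uk and friends)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


HOSTLIKE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def suspicious_links(html: str, brands: dict = BRANDS) -> list:
    """Return [(href, [reasons])] for every link that does not go where it claims."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        if not host:
            continue  # mailto:, tel:, relative links: nothing to compare against
        reasons = []
        if IPV4.fullmatch(host):
            reasons.append("target is a bare IP address")
        if "xn--" in host:
            reasons.append("punycode host: check for homoglyphs")
        shown = HOSTLIKE.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        for brand, real in brands.items():
            # Brand as a whole label (or hyphenated part of one) in the host,
            # or as a whole word in the visible text, while the registrable
            # domain is not the brand's own.
            in_host = re.search(rf"(^|[.-]){brand}([.-]|$)", host)
            in_text = re.search(rf"\b{re.escape(brand)}\b", text, re.I)
            if (in_host or in_text) and registrable(host) != real:
                reasons.append(f"invokes {brand} but is not on {real}")
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML):
        print(href)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the genuine Netflix help link and the mailto link pass, while the other three are flagged with the specific mismatch that gives them away. The same comparison is what you do by hand when you hover over a link instead of clicking it.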
Spear-phishing: Is this really from your CEO?
There is another psychological trick attackers use to provoke an immediate response: masquerading as Very Important People whose relationships you value. Called spear-phishing, the attack is designed to target specific individuals, and it often appears in a workplace context. You could receive an email that looks as though it comes from the CFO, the CEO, a government official a few pay grades above you, or simply your immediate boss. Spear-phishers do extensive research in advance, learning the organizational hierarchy, common vocabulary, and even company culture. Then, when the email pops up, it is from someone whose name is familiar and meaningful to you, and it carries a believable request: "please send all employee W-2 forms" to someone in payroll, or "send a wire transfer to..." to someone in finance.
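The display name is the part of the "From" header the attacker controls completely; the domain behind it is where the masquerade usually slips. Here is an added Python example, not from the original article and not any organization's production tooling, that triages a message for the executive-impersonation pattern just described: a trusted display name on an address that is not that person's, a sender domain one or two edits away from the organization's own (after collapsing look-alike substitutions such as "rn" for "m"), a Reply-To that diverts answers elsewhere, and wording that asks for money or employee data. The domain, directory and sample message are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain and a directory
# of people whose name carries authority, keyed by lower-cased display name.
OUR_DOMAIN = "example-corp.com"
DIRECTORY = {"jane doe": "jane.doe@example-corp.com"}
# Phrases that turn an impersonation into a loss if acted on.
REQUEST_WORDS = ("wire transfer", "w-2", "gift card", "urgent")

# Constructed sample (not a real message): a CEO-style request to payroll
# from a look-alike domain with a diverted Reply-To.
SAMPLE_MESSAGE = "\n".join([
    'From: "Jane Doe" <jane.doe@exarnple-corp.com>',
    "Reply-To: jane.doe.ceo@freemail.example",
    "To: payroll@example-corp.com",
    "Subject: Urgent - W-2 forms needed today",
    "Content-Type: text/plain",
    "",
    "Please send all employee W-2 forms as a PDF before noon.",
    "I'm in a meeting, email only.",
])


def normalise_domain(domain: str) -> str:
    """Collapse common look-alike substitutions (rn for m, vv for w, digits for
    letters) so exarnple-corp.com compares equal to example-corp.com."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits from our domain is typosquat territory."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str) -> bool:
    """True when domain is not target but is within two edits of it after
    homoglyph normalisation."""
    if domain.lower() == target.lower():
        return False
    return levenshtein(normalise_domain(domain), normalise_domain(target)) <= 2


def triage(raw: str) -> list:
    """Return the reasons a message looks like executive impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []

    expected = DIRECTORY.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' belongs to {expected}, not {addr}")

    if is_lookalike(domain, OUR_DOMAIN):
        reasons.append(f"sender domain {domain} is a look-alike of {OUR_DOMAIN}")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        reasons.append(f"Reply-To {reply_to} diverts replies away from the sender")

    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in REQUEST_WORDS if w in text]
    if hits:
        reasons.append("asks for money or employee data: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    for reason in triage(SAMPLE_MESSAGE):
        print("-", reason)
```

Any one of these signals on its own is weak; a display-name match with the wrong address, or a look-alike domain, is a strong signal, and either of them combined with a request for W-2s or a wire transfer is the pattern this section is about. The sample trips all four checks, while the same request sent from the real address with no Reply-To trips none.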
Not a whale of a deal
The analogies with catching sea creatures don't end there, unfortunately. "Whaling" emails, spear-phishing for the big fish, typically target VIPs who by virtue of their position have access to data that should be protected, or who can authorize high-dollar payments. In 2016, a combination of this sort of social engineering (making the requester seem legitimate) with an urgency angle (multiple related emails and phone calls directed at the victim in a short period) caused a mid-sized French company to send half a million dollars to foreign bank accounts.
Also in 2016, Snapchat reported a whaling scam in which employee payroll data was released to unknown parties. People have lost their jobs, too. Last month, a Netherlands court upheld the firing, earlier this year, of the CFO and CEO of a movie theater chain who were duped into sending 19.2 million euros ($21.7 million) to email impostors. And a New Zealand CFO was forced to step down after falling for a whaling attempt in which more than $118,000 was handed over to Chinese attackers.
One thing is for certain: it’s getting harder and harder to tell the fakes from the real thing. Every day, people are being fooled by fake emails, with sometimes very harmful consequences. A few tips to keep in mind:
- Don't click on links; go separately to the company's web site to validate any request.
- Verify requests for information or action by calling the company or person who supposedly sent the email. And don't use a phone number that appears in the email; find the real number by a separate means.
- Don't reply immediately to a request from a "trusted" brand or person. Wait a while so the purported urgency doesn't push you into a quick but harmful reaction.
- Don't download documents unless you are sure they come from a trusted source, ideally because you expected that specific document as a result of some other communication. If that isn't the case, verify, and not by sending a follow-up question to the address the email came from.
We face a dilemma like the one that must have faced poor King Gustav: join the fun and attend the masquerade, or skip it because such an event could pose a danger? Unfortunately, in our era, few of us can afford to disengage from email entirely. So be careful out there, and watch for ill-willed impostors.