IEEE Future Directions
Don’t Take the Bait! Protect Yourself from the Latest Email Scams
By Sabrina Davis and Junaid Chaudhry
July 2018
Cyber security– it is commonly thought of as a world of virtual threats made by seemingly virtual people. But cyber security is instituted to in fact, help us secure our computer’s software. Cyber is compelled by human emotion and thought, as underneath every falsified email or server attack, there is a person hitting the “go” button to send it off. This means any threat can be stopped by the same human knowledge that is able to launch it. The link between cyber and psychology is fundamental in understanding threats such as phishing, spear phishing, and whaling.
“Phishing is when a scammer uses fraudulent emails or texts, or copycat websites to get you to share valuable personal information such as login information and Social Security numbers” (FTC 2017). Once they have this information, they can access your personal device and install malware that can lock you out of your own programs. Phishing is not directed at any one person. Just like actual fishing, the fisherman drops the bait, hoping for any one random fish to bite. Yes, a few things can be done to target a bigger fish, but there is no guarantee that those fish are even around the area.
The reason phishing is effective is because the criminal emotionally appeals to his audience. Lies such as “your account will be frozen” or “your family member will be hurt” are some of the threats these criminals use. When spam messages like this pop up, it is essential that proper research is done before clicking on it. It may cause a sinkhole vulnerabilities in your computer system (Chaudhry 2014)
There are a few ways to spot a phishing attack. The first is to look up the address, email, or phone number, and make sure it is coming from the person who claims to have sent it. If it is not from that person, do not click on the link or email. Second, stay in control. Do not let urgent messages or high-pressure sales tactics influence a careful review of the site or email. Third, find the site they are claiming to come from. If it is a company you know of, visit the site and make sure it is the same site you intend to land on. Make sure the website is “secure” by seeing the green lock symbol on the left hand side of your search engine.
Spear phishing is different from phishing because it targets one specific person, usually someone who has high visibility in the public eye, for example in an upper management or executive position. Spear phishing works by a criminal sending an email “from a trustworthy source, but instead it leads the unknowing recipient to a bogus website full of malware” (Kaspersky 2018). The motivation for this is to steal data or install malware. This email from a “trustworthy” source is cleverly picked. Even top CEO’s find themselves opening emails they should not have and this is because of the psychology behind spear phishing.
The attacker does extensive, time consuming research on the organization or person’s life. They get to know the people around them, executives, employees, family members, and their hobbies. This makes the email very easy to click on for the victim, because it might look like several other emails they have received from their friends, coworkers, or employers. The victim is eager to give the information and respond in a timely manner because usually the email will be requesting information that is urgent or important to the person requesting it. “Many times, government-sponsored hackers and hacktivists are behind these attacks. Cybercriminals do the same with the intention to resell confidential data to governments and private companies” (Kaspersky 2018). These messages are extremely personalized and highly effective.
There are a few ways to protect yourself from spear phishing. One should be aware of spear phishing and how criminals usually send these attacks. Education on these attacks with increased caution before clicking on what looks like a legitimate email or text is essential. A receiver should always check with the sender before clicking in order to verify that was actually who the email was sent by. Never send confidential information via email. Although it is difficult these days with the proliferation of social media, avoid putting too much information online. This is where the attackers find personal information to make the individualized attack. There is always a chance to click on a spear phishing email, so besides education, email security is necessary to block these attacks (Chaudhry 2016).
Lastly, whaling is the subset of phishing. It has been gaining popularity over the recent years and is one of the newer cyber-attacks. The main objective is to extort money or other critically important information and is often done through spoofing, which is stealing an IP address in order to look like another person. This makes the attacks very specialized and effective, because the attack appears to be coming from a legitimate person’s device. These emails contain links to a website “specifically created for this specific purpose in an attempt to gain access to their personal or company information” (SecurityZap 2018). It is called whaling because it usually attacks the individuals of higher status in a company or organization that hold more information than just the employees.
These emails have a highly personalized touch and are unique. This could be done by possible competitors to the company in order to gain information to give them a competitive edge. It works by either the attacker sending an email to the victim, then providing a bogus page for them to input information, or by sending a PDF or Word document that has malware and viruses embedded in it. These viruses stay in the computer after the document is downloaded. Usually, upon first attempt, the password will be incorrect before the victim is redirected to the regular page after. This means the attacker still got the correct username and password and
can now use it to login.
The best way to protect yourself is to test the page you landed on by checking and ensuring there is a green padlock that says “Secure” in the browser (See Figure 1). Also, avoid downloading files from unknown sources and lastly, confirm with the person who sent the email that they in fact sent the email to make sure it is genuine.
Figure 1: SSL Secure Certificate. Studio 2108
Although cyberattacks seem too effective to deter, simple education can be the most important thing to remember when trying to protect yourself. Cyber criminals can only know as much information as you put online, so try and limit your online presence. As long as the website you are on is marked “Secure”, putting in your username and password should have no ill effects. The people behind these cyber-attacks, although masked by a computer, can be detected if adequate caution is taken.
References
1. Damian. (2018). SecurityZap. Whaling Cyber Attack Explained. Retrieved from
https://securityzap.com/whaling-cyber-attack-explained/
2. Federal Trade Commission. (2017). Phishing. Retrieved from
https://www.consumer.ftc.gov/articles/0003-phishing
3. Harnedy, Ryan. (2016). 5 Ways to Keep Your Users Safe from Spear Phishing. Retrieved from
https://blog.barkly.com/5-tips-keeping-users-safe-from-spear-phishing
4. Kaspersky. (2018). What is Spear Phishing? – Definition. Retrieved from
https://usa.kaspersky.com/resource-center/definitions/spear-phishing
5. Studio 2108. (2017). Security and Search Engines: The Benefits of an SSL Certificate. Retrieved from https://studio2108.com/studio-2108-2/benefits-of-an-ssl/
6. (Chaudhry 2016) JA Chaudhry, SA Chaudhry, RG Rittenhouse, Phishing attacks and defenses, International Journal of Security and Its Applications, 2016
7. Chaudhry 2014) JA Chaudhry, U Tariq, MA Amin, RG Rittenhouse, Sinkhole vulnerabilities in wireless sensor networks, International Journal of Security and Its Applications, 2014
Sabrina Davis is a third year Forensic Psychology major at Embry-Riddle Aeronautical University. This article is a result of a class project that Ms. Davis successfully concluded out of her interest in criminology, psychology, and cybercrimes. She volunteers at the Juvenile Justice Court as a mentor and tutor. Growing up on the beach gave her a love for surfing and sport fishing. Besides working and interning, she builds websites and hits the gym in her free time.
Junaid Chaudhry is cyber security faculty at Embry-Riddle Aeronautical University, Prescott, Arizona. He has over 15 years of exciting experience in academia, industry, law- enforcement, and in corporate world in information and cyber security domain. After getting his PhD in Cyber Security from Ajou University, Junaid obtained training at Harvard Business School, University of Amsterdam, and Kaspersky Research Lab in cyber hunting and training. He is a Senior Member of IEEE, a Practicing Engineer, member of High Technology Crime Investigation Association (HTCIA), Australian Computing Society, Australian Information Security Association, and frequently volunteers in promotion of science through public speaking, conference organization, and by editing the scientific journals i.e. IEEE Access, Computer and Security by Elsevier, IEEE Internet Policy and IEEE Future Directions, and board member of tech startups. He has authored three books and over 100 research papers. He received awards for his research achievements from Government of South Korea, Qatar, Pakistan and from Saudi Arabia.
Editor:
Olga Kiconco is the Lead, R&D at the Innovation Village Uganda where she works closely with the Team Lead to identify key market trends to deliver value for various stakeholders in the innovation ecosystem across different sectors such as Agriculture, Health, Education, Finance and Energy/ Climate. The Innovation Village aims to bring players together such as the government, academia, entrepreneurs, development agencies and private sector to drive Uganda’s socio-economic transformation, and the region at large.
Olga is ardent about using her strong business acumen, technology background and international exposure to help the start-up community thrive in today’s competitive innovation and entrepreneurship landscape. She has rich experience working with diverse teams traversing various sectors on short term consulting and business development projects in Strategy, Management and Business models for emerging markets in the Asia Pacific region.
She holds a Master’s Degree in International Business from Hult International Business School (Shanghai campus) and a Bachelors of Electronics Engineering majoring in Telecommunications (Malaysia). She is part of the IEEE Ethics and Policy in Technology Editorial Board, enrolled in the Tony Elemulu Foundation Entreprenuership Program 2018 and a Cherie Blair Foundation Mentee. She holds certifications in Certified Ethical Hacking (CEH) and EC Council Certified Security Analyst (ECSA).
She is also the Chief Strategy Officer of Milima Technologies, a cybersecurity start-up that assists organisations understand the various risks they are exposed to while online and how to best mitigate them through training and awareness programs.