When things get phishy where you don’t want them to be
There are many places where we want things to run nice and orderly without any kind of disruption: our classwork, traffic on the way to work and school, a trip to the library, and most certainly the care and safekeeping of our vulnerable loved ones. Unfortunately, something as simple as responding to a phishy email can put them at risk. This happened back in 2020 to a US home-based healthcare provider named Elara Caring, as reported by Jessica Haworth of The Daily Swig. The attack can be categorized as ‘spear phishing,’ because the threat actor behind the phish emails managed to either control or spoof a known external entity and intentionally targeted Elara employees. As a result, 100k+ individuals potentially had their personal data compromised, including names, dates of birth, addresses, phone numbers, financial account information, social security numbers, insurance information and account numbers, and driver's license numbers. Everything you would need to perpetrate many forms of identity theft.
Who armed the phish with spears anyways?
Spear phishing is a more advanced version of a common phishing attack and requires that the threat actor start with some knowledge about you and your organization. They use information like your organization’s org chart, names and email addresses, who you and your organization do business with, and any other information they have looked up or otherwise collected from other sources. It often comes in the form of an email (e.g. an email from the CEO requesting that you transfer funding for a new project at once), but can come in other ways (e.g. a voice call from your bank stating that there is an urgent problem with your account). These attacks are often much more difficult to detect: not only do they spoof a known entity, but they also frequently lack the hallmark errors in punctuation and grammar and are much more successful at imitating legitimate communications. For these reasons, they tend to be a much more successful method of attack, even rising to the point of what is called ‘whaling,’ or successfully compromising the ‘big fish’ of the organization such as the CEO or CFO. There are, however, steps you can take to protect yourself from this type of attack:
- Maintain a skeptical mindset - Keep in mind who is asking you to do what, and why. If you are a low-level accountant, why would the CEO of the company reach out to you directly to order financial transactions? Wouldn’t this order come from your supervisor? Or, if you're working as a front desk associate, wouldn’t the operations manager have his own ways of looking up who has what email?
- Verify the sender - Related to the point above, if you have concerns over whether a communication is legitimate, reach out to the source directly to verify. Be aware that any links or phone numbers in the suspicious communication itself can be faked, so make sure you are using a known and verified, or at least independently sourced, point of contact.
- Protect your personal information - Oftentimes it is difficult to prevent exposure of some of your data, from information gained from preexisting data breaches to information about you listed on a company website. However, you can make threat actors’ jobs much more difficult by protecting your social media presence (maximize your security settings) and taking care what kind of information you give out. Additionally, use a two-factor authentication service wherever possible, such as Google Authenticator. Washburn University uses Duo multifactor authentication.
- Beware of links sent by suspicious senders - Do not click on links from unknown senders, and do not be fooled by a spoofed website into giving up your login credentials directly to the threat actor. Always use known, internal information systems to look up information, and when in doubt, reach out to the sender directly or report the email as a phish for IT review. Use the Phish Alert Button!
Thank you for staying vigilant!
--WU ITS Information Security