It looks innocent enough - a receipt from your favourite high street shop, a file to review from a colleague or an alert from your bank or gas company that you have a statement to review or bill to pay. But something rather more sinister could be sitting in your inbox, waiting to be clicked.
Cyber criminals don't need sophisticated malware to try to hack you - all they need is your email address.
Phishing - wherein fraudsters dupe people into clicking on fake or malicious links - isn't a new phenomenon, but it has got good. Really good. Don't believe me? Ask the victim of the highest profile targeted email attack last year, John Podesta.
Podesta was Hillary Clinton's campaign chairman during the US elections. His email account was accessed without the use of any malware or vulnerabilities. An email was crafted to appear as though it originated from an official Gmail administrative account and suggested that his email had been compromised and directed him to reset his password. Once clicked, he was directed to a fake password reset page masquerading as a legitimate Gmail account reset page. No malware or exploits were needed to perform the attack. Instead, one bogus email helped to obtain a password by duping him into handing it over.
It's a practice known as 'living off the land'. Canny hackers are using the simple tools they have on hand to compromise people's personal information - no complicated techniques required. Norton research reveals that one in every 131 emails contained a malicious link or attachment last year - the highest rate in five years. This marks a shift in tactics: cyber criminals increasingly use simple 'social engineering' techniques which persuade people to click on bogus links or open malicious files by disguising them as authentic email. In turn, they can access vital information without relying on sophisticated malware.
Switch in phishing
The balance of email attacks is shifting. Whereas previously, mass-mailing phishing campaigns were all the rage, now attacks are becoming more targeted. Our data shows that bulk spamming has decreased but targeted phishing emails are now on the rise. They're successful because they are disguised as coming from someone you know or a business with whom you interact. And you don't have to be a high ranking public figure to be caught out.
Prior to this targeted phishing goldrush, attackers relied more heavily on zero-day vulnerabilities. They would quickly exploit chinks in the armour of new software before the developers had a chance to plug them. But the developers started to smarten up with 'bug bounty' programmes, which brought a community element to spotting and reporting vulnerabilities. This helped to make software and browsers more secure, and hackers therefore turned to other methods. And although systems and networks can be protected using various technologies, hackers can always rely on people being the weak link and divulging personal information.
How can I protect against phishing?
Want to make sure you're not one of the victims? Here's what you can do to protect yourself.
- Delete any suspicious-looking emails you receive, especially if they contain links or attachments
- Be wary of Microsoft Office attachments that advise you to enable macros to view their content. Only do this if you're 100% sure it's a genuine email from a trusted source
- Always keep your security software up to date to ensure your protection is current
- Never use links in an email to connect to a website unless you are sure it's genuine. Your best bet is to type URLs directly into the browser's address bar
- The word 'invoice' is the most common word found in the subject of malware spam campaign emails. Be wary of emails that mention financial terminology as they are the most successful in catching out victims
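The tells described above - a fake account-reset link whose destination is not the site it appears to be, an 'invoice' subject line, and an Office attachment that wants macros enabled - can be checked mechanically before a message ever reaches a person. The script below is an added example written for this article; it is not Norton's code or part of any product. It parses raw messages with Python's standard email library and reports each tell it finds. The three sample messages are constructed for the demonstration (the '.example' domains and names are invented), and the `registrable_domain` helper is a deliberately crude stand-in for a real public-suffix lookup.

```python
"""Constructed email triage example: flags the phishing tells named in the article."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject words the article calls out; 'invoice' is the most common in malware spam.
SUSPICIOUS_SUBJECT_WORDS = ("invoice", "statement", "payment", "bill")
# Office formats that can carry macros (assumption: a simple extension list).
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")
# Visible link text that looks like a URL or hostname.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[A-Za-z]{2,}(/\S*)?")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Assumption: a crude stand-in for a
    public-suffix lookup, sufficient for the constructed samples below."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(raw):
    """Return a list of human-readable findings for one raw message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = str(msg["Subject"] or "").lower()
    for word in SUSPICIOUS_SUBJECT_WORDS:
        if word in subject:
            findings.append(f"subject mentions '{word}'")
            break

    sender = email.utils.parseaddr(str(msg["From"] or ""))[1]
    sender_domain = registrable_domain(sender.split("@")[-1]) if "@" in sender else ""

    # Attachments that would prompt the reader to enable macros.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-enabled attachment: {name}")

    # Links whose visible text or destination does not match what they claim.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            host = urlparse(href).hostname or ""
            if URL_LIKE.fullmatch(text):
                shown = urlparse(text if text.startswith("http") else "http://" + text).hostname or ""
                if registrable_domain(shown) != registrable_domain(host):
                    findings.append(f"link text shows {shown} but points to {host}")
                    continue
            if sender_domain and registrable_domain(host) != sender_domain:
                findings.append(f"link to {host} does not match sender domain {sender_domain}")
    return findings


def build_sample(sender, subject, html, attachment_name=None):
    """Constructed sample message (not a real capture), serialised to bytes."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content("Plain-text fallback.")
    m.add_alternative(html, subtype="html")
    if attachment_name:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Constructed samples: a fake account-reset notice, an 'invoice' lure, a benign newsletter.
FAKE_RESET = build_sample(
    '"Google" <no-reply@accounts-google-support.example>', "Someone has your password",
    '<p>Someone just used your password to try to sign in.</p>\n'
    '<p><a href="http://myaccount.google.com.reset-login.example/">https://myaccount.google.com/</a></p>')
INVOICE_LURE = build_sample(
    "billing@supplier.example", "Invoice 4471 overdue",
    '<p>Please see the attached invoice.</p>\n<p><a href="http://supplier-docs.example/4471">View invoice</a></p>',
    attachment_name="Invoice_4471.docm")
NEWSLETTER = build_sample(
    "news@retailer.example", "Your weekly picks",
    '<p><a href="https://www.retailer.example/deals">See this week\'s deals</a></p>')

if __name__ == "__main__":
    for label, raw in (("fake reset", FAKE_RESET), ("invoice lure", INVOICE_LURE), ("newsletter", NEWSLETTER)):
        print(label, "->", triage(raw) or ["no findings"])
```

The link check is the same one a careful reader performs by hand: compare where a link says it goes with where it actually goes, and compare both with who the message claims to be from. Run it against the fake reset notice and it reports that the visible text names google.com while the destination is a different registrable domain; the invoice lure trips the subject, attachment and sender-mismatch checks; the newsletter produces no findings.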