Email phishing… and why you’re easier to hook than you think

User receiving a phishing bank email

Phishing is coming to an inbox near you… And the attacks are getting more sophisticated by the day. Rob Larson from the University of Bristol’s Cyber Security group talks to us about the latest developments and how you can protect yourself online.

Last year, 76% of organisations experienced phishing attacks, with nearly half noticing an increase from the previous year*. According to the FBI, American businesses lost $12.5 billion through corporate email attacks. Closer to home, the NHS ransomware attack of 2017 affected dozens of authorities; staff resorted to using pen and paper, and operations were cancelled, with potentially life-threatening results.

Not only are these attacks on the rise, but scammers are turning to ever-more sophisticated methods, exploiting moments in our everyday lives when we’re at our busiest and most vulnerable.

Rob Larson from the Cyber Security group

This is an area which interests Rob Larson, whose PhD focuses on online social engineering attacks. He questions the long-standing idea that individuals are the weakest link in the security chain, instead seeing them as an asset and the first line of defence. He believes that a strong organisational defence is multi-layered, with systems fortified through technology and staff trained to understand the psychology of phishing attacks.

Rob explains the prevalence of phishing attacks: “When it comes to defences, organisations have traditionally put up a perimeter, to keep the bad guys out, and locked down the systems inside it, in case they get in. So it’s often easier to just target the users of the systems, sitting behind the defences.”

We asked Rob about the wide-ranging aspects of phishing – and for some advice on what to look out for online.

Rob’s background…

“I’ve always had an interest in the psychology of social engineering, such as phishing scams, and why something so simple remains so effective.

“As a computer scientist, I wanted to understand how they’re performed, why they’re successful and what defences are available. I really wanted to bring our understanding of social engineering up-to-date and address this belief that the people who fall victim are at fault.”

On the evolving face of phishing…

“Phishing can be a very low-cost, low-overhead attack as opposed to using exploitative code to break through a hole in the system, or other costly techniques. Traditionally it was deployed willy-nilly with hundreds to thousands of emails being sent, as spam. Now, we’re seeing not only an increase in the number of attacks, but also an increase in their sophistication. Instead of casting a wide net with a mass generic email, they’re targeting a small number of people with content which is more relevant to the recipient.

“Take a university, for example, the email might talk about systems such as ‘Blackboard’ which students within the university actually use. It might reference specific personal details to seem more legitimate, such as their student ID number or course name. Links in the email might then take users through to a website which is tailored to look like the university’s web portal login, asking the target to input their username and password.

Email phishers can use personal information and a sense of urgency to trick users

“It’s common to see emails putting pressure on the target to elicit an emotional response. Fear of loss is a common one, like replicating a university email and warning the student that they’ll be withdrawn from their course if they don’t respond quickly. If the student clicks on the link they’re redirected to a fake university system and once they’ve logged in the system steals their credentials. The email will thank them for confirming attendance so they’ve no reason to suspect anything.

“These emails have a greater degree of sophistication and subtlety… They’re similar to earlier, more generic phishing scams, but are well-targeted and done in a way that users are less likely to report them, or even notice they’ve fallen victim to anything.”

On spear-phishing…

“Part of my research is trying to understand the spectrum of spear phishing and how sophisticated the attacks get. Spear phishing is a bit of a different animal to the more generic, widely distributed spam-like email; it might be a bit more specific, mentioning you by name. It could come from a contact which looks familiar or appropriate, such as a friend or a colleague, or may include some personal information. It’s quite common to see scammers deploying persuasive techniques in these emails, that leverage authority. For example, they might impersonate your boss and importantly, it might be requesting urgent action.

“Scammers often want a quick reaction – they want you to just respond on auto-pilot. You’re taking a heuristic route and going off your gut, rather than taking time to think it through. It’s something we do naturally, that we need to do to work effectively, and they take advantage of that.”

On ‘crime as a service’…

“Spear phishing used to be so labour-intensive. It was the preserve of people who had the time, money or interest: state actors; organised criminals after big money; or cyber criminals with a persistent interest in a target.

“But now you can buy this kind of service on the Dark Web, for as little as $25. Criminals can go there and say: ‘I want to impersonate a bank, I would like that bank’s website and login page cloned.’ They can pick up a similar domain and a security certificate. It’s gotten to the point that for very little cost, they can even hire a call centre, and direct users there to steal information by a different route, or add a degree of authenticity.

“It’s a perfect storm. Stolen personal information can be bought and sold online. You can buy tools and services to generate websites, and software packages to generate phishing emails that already include these psychological ploys within the templates.”

On whaling (or ‘CEO phishing’)…

“Whaling, or Business Enterprise Compromise is also increasing dramatically. Think of whaling as ‘phishing’ for a really big fish. For example, criminals target someone in finance and the CEO of the company. They might compromise a device on the company’s network, and send an email appearing to come from the CEO instructing someone in finance to make a money transfer.

“In the past five years, according to the FBI, this kind of fraud has cost US business $12.5 billion. That’s not a small figure by any kind of reckoning. If we’re talking about subtlety or lightness of touch, whaling is right at the top end of the spear-phishing spectrum. The focus is on one person and it will be very targeted and very specific.”

On social-media phishing…

Facebook users who ‘check in’ may be a target for hackers

“Another good example of phishing is on Facebook. Someone might visit a club, and check in on Facebook – the scammers message them that they’ve been tagged in a photo at that particular club on that particular night. They click on it because it’s somewhere they actually were, maybe they’re worried that it’s a terrible photo that they don’t remember. If the hackers manage to compromise the target’s social media account they can then use that to launch targeted attacks on their contacts.

“Recruiter scams are also common. Because many legitimate companies recruit primarily through LinkedIn, it’s definitely a good place to be if you’re job hunting. People put loads of information on there about their university and educational history, crucially, the kind of job roles they’ve held in the past and are currently looking for. A prevalent attack comes from fake recruiters or head-hunters. With all the information people are sharing about themselves it’s very easy for a scammer to tailor a convincing job offer email.

“It’s easy to say be careful about what you share online, but it’s always a toss-up between the benefit you’re getting from using an online service and the risk.”

On what to look out for in phishing emails…

“Despite this greater sophistication in scams, a lot of the advice given about spotting phishing still stands up. So watch out for any of the following when you receive an email:

  1. It’s generic or impersonal: they don’t greet you by name or mention your account number, instead using an ambiguous greeting such as “Dear user, student, or customer”.
  2. The message looks odd: spelling or grammar errors are common in less sophisticated attacks. Company branding or logos may be incorrect or appear poorly formatted.
  3. The email address of the sender looks wrong: for example, a message might claim to come from ‘billing@yourbank.com’ but the email shows as ‘billing@y0urb4nk.com’. However, it is possible to impersonate or ‘spoof’ addresses, so you shouldn’t rely on this alone.
  4. It’s asking for sensitive or personal information: such as your password, PIN etc.
  5. It’s trying to rush you with an urgent deadline to respond.
  6. It has a suspicious link or attachment: similarly to email addresses, links that do not match the web address of the company or service the email claims to represent.
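The six warning signs above can be turned into a simple triage check. The script below is an added example written for this post, not code from Rob Larson or the University of Bristol; it parses one e-mail, flags a generic greeting, a sender or link domain that only matches a trusted domain once digit-for-letter swaps such as ‘y0urb4nk.com’ are undone, a Reply-To that differs from the sender, requests for passwords or PINs, urgency wording, and links whose visible text points at a different host than the real target. The trusted-domain set, the two sample messages and the keyword lists are constructed for the example. As the list itself notes, a sender address can be spoofed outright, so this check cannot replace SPF/DKIM/DMARC verification on the receiving mail server; it only surfaces the cues a reader is asked to look for.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Domains the recipient legitimately deals with (hypothetical values for this example).
TRUSTED_DOMAINS = {"yourbank.com", "bristol.ac.uk"}

# Digit-for-letter swaps commonly used in look-alike domains such as y0urb4nk.com.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

GENERIC_GREETING = re.compile(r"\bdear\s+(user|student|customer|member|client)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within\s+\d+\s+hours|will be (suspended|withdrawn|closed))\b", re.I)
SENSITIVE = re.compile(r"\b(password|pin|passcode|security code)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
ADDRESS = re.compile(r"[\w.+-]+@([\w.-]+)")
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def domain_of_address(header_value):
    """Domain part of the first e-mail address in a header value, or '' if none."""
    m = ADDRESS.search(header_value or "")
    return m.group(1).lower() if m else ""


def host_of(url):
    """Hostname of a URL, lower-cased and without a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_trusted(domain):
    """True when a non-trusted domain turns into a trusted one once digit swaps are undone."""
    return domain not in TRUSTED_DOMAINS and domain.translate(HOMOGLYPHS) in TRUSTED_DOMAINS


def phishing_indicators(raw_email):
    """Return [(indicator, detail), ...] for the warning signs found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()                 # single-part message: payload is the body text
    text = (msg["Subject"] or "") + "\n" + body
    found = []
    m = GENERIC_GREETING.search(body)        # 1. impersonal greeting
    if m:
        found.append(("generic_greeting", m.group(0)))
    sender = domain_of_address(msg["From"])  # 3. look-alike sender domain
    if looks_like_trusted(sender):
        found.append(("lookalike_sender", f"{sender} resembles {sender.translate(HOMOGLYPHS)}"))
    reply_to = domain_of_address(msg["Reply-To"])
    if reply_to and reply_to != sender:
        found.append(("reply_to_mismatch", f"replies go to {reply_to}, not {sender}"))
    m = SENSITIVE.search(text)               # 4. asks for password / PIN
    if m:
        found.append(("asks_for_sensitive_data", m.group(0)))
    m = URGENCY.search(text)                 # 5. urgent deadline
    if m:
        found.append(("urgency", m.group(0)))
    for href, shown in ANCHOR.findall(body):  # 6. link text vs. real destination
        target = host_of(href)
        shown_text = re.sub(r"<[^>]+>", "", shown).strip()
        displayed = host_of(shown_text) if URL_LIKE.fullmatch(shown_text) else ""
        if displayed and displayed != target:
            found.append(("link_text_mismatch", f"shows {displayed} but goes to {target}"))
        elif looks_like_trusted(target):
            found.append(("lookalike_link", target))
    return found


# Constructed sample messages for the example; neither is a real e-mail.
PHISHING_EMAIL = """\
From: Customer Service <billing@y0urb4nk.com>
Reply-To: verify@secure-mail-check.example
To: jane@bristol.ac.uk
Subject: Urgent: confirm your account within 24 hours
Content-Type: text/html

<p>Dear customer,</p>
<p>Unusual activity was detected. Your account will be suspended unless you
confirm your password immediately.</p>
<p><a href="http://y0urb4nk.com/login">https://www.yourbank.com/login</a></p>
"""

BENIGN_EMAIL = """\
From: Library <library@bristol.ac.uk>
To: jane@bristol.ac.uk
Subject: Your reserved book is ready
Content-Type: text/html

<p>Dear Jane,</p>
<p>The book you reserved is ready for collection:
<a href="https://www.bristol.ac.uk/library">www.bristol.ac.uk/library</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, phishing_indicators(raw))
```

Item 2 on the list (spelling and branding errors) is deliberately left out: it is the sign that depends most on human judgement and that well-targeted attacks remove first. Everything the script flags is also something an attacker can avoid, which is why the output is best read as a reason to slow down and verify, as Rob suggests, rather than as a verdict.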

On protecting yourself online…

“As I’ve mentioned, a common goal of these scams is to steal your username and password. Don’t forget to use different passwords for different services and use strong passwords too. It doesn’t have to be the letters, numbers and special characters thing that a lot of sites promote – you could use pass-phrases like six random words, tied together with hyphens. But make sure the words aren’t related to you and are as random as possible. Personally, my preference is to use a Password Manager which generates strong passwords and stores them securely. I’d also recommend services with two-factor authentication, that’s when you login and have a second code sent to you. So, even if your username and password are stolen they still need another piece of information.

Google’s two-factor authentication helps to secure your login

“There’s been a lot of advice about phishing and social engineering detection. Some of it is really questionable. For example, ‘don’t click on things’ – that’s like saying you should never leave your house if you don’t want to get mugged!

“My advice is to treat any approach like somebody coming to your door to sell you something. If you don’t have the time to check their credentials, don’t play into their time frame. If you’ve got 50 emails and one pings a red flag to you, put it into a folder, crawl through the other emails, and come back to this one when you’ve got time to look at it properly. Don’t reply to it, don’t click on the link, don’t open the attachment. If the email claims to come from an external organisation, such as your bank or University, call the bank directly via information on their official website rather than links or numbers in the message. If it’s from a friend or someone internal to your organisation, drop them a quick call to check.

“At the end of the day, it’s important for individuals and organisations to understand that even with extensive training and a detailed understanding of these scams people still fall for them, because they leverage vulnerabilities present in all of us and happen whilst we’re distracted by other things.”

On collective responsibility…

“People will still make mistakes, such as choosing weak passwords, so organisations need to support them with technology and policy where possible, such as taking measures to prevent weak passwords being used or limiting the speed at which attackers can try to guess a password. An awful lot of the systems and countermeasures out there still fail to support the user adequately, meaning these relatively simple attacks remain a big problem.
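The two organisational measures named here, refusing weak passwords at registration and slowing down repeated guesses, are small pieces of server-side logic. The code below is an added example for this post, not code from Rob Larson or the University of Bristol: `password_acceptable` rejects short passwords, entries on a blocklist of common passwords and passwords containing the username, and `LoginThrottle` applies a per-account exponential back-off after a few free failed attempts, so a stolen username alone does not let an attacker guess quickly. The blocklist contents, the thresholds and the account names are constructed for the example; a real deployment would load a published list of breached passwords and persist the counters in shared storage.

```python
import time
from collections import defaultdict

# Constructed blocklist for the example; load a published breached-password list in practice.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "bristol2018", "welcome1"}


def password_acceptable(candidate, username="", min_length=8):
    """Return (ok, reasons): ok is True only when no policy rule is violated."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password blocklist")
    if username and username.lower() in candidate.lower():
        reasons.append("contains the username")
    return (not reasons, reasons)


class LoginThrottle:
    """Per-account back-off: after `free_attempts` failures, each further failure
    doubles the wait before the next attempt is accepted, up to `max_delay` seconds."""

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0, clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock                       # injectable so tests need not sleep
        self.failures = defaultdict(int)
        self.locked_until = defaultdict(float)

    def can_attempt(self, account):
        """True if the account is not currently in a back-off window."""
        return self.clock() >= self.locked_until[account]

    def retry_after(self, account):
        """Seconds the caller must wait before the next attempt (0.0 if none)."""
        return max(0.0, self.locked_until[account] - self.clock())

    def record_failure(self, account):
        """Count a failed login and return the delay imposed (0.0 while attempts are free)."""
        self.failures[account] += 1
        extra = self.failures[account] - self.free_attempts
        if extra <= 0:
            return 0.0
        delay = min(self.base_delay * 2 ** (extra - 1), self.max_delay)
        self.locked_until[account] = self.clock() + delay
        return delay

    def record_success(self, account):
        """A correct login clears the failure history for that account."""
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def attempt_login(throttle, account, supplied, expected):
    """Glue for a login handler: returns 'ok', 'denied' or 'throttled'."""
    if not throttle.can_attempt(account):
        return "throttled"
    if supplied == expected:                      # a real system compares password hashes
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"


if __name__ == "__main__":
    print(password_acceptable("letmein", "jane"))
    print(password_acceptable("correct-horse-battery-staple-river-lamp", "jane"))
    t = LoginThrottle()
    for guess in ("a", "b", "c", "d", "e"):
        print(attempt_login(t, "jane", guess, "right-one"), round(t.retry_after("jane"), 1))
```

The delay sequence after the free attempts is 2, 4, 8, 16 ... seconds, so a guessing attacker is slowed exponentially while a user who mistypes a couple of times notices nothing. Throttling per account rather than per source address matters because the attacks described in this interview come from many addresses at once; the cap on `max_delay` stops the same mechanism being used to lock a victim out indefinitely.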

“So for my PhD, I wanted to find out what’s really going on. I wanted to give something back to help people devise better training, build better defences and create software to lessen the burden on users and to ultimately make people’s jobs easier in the fight against cybercrime.”

More information

CPNI: Don’t take the bait – https://www.cpni.gov.uk/dont-take-bait

NCSC: Defending your organisation – https://www.ncsc.gov.uk/phishing

NCSC: Password guidance – https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

The University of Bristol’s Cyber Security Group is part of the Academic Centre of Excellence in Cyber Security Research (ACE-CSR) at Bristol. The group’s research focuses on three over-arching but interlinked strands: security of cyber-physical infrastructures, software security and human behaviours.

* https://www.wombatsecurity.com/news/76-organizations-report-being-victims-phishing-attacks

From India to the UK: Top tips from an international student

Starting university can be daunting at the best of times, but even more so when you’re studying overseas and leaving your home country for the first time.

That’s what Indian student Samia Mohinta faced when starting her MSc in Advanced Computing last month. Samia has thrown herself into life in Bristol and has some advice and insight for others in a similar position…

Hello readers,

Are you having cold feet – terrified to leave your home country? Or have you taken the big leap, but missing home? Keep reading! This post lists all that I found useful while coming to the UK and after two weeks of being here.

This is my first time anywhere outside India. I am an avid traveller, but stepping out of India, to go to a place for a year without family and friends, did freak me out. So, trust me, I can understand how you all are feeling. Don’t worry, you are not alone.

Here are a few tips to help organise yourself and shake off the blues before and after you travel to the UK:

  1. Prepare beforehand: If you are planning to study at the University of Bristol, get an idea about the city before you arrive. Bristol is hilly, so start working on improving stamina, because you’ll need a lot of that when you climb up to reach your lectures. There are quite a few blogs on the city of Bristol and reading one of those will give you sufficient information of what the city is like. Currently, for me, it’s fantastic.
  2. Review your goals: Think and write your aspirations on a page. Judge your potential. The Indian model of imparting education is very different from here. Unlike in India, you won’t be spoon-fed with information and details all the time. You need to be self-motivated and alert to grab the opportunities that come your way.
  3. Understand the course you are going to take: Go through your course modules and check if you understand what it’s about. This is very important. I have seen a lot of my friends dropping out of courses that they chose without self-judgement of potential. Follow your interests and think about your existing experience and skill set.
  4. Reach out for help: If you are travelling alone from India to the UK, reach out to people if you face any problem. Don’t panic. Speak to your co-travellers, even if you don’t know them and ask for advice. You shall definitely find someone travelling to the same or a nearby place. Team up! I myself had a four-hour delayed flight, which led to a lot of problems after landing in Heathrow. I reached out to the University representatives, who were present at the airport, bus stops and train stations, and got my issues sorted.
     (Image: University of Bristol flags at Heathrow airport)
  5. Only pack for one week: Don’t fill your bag with unnecessary stuff. Bring dry food to last a week. Pack some cooked food, just to soothe your cravings. Bring hoodies, warm jackets, gloves, mufflers and sweat shirts. Also pack a few cottons and summer dresses. If you can, pack a pressure cooker or a rice cooker – extremely useful to prepare a quick meal. Carry some cloth hangers and air-tight tiffin boxes as well.
  6. Indian food: Do not carry a lot of Indian spices because you can get everything in the supermarkets. But I shall ask you to pack a small amount of flour or rice for making chapattis or rice, so that you do not need to rush to a supermarket immediately after you arrive. There are a lot of Indian restaurants all around the city, pop in to satisfy your occasional cravings. Take a bus to Easton and find loads of Indian stuff.
  7. When in Britain, do as the British do: Try and get a brief idea about the British culture. You should know how to greet people when you meet them. In India, we usually don’t shake hands, but here it is a common courtesy. Be polite and friendly.
  8. Make new friends: I know it sounds weird. You cannot just be friends with someone after a tiny chit chat. However, meet a lot of people. I am not suggesting you jump into parties, but during uni hours speak to your classmates and get to know each other. You can join a few societies or clubs (there are nearly 200 clubs and societies in UoB) and make a few friends. Get out of your comfort zone and shake a leg at a dance taster session.
  9. Explore Bristol, reduce boredom: Bored with sitting at home? Grab a backpack and put your travel shoes on. Time to explore Bristol! Bristol boasts of beautiful parks, hot-air balloons (I am personally fascinated with these), ferry rides at the Harbourside, the Clifton Suspension Bridge (loved the view from it), museums and some fantastic graffiti decorating the walls of the entire city. Get a student’s one-day bus pass for £3 and explore the Bristol inner zone. You can also buy an outer zone pass that lets you access Bath and Bristol completely for a day.
     (Image: Exploring Bristol harbourside)
  10. Take your modules seriously: Go to the lectures. Don’t get unnerved if you find the first few a little difficult. Read the materials and ask for help from your professors. There are dedicated teams for mental health in the University, who can help you cope with the study pressure. A lot of Indians study at UoB as well; reach out to them via the Indian Society and share your worries.

Life is all about taking risks. Sign yourself up for an adventure every day and reap the satisfaction it brings. This new world in Bristol is a lot different from yours back in India. It is way more organised. It is also extremely welcoming. Be confident. You shall shine!

Thank you for being with me till the end.

PS: I shall come back with some other fun stuff about my adventures in Bristol. Stay tuned!

Student well-being

There are many options at Bristol if you need any support settling into University life or just need to chat to somebody. Find out where to get help here.

Formula Student is go go go!

Formula student team University of Bristol

The world’s largest student engineering design competition is back. We spoke to Engineering student Harry White about the Formula Student project and being a part of the Bristol Electric Racing team.

The team showing off the car at last year’s University Open Day

Formula Student is a long-running international competition where the best engineering students across the world design, manufacture and race open-wheeled single seater formula styled vehicles. The vehicles produced by some of the top teams are truly astounding feats of engineering, with some cars able to accelerate from 0-60 MPH in under 1.5 seconds! The big finale is the head-to-head race at Silverstone, where the teams battle it out to find the overall winner.

Chief Engineer, Harry White, explains the uniqueness of this project: “This competition is one of the best opportunities available to university students to experience a complex, real-life engineering problem that requires analytical thinking, design and team work.”

“It allows students to develop important skills that may be less focused on in a classical engineering degree, such as business, marketing and cost analysis.” He continues: “We’ll be working hard towards developing our business and marketing case, with the goal of ranking amongst the top teams next year.”

The team’s workspace, in the shadow of a helicopter!

This year’s team are currently building their first car to compete at the 2019 competition. Harry updates us on their progress: “We have most of a rolling chassis, with only a few modifications still required to produce a product that fundamentally works. The next steps this year will be to develop the powertrain, which is no small task, and to continue developing the rolling chassis until the car can drive under its own power. From there the next task will be an extensive testing and commissioning stage. There’s a significant difference between a car that can move and a car that can race.”

One of the great benefits of the project is for the students to work equally as part of a team, with all members having the opportunity to contribute significantly to the design. As Harry points out: “There’s a lot of design involved with creating a car from scratch, and this means that younger members of the team can contribute in a way that would be almost impossible in more established teams.”

Importantly, there’s the social aspect of the project: “Working as part of a dedicated team, all focused on achieving the same goal, leads to a tight-knit group of friends, between different years and courses; a social dynamic that is difficult to find elsewhere.”

As Harry sums up: “Formula Student is an amazing opportunity that gives real engineering experience and is as rewarding as it is demanding; at Bristol Electric Racing there is the opportunity for anyone who is motivated enough to do great things.”

You can follow the team’s progress on Facebook.