Email phishing… and why you’re easier to hook than you think


Phishing is coming to an inbox near you… And the attacks are getting more sophisticated by the day. Rob Larson from the University of Bristol’s Cyber Security group talks to us about the latest developments and how you can protect yourself online

Last year, 76% of organisations experienced phishing attacks, with nearly half noticing an increase from the previous year*. According to the FBI, American businesses lost $12.5 billion through corporate email attacks. Closer to home, the NHS ransomware attack of 2017 affected dozens of authorities; staff resorted to using pen and paper, and operations were cancelled, with potentially life-threatening results.

Not only are these attacks on the rise, but scammers are turning to ever-more sophisticated methods, exploiting moments in our everyday lives when we’re at our busiest and most vulnerable.

Rob Larson from the Cyber Security group

This is an area which interests Rob Larson, whose PhD focuses on online social engineering attacks. He questions the long-standing idea that individuals are the weakest link in the security chain, instead seeing them as an asset and the first line of defence. He believes that a strong organisational defence is multi-layered, with systems fortified through technology and staff trained to understand the psychology of phishing attacks.

Rob explains the prevalence of phishing attacks: “When it comes to defences, organisations have traditionally put up a perimeter, to keep the bad guys out, and locked down the systems inside it, in case they get in. So it’s often easier to just target the users of the systems, sitting behind the defences.”

We asked Rob about the wide-ranging aspects of phishing – and for some advice on what to look out for online.

Rob’s background…

“I’ve always had an interest in the psychology of social engineering, such as phishing scams, and why something so simple remains so effective.

“As a computer scientist, I wanted to understand how they’re performed, why they’re successful and what defences are available. I really wanted to bring our understanding of social engineering up-to-date and address this belief that the people who fall victim are at fault.”

On the evolving face of phishing…

“Phishing can be a very low-cost, low-overhead attack as opposed to using exploitative code to break through a hole in the system, or other costly techniques. Traditionally it was deployed willy-nilly with hundreds to thousands of emails being sent, as spam. Now, we’re seeing not only an increase in the number of attacks, but also an increase in their sophistication. Instead of casting a wide net with a mass generic email, they’re targeting a small number of people with content which is more relevant to the recipient.

“Take a university, for example, the email might talk about systems such as ‘Blackboard’ which students within the university actually use. It might reference specific personal details to seem more legitimate, such as their student ID number or course name. Links in the email might then take users through to a website which is tailored to look like the university’s web portal login, asking the target to input their username and password.

Email phishers can use personal information and a sense of urgency to trick users

“It’s common to see emails putting pressure on the target to elicit an emotional response. Fear of loss is a common one, like replicating a university email and warning the student that they’ll be withdrawn from their course if they don’t respond quickly. If the student clicks on the link they’re redirected to a fake university system and once they’ve logged in the system steals their credentials. The email will thank them for confirming attendance so they’ve no reason to suspect anything.

“These emails have a greater degree of sophistication and subtlety… They’re similar to earlier, more generic phishing scams, but are well-targeted and done in a way that users are less likely to report them, or even notice they’ve fallen victim to anything.”

On spear-phishing…

“Part of my research is trying to understand the spectrum of spear phishing and how sophisticated the attacks get. Spear phishing is a bit of a different animal to the more generic, widely distributed spam-like email; it might be a bit more specific, mentioning you by name. It could come from a contact which looks familiar or appropriate, such as a friend or a colleague, or may include some personal information. It’s quite common to see scammers deploying persuasive techniques in these emails, that leverage authority. For example, they might impersonate your boss and importantly, it might be requesting urgent action.

“Scammers often want a quick reaction – they want you to just respond on auto-pilot. You’re taking a heuristic route and going off your gut, rather than taking time to think it through. It’s something we do naturally, that we need to do to work effectively, and they take advantage of that.”

On ‘crime as a service’…

“Spear phishing used to be so labour-intensive. It was the preserve of people who had the time, money or interest: state actors; organised criminals after big money; or cyber criminals with a persistent interest in a target.

“But now you can buy this kind of service on the Dark Web, for as little as $25. Criminals can go there and say: ‘I want to impersonate a bank, I would like that bank’s website and login page cloned.’ They can pick-up a similar domain and a security certificate. It’s gotten to the point that for very little cost, they can even hire a call centre, and direct users there to steal information by a different route, or add a degree of authenticity.

“It’s a perfect storm. Stolen personal information can be bought and sold online. You can buy tools and services to generate websites, and software packages to generate phishing emails that already include these psychological ploys within the templates.”

On whaling (or ‘CEO phishing’)…

“Whaling, or Business Enterprise Compromise is also increasing dramatically. Think of whaling as ‘phishing’ for a really big fish. For example, criminals target someone in finance and the CEO of the company. They might compromise a device on the company’s network, and send an email appearing to come from the CEO instructing someone in finance to make a money transfer.

“In the past five years, according to the FBI, this kind of fraud has cost US business $12.5 billion. That’s not a small figure by any kind of reckoning. If we’re talking about subtlety or lightness of touch, whaling is right at the top end of the spear-phishing spectrum. The focus is on one person and it will be very targeted and very specific.”

On social-media phishing…

Facebook users who ‘check in’ may be a target for hackers

“Another good example of phishing is on Facebook. Someone might visit a club, and check in on Facebook – the scammers message them that they’ve been tagged in a photo at that particular club on that particular night. They click on it because it’s somewhere they actually were, maybe they’re worried that it’s a terrible photo that they don’t remember. If the hackers manage to compromise the target’s social media account they can then use that to launch targeted attacks on their contacts.

“Recruiter scams are also common. Because many legitimate companies recruit primarily through LinkedIn, it’s definitely a good place to be if you’re job hunting. People put loads of information on there about their university and educational history, crucially, the kind of job roles they’ve held in the past and are currently looking for. A prevalent attack comes from fake recruiters or head-hunters. With all the information people are sharing about themselves it’s very easy for a scammer to tailor a convincing job offer email.

“It’s easy to say be careful about what you share online, but it’s always a toss-up between the benefit you’re getting from using an online service and the risk.”

On what to look out for in phishing emails…

“Despite this greater sophistication in scams, a lot of the advice given about spotting phishing still stands up. So watch out for any of the following when you receive an email:

  1. It’s generic or impersonal: they don’t greet you by name or mention your account number, instead using an ambiguous greeting such as “Dear user, student, or customer”.
  2. The message looks odd: spelling or grammar errors are common in less sophisticated attacks. Company branding or logos may be incorrect or appear poorly formatted.
  3. The email address of the sender looks wrong: for example, a message might claim to come from ‘billing@yourbank.com’ but the email shows as ‘billing@y0urb4nk.com’. However, it is possible to impersonate or ‘spoof’ addresses, so you shouldn’t rely on this alone.
  4. It’s asking for sensitive or personal information: such as your password, PIN etc.
  5. It’s trying to rush you with an urgent deadline to respond.
  6. It has a suspicious link or attachment: similarly to email addresses, links that do not match the web address of the company or service the email claims to represent.
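
The checklist above can be turned into a simple triage score. The following is an added example, not code from the interview or the University of Bristol group; the mail it scores is a constructed sample, and the "last two labels" domain rule is a stated simplification.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of the lookalike-domain, urgency-driven mail described above.
PHISH_RAW = """From: "YourBank Billing" <billing@y0urb4nk.com>
To: student@example.ac.uk
Subject: URGENT: your account will be suspended
Content-Type: text/html

<html><body><p>Dear customer,</p>
<p>Confirm your password within 24 hours or your account will be suspended.</p>
<p><a href="http://yourbank.com.login-verify.example/secure">https://www.yourbank.com/login</a></p>
</body></html>
"""

GENERIC_GREETING = re.compile(r"\bdear\s+(user|customer|student|member|client)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|will be (suspended|withdrawn|closed))\b", re.I)
SENSITIVE = re.compile(r"\b(password|pin|passcode|security code)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>([^<]*)</a>', re.I)
LEET = str.maketrans("0134578", "oleastb")  # undo common digit-for-letter swaps (y0urb4nk -> yourbank)

def registered_domain(host):
    # Assumption: crude last-two-labels rule; real code should consult the public suffix list.
    return ".".join(host.lower().split(".")[-2:])

def score_message(raw, expected_domain):
    """Return (score, reasons): one reason per checklist item the message trips."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    subject = msg["Subject"] or ""
    reasons = []
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if sender_domain != expected_domain:
        kind = "lookalike" if sender_domain.translate(LEET) == expected_domain.translate(LEET) else "unexpected"
        reasons.append(f"{kind} sender domain {sender_domain}")  # From: is spoofable, so never the only signal
    if GENERIC_GREETING.search(body):
        reasons.append("generic greeting")
    if URGENCY.search(subject) or URGENCY.search(body):
        reasons.append("urgent deadline")
    if SENSITIVE.search(body):
        reasons.append("asks for sensitive information")
    for href, text in ANCHOR.findall(body):  # link text says one site, href goes to another
        shown = urlparse(text.strip()).hostname
        actual = urlparse(href).hostname or ""
        if shown and registered_domain(shown) != registered_domain(actual):
            reasons.append(f"link shows {shown} but goes to {actual}")
    return len(reasons), reasons
```

A score of zero does not make a mail safe; the heuristics only surface the signs the checklist names, so a well-crafted spear-phishing mail can still pass.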

On protecting yourself online…

“As I’ve mentioned, a common goal of these scams is to steal your username and password. Don’t forget to use different passwords for different services and use strong passwords too. It doesn’t have to be the letters, numbers and special characters thing that a lot of sites promote – you could use pass-phrases like six random words, tied together with hyphens. But make sure the words aren’t related to you and are as random as possible. Personally, my preference is to use a Password Manager which generates strong passwords and stores them securely. I’d also recommend services with two-factor authentication, that’s when you login and have a second code sent to you. So, even if your username and password are stolen they still need another piece of information.

Two-factor authentication
Google’s two-factor authentication helps to secure your login

“There’s been a lot of advice about phishing and social engineering detection. Some of it is really questionable. For example, ‘don’t click on things’ – that’s like saying you should never leave your house if you don’t want to get mugged!

“My advice is to treat any approach like somebody coming to your door to sell you something. If you don’t have the time to check their credentials, don’t play into their time frame. If you’ve got 50 emails and one pings a red flag to you, put it into a folder, crawl through the other emails, and come back to this one when you’ve got time to look at it properly. Don’t reply to it, don’t click on the link, don’t open the attachment. If the email claims to come from an external organisation, such as your bank or University, call the bank directly via information on their official website rather than links or numbers in the message. If it’s from a friend or someone internal to your organisation, drop them a quick call to check.

“At the end of the day, it’s important for individuals and organisations to understand that even with extensive training and a detailed understanding of these scams people still fall for them, because they leverage vulnerabilities present in all of us and happen whilst we’re distracted by other things.”

On collective responsibility…

“People will still make mistakes, such as choosing weak passwords, so organisations need to support them with technology and policy where possible, such as taking measures to prevent weak passwords being used or limiting the speed at which attackers can try to guess a password. An awful lot of the systems and countermeasures out there still fail to support the user adequately, meaning these relatively simple attacks remain a big problem.

“So for my PhD, I wanted to find out what’s really going on. I wanted to give something back to help people devise better training, build better defences and create software to lessen the burden on users and to ultimately make people’s jobs easier in the fight against cybercrime.”
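
The three technical measures Rob mentions, a random hyphenated passphrase, blocking weak passwords, and slowing down password guessing, can be sketched in a few dozen lines. This is an added example, not the interview's or the research group's code; the wordlist and weak-password list are tiny constructed stand-ins.

```python
import math
import secrets
import time
from collections import defaultdict

# Constructed stand-ins: a real deployment would use a large diceware-style list
# (the EFF long list has 7776 words) and a breached-password list.
WORDLIST = ["anchor", "basil", "copper", "delta", "ember", "falcon", "gravel", "harbour",
            "iris", "jigsaw", "kestrel", "lantern", "marble", "nectar", "orbit", "pepper"]
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

def random_passphrase(words=6, wordlist=WORDLIST):
    """Random words joined with hyphens, as recommended above; returns (phrase, entropy_bits)."""
    phrase = "-".join(secrets.choice(wordlist) for _ in range(words))
    return phrase, words * math.log2(len(wordlist))

def password_acceptable(candidate, min_length=12):
    """Policy check: reject short passwords and blocklisted ones even with a digit/'!' suffix."""
    if len(candidate) < min_length:
        return False, "too short"
    core = candidate.lower().rstrip("0123456789!")
    if candidate.lower() in WEAK_PASSWORDS or core in WEAK_PASSWORDS:
        return False, "on weak-password list"
    return True, "ok"

class LoginThrottle:
    """Per-account exponential backoff: the wait doubles on each failure, capped at max_delay."""
    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.base, self.cap, self.clock = base_delay, max_delay, clock

    def attempt_allowed(self, account):
        return self.clock() >= self.locked_until.get(account, 0.0)

    def record_failure(self, account):
        self.failures[account] += 1
        delay = min(self.base * 2 ** (self.failures[account] - 1), self.cap)
        self.locked_until[account] = self.clock() + delay
        return delay

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)
```

Throttling per account slows a guessing attack without locking the legitimate user out for good, which is the "support the user" balance the paragraph above asks for.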

More information

CPNI: Don’t take the bait – https://www.cpni.gov.uk/dont-take-bait

NCSC: Defending your organisation – https://www.ncsc.gov.uk/phishing

NCSC: Password guidance – https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

The University of Bristol’s Cyber Security Group is part of the Academic Centre of Excellence in Cyber Security Research (ACE-CSR) at Bristol. The group’s research focuses on three over-arching but interlinked strands: security of cyber-physical infrastructures, software security and human behaviours.

* https://www.wombatsecurity.com/news/76-organizations-report-being-victims-phishing-attacks