If it looks like a duck, swims like a duck, and quacks like a duck, then it’s probably a duck. Now how do you apply the duck test to defend yourself against phishing?
Fall is a great time of year to get away from it all and spend some time in the great outdoors. Criminals, on the other hand, appear to be stepping up their phishing campaigns, as the daily routine of deleting unwanted and malicious emails and texts takes longer every day. October is Cyber Security Awareness Month, and the second week of the month-long campaign to put cybersecurity at the forefront of everyone’s mind is dedicated to the ‘Fight phishing’ theme.
The hard truths
Would you be surprised to learn that just over 60% of participants in a recent phishing quiz produced by ESET, who were shown four images of phishing or real messages, failed to identify all of them correctly?
Called the ESET Phishing Derby and run by the ESET team in the US, the free contest is designed to show how good we are at telling fake messages from real ones. The scoring system is based on speed and correct distinction of messages, and the nearly 40% who correctly identified samples may include participants who identified three correctly in lightning-fast time. So, in reality, the number correctly identifying all four is likely to be lower. The quiz was not designed to generate statistics – it was designed to raise awareness and help educate participants on how to identify fake emails.
Interestingly, the results show a marked difference in how young participants aged 18 to 24 correctly identified samples – 47%, compared to just 28% of those over 65. Those aged 25 to 44 reached 45%, and those aged 45 to 64 were at 36%. In case you were wondering about the validity of this data, the number of participants was 4,292, and the data collected is a by-product as opposed to an academic study. A similar result was seen when the same questionnaire was run by ESET Canada at the end of 2020, with 68% of participants not correctly identifying the four samples. You can take the tests here or here.
What action should we take from the results? If you are reading this blog, you probably need to know more about cybersecurity and staying safe online. So let me challenge you during this Cyber Security Awareness Month 2021: spread the word about being careful with email and messaging and the other best practices you can adopt to stay safe online, and teach them to friends and family, with an emphasis on helping the elderly, as the data shows they could benefit from a little more help.
You might think that with the continual awareness campaigns from financial organizations, cybersecurity companies, governments, and others, all trying to get the cybersecurity awareness message across at home, this number should be lower, much lower, and I might agree. However, some phishing emails that land in inboxes are so well crafted and look so much like the real deal that identifying them as fake is much harder. This challenge will only get more difficult as cybercriminals hone their craft.
Last week, I received an email purporting to be from American Express, informing me that a suspicious transaction attempt had been blocked and asking me to review recent transactions. At first glance, the email looks legitimate and well-written and has good graphics, but there are some obvious signs that the email is a fake.
To begin with, I don’t have an American Express Business Platinum card. If you do have an account, it is understandable that this prompts you to take the next step, open it, and possibly click the link in it. The email is designed to create an emotional response: “oh no, there is fraud on my account, I need to fix it, click”.
Also, one of the giveaways for me in this specific email is the addressing: “Dear Card User” and then “Account starting with 37*****”. American Express knows who its customers are and does not refer to them generically in communications, and credit card companies normally use the more unique final digits of an account number, not the less unique digits at the beginning of the account number. As a former employee of American Express, I know that all the cards they issue start with 3 and the second digit is either a “4” or a “7”, so the number used in the email I received is generic and valid for many cardholders, a shotgun approach by the cybercriminal to catch a victim.
The improved computing resources readily available to cybercriminals will make the task more difficult: for example, leased cloud computing power, the massive amounts of personal information available from data breaches and, to some extent, the proceeds of recent successful cyberattacks being reinvested to grow the cybercrime business sector. Now imagine that the phishing email impersonating American Express contains the name of the cardholder and the last 4 digits of the card number, gleaned from breached data; the likelihood that the recipient will click the link will undoubtedly increase significantly.
Other red flags of phishing attacks
Here are some more tips on how to identify a phishing email:
- The email is not addressed to you personally, whereas the company the sender claims to be will know who you are and will usually address emails to you personally, not generically.
- Grammar and spelling errors: as phishing emails improve, be sure to read them twice, as errors can be harder to spot.
- The email is unsolicited and from a company you have never contacted.
- A call to take urgent action, such as clicking on a link and logging in to review transactions or the like.
- Email Addressing: Hover over the email address and verify the sender’s actual address and the domain it was sent from.
- Emails with attachments, for example, claiming to be an invoice or notification of some type.
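To show how these red flags translate into something checkable, here is an added example (not code from the original post or from ESET) that applies the checklist above to a raw email: a generic greeting, urgent wording, a reference to the start rather than the end of an account number, a sender display name whose brand does not appear in the actual sender domain (the “hover over the address” check), link text that shows one domain while the link points to another, and attachments. The two messages, the “American Express” lure and a legitimate statement notice, are constructed for this example; the domains are placeholders, and the regular expressions are simple heuristics, not a substitute for a mail filter.

```python
"""Heuristic phishing red-flag checker (added example; not the post's or ESET's code)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure described in the post (not a real email).
PHISH_SAMPLE = """\
From: "American Express" <alerts@amex-secure-notice.example>
To: you@example.org
Subject: Action required: suspicious transaction blocked
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Card User,</p>
<p>Account starting with 37*****: a suspicious transaction was blocked.
You must log in immediately to review recent transactions.</p>
<p><a href="http://login.amex-secure-notice.example/verify">https://www.americanexpress.com/</a></p>
</body></html>
"""

# Constructed legitimate-looking notice: personal greeting, last digits, no links, no urgency.
LEGIT_SAMPLE = """\
From: "Northwind Bank" <service@northwindbank.example>
To: you@example.org
Subject: Your October statement is available
Content-Type: text/plain; charset="utf-8"

Dear Jane Doe,

Your statement for the account ending in 1234 is ready in your online banking inbox.
"""

GENERIC_GREETING = re.compile(
    r"\bdear\s+(?:card\s*user|card\s*holder|customer|user|member|client|valued\s+\w+)\b", re.I)
URGENCY = re.compile(
    r"\b(?:immediately|urgent(?:ly)?|within\s+\d+\s+hours|suspended|must\s+log\s*in|verify\s+your)\b", re.I)
ACCOUNT_PREFIX = re.compile(r"\b(?:account|card)\s+(?:number\s+)?starting\s+with\s+\d+", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "").lower()


def analyse(raw_message: str) -> list:
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # "Hover over the address": does the brand in the display name appear in the real domain?
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    brand_words = [w for w in re.findall(r"[a-z]+", display_name.lower()) if len(w) > 3]
    if brand_words and not any(w in sender_domain for w in brand_words):
        flags.append(f"display name '{display_name}' does not match sender domain '{sender_domain}'")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    m = GENERIC_GREETING.search(text)
    if m:
        flags.append(f"generic greeting: '{m.group(0)}'")
    m = URGENCY.search(text)
    if m:
        flags.append(f"urgent call to action: '{m.group(0)}'")
    m = ACCOUNT_PREFIX.search(text)
    if m:
        flags.append(f"refers to the start of an account number ('{m.group(0)}'), not the last digits")

    # Links: compare what the anchor text shows with where the href actually goes.
    for href, anchor_text in ANCHOR.findall(body):
        target = registrable_domain(urlparse(href).hostname or "")
        shown = anchor_text.strip()
        if shown.startswith(("http://", "https://", "www.")):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if registrable_domain(shown_host) != target:
                flags.append(f"link text shows {registrable_domain(shown_host)} but points to {target}")
        if sender_domain and target != registrable_domain(sender_domain):
            flags.append(f"link points to {target}, a different domain from the sender's {sender_domain}")

    for part in msg.iter_attachments():
        flags.append(f"attachment present: {part.get_filename() or part.get_content_type()}")
    return flags


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyse(sample))
```

Each flag is a reason a reader can check by eye, which is the point: the script does not decide for you, it lists the same clues the checklist asks you to look for. Any hit is a reason to follow the advice below and go to the sender’s site through your browser instead of the link in the message.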
My recommendation in cases where there is still uncertainty as to whether an email is real or fake is to visit the supposed sender’s website directly through a browser, log into your account, and check for any messages. Anything important will be in the account’s messages or inbox, and if necessary, contact the company and validate the request.