Tale of a Trained Phishing Target

Data Center
Sean Grimaldi
January 14, 2025

Phishing attacks are increasing in sophistication, and the signs of phishing that many people learned early in the lifespan of this criminal activity have changed.

Today, phishing is the most popular cyberattack technique because it offers a straightforward way for cybercriminals to monetize unauthorized access into quick cash.

Here’s an example scenario:

Alex, a busy salesperson with thousands of contacts, received a text from her friend Jade, an Apple developer rep, offering a 20% discount on AirPods Pro, Alex's favorite. The text looked genuine, even appearing to come from Jade's phone number, and her iPhone identified and labeled the text as coming from Jade (the sender's number had been spoofed, a technique known as caller ID spoofing).

Eager for the deal, Alex clicked the link in the text. (Click!)

The link led to a website that looked identical to the brand's official website. It had the same layout, color scheme, and product images. The website even had a limited-time banner ad for partners – the same ad Alex had seen on Apple’s site recently.

The site displayed a small padlock icon in the address bar; the URL started with https, indicating that the connection was “secure.” Confident that the website was legitimate, Alex entered her ApplePay payment credentials, but the site rejected them. She reasoned that her corporate VPN account could be blocking the purchase, so she entered her credit card details instead.

Once Alex entered her credentials, they were immediately visible to the malicious actors. With access to Alex's account, they made increasingly large fraudulent purchases totaling $2,600, mostly in gift cards, then sold her account credentials on the dark web for $4 USD each (yes, that is a going rate), along with her address and other information valuable in the criminal economy for more sophisticated identity thefts.

The ease with which cybercriminals tricked Alex underscores the effectiveness of the social engineering tactics behind phishing. Alex discovered the breach months later, before a flight, when she was unable to access her ApplePay account. She never realized the malicious actors had also compromised her credit card. The advice given to her was to change her password, use MFA, and monitor her credit report.

What Alex Missed

In the scenario above, the padlock gave Alex a false sense of security. The truth is that most phishing sites use TLS (Transport Layer Security), meaning they would have that padlock. Many users, like Alex, see the padlock and assume the site is safe. They do not understand that the padlock only means the transmission is encrypted, not that the website is trustworthy. This misunderstanding is what phishing attackers exploit.

Here’s a little background on this point: Public Key Infrastructure (PKI) provides the foundation for secure communication by managing digital identity through certificates, while TLS leverages these certificates to establish encrypted and authenticated connections between devices. While PKI has been a cornerstone of digital security for decades, it has become increasingly clear that it is not the ideal solution. PKI is often difficult for average users to utilize correctly.

10 Ways to Protect Your Accounts

The story of Alex, a target of a phishing text message, exemplifies the ease with which cybercriminals can trick unsuspecting individuals. Phishing tactics prey on human trust and exploit emotional triggers, making them particularly dangerous.

Here are ten things you can do to help protect your accounts:

  • Do not click on links or open attachments in unsolicited emails or texts, regardless of their apparent legitimacy.
  • Hover over links to reveal the actual URL and use link expander services to verify their authenticity.
  • Scrutinize email addresses and phone numbers for any discrepancies or anomalies.
  • Contact the sender directly through a separate, trusted communication channel (e.g., company phone line, internal messaging system, Signal) to confirm the message's authenticity.
  • Employ unique, complex passwords for each online account.
  • Utilize an open-source self-hosted password manager to generate, store, and securely manage your passwords.
  • Enable MFA for all financial accounts with hardware keys (e.g., YubiKeys).
  • Recognize the limitations of training and individual actions. Leverage enterprise-level security measures such as Zero Trust Architecture (ZTA) and advanced email security solutions.
  • Consult with people who can help.
  • Stay informed and vigilant! By staying vigilant and taking proactive steps, you can reduce your risk of falling victim to phishing attacks.
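
The "hover over links to reveal the actual URL" advice above, together with the point in "What Alex Missed" that https says nothing about who runs a site, can be turned into a small triage check. This is an added example, not the author's code: it assumes a constructed list of trusted brand domains (here only apple.com) and simplifies public-suffix handling with a short hard-coded list.

```python
"""Added example: inspect where a link really leads before trusting it (stdlib only)."""
from urllib.parse import urlsplit

# Assumption (constructed): the brand domains the reader actually expects to transact with.
TRUSTED_DOMAINS = {"apple.com"}
# Simplified public-suffix handling; a real tool would consult the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """'shop.apple.com' -> 'apple.com'; 'shop.apple.co.uk' -> 'apple.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_link(url: str) -> dict:
    """Return the real destination host and every reason it deserves suspicion.

    The scheme is reported but never counts toward trust: https only says the
    connection is encrypted, which a phishing site obtains just as easily.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if parts.username is not None:
        reasons.append("text before '@' is userinfo, not the host; the real host follows it")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) label; may be a homograph of a familiar name")
    if any(ord(ch) > 127 for ch in host):
        reasons.append("non-ASCII characters in host; may be a homograph of a familiar name")
    reg = registrable_domain(host)
    if reg not in TRUSTED_DOMAINS:
        reasons.append(f"registrable domain is {reg!r}, not a trusted brand domain")
        if any(brand.split(".")[0] in host for brand in TRUSTED_DOMAINS):
            reasons.append("brand name appears inside an unrelated domain")
    return {"host": host, "registrable_domain": reg, "https": parts.scheme == "https",
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links, modelled on the "partner discount" lure in the story.
    for link in ("https://www.apple.com/shop/airpods",
                 "https://apple.com-partner-deals.example/airpods",
                 "https://apple.com@deals.example/offer",
                 "https://xn--pple-43d.com/"):
        result = inspect_link(link)
        print(link, "->", result["host"], "SUSPICIOUS" if result["suspicious"] else "ok")
        for reason in result["reasons"]:
            print("   ", reason)
```

Every sample link is https, and the check ignores that entirely; only the real host and its registrable domain decide the verdict.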

Sean Grimaldi

Member of the Board of Advisors