Cyber-Criminal Tactics - Phishing, Vishing, Smishing

October 2021

hands working at a laptop in profile

This is the big one. Phishing attacks have increased in frequency by 667% since COVID-19. (source).  

Phishing attacks are so easy to set up, and yet very effective, giving the attackers the best return on their investment.

funny comic regarding phishing, see link below
source: xkcd

What it is 

A technique carried out over the phone (vishing), email (phishing), text (smishing) or even social media with the goal being to trick you into providing information or clicking a link to install malware on your device.  

You may have also heard the term spear-phishing or whaling.  

Spear phishing is targeted phishing. This is even more effective as instead of targets being chosen at random, the attacker takes time to learn a bit about their target to make the wording more specific and relevant.  They may even make the sending address something that will help trick that specific person Eg From: theirbossesnametrentuca@gmail.com.

Whaling is going after executives or presidents. They’re hoping for a bigger return on their phishing investment and will take time to craft specific messages in this case as well. 

An incredible example of vishing 

It can be very easy to trick people. If you only have 3 more minutes, skip everything else and watch this video. See how easy it can be for someone to call your cell phone provider and completely take over your account

(direct YouTube link)

Email example 

A student, staff or faculty gets an email from trent-it[at]yahoo.ca 
“Click here and login or your account will be deleted” 
*they don’t realize the email is a phishing attempt and click the link out of fear of their account getting deleted* 
“Enter your credentials :” 
*they enter their Trent username and password unknowingly into the attackers’ form* 

That’s all it takes.  Now the attackers have this persons’ email address, username and password. 

Best case scenario, they’ll use these new phished credentials to start up another phishing campaign from this legitimate @trentu.ca email address they now have access to.  It will look that much more legitimate than their last more generic attempt. They’ll likely get even more hits this time as a result, if it doesn’t get shutdown by IT first. Phishing can snowball in this fashion quite easily.

Worst case, they’ll use these credentials to log into MyTrent, or OneDrive or Outlook, and steal sensitive data. 

These links don’t even need to direct people to a form to fill out, even just clicking the link or opening an attachment can trigger the attackers’ scripts to run that will install malware automatically to the device. 

Why it is so effective 

Urgency, a willingness to help, fear of the threat mentioned in the email. Phishing uses our emotions against us, hoping to affect our decision making skills so that we fall for whatever trick they want us to fall for. 

Once you’ve fallen for the trick, you are potentially completely compromised unless you notice and take action quickly. 

Black hats, bad actors, scammers, nation states etc all rely on phishing for their nefarious deeds. Generally it’s the first thing they’ll try and often it’s all they need. 

How to defend against it 

If something seems off, it probably is. Trust your gut. 

Check the sender, hover over any links to see where they go. 

If it looks like your boss or friend is asking you for something they don’t normally, contact them in a different way (call them, go see them) to confirm whether they sent the message or not. 

You can always call or email IT as well if you’re not sure.  
it@trentu.ca 
705 748 1010 

We don’t generally need to be informed that you got a phishing message, but if you’re not sure and you’re questioning it, don’t be afraid to ask us for our opinion. 

As well, look for the following warning at the bottom of external emails (a feature that’s on for staff only currently) as this is another sign that something might be off : 
Notice: This message was sent from outside the Trent University faculty/staff email system. Please be cautious with links and sensitive information. 

If you happen to have fallen for a phishing message, change your password and inform IT so we can help you recover. 
 

what phishing attackers are looking for

For even more information, check out the Canadian Centre for Cyber Security. 

And stay tuned for more articles from us. 

Back to Cybersecurity Blog home

Stavros Tzagadouris - Level 1 Information Security Officer - Trent University

Tags

Cybersecurity
Challenge the Way You Think

Trent University respectfully acknowledges it is located on the treaty and traditional territory of the Mississauga Anishinaabeg. We offer our gratitude to First Peoples for their care for, and teachings about, our earth and our relations. May we honour those teachings.

Peterborough

1600 West Bank Drive
Peterborough, ON Canada, K9L 0G2

Toll Free: 1-855-MY-TRENT

Campus Map

Durham Greater Toronto Area

55 Thornton Road South
Oshawa, ON Canada, L1J 5Y1

Phone: 905-435-5100

Campus Map

Social Media Directory