This is the big one. Phishing attacks have increased in frequency by 667% since COVID-19. (source).
Phishing attacks are so easy to set up, and yet very effective, giving the attackers the best return on their investment.
What it is
A technique carried out over the phone (vishing), email (phishing), text (smishing) or even social media, with the goal of tricking you into providing information or clicking a link that installs malware on your device.
You may have also heard the term spear-phishing or whaling.
Spear phishing is targeted phishing. This is even more effective because, instead of targets being chosen at random, the attacker takes time to learn a bit about their target so the wording can be made specific and relevant. They may even make the sending address something that will help trick that specific person, e.g. From: email@example.com.
Whaling is going after executives or presidents. They’re hoping for a bigger return on their phishing investment and will take time to craft specific messages in this case as well.
An incredible example of vishing
It can be very easy to trick people. If you only have 3 more minutes, skip everything else and watch this video. See how easy it can be for someone to call your cell phone provider and completely take over your account.
A student, staff or faculty member gets an email from trent-it[at]yahoo.ca:
“Click here and login or your account will be deleted”
*they don’t realize the email is a phishing attempt and click the link out of fear of their account getting deleted*
“Enter your credentials :”
*they enter their Trent username and password unknowingly into the attackers’ form*
That’s all it takes. Now the attackers have this person’s email address, username and password.
Best case scenario, they’ll use these newly phished credentials to start up another phishing campaign from the legitimate @trentu.ca email address they now have access to. It will look that much more legitimate than their last, more generic attempt. They’ll likely get even more hits this time as a result, if it doesn’t get shut down by IT first. Phishing can snowball in this fashion quite easily.
Worst case, they’ll use these credentials to log into MyTrent, or OneDrive or Outlook, and steal sensitive data.
These links don’t even need to direct people to a form to fill out; just clicking the link or opening an attachment can trigger the attackers’ scripts, which install malware on the device automatically.
Why it is so effective
Urgency, a willingness to help, fear of the threat mentioned in the email. Phishing uses our emotions against us, hoping to affect our decision-making skills so that we fall for whatever trick they want us to fall for.
Once you’ve fallen for the trick, you are potentially completely compromised unless you notice and take action quickly.
Black hats, bad actors, scammers, nation states etc. all rely on phishing for their nefarious deeds. Generally it’s the first thing they’ll try, and often it’s all they need.
How to defend against it
If something seems off, it probably is. Trust your gut.
Check the sender, hover over any links to see where they go.
If it looks like your boss or friend is asking you for something they don’t normally, contact them in a different way (call them, go see them) to confirm whether they sent the message or not.
You can always call or email IT as well if you’re not sure.
705 748 1010
We don’t generally need to be informed that you got a phishing message, but if you’re not sure and you’re questioning it, don’t be afraid to ask us for our opinion.
As well, look for the following warning at the bottom of external emails (a feature that’s currently on for staff only), as this is another sign that something might be off:
Notice: This message was sent from outside the Trent University faculty/staff email system. Please be cautious with links and sensitive information.
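The sender and link checks above, automated as an added example (this is not code from the post or from Trent IT): it flags a From: address outside trentu.ca (assumed here to be the internal domain), attaches the external-mail notice, and does the “hover over the link” comparison of the visible link text against the real href. The sample message and its hosts are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "trentu.ca"  # assumption: the organisation's own mail domain
EXTERNAL_BANNER = ("Notice: This message was sent from outside the Trent University "
                   "faculty/staff email system. Please be cautious with links and "
                   "sensitive information.")
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)  # text that looks like a URL
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def is_external(address):
    """True unless the address is at, or under, the internal domain."""
    domain = address.rpartition("@")[2].lower()
    return domain != INTERNAL_DOMAIN and not domain.endswith("." + INTERNAL_DOMAIN)

def mismatched_links(html):
    """The 'hover over the link' check: (shown text, real href) pairs where the
    visible text looks like a URL but the href actually goes to another host."""
    found = []
    for href, inner in ANCHOR.findall(html):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if not URL_LIKE.fullmatch(shown):
            continue  # e.g. "Click here": no host to compare against
        real_host = (urlparse(href).hostname or "").lower()
        shown_host = (urlparse(shown if "://" in shown else "http://" + shown).hostname or "").lower()
        if shown_host != real_host:
            found.append((shown, href))
    return found

def analyse(raw_message):
    """Run the post's checks over one raw message (headers, blank line, body)."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    external = is_external(address)
    return {"sender": address, "external": external,
            "banner": EXTERNAL_BANNER if external else "",
            "link_warnings": mismatched_links(body)}

# Constructed sample modelled on the scenario in the post; hosts are placeholders.
PHISH = """From: Trent IT <trent-it@yahoo.ca>
Subject: Your account will be deleted
Content-Type: text/html

<p>Click <a href="http://login-trentu.example/reset">https://mytrent.trentu.ca/login</a>
and login or your account will be deleted.</p>
"""
```

Calling analyse(PHISH) reports the yahoo.ca sender as external, adds the notice, and lists the link whose visible text says mytrent.trentu.ca but whose href points at login-trentu.example.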
If you happen to have fallen for a phishing message, change your password and inform IT so we can help you recover.
For even more information, check out the Canadian Centre for Cyber Security.
And stay tuned for more articles from us.
Stavros Tzagadouris - Level 1 Information Security Officer - Trent University