Phishing is the name given to the act of sending someone an email that looks like it comes from a legitimate organization but that is actually from a malicious source. The email will either contain a link or attachment that, once clicked on or opened, will install spyware, rootkits, or remote control software on the victims PCs. Another, more personal version, of this attach is called Spear-phishing. This is a fake email crafted just for you, usually from a specific friend of co-worker. Spear-phishing was used to hack into Google, IBM, and multiple government agencies.

Let’s look at the most common types starting with recent versions of this attack.

Booby-trapped Attachments

These emails contain an attachment that once opened will do all sorts of bad things on your computer (or network). The attachment is usually a zip file or PDF document. Some of the more recent phishing attacks pretend to come from the following sources:

• iTunes Store – Fake $50 gift certificate attachment
• UPS/FedeX/DHL – Fake attachment that supposedly contains tracking info

Here is an example of the new iTunes scam email:

Links to Malicious Web Sites

The most common version of phishing scams looks like an email from a legitimate organization that is requesting you click on a link to either verify some sort of information (e.g., account settings, address, bank balance, email address, etc.) or to ‘activate’ an account. Once you click on the link you will either be brought to a web page that looks real or the link itself will launch the attack. Some of the most common examples pretend to be from the following sources:

• Banks and investment companies (Sun Bank, Citizens Bank, Fidelity, Bank of America, etc.)
• Paypal, eBay, Amazon.com
• Government Agencies  (IRS, Dept of Veterans Affairs, Social Security Admin)
• Software companies ( Apple, Microsoft, etc.)

Here is an example of a fake email:

How to protect yourself and your business

The  best way to protect yourself from these sorts of attacks is to use some common sense. First, if it is too good to be true, it is. Second, nothing is for free. Third, ask yourself if you ever provided your email address to the organization. Lastly,  would the information that they are requesting allow someone access to my information.

You should educate yourself and your employees to never open unknown attachments or click on links in email. Also, if you have even the slightest question, call up your bank or online vendor and ask them if they sent it.

There are also technical solutions to these types of attacks. If you would like more information please email contact us. Wireguided can help you decide what solutions can best protect you and your business.