Phishing: Don’t Take The Bait
By Eileen Cahall, Systems Administrator at Digital Technology Partners
How Phishing Works
Unbeknownst to Mr. John Smith, his email account has been phished. He opened a message from someone he recognized, with a document attached. Wanting to see what the document was about, he opened the attachment and was prompted to enter his email address and password in order to view it. What he didn’t know was that the email was a phishing attempt sent by an attacker who had already phished the mailbox of the person it appeared to come from. What he also didn’t know was that by entering his email credentials to see the attached document, he became the attacker’s newest victim and handed the attacker control of his email account.
As soon as the attacker had control of Mr. Smith’s email, they knew they had to keep Mr. Smith from finding out what they were doing, so the attacker added a rule to the account that marked all new incoming messages as read and moved them out of Mr. Smith’s Inbox into one of his other folders. The attacker then downloaded Mr. Smith’s email messages and his contact list. Next, they sent a new phishing email to every one of Mr. Smith’s contacts. That message contained a ‘payload’ to trick the new victims into giving up their account information. Depending on the attacker’s goal, that payload could be an urgent document that needs to be looked at, a demand to remit payment, a warning that an account has been suspended, a request to verify a large purchase, or some other lie. This email will appear to its recipients as completely legitimate. It is unlikely to be flagged as ‘spam’ or to fail sender-authentication checks, because it genuinely came from Mr. Smith’s mailbox, and Mr. Smith is someone they’ve communicated with before.
Sally Jones is one of the people who received the email the attacker sent from Mr. Smith’s account and, believing it to be legitimate, opens it and clicks the payload. Just as happened with Mr. Smith, Sally is directed to a web page that “looks” like the login prompt she sees for her email. Believing she needs to log in to see what she mistakenly thinks was sent by Mr. Smith, she enters her username and password. The problem is that the page is hosted by the attacker. Remember: the attacker sent the document or link, so the attacker can make it point wherever they want, and the login form on that page submits wherever the attacker wants.
Once Sally enters her username and password, a (fake) document may appear, there may be an error, or there may be something else entirely, but it doesn’t matter; she didn’t just log in. When she entered her username and password, they went straight to the attacker, who now has her email credentials. And the cycle continues. The attacker will now repeat the process using Sally’s email account: downloading her messages, emailing her contacts, and setting up rules to hide incoming messages so she doesn’t notice.
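The point about the login form is worth making concrete. A fake login page can copy the real one pixel for pixel, but the form has to send the typed credentials somewhere, and that destination is the attacker’s server, not your email provider’s. The following is an added example (not code from the original article or from Digital Technology Partners) of a small analyst check: it parses the HTML of a suspicious page, finds every form that contains a password field, and reports those whose action URL does not point at a trusted identity-provider host. The allowlist of trusted hosts and the sample phishing page are constructed for the example; substitute the login hosts your organization actually uses.

```python
"""Flag login forms on a page that would send a password somewhere other than the real identity provider."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts a genuine sign-in form for this organization is expected to post to.
# Constructed allowlist for this example; adjust to your own provider(s).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Constructed sample of a credential-harvesting page. The "document viewer"
# lives on an attacker-controlled host and posts the form back to it.
PHISHING_PAGE_URL = "https://docs-share-view.example/doc.html"
PHISHING_PAGE_HTML = """
<html><body>
<h2>Sign in with your email account to view the document</h2>
<form method="post" action="/collect.php">
  <input type="email" name="user" placeholder="Email">
  <input type="password" name="pass" placeholder="Password">
  <button>Sign in</button>
</form>
</body></html>
"""


class LoginFormParser(HTMLParser):
    """Collect each <form> on the page with its action and whether it asks for a password."""

    def __init__(self):
        super().__init__()
        self.forms = []       # one dict per <form>: {"action": str|None, "has_password": bool}
        self._current = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)   # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": attrs.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_credential_forms(page_url, html):
    """Return absolute action URLs of password forms that post outside TRUSTED_LOGIN_HOSTS.

    An empty or missing action means the form posts back to the page itself,
    which on a phishing page is still the attacker's host, so it is resolved
    against page_url rather than ignored.
    """
    parser = LoginFormParser()
    parser.feed(html)
    suspicious = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"] or page_url)
        host = (urlsplit(action).hostname or "").lower()
        if host not in TRUSTED_LOGIN_HOSTS:
            suspicious.append(action)
    return suspicious


if __name__ == "__main__":
    for url in find_credential_forms(PHISHING_PAGE_URL, PHISHING_PAGE_HTML):
        print("password form posts to untrusted host:", url)
```

This only inspects the static HTML; a phishing kit that submits the form with JavaScript, or relays the login through a look-alike domain, will not be caught by the action URL alone, so treat a clean result as one data point rather than a verdict. The user-level version of the same check is simpler: look at the address bar before typing a password, and expect the real sign-in page of your email provider, not a document-sharing site.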
What To Do If You Fall for a Phishing Email
- Contact your IT provider IMMEDIATELY. They’ll help you secure your email account by doing things such as: changing your password and signing out every active session so the attacker’s existing login stops working, searching for and removing the rule(s) and any mail forwarding the attacker added to your account, and scanning your computer for malicious applications and malware and removing it.
- IMMEDIATELY change the passwords on all your other accounts, such as banking, credit cards, online shopping, etc., starting with any that share the password you just gave away. Many people reuse the same username and password for every account they have. Now that the attacker has those credentials, they can go through the information phished from you to find what other accounts you might have and log on to them. Do this from a device you trust, not from the computer that may still be infected.
- Remember that although you did fall for the phishing attack, you are the victim in the situation, so don’t beat yourself up. These bad actors pride themselves on tricking people and are very good at it. Use this as a learning experience to become more aware of what phishing attacks can look like and help teach others so they can learn to identify and avoid them.
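The rule the attacker adds (mark new mail as read, move it to a folder the owner rarely looks at, or forward it outside the organization) is one of the most reliable signs of a mailbox takeover, and it is what your IT provider should be hunting for in the first step above. The following is an added example (not code from the original article or from Digital Technology Partners) of the audit logic: it runs a handful of heuristics over an exported list of a user’s inbox rules and reports the ones that look like post-compromise hiding or exfiltration. The rule records are constructed for the example; their field names are modeled on the properties shown by the Exchange Get-InboxRule cmdlet, but the export format, the internal mail domain and the list of “hiding” folders are assumptions to adapt to your environment.

```python
"""Audit a mailbox's inbox rules for the hide-and-exfiltrate patterns used after account takeover."""

INTERNAL_DOMAIN = "example.com"  # assumed: the organization's own mail domain

# Folders attackers commonly move mail into because users seldom open them (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}

# Constructed sample export of one user's inbox rules. Field names follow the
# Exchange Get-InboxRule properties; the rule contents themselves are invented.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "MarkAsRead": False,
     "MoveToFolder": "Newsletters", "DeleteMessage": False,
     "ForwardTo": [], "RedirectTo": [], "SubjectContainsWords": ["newsletter"]},
    # The rule from the story: no conditions, mark read, move out of the Inbox, near-empty name.
    {"Name": ".", "Enabled": True, "MarkAsRead": True,
     "MoveToFolder": "RSS Feeds", "DeleteMessage": False,
     "ForwardTo": [], "RedirectTo": [], "SubjectContainsWords": []},
    # Exfiltration variant: quietly forward payment-related mail to an outside address.
    {"Name": "Invoices", "Enabled": True, "MarkAsRead": False,
     "MoveToFolder": None, "DeleteMessage": False,
     "ForwardTo": ["payments@attacker-mail.example"], "RedirectTo": [],
     "SubjectContainsWords": ["invoice", "payment"]},
]


def _external(addresses):
    """Return the addresses that are not in the organization's own domain."""
    return [a for a in addresses if not a.lower().endswith("@" + INTERNAL_DOMAIN)]


def audit_rule(rule):
    """Return a list of reasons this rule looks suspicious (empty list means it passed)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons  # a disabled rule does nothing, so it is ignored here
    conditions = rule.get("SubjectContainsWords") or []
    # Hiding: mark read plus move/delete is exactly the pattern that keeps the owner unaware.
    if rule.get("MarkAsRead") and (rule.get("MoveToFolder") or rule.get("DeleteMessage")):
        reasons.append("marks mail as read and moves or deletes it")
    # A delete rule with no conditions silently discards every incoming message.
    if rule.get("DeleteMessage") and not conditions:
        reasons.append("deletes all incoming mail")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append("moves mail into a rarely checked folder: " + rule["MoveToFolder"])
    # Exfiltration: any forward or redirect that leaves the organization.
    external = _external(rule.get("ForwardTo") or []) + _external(rule.get("RedirectTo") or [])
    if external:
        reasons.append("forwards or redirects to external: " + ", ".join(external))
    # Attackers often name rules with a single dot or space so they are easy to overlook.
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2:
        reasons.append("near-empty rule name " + repr(name))
    return reasons


def audit_rules(rules):
    """Map rule name to its reasons for every rule that trips at least one heuristic."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings[rule["Name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES).items():
        print("suspicious rule " + repr(name) + ":")
        for reason in reasons:
            print("  -", reason)
```

In practice the input would come from the mail platform rather than a hard-coded list, for example the output of Get-InboxRule for the affected mailbox converted to JSON; this script assumes that shape and would need its field handling adjusted for a different export. Removing the rule is necessary but not sufficient: the attacker’s own session and any forwarding set at the mailbox level (outside the rules list) must be dealt with too, which is why the first step above is to involve your IT provider rather than to clean up alone.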
How To Prevent Future Phishing Attempts
The best thing you can do to prevent being phished is to enable Multi-Factor Authentication (MFA) on all your accounts whenever the account provider offers it. With MFA enabled, if you do fall victim to a phishing attack and submit your username and password, those credentials alone are normally not enough for the attacker to log on to your account, because they don’t have your MFA code or device. Be aware that some phishing pages relay your login to the real site in real time and capture the one-time code along with the password, so where it is offered, prefer phishing-resistant MFA such as a security key or passkey, and never approve a sign-in prompt or code request you did not start yourself. Beyond MFA, treat any link or attachment that asks you to sign in to your email just to view a document as suspect, and confirm with the sender over a separate channel, such as a phone call, before entering your credentials anywhere.