Ok, phishing is not the "official" threat of the month, but if you follow any security blogs, you'll notice that the topic is coming up in several circles at the moment. First out was Symantec's "A Brief History of Phishing" Part I and Part II. Then came a piece from the Think Smarter blog titled Balancing Security and Usability: The Human Factor. And, lastly, Bruce Schneier has posted a piece citing two new bits of research on phishing. What does it all mean?
A Quick Levelset
Phishing is a form of social engineering. Social engineering, in the security context, is the manipulation of people to reveal data/information when such a release is not authorized. Phishing, then, is a specific set of techniques to perform social engineering against people. In the real world, we most commonly see phishing as emails with embedded bad links or through suspicious IM messages, possibly appearing to come from people we know. Hackers may also try to phish using voice calls, though that's more common with help desk and call center personnel than with traditional office staff.
The Problem
Humans are generally trusting, by nature. As is noted in the first research paper cited by Schneier, we're particularly trusting of people we know. Unfortunately, with the Internet, there's really very little way to know convincingly who is at the far end of an email or IM message. This is not to say that we should employ identity proof techniques as used in Harry Potter and the Deathly Hallows. Nor do we have files of code words, as was the case in The Bourne Ultimatum, that could indicate an "all clear" or "under duress" situation. A little bit of bloody paranoia can be used to weed through suspicious email and IM messages, though, to reduce our susceptibility to phishing.
From the first study cited by Schneier:
"Even though the spoofed link directed browsers to an unfamiliar .com address, having it sent by a familiar name sent the success rate up from 16 percent in controls to over 70 percent in the experimental group. The response was quick, with the majority of successful phishes coming within the first 12 hours."
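Two of the cues the quoted study turns on, a familiar name on an unfamiliar sending domain and a link whose visible text does not match where it really points, can be checked mechanically before a message reaches a reader. The following Python is an added example, not code from the post or the study; the sample message is constructed, and `trusted_domains` is an assumed allow-list of the organisation's own mail domains.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: familiar display name, unrelated sender domain, disguised link.
SAMPLE_EMAIL = b"""From: Alice Example <alice@mail-notify-example.com>
Subject: Please verify your account today
Content-Type: text/html

<html><body><p>Bob, verify within 12 hours: <a href="http://secure-login-example.com/verify">https://bank.example.org/login</a></p></body></html>
"""

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def _registered_domain(host):
    # Crude last-two-labels domain (example.org); not a public-suffix lookup.
    return ".".join(host.split(".")[-2:])

def phishing_cues(raw_message, trusted_domains):
    """Return warnings for the two cues; trusted_domains is an assumed allow-list."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    warnings, sender = [], msg["From"]
    addr = sender.addresses[0] if sender and sender.addresses else None
    if addr and addr.display_name and addr.domain.lower() not in trusted_domains:
        warnings.append(f"sender '{addr.display_name}' uses untrusted domain {addr.domain}")
    body = msg.get_body(preferencelist=("html",))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        shown, real = _host(text), _host(href)
        if shown and _registered_domain(shown) != _registered_domain(real):
            warnings.append(f"link text shows {shown} but points to {real}")
    return warnings
```

Run against the constructed sample with `{"example.org"}` as the trusted set, it reports both the untrusted sender domain and the link whose text advertises `bank.example.org` while pointing at a different site.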
A Little Paranoia Goes a Long Way
Employing paranoia and skepticism is an excellent method to help you determine if a suspicious email or IM message is real or, in fact, a threat. When you receive a message that seems suspicious (perhaps asking you to do something, possibly in a very short period of time, or maybe promising an offer that seems too good to be true), consider the following questions:
- What am I being asked to do?
- Is this part of my normal job duties?
- Is this something that I would normally be asked to do?
- Does the offer seem too good to be true?
- Why am I being asked to do this?
- Would my financial institution (bank, credit union) actually need me to verify my information with them?
- Would they (financial institution) actually send me an email like this to confirm this information?
- Why is timeliness important?
- If I've already authenticated to a site and/or provided information in my profile, why would I be required to provide that information all over again?
If all else fails, call the person or organization directly and ask them to confirm their request.