If You Think Phishing Is Only Your Employer’s Problem, Think Again
If you work for a company, you probably think about phishing attacks in a distant sort of way. In other words, phishing may be a problem, but it’s not really your problem. It’s your employer’s. Right? Wrong.
According to a recent article on the phishing-education website KnowBe4, an employer in the UK sued an employee for $250K for falling victim to a phishing scam. According to the article, “Patricia Reilly, who was working for the UK Peebles Media Group, fell for a CEO Fraud Scam where the criminals sent her emails pretending to be Mrs. Reilly’s boss.”
She’s being sued because, in the company’s view, she should have known better. The remarkable thing is that the company never gave her any training on how to spot online fraud. Maybe Mrs. Reilly ought to countersue her former employer for the lack of proper training. Or maybe she’ll countersue them for not using inexpensive, readily available technology to keep the darn phishing email out of her inbox in the first place.
Now Just Booking a Vacation Can Get You Hacked
If you fly, then you know that airlines send check-in links by email 24 hours before your flight. What you might not know is that some airlines send links that open a connection over plain HTTP instead of HTTPS. And that puts you at risk of being hacked.
According to an article on the security news website SecurityWeek, “check-in links sent to customers by several major airlines from around the world can allow hackers to obtain passengers’ personal information and possibly make changes to their booking.” The airlines that security firm Wandera found doing this include Southwest in the US and KLM in the Netherlands.
According to Wandera VP of Product Michael Covington, the link itself includes a record locator, the origin and destination of the flight and, in some cases, the passenger’s name. Because the request travels unencrypted, anyone positioned on the network path (think shared airport or hotel Wi-Fi) can read those values straight out of the traffic and use them as credentials to open the targeted user’s online check-in page. The same link sent over HTTPS would expose only the hostname to such an observer, not the booking details.
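To make the difference concrete, here is an added example (it is not code from the article, from SecurityWeek or from Wandera) that takes a constructed check-in email, pulls out the links, and reports what a passive observer on the network path would see for each one. The hostnames, the query-parameter names (pnr, from, to, lastname) and the sample booking are all hypothetical; they are chosen only to mirror the fields the article says the links carry.

```python
"""
Added example: what an on-path observer sees of an airline check-in link,
depending on whether the airline sent it as http:// or https://.
Everything here (hosts, parameter names, booking data) is constructed for
illustration; it is not taken from any real airline email.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters that, per the article, identify a booking well enough to
# open the online check-in page. The parameter names are an assumption.
SENSITIVE_PARAMS = {
    "pnr": "record locator",
    "from": "origin airport",
    "to": "destination airport",
    "lastname": "passenger name",
}

# Constructed sample email body with two links: one in the clear, one over TLS.
SAMPLE_EMAIL = """\
Your flight departs in 24 hours. Check in now:
http://checkin.example-air.test/ci?pnr=ABC123&from=LHR&to=AMS&lastname=Reilly
Manage your booking:
https://secure.example-air.test/mmb?pnr=ABC123&lastname=Reilly
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_links(text):
    """Return every http(s) URL found in an email body."""
    return URL_RE.findall(text)


def observer_view(url):
    """Describe what a passive observer on the network path can read.

    Over plain HTTP the whole request line travels unencrypted, so the path
    and query string, and every booking field inside them, are visible.
    Over HTTPS only the hostname leaks (via the DNS lookup and the TLS SNI
    field); the path and query are inside the encrypted stream.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return {"host": parts.hostname, "plaintext": False,
                "request_line": None, "exposed": {}}

    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    query = parse_qs(parts.query)
    exposed = {SENSITIVE_PARAMS[k]: v[0]
               for k, v in query.items() if k in SENSITIVE_PARAMS}
    return {"host": parts.hostname, "plaintext": True,
            "request_line": f"GET {target} HTTP/1.1", "exposed": exposed}


def audit_email(text):
    """Classify every link in an email body; one finding per link."""
    return [observer_view(url) for url in extract_links(text)]


if __name__ == "__main__":
    for finding in audit_email(SAMPLE_EMAIL):
        if finding["plaintext"]:
            print(f"[!] {finding['host']}: sent in the clear")
            print(f"    observer sees: {finding['request_line']}")
            for field, value in finding["exposed"].items():
                print(f"    {field}: {value}")
        else:
            print(f"[ok] {finding['host']}: only the hostname is visible")
```

The same audit_email check can run at a mail gateway or in a mail client to flag check-in links that arrive over plain HTTP before anyone clicks them; the observer it models has to be on the path between the passenger and the airline, which is exactly the position an attacker on a shared Wi-Fi network occupies.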
Once on the check-in page, the attacker may have access to other, more personal data, such as
- email address,
- name and gender,
- passport information,
- phone number,
- partial payment card information,
- booking reference,
- flight details (flight number, seating data), and
- even the complete boarding pass.
In some cases it may even be possible for the attacker to change the data provided and print the victim’s boarding pass.
Still think you don’t need advanced phishing prevention technology?
Looking for a Hobby? How About Phishing?
Would you be surprised to learn that phishing has been around since 1996? That’s like year 2 AD in internet time. You’d think that after almost a quarter of a century phishing would be gone by now. In fact, just the opposite has happened.
In case you’re wondering why phishing rates continue to rise, consider this list of resources available to the aspiring attacker:
Incredibly, there are actually places on the internet novices can go to learn how to phish someone. They can purchase step-by-step tutorials and templates to conduct their own phishing campaigns.
Just as there are for phishing, there are resources on email spoofing techniques. They cover everything from how to create, compromise or find an SMTP server from which to send the spoofed emails, to how to keep those emails out of spam folders and the sending IP off blacklists.
For aspiring phishers, a website cloning or mirroring service known as XDAN CopySite makes it easy. All they need to do is enter the domain of the website they want to clone, and within seconds they have a static copy of the site, enough to be convincing at first glance.
When someone tells you to try phishing for a hobby, go out and get yourself a rod and reel.