From the archives: How can I tell it’s really you?

This piece was originally written by Nav Bassi on September 17, 2020, for the now-defunct UVic CISO Blog. Reposting it here as much of the content remains relevant. The sad truth is that we’ve recently been seeing a lot of phishing emails coming from compromised accounts belonging to people the recipient knows. Even if the email is from someone you know, check for signs of phishing, like messages that don’t sound right for that person/organization or links that don’t go where they say they go.

If you get an email from someone you know but it feels a bit off, don’t reply to the email. The mailbox could be compromised or the email may have been crafted to send replies to a different, fraudulent email address. Either way, you could get a reply from the phisher saying that the email is legitimate when it really isn’t. Instead, verify in person, or reach out to a different contact method (such as by phone or video call) that you already have and know is legitimate.


Way back in 1993, Peter Steiner drew his “On the Internet, nobody knows you’re a dog” cartoon. It was referring to Internet anonymity, but I think today, 27 years later, it is also relevant for impersonation email scams.

Most people understand that phishing is a form of social engineering conducted via email, and that it is often used to trick you into revealing your username and password. But what happens after you reveal your username and password? This depends on the attacker and their motivation. Some are loud and fast: they immediately use your username and password to log into your email account and use it to send spam or more phishing emails. Others are quiet and fast: they immediately try to use your username and password to access services on your behalf and see what useful data they can steal. At UVic, just log into your online services and think about what an attacker could do if they could see and access everything as you! Some are both quiet and slow – hard to detect, and often patient enough to try something bold.

If you receive an email from someone out of the blue, and it doesn’t sound like them, you might get suspicious. Maybe it’s the wording or language, or maybe it’s even the topic of the message, but you might use your phishing awareness training to take a closer look at the From: address or even report it to your IT personnel and discover the sending address is wrong. This is an impersonation email, and we get them all the time: An email exchange with the President (not really).

What if you are already in an email conversation with someone, having a series of back-and-forth exchanges? Would you notice if suddenly the response to your last email was not from them? In this case, what has happened is that an attacker has accessed a person’s email account and spent time, perhaps many days or weeks, monitoring emails going in and out of the mailbox until they see something of interest. For example, a conversation about payments, and perhaps direct deposit account information:

[Attacker has access to Person A’s email account]
Person A: “Sounds good, are you ready to transfer funds?”
Person B: “Yes, can you send me your direct deposit information?”
[At this point, the attacker takes Person B’s message and deletes or files it, and responds on their behalf]
Attacker as Person A: “Yes, here it is.”

The attacker also sets up a mail rule so that emails from Person B are no longer visible to Person A; from this point on, Person B is corresponding with the attacker impersonating Person A. How long before they can tell? Does Person B send the funds to the wrong account? Does Person A catch on and decide to call Person B?
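One way a help desk or mailbox owner could look for the kind of hiding rule described above, as an added example that is not part of the original post: it audits a list of inbox rules and flags the traits that show up in account-takeover cases (deleting or burying mail from a specific sender, marking it read, forwarding outside the organisation, blank or punctuation-only rule names). The field names are modelled on what an Exchange inbox-rule export looks like and are an assumption, not a vendor schema; the folder list, the sample rules and the domain example.edu are constructed placeholders.

```python
# Added example: audit mailbox rules for traits seen in compromised accounts.
# Field names (Name, Enabled, From, DeleteMessage, MoveToFolder, MarkAsRead,
# ForwardTo, RedirectTo) are assumed to mirror an Exchange inbox-rule export.
OWN_DOMAIN = "example.edu"  # placeholder for the organisation's own mail domain

# Folders people rarely open, so mail moved there is effectively hidden.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "deleted items", "conversation history"}


def audit_rule(rule):
    """Return the reasons this rule looks like takeover tradecraft ([] if none)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons  # disabled rules do nothing; skip them
    senders = rule.get("From") or []
    folder = (rule.get("MoveToFolder") or "").lower()
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    if folder in HIDING_FOLDERS:
        reasons.append("moves mail to rarely read folder '%s'" % rule["MoveToFolder"])
    if rule.get("MarkAsRead") and (rule.get("DeleteMessage") or folder):
        reasons.append("marks as read so no unread count gives it away")
    for target in (rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or []):
        if not target.lower().endswith("@" + OWN_DOMAIN):
            reasons.append("forwards/redirects to external address %s" % target)
    if not rule.get("Name", "").strip(". -_"):
        reasons.append("rule name is blank or punctuation only")
    if senders and reasons:  # the post's scenario: one correspondent silenced
        reasons.append("scoped to specific sender(s): " + ", ".join(senders))
    return reasons


def audit_mailbox(rules):
    """Map rule name -> reasons, for every rule that raised at least one."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings[rule["Name"]] = reasons
    return findings


# Constructed sample rules: one benign, two typical of a compromised mailbox.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "From": ["news@vendor.example"],
     "MoveToFolder": "Newsletters"},
    {"Name": ".", "Enabled": True, "From": ["personb@partner.example"],
     "DeleteMessage": True, "MarkAsRead": True},
    {"Name": "Sync", "Enabled": True, "MoveToFolder": "RSS Subscriptions",
     "ForwardTo": ["drop@attacker.example"]},
]

if __name__ == "__main__":
    for name, why in audit_mailbox(SAMPLE_RULES).items():
        print(name, "->", "; ".join(why))
```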

Takeaways:

  1. Your username and password protect your accounts and the information they contain; protect them by making sure they are long and hard to guess. Expect that attackers are phishing you, so take phishing awareness training and, if in doubt, pick up the phone and call the sender.
  2. Do not share sensitive, confidential or highly confidential information via email without password-protecting it (and don’t put the password in email either!); the example above was direct deposit information, but it could have been any password – e.g. an Interac e-Transfer password. If your email account is compromised, sensitive information is visible to attackers, and they could impersonate you to anyone you’ve corresponded with previously.
  3. Check each email, even replies to emails you have sent, for signs of phishing. If you see any suspicious behaviour, pick up the phone and call the person you are corresponding with to verify.

The above post was prompted by a real event which was fortunately detected by a recipient who spotted the signs of phishing and took action.