Anatomy of a Phishing Attack: Don't Take the Bait
- Technical skills, New tech, Digital, Usability
The email arrived in my wife’s inbox on a very average Thursday evening. She was relaxing on the couch with the dogs, going through the 1,637 unread emails in her personal email account. At the top of her inbox was an email from iTunes; it arrived just after she sat down.
The email notified her that an app, one she didn’t immediately recognize, would automatically renew, and she would be charged $100 if she did not act right away. In fact, the renewal date was that very day.
Although she didn’t remember subscribing to this app, it was possible. With all the in-app purchases she’d made over the last few months, she could’ve done so in error; mistakes happen. Given the urgency – the renewal date was that very day, right? – and the fact that $100 was at stake, she clicked the link to cancel the subscription.
The email, emblazoned with the Apple logo, suggested that this app was purchased through the App Store. The link she clicked led her to a website with a login screen that requested her Apple ID and password. She obliged. Oddly, nothing happened when she hit return. Ten minutes later, she forwarded the email to me, adding that she was confused since the app was not listed in her App Store subscriptions on her phone.
Her confusion was warranted: the email was a phishing attack, an attempt by a hacker to convince her to give up her Apple ID and password. Unfortunately, the attack was successful.
While the attack itself was successful, the consequences of the attack were mitigated by a few good cyber hygiene practices she employed:
- She has a good awareness of the online threats to her personal information,
- She uses strong, unique passwords for her online accounts, and
- She activates multi-factor authentication on many of her accounts.
First, despite clicking on the link, she is usually a smarter-than-your-average-bear target. As a geek dad, I send my family occasional “Phamily Phishing Phriday” texts with examples of attempted attacks I get in my personal accounts via email (“phishing”), text (“smishing”), and voice (“vishing”). When I encounter a suspicious message, I take a screenshot of the attempted attack, mark it up by circling the red flags, and send it along with some commentary to our family chat. I know, I know, really pegging the Geek Meter here.
Pegged Geek Meter or not, however, statistics suggest that consistent and frequent reminders of good cyber hygiene practices are better than one-and-done approaches. Remember when organizations used to conduct “annual” cyber awareness training? Nowadays, more and more organizations have moved toward frequent education-based approaches often including random phishing tests. The latter is a better approach.
Recognizing her mistake within minutes of clicking the link, and then emailing me, likely decreased the potential severity of this attack.
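The "red flags" worth circling in a message like the one above can also be checked mechanically. The following Python is an added example, not code from the original post: it parses a constructed email that mimics the one described (Apple branding, a renewal charge, a "today" deadline, and a login link) and reports the brand/sender mismatch, the urgency pressure, and the off-brand, non-HTTPS link. The domains in `BRAND_DOMAINS` and the sample message are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample resembling the message in the post; not the real email.
SAMPLE_EMAIL = """\
From: iTunes <billing@itunes-renewals.example>
Subject: Your subscription renews today
Content-Type: text/html

<html><body><img src="https://www.apple.com/logo.png">
<p>Your app subscription will renew today and you will be charged $100.</p>
<p><a href="http://appleid-verify.example/login">Cancel subscription</a></p>
</body></html>
"""

# Domains the impersonated brand legitimately uses (assumed list for this example).
BRAND_DOMAINS = {"apple.com", "itunes.com", "icloud.com"}
BRAND_NAMES = {"apple", "itunes", "app store"}
URGENCY = re.compile(r"\b(today|immediately|right away|act now|within 24 hours)\b", re.I)
HREF = re.compile(r'href=["\']([^"\']+)["\']', re.I)

def _is_brand(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def red_flags(raw: str) -> list:
    """Return a list of human-readable warnings found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # Display name claims the brand, but the envelope domain is not the brand's.
    if name.lower() in BRAND_NAMES and not _is_brand(sender_domain):
        flags.append(f"display name '{name}' but sender domain '{sender_domain}' is not the brand's")
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')} {body}"
    if URGENCY.search(text):
        flags.append("urgency language pressuring immediate action")
    if re.search(r"\$\d+", text):
        flags.append("threatened charge used as a pressure tactic")
    for url in HREF.findall(body):  # every clickable link in the HTML body
        parsed = urlparse(url)
        if not _is_brand(parsed.hostname or ""):
            flags.append(f"link points off-brand to '{parsed.hostname}'")
        if parsed.scheme != "https":
            flags.append(f"link is not HTTPS: {url}")
    return flags
```

Running `red_flags(SAMPLE_EMAIL)` yields five warnings, while a genuine receipt sent from and linking to the brand's own domains yields none.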
Second, she uses a password manager to create – and remember – strong passwords. The password manager allows her to use unique, strong passwords for every online account she has. Plus, she never has to remember a password. The app remembers it for her.
Third, she uses multi-factor authentication (MFA), also referred to as two-factor authentication (2FA), for all accounts that offer it. Accounts protected with MFA require an additional layer of authentication beyond the user ID and password, often a PIN or a randomly generated one-time code.
The random code is often sent to the user’s verified mobile number via a text message, although some services allow the codes to be sent to the user’s verified email account. Another way to receive these one-time codes is to use an “authenticator app” like Microsoft Authenticator, Google Authenticator, or Authy.
Now, even though these three things decreased her exposure, we weren’t out of the woods. She had entered her Apple ID and password into the hacker’s fraudulent website.
To mitigate this damage, we navigated to the Apple ID website by entering the address directly into the browser address bar, logged into her Apple ID account with her current (now compromised) credentials, and fully authenticated our login request with the MFA one-time code.
Once logged in, we verified that all her information in the account was correct and hadn’t been altered and then updated her password with a new unique, strong password from her password manager.
Lastly, we ran a virus and malicious software scan on her computer; this came back clean. We cleared her cookies and website data in all her web browsers and restarted her machine. We ran another virus and malware scan (again clean) and called it a night.
Has this happened to you?
Here are several things you can do right now to lower your risk of these types of threats:
- Refresh your knowledge of phishing attacks by reviewing this resource: https://www.phishing.org/what-is-phishing.
- Go to https://haveibeenpwned.com, enter your email address in their search engine, and see if your email has been part of a breach. If it has, change those account passwords immediately.
- Invest in – and use – a password manager. Wired has an excellent article on these: https://www.wired.com/story/best-password-managers/
- Enable multi-factor authentication/two-factor authentication at a minimum on your financial and social media accounts. Check out this piece from the Electronic Frontier Foundation to learn more: https://ssd.eff.org/en/module/how-enable-two-factor-authentication
- Routinely scan your computers for viruses and malware.
While these things will not eliminate the threat, employing even a few could lower your risk.