Sometimes you’re the fisherman, sometimes you’re the fish.
Erik Boemanns
Derisking technology with a lawyer's lens and a technologist's techniques. Governance, Risk, Compliance, and Security Executive supporting businesses focused on their next stage of growth.
During this first week of Cybersecurity Awareness Month, the focus has been on recognizing and reporting phishing. With all the training and testing, why is phishing still an important topic? Because people are still falling for it and the phishers are only getting more sophisticated. Those who phish are creative and always adapting to whatever security measures are put in place. New LLM-based AIs allow them to craft more compelling messages with fewer mistakes. All of the data breaches feed them more information to better personalize the attacks. And it’s a low-cost, high-reward business for the cybercriminals.
What is phishing?
If you’re not familiar with the term phishing, it refers to a variety of messages sent by cyber criminals with the intent of getting the recipient to respond or click a link. Once you click the link, they may try to get you to download malware, enter payment information, or enter your login information. The intent is to steal something from you. It can be direct and obvious, such as a ransomware attack. Or you might never realize it happened, if they just have you enter your login into a fake website. The harm might come weeks later, or never happen at all (especially if you have multifactor authentication). Overall, phishing doesn’t have a high dollar reward for the criminals (unless they’re lucky with a ransom), but instead is a volume business. The more people they can trick, the more they can sell to other criminals who will later exploit it.
Types of Phishing
Just as phishing has a variety of ill purposes, it also comes in a variety of styles. Each is tailored to the way it’s sent and the type of information they want to steal. Here’s a short list of common types of phishing, and how to recognize them.
Email phishing
This is the most common phishing message. It comes in a wide variety of forms – from promises of gift cards to threats that your account will stop working if you don’t click the link. They are often generated in bulk and sent to thousands of recipients. Sometimes there is a little bit of personalization with your company name or your own name, but nothing more detailed or personal. You used to be able to recognize these by their typos, formatting, or other technical problems. But the senders have become more sophisticated, so the quality has improved quite a bit.
Typically, they are recognized because they just don’t make sense. They could be describing a business process that your company doesn’t have. Or they could claim to be a phone system voicemail – but you don’t have such a system. If they pass the first sniff test, and seem like they could be real, then you have to hover over links (don’t click them!) and see whether they go to real websites or to some sort of fake site or redirect. Real emails will often include instructions on how to proceed without clicking links, such as providing a code you enter on the legitimate website.
Best case? Don’t click links in emails and find a different way to perform the action if you think it might be a legitimate request. Or ask your IT or security team for a second opinion.
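The hover check described above, as an added example that is not part of the original post: a short Python script that pulls every link out of an HTML email body and flags what a careful reader would notice by hovering (visible text that names one site while the link goes to another, short URLs, and plain-http links). The shortener list and the sample message are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed sample list of URL shorteners (constructed for this example); extend as needed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value):
    """Host part of a URL or bare domain, lowercased ('' if there is none)."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()

def check_links(html):
    """Return (href, reason) findings: the hover check done in code."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        shown, actual = host_of(text), host_of(href)
        # Visible text looks like a site address but the real target is elsewhere
        if "." in shown and actual and shown != actual:
            findings.append((href, f"text shows {shown} but link goes to {actual}"))
        if actual in SHORTENERS:
            findings.append((href, "short URL hides the real destination"))
        if href.lower().startswith("http://"):
            findings.append((href, "unencrypted http link"))
    return findings

# Constructed sample message (not a real phish); .test is a reserved domain suffix
SAMPLE_EMAIL = ('<p>Your account will be locked. Verify now: '
  '<a href="https://login.example-security.test/verify">https://www.example.com/account</a>'
  ' or <a href="https://bit.ly/abc123">click here</a>.</p>')

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```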
Spear phishing
While most email phishing has some level of personalization, it’s still a generic template which happens to have your name or company name in it. Spear phishing takes this one step further and is tailored to you. Based on breached information or researching your social media and other sources, the criminals prepare messages just for you. They may appear to be from businesses you frequent, family members, your boss, or other direct relationships you’re likely to trust. The goal of spear phishing is typically the same as regular phishing, but the attackers believe you have access to more valuable things. As a result, they’re willing to invest the time to personalize the attack.
Recognizing spear phishing follows the same rules as regular email phishing. Does the request make sense? Is it something the person would really ask you to do? Is there a different way to contact the person or business to see if it is legitimate? If so, use it, and never click on the links provided in the email.
Whaling
Whaling is spear phishing aimed at high-level executives. Its main difference is that it is even more researched and targeted. One example of whaling involved a faked email from an executive’s day care. They realized it was fake because their child was home sick that day. Any other day, they might not have caught the attack until it was too late.
Smishing
Smishing is when you get a phishing message via a text message. It will be very similar to regular phishing, but in the context of short messages. A very common version of smishing is a non-delivery text. The message will appear to be from a delivery service (such as UPS) or a company like Amazon. It will say they can’t deliver your package due to some problem. All you need to do is click the link to fix the problem, and your package will be delivered. If you are expecting an important delivery, it might just be convincing enough to trick you into clicking it. Smishing relies on short URLs, which everyone uses, to help hide their fake site.
The first way to recognize smishing is the number it came from. If supposedly official messages come from ordinary phone numbers (or worse, international numbers), they are likely not real. There are also often typos in these messages – but you can’t rely on this as much. Beware of the URL as well – if it seems suspicious, it’s probably not real. As with other phishing, try to find an alternative way to contact the person or company and verify the request.
Other types of phishing
If there’s a way for someone to send you a message, there’s a way to phish you. Voicemail, video messages, WhatsApp chat, or more – the criminals are using every technique to find their victims. As you have seen, the advice is almost always the same. Does the message make sense? Does the sender seem real? Does the request ask you to click on an unusual link? Is it asking you for login information, payment information, or to download software? All of these are clues you’re the target of a phishing campaign.
Be sure to report it.
If you’re phished at work, reporting the attempt via your company’s preferred method is important. You’re likely not the only person targeted. Reporting the phish helps find other attempts and proactively remove them before someone else might be tricked. It also helps train systems and ensure there’s appropriate awareness of something happening.
On personal channels, you can typically report phishing messages to the provider. Text messages can be reported on most phones. Accounts on LinkedIn, Facebook, or other platforms can be reported and eventually shut down. So, reporting phishing messages is always beneficial – even if you weren’t tricked – in keeping the particular method or account from being used successfully on someone else.
Through a combined awareness of phishing techniques and risks, we can all help make sure this pervasive cyber-attack is less effective and less valuable to the bad actors of the world.
Cybersecurity Awareness Month - Live Event
My live event is tomorrow (Monday, October 6th) at noon (12pm) Eastern time!
Join here! or watch the recording later!
Week In Review
My posts in the month of October are focused on Cybersecurity Awareness. So far, I've been focusing on phishing, but will shift to strong passwords, multifactor authentication, and updating software in the coming weeks. And I'll sneak some other posts in along the way.
Here are the cybersecurity posts so far:
And a few other thoughts from the week:
What was on your mind this past week? Do you find all the posts on cybersecurity awareness helpful? Or just too much of the same? What could we do differently to make it more valuable?
In Conclusion
Thanks for hanging out here with me through Cybersecurity Awareness Month! Our regular programming will resume in November (whatever that is).
Don't forget, if you are looking for a job and want to be in the job seeker spotlight, the You Just Found ME job seeker spotlight is still going, so please reach out!
As I'm growing my business, I'm looking at how to engage with private equity firms, law firms, and start-ups facing their next challenge - so if you're connected to any of these worlds, let's chat soon!
Don't forget! I am offering referral bonuses for any work you bring me through Mirability, LLC - if you're interested. If there's anything I can help you with, I'd love to hear about it.
I hope this coming week is exactly what you need it to be!
Thanks, as always!
Be sure to check out my new online merchandise. Remember, 100% of the profits for any You Just Found ME merchandise goes to support that program for job seekers!
If you want to keep up with everything I’m posting, click here and also the bell to be notified when I post!
Follow You Just Found ME to help support job seekers!
Follow Mirability, LLC to learn more about how I'm solving unique technology problems!
Subscribe to my Substack here: https://ebspoke.substack.com/
I'm on Medium as well: https://ebspoke.medium.com/
Check out #EBSpoke for more of my recent posts here...
About Erik
Erik Boemanns is a technology executive and lawyer. His background covers many aspects of technology, from infrastructure to software development. He combines this with a "second career" as a lawyer into a world of cybersecurity, governance, risk, compliance, and privacy (GRC-P). His time in a variety of companies, industries, and careers brings a unique perspective on leadership, helping, technology problem solving and implementing compliance.
He's available to help you with any of this now too!
Cybersecurity awareness is so crucial right now—thanks for sharing these insights. Erik Boemanns
Marketing Strategist for Small Business | Copywriter / Content Marketer | Licensed, Certified, Marketing Coach | Major Market Radio Personality
1 month
Great tips for "avoidance", Erik Boemanns!