Fight the Phish

[00:00:20.500] – Steven Maresca

Hey there.

[00:00:20.890] – Jason Pufahl

Hey Steve. We had a lot of debate about what to call phishing. I think we settled on it being the scourge, maybe, of the cybersecurity social engineering world. You asked me to define social engineering a little bit as we’re prepping for this, and I don’t want to over-blow it, right? Because in reality, it’s anything that sort of seeks to leverage a human response to maybe a question or an inquiry, right?

[00:00:52.370] – Jason Pufahl

So we’ll get emails, we’ll get text messages, we’ll get voicemails, there’s a whole variety of ways that phishing works. All of it’s generated to try to get some person to take action on the requester’s behalf. And maybe that’s an oversimplification. Maybe you want to add to that.

[00:01:06.680] – Steven Maresca

So social engineering in general, it’s a discipline that basically uses deceit to get people to act how they want. That could be a guy showing up in a cable company uniform, it could be somebody sending an email. Today, we’re talking about phishing. It’s about communications, not necessarily in person, but it’s the sense of making people behave in a certain way for malicious means to acquire information or get that recipient to do something on their behalf.

[00:01:37.060] – Jason Pufahl

So I guess the question I have is, why does it work so well, right? I mean, let’s face it, there’s a ton of different types here. We’ve seen phishing evolve over 30 plus years. Originally, it was poorly written, typically the grammar was terrible. People still sort of succumbed to it. I think we’ve seen it mature a lot, and they almost look like legitimate business emails. Why is it so successful?

[00:02:05.280] – Steven Maresca

At the core of it is psychology, ultimately. People are forgiving, people want to be helpful, people respond to authority or perceived authority. Communications, when directed to you as an individual, prompt a response. It’s polite to at least try to service the request, even if in some capacity, it doesn’t make a great deal of sense.

[00:02:25.780] – Steven Maresca

People try to be helpful. And if that innate reflex is compounded by fear or urgency, it makes the message all the more successful. And I’m confident that most people listening will have received some sort of phishing communication that, in fact, aims to do precisely those things.

[00:02:49.960] – Jason Pufahl

So is your advice to people, don’t be forgiving and don’t be helpful?

[00:02:55.120] – Steven Maresca

Just as with everything in security, trust but verify. Do your due diligence, look at what you’re receiving. Does it make sense? Is it a reasonable message from someone? Is it the person you normally expect to be communicating on the subject? Use some basic critical thinking to determine whether you’re doing something that should be done.

[00:03:20.060] – Steven Maresca

And here’s the trouble. All these messages seek to catch us in a moment of vulnerability. That might be at tax time. You’re expecting some sort of message from HR or finance regarding your tax return. You’re more likely to react to that message because you’re primed for it already.

[00:03:39.720] – Jason Pufahl

So I know you’re referring to a specific event that you and I dealt with in the past, right? And what made that interesting was it really did rely on that sense of urgency, right? People received an email that had what appeared to be a screenshot from a legitimate website. It told people that if they didn’t act very quickly, their W-2s would be taken down. They wouldn’t have them available during tax time.

[00:04:06.170] – Steven Maresca

Which is, of course, ludicrous.

[00:04:08.000] – Jason Pufahl

Ludicrous, right? And I think if people take a second step back and say, “Would this reputable organization ever withhold my W-2 if I don’t click on this link in the next five minutes? Of course, it makes no sense when you say it out loud. But people are running to a meeting, people are stuck with deadlines all the time. They do tend to overreact or try to solve problems as quickly as they can. Huge issue, right? Providing your credentials to a tax portal or an HR portal, which is ultimately the outcome of that particular phish.

[00:04:40.180] – Steven Maresca

Right. Again, psychology. It’s W-2. People feel like they need to comply. They’re expecting it. And the tax return, people like the money. So it’s sort of a multipronged carrot to get you to act in a way that effectively undermines you and the organization in the same fell swoop.

[00:05:00.350] – Jason Pufahl

So staying on that same phishing example, the one that we just talked about, the W-2 example, there were tell-tale markers in that, that if somebody looked at critically, I think they would’ve been able to say, “This doesn’t seem legitimate.” Right? The sender address was wrong, right? It wasn’t the institution’s domain. There were clear errors in essentially what they did to spoof the website of the company. There were markers, right? At a quick glance, it looked reasonably good. But there are ways to sort of go through that and figure it out.

[00:05:34.110] – Jason Pufahl

I’m intrigued by examples such as some of the text-based phishing that we see nowadays, right? And we received an example, or just before the podcast actually, somebody pointing out a text they got from their bank that is really short, right? Four or five lines basically, with a URL to click. There isn’t a lot of information in that case to be able to make a qualified decision about whether it’s legitimate or not. To be perfectly candid, I don’t even know sometimes how you make that determination short of not clicking on anything you receive maybe in a text.

[00:06:10.240] – Steven Maresca

Right. I mean, especially when you feel, essentially, an obligation to save your money, and your bank’s telling you your accounts are on hold or something to that effect. You’re probably going to click even if you don’t know what it is. There are lots of banks that actually advertise the fact that they communicate in that convenient way. And that can be undermined rather readily.

[00:06:33.250] – Steven Maresca

Another example I had the pleasure of receiving myself was a text message purporting to be about my Netflix subscription. Granted, banks, Netflix, I’m not sure it’s all that unclear which is more important, but people care about that. Kids need to be occupied. We’re bored. It’s just another example. It was easy to tell, Netflix wasn’t spelled correctly. But if you’re distracted and just inclined to click things you get in a text message, you might end up at a website that looks remarkably like Netflix and try to sign in.

[00:07:06.140] – Jason Pufahl

Right. So our general guidance though, would be if you got an email, or rather, maybe if you got a text message from Netflix or from a bank, contact the bank directly, right? Don’t click the links that were sent. If you’re worried about protecting your money, call your bank and say I received this text message. I’m concerned about the fact that you’re placing my account on hold or whatever the case may be.

[00:07:28.670] – Steven Maresca

That’s an approach that applies to everything. Text messages, emails, voicemails purporting to be from entities of authority. Just call. You’d probably have the number handy. If not, go look it up online. It’s easy to find a reputable source. Question, bottom line. That’s the right response to all of this.

[00:07:49.900] – Jason Pufahl

And people are sent phishing content, right? Text, emails, whatever the case may be, because it works, because they do get people when they’re unaware. To your point earlier, people do want to be helpful, right? They want to be responsive, even if they feel like what they’re receiving doesn’t seem right. They’re getting a text message from their CFO, who they’ve never spoken to, asking them to buy gift cards. It doesn’t feel right, but they want to be helpful.

[00:08:22.300] – Steven Maresca

Right. The best defended business can be undermined by the release of an identity and access control. You give away your password, an attacker can get in, bypassing all of the defensive measures that have been put into place at great cost. And frankly, somewhere in the neighborhood of 80 to 90 percent of all of the incidents we deal with have at least some route in revealing information of this sort via phishing or some other similar means.

[00:08:50.040] – Jason Pufahl

So it brings us back to a discussion we have all the time, which is that your employees are one of the greatest sort of avenues for an attack institutionally, but I think they can also be some of the best allies if educated or trained properly. And we talk all the time about making sure they really understand what threats exist, how to identify phishing emails, and how to protect their credentials. The reality is they’re that first line of defense for a business, and they need to be trained accordingly.

[00:09:19.120] – Steven Maresca

Right. Security awareness in general, that’s the aim. It’s the requirement to defend against these things. And vigilance is the way we sidestep these problems.

[00:09:29.490] – Jason Pufahl

And they’re easy to fall victim to. I do this stuff every day, and the reality is I’ll get emails where I have to look twice to figure out whether they’re legitimate or not, right? And we’re in that chain of individuals that sends us something and says, “Can you verify this?” And I find I have stare at it. They’ve gotten really good where they used to be kind of child’s play to identify the Nigerian prince who is going to give you the $30 million, right? Those days are gone.

[00:09:58.770] – Jason Pufahl

And they really are, that in many cases, that initial attack vector for companies being sort of compromised, where attackers then get the credentials and deploy ransomware and some of these other sort of second-stage attacks, right? Very often it is the release of credentials through some sort of attack like that by an individual who thought they were doing the right thing. Nobody typically is doing it maliciously.

[00:10:25.680] – Jason Pufahl

I’m not sure how much else there is to cover about phishing. I mean, it’s a pretty straightforward topic. I think our advice here typically is be mindful of what you receive. Try not to be too helpful too quickly. Certainly don’t shut responsibility, but don’t jump at it either.

[00:10:44.000] – Steven Maresca

If you’re an individual, pay attention to your personal emails. Be critical of something that you receive from a relative who never sent you an email. If you’re in a business setting, it’s not necessarily likely that the VP of some business division is going to send you a personal email. Both of them are important. You’re receiving messages of this sort in each sphere. The same rules apply.

[00:11:10.740] – Jason Pufahl

So be mindful of what you receive. Don’t be too helpful too quickly. And just note that phishing is the scourge of the Internet at this point.

[00:11:23.510] – Jason Pufahl

And as always, we want to thank you for listening. We hope that you’ve found some value in this discussion. Feel free to reach out to us at Twitter @VancordSecurity, or follow us on LinkedIn. And of course, subscribe to the podcast at Spotify, Apple Podcast or a variety of other locations. Thank you. And thanks, Steve, for joining.

[00:11:46.370] – Speaker 1

Stay vigilant. Stay resilient. This has been CyberSound.