Phish are always in season
Some of my fondest childhood memories were made in the Adirondack Mountains of upstate New York. In particular, fishing for rainbow trout in the clear cool water of Bear Creek. My father once shared a memory of his youth, fishing the creek with his Uncle Gilbert, a year-round resident of the Adirondacks. One unusually warm winter morning, Gilbert asked my dad if he was up for fishing. Dad replied “I wish! But the season hasn’t started, yet.” His uncle laughed, “This far north the only seasons are salt and pepper.”
Present-day hackers subscribe to Uncle Gilbert’s view of a perpetual phishing season. And like all anglers, hackers use different (click)bait and techniques, depending on the quarry and time of year.
Listed here are a few of their most coveted prey.
Cutthroat Consumer Fish (amazonian primus) Most prevalent during the early winter months, this fish is an avid hunter/gatherer and often loses track of inventory due to the sheer volume collected. Emailing a cleverly branded digital invoice to the Consumer Fish will often entice it to investigate further, clicking links to review unfamiliar purchases. Those links can lead to consumer website doppelgangers designed to steal login credentials and credit card information.
Large Mouth Tweeter (social medius divulgus) This fish has quite a story to tell and enjoys constantly doing so. Given the chance, the Tweeter will share details of schools (hah!) attended, pictures of delicious bait, where they met their spawning partner, and favorite vacation waters. All of which can be used by the experienced angler to provide the secret question responses needed to reset account passwords and link checking accounts to mobile device payment apps.
Great White Whale (executus exploitus) Considered by many to be the ultimate trophy fish, netting a Whale requires specialized luring techniques. An email message sent with details of the Whale’s company, recent professional achievements, or other personal information can convince the Whale to authorize distributions, divulge privileged information, or click a link that installs malware. The Whale is elusive, but well worth the effort if caught.
Fortunately, even the most skillful digital anglers can be evaded by following a few simple rules:
- Beware of unexpected email messages, especially those containing links. Should you receive a notice from your bank, for example, open a browser and navigate to the bank’s website directly instead of trusting links in a message. This will ensure you are going to the bank’s legitimate website.
- Be especially wary of email messages requesting urgent action on your part, under the threat of undesirable consequences. “Validate these recent charges now, or we will deactivate your account” is a common ruse. Don’t take the bait.
- Validate ALL transactions via phone, especially financial distributions. It’s much easier for a hacker to phish a client than an advisor. A popular tactic of the cyber fisherman is to gain access to the client’s email account and then use it to send bogus distribution requests to the advisor. Expect bogus requests to be convincing, well-written, and sent as part of an existing email conversation. Take the time to call your client now to avoid a call from them, asking why their account is short.
- Train and test your staff. Fraudsters frequently target entire organizations in hopes of finding a weak link. Low-cost training and testing tools are available online to keep your staff and coworkers on their toes. Managed properly, a testing program can not only elevate your organization’s game but also create a healthy competitive spirit.
Trout season is now well underway, but there will always be hooks in the water. Don’t get caught!
The views expressed are those of Brinker Capital and are not intended as investment advice or recommendation. For informational purposes only. Brinker Capital, Inc., a registered investment advisor.
Tagged: Jim O’Hara, technology, cybersecurity, phishing