Email security: A phishing tale

A few weeks ago my wife told me that she got an unexpected email from the Canada Revenue Agency. It wanted to initiate an Interac e-transfer of $980.99 into her account. The alarm bells immediately started ringing in my head.

  • We already received our tax refunds months ago.
  • They already have our direct deposit info, so an e-transfer doesn’t make sense.
  • It’s just too good to be true.

I took a look at the email she received. It definitely wasn’t from the CRA. Being the curious information security guy that I am, I decided to take the bait and click on the deposit link, in a virtual sandbox of course.

Screen Shot 2015-07-07 at 8.13.30 PM

As you can see above, the site is looking for valuable personally identifiable information (PII) that no one should have to provide over the Internet. I used my trusty Shodan browser plug-in to determine that the server resides in Romania. Now I know for a fact that CRA wouldn’t have an office in Romania!

Without entering any information, I clicked continue.

Screen Shot 2015-07-07 at 8.29.41 PM

Chrome warns me one page too late that this site may be suspect. I understand the risks to my security, so I visited the infected site.

Screen Shot 2015-07-07 at 8.31.21 PM

Now here’s where it gets really interesting. It is looking for information that could cause a world of grief if it fell into the wrong hands.

Needless to say, I didn’t enter any information or go any farther.

The evolution of phishing

Phishing attacks have been around for years, and financial motivation is still alive and well in them. This method of duping people into providing their PII is still around (and most likely will be for years to come), but the targets are largely individuals rather than organizations.

Phishing attacks have also evolved in recent years to include installation of malware as the second stage of the attack.

How can you protect yourself from phishing attacks? Be suspicious of emails asking for confidential information. Legitimate companies and organizations will never request sensitive information via email. Here are some other tips:

  1. Watch out for generic-looking requests for information. Fraudulent emails are often not personalized, while authentic emails from your bank often reference an account you have with it (and even authentic emails from your bank will ask you to contact a representative directly). Many phishing emails begin with “Dear Sir/Madam”, and some come from a bank or an organization with which you don’t even have an account.
  2. Never use links in an email to connect to a website unless you are absolutely sure they are authentic. Instead, open a new browser window and type the URL directly into the address bar. A phishing website will often look identical to the original, so check the address bar to make sure you are on the genuine site.
  3. Don’t get pressured into providing sensitive information. Phishers like to use scare tactics and may threaten to disable an account or delay services until you update certain information. Be sure to contact the merchant directly to confirm the authenticity of their request.
  4. Make sure you have anti-malware software installed to help combat phishing.

Now please pardon me while I respond to an email from a Nigerian prince.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site PowerMore. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.