Dr. Seuss has a lot to teach when it comes to understanding the flood of phishing hitting the internet and your email box. Just think of the immortal lines: One phish, two phish, red phish, blue phish, old phish, new phish – or something like that. Yes, there is a lot of cybersecurity information in these lines you probably never thought about. Here goes a rhyming look at phish and the ways they can hook you more easily than ever.
One phish, two phish
Phishing is on a one-two growth curve. Prior to the coronavirus / COVID19 outbreak, it seemed that phishing was especially targeting companies and public administration organizations with ransomware. Remember Norsk Hydro and Riviera Beach?
That was yesterday, now today with COVID, there are even more advantageous conditions for the bad guys to use phish because they’ve got a nervous, captive, and multitasking audience of individuals. People are nervous about what is happening, and they are continually clicking on new sources of information. They are captive, sheltering in place with family and pets, with just Wi-Fi and the internet to amuse them. The most dangerous issue is that people are multitasking, mixing work and recreational activities on the same device and sometimes even on the same email accounts. While it is not clear whether the total volume of phishing attempts has increased in recent months, it is clear that the variety of COVID-19 attempts are topping the charts.
Red phish, blue phish
Technology means that phish are looking better than ever – more colors, better formatting. When Theodor Geisel was creating his books, he had a limited range of colors he could work with. Now there are programs for the bad guys that make it simple – even for the technologically challenged. These programs enable them to copy the art and graphics from a targeted website to create a more believable phish. Such phish could appear to be from the Center for Disease Control, for example, or even incorporate the latest COVID-19 data from the John Hopkins University. Then there are other subscription website and email services that the wanna-be cyber criminal can get to help them make a near-perfectly alluring phish. In short, it’s easy to make phish these days.
Black phish, blue phish
The anti-phished guidelines – things to look out for – are also changing. For example, that little black or green symbol of a padlock in your browser. It used to be that this little symbol – showing that the website was in the more secure HTTPS format – was a good sign that the website was the real thing. This logic was true several years ago when certification costs were more substantial and this was an indirect barricade to the bad guys. However, since then, the costs of certification have since dropped to near zero and some web browsers started flagged HTTP sites as untrustworthy. The bad guys have adjusted their tactics accordingly with around 70% of phishing attempts now using HTTPS. Even the FBI is warning people about this.
Old phish, new phish
Those old lottery and Nigerian princess scams are oh so yesterday. They were shotgun-style attacks that filled up the email boxes around the globe. Because they were so indiscriminate in their approach, it was an easy thing to laugh off – even though this approach was profitable for cybercriminals. But the new phish are much, much more targeted – and their victims are more likely to be multitasking job, the children’s online school, and domestic tasks all at one time. This is a dangerous combination.
Today’s phishing attacks tend to be spearphishing. The message is addressed directly to their target and the email can have the name of a person they might know from within the organization. Thanks to some major data breaches and malware collecting contacts, it’s not too difficult for the bad guys to get the email details of real people to work with. Messages are more believable than ever.
Then there is the multitasking issue in today’s COVID era. More often than before, people have work and personal emails on the same device. In addition, balancing competing demands on time with a limited attention span means that a person is more likely to get confused and click on a poisoned link.
Yes, you do smell something phishy
The flood of phish means that security apps such as those from Avira are working overtime to keep phish out of your mailbox and off the browser. In this battle, they are using a variety of techniques such as AI-driven analysis and blacklists. As has been written in the last century: From there to here, from here to there, phishy things are everywhere.