posted by Fnord666 on Tuesday August 20 2019, @05:54PM
from the do-you-have-a-phishing-license? dept.

Phishing is still the most common way for cyber attackers to gain entry into networks. Whether it's crooks looking for financial gain or state-backed hacking operations engaging in cyber espionage, it almost always starts with a message designed to make someone click a link or give away sensitive information. Just one person falling victim can be enough to provide hackers with the foothold they need to gain access to the whole corporate network and the confidential information stored within.

But blaming the victim rarely solves anything – especially given how phishing emails can be so highly tailored towards victims, meaning it can be almost impossible to distinguish a real message from a spoofed one created as part of an attack.

"It's fairly easy for an attacker to get hold of an email address and pretend to be somebody," says Amanda Widdowson, cybersecurity champion for the Chartered Institute of Ergonomics & Human Factors and human factors capability lead for Thales Cyber & Consulting.

[...] "There's a power play going on in a lot of these emails. There's somebody impersonating a position of authority, of seniority, effectively saying don't ask questions, just get it done, which is effective," says Tim Sadler, CEO of email security provider Tessian.

"When people send spear-phishing emails, they're taking on the persona or identity of a trusted person. That personalisation makes it highly effective in terms of getting the target to comply with the request, pay the invoice, do what they need to do," he adds.

[...] "There's very little to let the person receiving the email know the person they're receiving it from is who they say they are. It's a little asymmetric, asking a person to do the hard bit, then not making life easy for them," says James Hatch, director of cyber services at BAE Systems.

This behavior isn't restricted to email either; there are times when banks, utilities, telecommunications and other service providers will call customers out of the blue and then ask the customer to provide their personal security details to verify it's them, yet the customer has no way of telling whether the call is genuine or a hoax.


  • by AthanasiusKircher (5291) on Wednesday August 21 2019, @12:18AM (#882871)

    It's good advice, but you are relying on the victim to be sufficiently un-trusting and wary. And everyone has to get on board, stoners, the elderly, everyone... or someone still falls for it.

    What's your solution then? It's fine to complain about imperfect ones, but do you have something better?

    Because I don't think there is really one if people are freely allowed to make phone calls in a society. Sure, there are efforts to cut down on spam calls now (and we should try that), but that will never stop all scammers. I remember my grandmother getting scam calls 30 years ago. I also remember a scamming salesman coming to her door even longer ago than that. Scams are nothing new, and if you get rid of one form of it, scammers will try a different one.

    I don't really know why anyone would give ANYONE personal information upon request, unless they had a specific need for it. I've been to stores in the past decade that will ring my purchases up at the register and say, "Can I get your phone number?" I simply say, "No." Usually it causes them to look up in slight surprise, because I'm not impolite about it, but I'm also quite blunt. "Well, can I get an email?" "No." "Can I have your ZIP code?" "No." "Sir, our system just requires me to enter..." At that point, if I'm buying an item I can easily get elsewhere, I often just say, "Never mind. I'll go somewhere that doesn't need my complete biography in order to sell me a lightbulb. Thank you," and leave. If I really just want to make the purchase, I'll just say, "Well, I'll give you a fake ZIP code." And usually the clerk is just happy to accept it.

    Similarly, many websites ask for all sorts of personal info for no apparent reason to sign up or register or whatever. I'm not giving them any personal information. If I'm making a purchase and they need to verify my payment address and phone number, I'll enter it then, but short of that, nobody gets my personal data. You want a birthday? I'll give you a fake one. You want my address? I'll give you a fake one. I have a few I use regularly for these situations, so if I'm ever asked again, I can guess what it was. You want an email? I'll give you a fake one, unless you need a confirmation to let me use your page, in which case I'll give you my spam email account that I never check except to establish those sorts of accounts.

    So, some random person calls you on the phone and starts asking you for personal information? Why the hell would you give it to them? I don't give it to ANYONE unless it's really necessary. (E.g., I have an established business relationship, and *I* made the contact. Or I am trying to establish an ongoing business relationship that requires such information.)

    Honestly, kids should be taught this from an early age. Elderly people likely have encountered scammers at some point in their lives, but if they've become gullible or unfamiliar with novel types of scams, they just need to be told not to give out any information to anyone who asks unless they made the contact themselves. If they can't do that, they need to have limited telephone access (keeping outgoing calls for emergencies, but screening incoming), or perhaps even live-in help. Just like children who aren't aware enough of scams, the elderly need assistance and watching. If you have another solution, we're all ears.

  • by vux984 (5045) on Wednesday August 21 2019, @03:42AM (#882942)

    "What's your solution then?"

    I agree there isn't a solution. You can't fix stupid.

    But I do think fixing caller ID properly would go a long way.
    - Don't let people generate numbers at will en masse that have no bearing on reality, and spoof numbers that don't belong to them.
    - Local numbers belong to entities within the country; telcos should know who is using what numbers, and enforce validation before letting a number through.
    - Give people the tools to block them / report them. If I get a spam call claiming to be a number from inside the US, the caller ID should be traceable back to a US entity that's responsible for knowing who is making calls with that number, and taking responsibility for what their customers do (e.g. cut service).
    - Show true call origin information. If the connection is coming from India then that should be made known. If they are 'proxying' through a US forwarder so it looks like it's coming from the US, fine, but then see the point immediately above.

    You also had a good idea.
    - provide inexpensive call screening to all customers or even build it into basic services, or free if you are over 65. Really, how many people call my grandmother?? A handful of friends and family members who would rapidly have their numbers whitelisted, and then everything else goes to a professional reception service that screens calls, manages whitelisting, and then connects people -- even offering a short introduction/warning prior to connecting and staying on the call for a minute or two. Major utilities and services could register their registered call out numbers for whitelisting in advance. Local businesses that generate a lot of calls out -- dentist appointment reminders, carpet installers etc, could register to be whitelisted locally or whatever, etc.

    So most legit calls wouldn't need interaction. With all that in place human screeners would only need to be involved in exceptional cases -- family checking in on grandma from a hotel in Bangladesh or a payphone in Florida; and a couple bucks on your monthly bill would cover that.

    Hell... if the incoming call isn't whitelisted, the caller pays 25 cents before connecting. With all the above in place, you might not even need human screeners -- simply charging suspicious callers ought to ruin the economics of mass-robodialing for victims. Worried about scammers stealing someone's phone service and using it to mass call? Default to a $2/month suspicious call limit, at which point you need to call customer service to authorize increasing it. So a stolen phone service is good for 8 calls.

    There isn't a single good reason this stuff can't be done.
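One way to model the screening policy sketched in this comment (whitelist, 25-cent fee for unscreened calls, $2 monthly cap on the originating account, true origin shown to the callee), as an added example that is not part of the original post or any telco's system; the account and subscriber structures and helper names are assumptions.

```python
# Added example modelling vux984's call-screening proposal: whitelisted numbers
# ring through, every other caller pays a per-call fee, and each originating
# account has a monthly cap on fees. Structures and names are assumptions.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

SUSPICIOUS_CALL_FEE_CENTS = 25   # "the caller pays 25 cents before connecting"
DEFAULT_MONTHLY_CAP_CENTS = 200  # "a $2/month suspicious call limit"


@dataclass
class CallerAccount:
    """The originating account as the telco sees it (constructed model)."""
    number: str
    origin_country: str                # true network origin, not the presented ID
    registered_owner: Optional[str]    # entity accountable for the number, if any
    fee_spent_cents: int = 0


@dataclass
class Subscriber:
    number: str
    whitelist: Set[str] = field(default_factory=set)


def screen_call(caller: CallerAccount, callee: Subscriber) -> Tuple[str, str]:
    """Return (disposition, announcement) for an incoming call.

    connect        - whitelisted number, rings through silently
    connect_paid   - fee charged to the originating account, then rings through
    reject_unowned - nobody is accountable for the number, so nobody to charge
    reject_cap     - originating account has hit its monthly fee cap
    """
    if caller.number in callee.whitelist:
        return "connect", ""
    if caller.registered_owner is None:
        return "reject_unowned", "caller ID not registered to an accountable entity"
    if caller.fee_spent_cents + SUSPICIOUS_CALL_FEE_CENTS > DEFAULT_MONTHLY_CAP_CENTS:
        return "reject_cap", "originating account exceeded its monthly limit"
    caller.fee_spent_cents += SUSPICIOUS_CALL_FEE_CENTS
    # Announce the true origin so a forwarded call cannot hide where it came from
    return "connect_paid", f"unscreened call, true origin {caller.origin_country}"


def calls_until_cap(cap_cents: int = DEFAULT_MONTHLY_CAP_CENTS,
                    fee_cents: int = SUSPICIOUS_CALL_FEE_CENTS) -> int:
    """Fee-bearing calls a hijacked account can place before it is cut off."""
    return cap_cents // fee_cents
```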