
Cybersecurity Awareness Month: Fight the phish!

Phishing crooks get to try over and over again. But you only need to make one mistake...

It’s the second week of Cybersecurity Awareness Month 2021, and this week’s theme is an alliterative reminder: Fight the Phish!

Unfortunately, anti-phishing advice often seems to fall on deaf ears, because phishing is an old cybercrime trick, and lots of people seem to think it’s what computer scientists or mathematical analysts call a solved game.

Tic-tac-toe (noughts and crosses outside North America), for example, is a solved game, because it’s easy to create a list of every possible play, and figure out the best possible move from every game position on the list. (If neither player makes a mistake then the game will always be a draw.)
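The claim above is easy to check mechanically. The following Python is an added example (not code from the original article or from Sophos) that does exactly what the paragraph describes: it enumerates every position reachable from the empty board, scores each one assuming both sides play perfectly (a negamax search with memoisation), and reports that the starting position is worth 0, that is, a forced draw. The board encoding (a 9-character string, "." for empty, index 0 top-left) and the function names are choices made here for illustration.

```python
"""Solve tic-tac-toe by exhaustive game-tree search (added example)."""
from functools import lru_cache

# The eight winning lines, as index triples into a 9-cell board string.
LINES = (
    (0, 1, 2), (3, 4, 5), (6, 7, 8),  # rows
    (0, 3, 6), (1, 4, 7), (2, 5, 8),  # columns
    (0, 4, 8), (2, 4, 6),             # diagonals
)


def winner(board):
    """Return 'X' or 'O' if that player has three in a row, else None."""
    for a, b, c in LINES:
        if board[a] != "." and board[a] == board[b] == board[c]:
            return board[a]
    return None


def to_move(board):
    """X moves first, so X is to move whenever both sides have played equally often."""
    return "X" if board.count("X") == board.count("O") else "O"


@lru_cache(maxsize=None)
def value(board):
    """Value of the position for the side to move, with perfect play from here on:
    +1 = forced win, 0 = forced draw, -1 = forced loss (negamax convention).
    Every legal continuation is explored, so the cache ends up holding the
    whole reachable game tree, i.e. the 'list of every possible play'."""
    if winner(board) is not None:
        return -1  # the previous move completed a line; the side to move has lost
    if "." not in board:
        return 0   # board full, nobody won: draw
    me = to_move(board)
    best = -1
    for i, cell in enumerate(board):
        if cell == ".":
            child = board[:i] + me + board[i + 1:]
            best = max(best, -value(child))  # my gain is the opponent's loss
    return best


def best_move(board):
    """Index of a perfect move for the side to move, or None if the game is over."""
    if winner(board) is not None or "." not in board:
        return None
    me = to_move(board)
    moves = [i for i, c in enumerate(board) if c == "."]
    return max(moves, key=lambda i: -value(board[:i] + me + board[i + 1:]))


def solved_result():
    """Outcome of the empty board under perfect play; 0 means a forced draw."""
    return value("." * 9)


def count_positions():
    """Number of distinct reachable positions the solver had to examine.
    Far fewer than the 3**9 arbitrary board strings, because play stops at a win."""
    solved_result()
    return value.cache_info().currsize


if __name__ == "__main__":
    print("perfect-play value of the empty board:", solved_result())
    print("reachable positions examined:", count_positions())
    # Constructed position: X to move, O threatens the middle row, so X must block at 5.
    print("best move for X in '.X.OOXX..':", best_move(".X.OO.X.."))
```

Because every position's value is cached, the whole game is solved in a fraction of a second; once the table exists, `best_move` is just a lookup, which is what "solved" means in practice.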

Even games that are enormously more complex have been “solved” in this way too, such as checkers (draughts)…

…and in comparison to playing checkers, spotting phishing scams feels like an easy contest that the recipient of the message should always win.

And if phishing is a “solved game”, surely it’s not worth worrying about any more?

How hard can it be?

Simply put, the phishing “game” only has two moves: the scammers always play first, trying to trick you, and you always get to play second, after they’ve sent out their fake message.

There’s little or no time limit for your move; you can ask for as much help as you like; you’ve probably got years of experience playing this game already; the crooks often make really silly mistakes that are easy to spot…

…and if you aren’t sure, you can simply ignore the message that the crooks just sent, which means you win anyway!

How hard can it be to beat the criminals every time?

Of course, as with many things in life, the moment you take it for granted that you will win every time is often the very same moment that you stop being careful, and that’s when accidents happen.

Don’t forget that phishing scammers get to try over and over again.

They can use email attachments one day, dodgy web links the next, rogue SMSes the day after that, and if none of those work, they can send you fraudulent messages on a social network.

The crooks can try threatening you with closing your account, warning you of an invoice you need to pay, flattering you with false praise, offering you a new job, or announcing that you’ve won a fake prize.

They may pretend to be your ISP today, they may masquerade as Apple iTunes tomorrow, and yesterday they might have said they were a courier company trying to deliver your latest online order.

In contrast, you only have to make one mistake for the crooks to win.

You might be tired, or in a hurry, or simply get caught up in an unlucky coincidence where the subject of a phishing message happens to match up with something you just did online.

Phishing isn’t a “solved game” after all, and phishing scams are still the main way that crooks get their first toe over the threshold in online cyberincidents such as ransomware attacks.

Keep yourself informed

To stay ahead of the phishing crooks, both at work and at home, start by reading up on our Top Ten Phishing Treacheries.

We’ve listed the email topics that catch out people the most when you train them using the Sophos Phish Threat toolkit, and it’s often the friendliest messages that trick the most people.

(In case you’re wondering, one of the top phishing lures in our tests was also one of the simplest: “Headlights left on. Is this your car?”)

You should also read our article Phishing tricks that really work, and how to avoid them, which gives you useful insights into the psychological tricks that scammers use.

Learn how to get your anti-phishing act together at work with our explainer Gone phishing: workplace email security in five steps.

And learn about the many different ways that phishing crooks can adapt their game in our technical analysis entitled Serious Security: Phishing without links – when phishers bring along their own web pages.

Remember, when it comes to unexpected messages that want you to hand over information that you think you should keep to yourself: IF IN DOUBT, DON’T GIVE IT OUT!


Finally, here’s an easy-to-follow video you can share with your friends and family to help them keep ahead of the phishing crooks, too:


Who was it said, “I am a phisher of men?”


IIRC, the saying is actually, “I will make you fishers of men.” (Jesus to two of the Apostles who were already fishermen in the literal sense, that being their day job.)

The “ph-” in phishing, as an aside, was added to mirror the “ph-” in the late 60s/early 70s word “phreaking”, which was the portmanteau word invented to describe hacking the phone system, known colloquially as “phone freaking”.

Ironically, in some countries, the one type of messaging network that the word “phishing” *doesn’t* cover in law is the phone system, which is still regulated separately from other communications networks, such as the internet in general, and SMS, email, IM and so on in particular. Indeed, the word “phishing” is almost never applied to voice-call-based scams, even when they’re automated robocalls.

So the “ph-” in “phishing” is a bit of a bogus prefix, really, given that the one thing it *isn’t* is “phone fishing”. These days I often use “scam email” as a synonym, with the note that “all scams are spams but some spams, at least in law, aren’t strictly scams”. (But if you want to use the word “spam” as a synonym for “scam email”, don’t let me stop you :-)


That’s a great article to remind people that cyber attacks aren’t all high-tech, complex and aimed at large organisations.
Phishing is simple, frequent and aimed at anyone and everyone.
And the reminder that we’re all at risk, just a moment’s lack of concentration for whatever reason. You list several.

