“Are you a phish for a hacker?”
By: Magdalena Trabinska
Are you a phish?
There is nothing as relaxing and enjoyable as a lazy afternoon on a boat with a father or grandfather who shares his knowledge and fishing techniques, passing them on to you in the most accessible way. Although fishing requires certain virtues, such as patience, and tools, such as a fishing rod, it is a relatively easy activity. And for those who have ever tried it, it gives much satisfaction, pride and esteem among fishers that is hardly comparable with other sports. Now, close your eyes, and try to imagine a slightly different situation. Instead of fishing on a lake, imagine that you are a fish that does not have much to do, but from time to time sees shiny objects moving in the water. It seems very tempting to take a bite… and once you (as a fish) do it, the game is over. You are pulled out of the water and thrown into a little basket with many other fish. Now, come back to reality. The “fish” exercise is not so far from the reality in which we are living. However, instead of shiny objects thrown into the water, we are very often victims of a different kind of crime, called “phishing.” So, are you a “phish” or not?
What is phishing?
According to the most recent studies, over 60% of Americans say that they or the people they know were victims of a so-called “security scam,” or in other words, “phishing.” Phishing is “a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.” Experts say that this information is later used to access important accounts and can result in identity theft and financial loss.
It is important to emphasize that phishing can be about money, but it can also be about personal data, which can sometimes be more valuable than the money stored in financial accounts. Phishing is a very successful and highly developed branch of fraud. Its popularity stems from the fact that the perpetrators remain anonymous, hiding behind their computer screens, sometimes thousands of miles away from their victims. Phishing scams can be general or targeted (so-called spear-phishing or whaling). The latter require the hackers to first collect some information about the person being targeted, and the targets are typically famous or wealthy people known to the public. Spear-phishing is a personalized version of phishing. Many, however, could be tricked into believing that spear-phishing is the most profitable business. It is rather regular phishing that brings the most revenue to the criminals, and here absolutely no one is safe. So how can one distinguish phishing from normal activity?
Features of phishing
In the messages that people receive every day it is very easy to overlook phishing attempts. This is both because the criminals have at least basic psychological skills and understand how we react to certain impulses, and because advancements in technology allow hackers to make phishing attempts look innocent. Common features of phishing include: a) hyperlinks, b) attachments, c) an unknown sender, and they all try to either create a sense of urgency or contain information that is typically too good to be true. Moreover, in some types of phishing, like “vishing” or “smishing,” hackers use voice solicitation techniques to either encourage people to do something (e.g. transfer money) or provide hackers with certain sensitive information (social security number, address, bank account number, credit card number, etc.).
Is it really, really successful?
If one doubts the success of phishing techniques, one should see how easily professional hackers obtain sensitive information about anyone just by using their phone or e-mail. One journalist attending the famous hackers’ conference allowed some of the professional hackers to “hack” his personal accounts on Verizon. It took them just two minutes to solicit all the personal information necessary to change the security setup, including the security password.
More sophisticated hackers (mostly from outside the United States) have long posed a threat to the older segments of society. Specialized groups from India and Pakistan are able to call US numbers looking for potential victims. Once they find one, they encourage him or her to buy a gift card and send them the activation code for that gift card. Fortunately, out of a sense of civic responsibility, some bloggers, like Kitboga, are dedicating their time and resources to fighting the scammers. While it is fun to watch how effectively they tease the hackers, it is nevertheless a drop in the sea of needs.
How well does Marymount University protect students against phishing?
In order to better understand how phishing affects people, it is reasonable to assess how knowledgeable current students are about phishing and how well their universities are prepared to protect student cohorts. One of the well-known universities in the DC area, Georgetown University, offers basic information about phishing on its website. However, this is rather an exception. Marymount University, which is located just on the other side of the Potomac River from Georgetown, does not provide any relevant information about phishing to the student community. Moreover, students do not have any additional tools that would help them in fighting phishing, such as “Report Phishing” buttons in their university e-mail boxes. In order to have a full picture of how the youngest generation is protected and what its level of understanding of the phishing problem is, it is useful to collect more detailed information on the existing safeguards and training opportunities of educational institutions.
The MU Student’s views
MU student Ana Schneider Jerez had little knowledge about phishing. As a first line of defense she would use common sense, and in more complicated situations she used to ask her mother. Regarding the level of knowledge about phishing at MU, she said she had not noticed any information in this regard whatsoever since she joined MU last year. However, after the basic premises of phishing were explained to her, she said that education about phishing should be as important in student life as education on alcohol and drugs. Moreover, she emphasized that this is one of those important topics that “no one talks about.”
The MU staff’s view
Dr. Diane Murphy, professor of information management, data science and cybersecurity, explained how hard it is for the University’s IT department to recognize phishing, as “it looks so much like the site they [hackers] try to simulate.” Dr. Murphy seemed to have full knowledge about the problem. She emphasized that over the course of time hackers’ techniques have evolved to reflect the most profitable solutions. In this regard, they are now sending fewer emails and more text messages and making more phone calls. She also said that big vendors such as Google have good filtering mechanisms that do not let phishing emails go through. However, she stressed that “sometimes, some emails go through.” She also said that she understands that phishing might be a new thing for international students, while most US students had basic training on information security during their computer safety classes. She finally said that she would be willing to see more awareness training on cybersecurity during the orientation for new students.
What ought to be done?
Some members of the student community are unaware of the phishing threat. The consequences of a successful phishing scam are not well understood by the students, nor fully by the faculty of Marymount University. There is no orientation day training in this regard, no obligatory online course and no in-person training. Moreover, the students’ e-mail system lacks a “report phishing” function for those emails that “would go through.” Most students would not distinguish a fake email from a real one, thus causing security problems for themselves and other students. Marymount University has not established a robust anti-phishing tool or program that would help students to better understand this important dimension of technological life.
MU staff could focus their attention on upgrading their information security policies, providing basic training on phishing and connecting students with experts in the field. Moreover, it would be good to see a fully functioning website dedicated to cybersecurity, with a page dedicated specifically to phishing. This would increase the overall level of awareness and help to respond to the existing needs. Will the MU authorities take up the challenge? There are many students who would benefit from it.