So I got phished. What’s the worst that can happen?

Lynnetta Eyachabbe

Today we’re excited that our IT Security Analyst, Jason Close, agreed to share his insight on phishing and scams.

Scammers have turned their attention away from trying to sell fake products and are instead trying to capture your identity.  Why?  Because inside your identity lies a small fortune.

Some things that scammers may do with your identity are:

  • Encrypt your private and job-based digital data, holding it for ransom.
  • See all your private communication housed in your email and other repositories.
  • Gain access to secure and sensitive areas at your workplace.
  • Impersonate you in order to attack other systems or people.
  • Create charges on credit cards that are issued in your name.
  • Send money to other accounts from your bank account.
  • Know your location by having access to any service that logs your location via GPS.
  • Perform malicious acts, like having your utilities disconnected.
  • Make your most personal information, communications, and online photos public.

Identity theft cost Americans $16 billion in 2016.  Phishing, and its impact on businesses, was a large part of this bill.  That is $16 billion taken out of the wallets of Americans.  Even when credit card companies invalidate fraudulent charges, there is still a cost, as businesses, banks, and credit card companies charge their customers more to make up the difference.  Those entities pass the costs back onto patrons and taxpayers.

Phishing emails are often the means by which someone gains access to an identity.  If a malicious person can trick someone into clicking on a link, logging into a site, and entering email credentials, the scammer has immediately obtained access to the user’s identity.  Very quickly, the phone numbers and email addresses on file with credit card companies can be changed, so that the scammer receives and authorizes all of the confirmations for large purchases and money transfers.

Phishing emails can also affect the workplace.  Scammers often copy the login pages of the employer, and then try to trick a subset of the workers into entering their credentials on a fake login page.  This is all done via very well-crafted phishing emails.  In some cases, the scammers have been able to compromise the actual website(s) of the employer.  This makes users much more susceptible to phishing campaigns, as a web page hosted within the employer’s own web domain would be seen as extremely trustworthy by employees.  From there, the scammers use the credentials to log into privileged systems that are hosted by the company.

In University and corporate settings, scammers are logging into online HR portals and changing the direct-deposit routing numbers that belong to employees.  The common response by Universities and corporations is to tell their employees that they are simply out of luck, and that the employee will not be repaid.  Why?  Because it is the employee who did not keep their credentials secure.  A stolen identity is not a compromise for the University or corporation; they did nothing wrong.  In that case, the employee was compromised, and they must therefore absorb the cost.

I hope I’ve thoroughly scared you!  Ensure that you are doing what you can to protect your identity.  Do not reuse your passwords across websites.  Use two-factor authentication where possible.  Take the time to look at the URL bar when clicking on links, in order to determine authenticity.  And routinely back up your data to a trusted location.

In a later post, I will discuss how to recognize these phishing emails.  I’ll discuss the ways the attackers format their emails and destinations in a manner that doesn’t trigger the suspicion of the user.

Thanks so much, Jason!