Speaker Key: PB: Phil Brown, DW: David Whelan
PB: It’s Phil Brown and I’m here with David Whelan. Today we are going to
talk about phishing, whaling, spearfishing and water holing.
DW: Right. And you do not have to have a boat to do any of them. These are
all things that could come in your email, and it depends on what type of
threat you are receiving and on which category you fall into.
PB: Before we get into what each term might mean to a lawyer or a
paralegal, one of the things we always need to be aware of is managing
our email - emails coming into the firm or coming into your home. I
guess one question would be, “Would a spam filter be enough?”
DW: It probably will not be enough. The interesting thing about all of these
techniques is that they are not really spam. Some of them might sound
like spam when we talk about them. The interesting thing that is
happening with these emails is that they are being customized in a way
that they look a little bit like a real email, and the more deliberate
emails will actually look as though they come from somebody you know.
For example, it has an attachment you are expecting and that sort of
thing. So it really is something that your spam filter, and probably
antivirus and other things, would not necessarily catch.
PB: So let’s start with the one that most people might know, phishing with a “ph”.
DW: Phishing with a “ph”, just like the jam band from North America.
Phishing is the most generic version of this thing. It is an email
that is sent to lots of addresses, has a subject line and some text
inside that is asking you to do something. For example, you can think
of it along the lines of your bank account information has to be
updated, and the instructions to “please click on this link to confirm
your username and your password for your bank account”. It is a pretty
generic sort of thing and they are guessing that the bank in their
email will hit a certain number of customers that actually bank at that
bank, and a certain percentage of those people will click through the
link and go to a page that looks like they have arrived at the bank.
PB: When you look at the page and the URL that you are being taken to, there are usually some significant differences.
DW: The actual page itself could look identical to a page that you have
logged into many times on the actual bank’s website. So if you ever do
click through a link like that (and there is no reason you shouldn’t,
because you might actually have a real link from a bank), do look at
the URL, the address of the web page, for the site that you have been
directed to, because in most cases it will not be the bank’s address;
it will be an address somewhere else.
PB: And there are usually some other links on the same page which might
be “contact us” or “update your information”, or any of a number
of other links. If you click on those other links instead of just updating
your info, you will often find they do not work.
DW: Right. Because the people have just copied the actual website and
moved it over. They are often too lazy to fill it out so it works like
the real site. And again, phishing is typical of your Nigerian prince
scam where you often have a sense that something is not quite right
there. But phishing starts to look a little bit like something you
would want to do because it is an account, or it feels like an account,
you think you have. You should still be looking at the email to see if
it is your bank of course, and also look for spelling errors and things
like that, things that you would not expect from a corporate email or
the kind of email you received.
PB: Anyone is vulnerable to these sorts of invitations. Recently, the
Canadian Department of Justice had an experience with phishing emails
which they had generated internally just as a security check.
DW: It was a great story because almost 2,000 staff at the Department of
Justice clicked on the link and activated the phishing scam, so it was a
good test to see how many people… what was it? It was a high
percentage of the people who received it.
PB: It was about 37%. Now just as an example, there is one statistic that
suggests there are almost 160 million of these emails floating out there
every year globally.
DW: Yes, it is a staggering number. I look in my spam folder and often
find these emails in there. I look at the source, and the addresses are
coming from all over the place.
PB: So that is phishing in a nutshell. Let’s talk about some of the
other ones: spearfishing, water holing, whaling and what those might be
about.
DW: Spearfishing and whaling are really the same thing. Spearfishing is a
targeted email where they have actually figured something out about you.
So if you have a LinkedIn profile, for example, and you talk about the
company that you work for, or the types of clients that you deal with,
then you might find someone who has targeted you. The email you receive
looks like it is coming from those clients, or it looks like it is from
someone else at your company talking about those clients, so it has more
details where they have actually picked you out. It is not just the
“drive-by”, “I hope someone clicks on the link” that you get in normal
phishing. Whaling is a subset of spearfishing where, if you are really,
really important like a CEO or something, then not only are you
targeted but you are targeted in a very specific way. Essentially
those are the same two categories.
PB: Sure. So they could be partners in a law firm versus an associate or someone else.
DW: Sure, and that is what happened to a lawyer in Pennsylvania very
recently. They received an email that looked like it was from their
firm, and it had an attachment that looked like a voicemail that came
from their voicemail system. When the person clicked on it, it infected
their computer with ransomware.
PB: We will talk about ransomware in another podcast, so stay tuned for that. What about water holing?
DW: Water holing is an interesting mixture. It is similar to spearfishing
in that they have identified you as a target, but rather than sending
you an email and hoping that you click on a link, they infect a website
that they would expect you to go to. So for example, lawyers in Ontario
perhaps go to the “Canadian Lawyer” website to read the magazine online,
or some other legal publication, or perhaps visit the Law Society’s
website. Someone who is interested in water holing would actually infect
that website so that when you went there you would be infected by merely
visiting the website. It is not the same as email, but they have still
targeted you in the same way.
PB: So how best to combat these types of problems?
DW: In most cases it is common sense. And it all sounds like good common
sense now, but when you are in the moment you may mistake it. It is
really a matter of thinking about what you click on. A lawyer at a
recent seminar I was in asked whether it could happen just by opening
an email, and in fact, it can. If you open an email and it is displayed
as a web page in HTML, and if something is running or is called from
within that email, then it can immediately access and begin to download
without you knowing it. So one of the things you can do is turn off
HTML emails, attachments or pictures so that you can read an email when
it comes in but do not necessarily activate it. The second thing you
can do is watch those links that you click on. If you get an email,
even if it is from someone you know, move your mouse pointer over the
link so that you can see the little tool tip that will pop up and tell
you where it is going to go. If it does not look like where you think
it is supposed to go, then do not click on it. The other thing to do,
if it is something significant, like a bank, and it is telling you
that they want to verify your username and a password (it is very
seldom a bank will actually do that in an email), is to close your
email, go over to your web browser and type the URL of the bank, and
see if you can log into your account there and get the same prompt to
update your information. Do not go through the link that has been
provided to you, so that you do not end up on a phishing web site.
And I know we spoke about this in other podcasts: this is where your
internet usage policy for your law firm comes in handy.
PB: Right. It is amazing really, to think that training more than anything
else will save you from a phishing or spearfishing attack, or even from
water holing, by training yourself and your staff to be very wary about
clicking on links, even weird links on weird web pages. I was listening
to music on my PC and a link popped up and said your player is out of
date, so I clicked on the link that took me to a web page that looked
just like an Adobe Flash download page. I looked at the URL and it
actually had nothing to do with Adobe, but they had copied the entire
page. I am still not sure exactly where that link came from, other than
that it came from the website that was sending me the music. You have to
be vigilant any time that something like that happens - to look at all
of the indicia of the website and where you are, and that you are going
where you expect to be.
PB: That’s great. So think before you click.
DW: There’s the answer.
PB: Alright, that is our look at phishing, whaling, spearfishing and water holing. Thanks very much David.
DW: Thanks Phil.