As technology has improved, the risks have changed.
As I was reading a report of yet-another-vulnerability in some application or operating system, something struck me: almost all recent vulnerabilities rely on one specific thing to be able to inflict their damage. If that one specific thing doesn’t happen, the vulnerability has no impact.
The software should still be fixed, of course, mostly because that one specific thing can’t be fixed.
But you should be aware of it.
Become a Patron of Ask Leo! and go ad-free!
The biggest risk to your security
Phishing attempts have become one of the most common ways that malware spreads and account compromises happen. Be it a malicious download or a fake sign-in page, it’s critical to be on your guard.
It’s phishing
The biggest risk to your security is phishing.
In the past, it was malware that spread in some automated fashion without your interaction, or was included in software you downloaded and installed.
While both still exist, as do other threats, successful phishing attempts have leapt ahead in terms of successful malware installation and account hacking.
A successful phishing attack can sidestep all the greatest and most up-to-date security software and protections. Couple that with an unpatched software vulnerability present on your machine, and all bets are truly off.
There are two broad classes of phishing: phishing for malware and phishing for credentials.
Phishing for malware
In phishing for malware, the goal is to fool you into running malicious software on your machine. Malware, of course, can do anything, so you might be exposing your data, installing a bot or keylogger, or opening yourself to perhaps the worst form of malware, ransomware.
Hackers use two techniques: attachments and links.
Malicious email attachments
You receive a message, often urgent, indicating you need to open an attached document for more information about something. A common example is a notification of some kind of shipment awaiting your instructions. Sometimes the document is encrypted and password protected — for your security, of course — but the password is right there in the email. All you need to do is download and open the document.
Except the document’s not a document at all. It’s malware. When you “open” the document, the malware runs and infects your machine with its payload.
Malicious links
The same result can happen from malicious links in phishing emails.
Just clicking a link usually doesn’t cause a problem, since most of the time it simply downloads, but does not open, the malware. Sometimes browsers automatically open what they download, though. Whether the browser opens it or you take the extra step of opening what you just downloaded, the result is the same: the malware runs and infects your machine with its payload.
Phishing for credentials
The second broad class of phishing is what I refer to as phishing for credentials.
You receive an email that attempts to get you to click on a link. For example, the email might look like it came from Microsoft, or your bank, or some other service, and includes a link you need to click to confirm or otherwise resolve an issue with your account. Another approach appears to confirm your purchase of something from a retailer, with a link to click for more information or if you need to cancel the order. Of course you never placed the order, so you click on the link to cancel it, right?
The common theme here is: click the link.
When you do, you’re greeted by a sign-in page for the service that sent you the email.
Except that service didn’t send you the email, and that login page isn’t from that service at all, but a cleverly crafted look-alike page.
So far, if all you did was click the link, you’re probably still safe.
If you don’t notice that it’s fake — by the displayed URL in the browser’s address bar not being correct or other symptoms, like your password vault not auto-filling the credentials when normally it would — and you do proceed to sign in, you’ve not signed in at all.
You’ve just handed your login credentials to a phisher.
How headlines mislead
I came to this conclusion about phishing based on what I consistently see in announcements of new vulnerabilities and zero-day attacks.
Many, if not most, describe a serious vulnerability somewhere — in an application or an operating system — and go on to detail how, once exploited, it can be used to do all sorts of nasty things. Even in the most serious tech press reports, the wording is often quite sensational.
And yes, vulnerabilities are important to be aware of and to resolve. It’s why everyone keeps telling you to keep your system as up to date as possible. As soon as a fix is available, you want that vulnerability off your machine.
However, often buried deep in the news article is a phrase describing how malware gets in to exploit the newly found vulnerability in the first place. The vulnerability rarely causes problems simply by existing. It requires a trigger to do its dirty work.
That trigger? Malware.
How does that malware arrive?
Phishing.
For that vulnerability be exploited, someone has to be fooled into falling for a phishing attempt that installs the malware onto their system.
Without successful phishing, the vulnerability, while present, would never cause a problem.
Do this
Hopefully the takeaway is clear: you and I are the weakest link. Without us “biting the hook” of the phishers, many of the vulnerabilities we keep hearing about so urgently are completely ineffectual.
The single most important thing you can do? Be skeptical.
The next most important? Learn to recognize phishing attempts, and don’t fall for them.
And, of course, subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Related Video
Fortunately, not all phishers are competent at their evildoing.
One phishing message sent to me, supposedly (I can’t even dignify it with the word “ostensibly,” it was that bad) from my ISP, did not look anything even remotely like something my ISP has ever sent me. Actually, the phrase “not even remotely” is an understatement; it was so totally different that my guard wasn’t just “up,” it was shooting for the moon! They hadn’t even taken the simple (and obvious) step of accessing my ISP’s webpage to see what their style looked like. And just to reinforce their incompetence, a quick glance at the mail headers (one needs a E-Mail program that displays full headers for this — many E-Mail programs do NOT provide this functionality) as I say, a single glance at the headers set me laughing uproariously. Not ONLY was the E-Mail NOT from my ISP — which I’d expected — but it was actually from a mass-mailer service that actually included a self-advertisement within the headers themselves (which was something I DIDN’T expect)! LOL!!!
As long as “phishers” are like THAT, spotting them should be easy.
Mind, I’m careful to stay on my guard and not take any chances — but so far I haven’t met a “phisherman” I couldn’t spot fairly easily. The effort required varies — not all are the low-grade idiots* I’ve described above; others can be much more challenging. But none so far have been beyond my ability to spot — a fact I find cautiously encouraging. :)
—–
*Low-grade idiot – In the deprecated terminology of a bygone era, this term referred to someone with an Intelligence Quotient of exactly zero…
Don’t get a false sense of security. Some phishers really do their homework. I once got a phishing email purporting to be from a bank where I don’t have an account. The website it led to was a perfect copy of the bank’s website. I filled in some fake information, and it sent me to the bank’s real login page. If someone falls for that scam, they won’t have a clue they were phished until their account was emptied. The only safe thing to do is to assume it’s phishing and not click on any links in an email.
I’ve never seen such a well done phishing site since, but I’m sure there are more.
I think you’d be surprised at how many consumers have no idea what to look for, or even have an understanding of what “looks different” even means or why it might be important. That you know what to react to is great, but I can tell you that assuming others can see what you see is a bad assumption.
There’s also an odd argument that sometimes these emails are intentionally bad, so as to purposely target the more ignorant.
I’ve read of that argument, but I can’t understand how that would work. My theory about the poor language is because most phishing is done by non-native speakers.