If something seems phishy, it probably is
Cyber Security Awareness Month - Week 2

This week we will be exploring how widely phishing campaigns have spread, how they can impact you and the Laurier community, how they work and what you can do to avoid them.

Phishing by the Numbers

While we have all heard about phishing emails, few people know how much the phishing industry has grown over the past decade, the strategies these phishers are using or how lucrative their industry has become. Recent studies from Avanan, the Internet Security Threat Report, Proof Point, Spam Laws, the FBI, and Spamhaus have reported the following statistics about the growing phishing industry:

  • 1 in 25 branded emails are a phishing attempt.
  • The most common spoofed brands are Microsoft (43%) and Amazon (38%) making up a vast majority of the spam sent to individuals.
  • The most “successful” click rate for large-scale scam campaigns has been impersonating Dropbox, with a click rate as high as 13.6%.
  • Spam accounts for 14.5 billion emails sent per day, with phishing attempts making up 73% of this figure.
  • Victims of successful phishing attempts have lost over $12.5 billion USD worldwide over the past 5 years.
  • More than 90% of successful cyber attacks started with a phishing email.

What this means for us

To put these numbers into perspective, in the last month alone our email filter blocked over 8 million emails and quarantined over 37,000 emails that contained harmful links or attachments targeting approximately 3,000 Laurier staff and faculty email accounts. The image below shows where many of these harmful attacks originated outside of Canada: smaller circles represent minor attacks, while larger circles and denser concentrations represent bigger attacks.

How they work

The term “phishing” is very appropriate for the method these attackers use to gain access to your computers: they cast their net wide and wait for someone to “bite.” Specifically, the attack unfolds in the following steps:

1. Phishers send out a huge number of spoofed emails, impersonating a Dropbox file share, Microsoft, or other entities, and requesting that the user open a malicious file or click on a link.

Example 1: A common phishing email that has successfully targeted individuals in the past

2. After the user clicks the link, malware is automatically downloaded onto the device, or a spoofed website collects the login credentials, resulting in a compromised account.

Example 2: These spoofed websites that collect login credentials look almost identical to the legitimate websites.

3. Once the hacker gains access to your system, there are four main categories of phishing attacks:

  1. Credential harvesting: collects your personal information, such as passwords and payment details (40% of phishing attacks).
  2. Extortion: targets the victims and demands money in exchange for keeping the leaked files secret (8% of attacks).
  3. Malware: downloads malicious software onto your system, either to prevent your access to your files or to use your system as a drone in their spam network (51% of attacks).
  4. Spear phishing: targets high-level individuals specifically and collects detailed personal and classified information (about 1% of phishing attacks).

The Key to Prevention is Early Detection

Most of these phishing campaigns can easily be detected by looking at two areas of the email.

1. The first is the “From” field. In the example below, the domain name is unusual: dropboxforteams.com. If the message were actually from Dropbox, it would have come from a dropbox.com address. Always be sure to double-check (or even triple-check) who the sender is, and if it seems phishy, it probably is.

2. The second area that can help identify a phishing email is the links it contains: hover over each one before clicking. Often you will notice an unusual shortened URL, or a URL that directs you to a page not affiliated with the sender. If the URL does not closely reflect the service name, refrain from clicking.
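The two checks above (sender domain versus the brand's real domain, and link targets versus that same domain, with shortened URLs flagged) can be automated for a mailbox or a helpdesk triage queue. The script below is an added example written for this page, not Laurier ICT tooling; the two messages are constructed for illustration, the `SHORTENERS` list and the `bit.ly/2abcXYZ` path are assumed sample values, and `registrable_domain` uses a simple last-two-labels approximation rather than a full public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the Dropbox example in the text (not a real message).
PHISHY_EMAIL = """\
From: Dropbox <no-reply@dropboxforteams.com>
To: staff@example.edu
Subject: A file was shared with you
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone shared "Invoice.pdf" with you on Dropbox.</p>
<a href="http://bit.ly/2abcXYZ">View file</a>
<a href="https://dropboxforteams.com/login">Sign in</a>
<a href="https://www.dropbox.com/help">Help</a>
</body></html>
"""

# Constructed sample of what a consistent message from the real brand looks like.
LEGIT_EMAIL = """\
From: Dropbox <no-reply@dropbox.com>
To: staff@example.edu
Subject: A file was shared with you
Content-Type: text/html; charset=utf-8

<html><body>
<a href="https://www.dropbox.com/s/abc123/report.pdf">View file</a>
<a href="https://www.dropbox.com/help">Help</a>
</body></html>
"""

# Assumed list of link-shortener hosts; extend for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_links(html: str) -> list:
    """Pull every href target out of the HTML body (hover-over equivalent)."""
    return re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.IGNORECASE)


def classify_link(url: str, expected_domain: str) -> str:
    """Label a link as shortened, off-domain, or ok relative to the brand's real domain."""
    host = urlparse(url).hostname or ""
    if host.lower() in SHORTENERS:
        return "shortened"
    if registrable_domain(host) != expected_domain:
        return "off-domain"
    return "ok"


def analyse(raw_message: str, expected_domain: str) -> dict:
    """Apply the two checks from the text: sender domain and link targets."""
    msg = message_from_string(raw_message)
    _display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.split("@")[-1]) if "@" in address else ""
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")

    links = [(url, classify_link(url, expected_domain)) for url in extract_links(body)]
    sender_matches = sender_domain == expected_domain
    flagged = [url for url, verdict in links if verdict != "ok"]

    return {
        "sender_domain": sender_domain,
        "sender_matches": sender_matches,
        "links": links,
        "verdict": "suspicious" if (not sender_matches or flagged) else "looks consistent",
    }


if __name__ == "__main__":
    for label, raw in (("phishy", PHISHY_EMAIL), ("legit", LEGIT_EMAIL)):
        result = analyse(raw, "dropbox.com")
        print(f"[{label}] sender={result['sender_domain']} verdict={result['verdict']}")
        for url, verdict in result["links"]:
            print(f"    {verdict:10s} {url}")
```

The expected domain is passed in by the analyst ("the message claims to be Dropbox, so links and sender should resolve to dropbox.com"), which mirrors the manual check: a single off-brand link or a shortened URL is enough to mark the message suspicious, while the consistent sample comes back clean.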

Best Practices to Avoid being Phished

  1. Use multifactor authentication whenever possible.
  2. Avoid sending anything sensitive over email.
  3. If it seems phishy, it probably is. Contact the sender directly by phone or in person to verify the request.

If you have been hooked:

If you have been a victim of an email scam through your Laurier account, please contact ICT Service Desk x4357. If it was through your personal email account, outside of work, please report it to the Canadian Anti-Fraud Centre.


Created with images by Tumisu - "cyber security hacker security" • PhotoMIX-Company - "digital marketing technology notebook" • StartupStockPhotos - "programming developing startup" • Fabian Grohs - "untitled image" • genesis_3g - "hacker internet technology" • katielwhite91 - "ransomware cybersecurity cyber"