Have you noticed an increase in phishing emails to your inbox? Have you ever wondered why? What is motivating the attackers to do this? What is the endgame?
Contrary to what you may hear Jessie J singing about: It is all about the money. Fraudsters are trying to obtain as much money as possible with minimal effort. They use automation when it makes sense and will put in the manual effort to mount a very targeted, sophisticated attack when they see the potential for a big payoff. We have processes for our operations, and so do they.
COVID-19: The perfect lure
Most people don’t fall for the Nigerian Prince scam anymore. Most people know that gift cards aren’t used to pay taxes. And the notification from the courier you received? Most people have a good idea what they ordered recently, right? COVID-19 affects us all. We worry about our safety and the safety of our loved ones. The pandemic has disrupted our lives in every way imaginable; and the scammers know this. Of course, we’re going to pay more attention to any and all email about the pandemic. Given this, the attackers do not discriminate their targets for pandemic-related phishing email. The initial goal: Gain control of an email account, any email account.
They are reading your email
Once the fraudster gains control of an email account, they will often secretly set-up an Inbox rule to forward all of that account’s incoming email to a random Gmail or Yahoo! email account.
Why? So they can monitor online conversations.
Maybe there’s a conversation involving a financial transaction, or the potential for one.
Impersonation
Some of us are boring to fraudsters. That doesn’t mean our email accounts have no value. No discussions of a financial nature? No problem. The account is good for sending more phishing emails to other accounts, to gain control of those.
Are you a researcher negotiating with a sponsor? Are you a manager corresponding with a supplier? Maybe you are looking to onboard a contract employee? When a fraudster gains control of your account through phishing, they are going to pay very close attention to these email threads. The next step is to carefully devise a convincing email to inject themselves into an existing email thread, impersonating someone in that conversation.
Profit?
Ultimately, the goal of the fraudster is to convince you to deposit/transfer money to a bank account that they control or somehow manipulate (often belonging to a victim of another fraud).
How much money is that research grant? How much money do we owe that large supplier?
Do your part
The University of Waterloo is a very large organization and has a decentralized approach to managing many aspects of its operations. This presents us with a number of challenges when putting in place an effective control framework to prevent and detect fraud. Even with all participants being vigilant, no control can be 100% effective for all transactions. To help improve this effectiveness, the University has layers of controls that work together. Some of these layered controls rely on each individual involved in a transaction to be watching out for unusual or unexpected activity. This is where you can help to protect the University from fraud!
Protect your accounts with two-factor authentication (2FA)
2FA refers to something you know (e.g. your password) and something you have (i.e. a token). The token can be an app on your smartphone, or a security key. If you have not already done so, you need to act now to protect your University of Waterloo account with 2FA. 2FA will be mandatory on many UWaterloo services this November, so if you don’t set it up soon, you will not be able to access our systems. Please visit https://uwaterloo.ca/2fa/ for more information.
Recognize phishing
Some hints on recognizing phishing:
- Does the email make sense? Scrutinize the content for reasonableness, spelling, and writing style.
- Verify the email address of the sender. Is it the real domain, or is a letter different?
- Hover over hyperlinks. Does the link displayed match the actual link?
Resources
- IST's Cyber Awareness website