What is Phishing?

Phishing is a category of online scam in which criminals impersonate legitimate organizations through email, text message, advertisement, or other channels in order to steal sensitive information.


Examples of specific phishing risks and their sequelae to the shipping industry

Spear phishing emails – requesting payment or goods to be sent to a seemingly familiar and/or legitimate destination.

  • A case in which a PDF attachment titled ‘Mearskshippingdetails.pdf’ was sent in an attempt to replicate the way the legitimate service operates. Please note, this was not related to Maersk’s communications or a vulnerability within Maersk, but rather an attempt by a threat actor to use their name to legitimise the phishing email being sent. It is an indication that threat actors will use the reputation and name of well-known companies within marine and offshore.
  • An email was observed attempting to impersonate a “Maersk” employee using the subject line “Maersk New Shipping schedule details due to COVID-19- Shipment notification.” The sender includes “Maersk” and “COVID-19” in the subject line to lead the recipient to believe the message is urgent and related to the current coronavirus pandemic.
  • In another malicious email, with subject line “COVID-19 SUSPECTED CREW /VESSEL.”, analysts saw the World Health Organisation being leveraged to spread malware. There were two malicious attachments: an MS Word document and an MS Excel spreadsheet. Both were detected as malicious by antivirus software. The sender and recipient email addresses are shown as aliases but otherwise appear legitimate. The attached MS Word filename is exactly the same as the subject line listed above (COVID-19 SUSPECTED CREW /VESSEL.doc). Microsoft AV indicates that both malicious attachments exploit CVE-2017-11882. Malware of this family consists of a .doc or .docx document containing a script that can be run in Microsoft Word (Visual Basic for Applications). Interestingly, the Word document shuts down Windows Defender, but the Excel spreadsheet is detected and quarantined immediately.

Consequences – Damage to reputation, delays, identity theft and monetary/financial losses.

5 Common Attributes of Phishing Emails

  • Too good to be true – Lucrative offers and eye-catching statements designed to attract people’s attention instantly.
  • Sense of urgency – A tactic where cybercriminals ask you to act swiftly because the deal is only available for a limited time. Sometimes they tell you that your account will be suspended unless you update your personal details right away. Most reputable organizations, however, give adequate notice before they terminate an account, and they never ask their clients to update personal details over the Internet.
  • Hyperlinks – A link that is not actually what it appears to be. Hovering over a link for a few seconds displays the actual URL that clicking it would take you to. A hyperlink could lead somewhere entirely unrelated, or it could be a trap hiding in plain sight in the form of a misspelled website, for instance www.angloeastemshipmanagement.com, where the ‘rn’ of ‘eastern’ has been replaced by a single ‘m’, which you only notice when you look carefully.
  • Attachments – Any attachment in an email that you were not expecting, or that does not make sense in context. Such attachments often contain malicious payloads like ransomware or other viruses. The only file type that is always safe to click on is a .txt file.
  • Unfamiliar sender – Whether a link appears to come from someone you know or someone you don’t, if anything seems unusual, out of place, or just plain suspicious, there is a high chance it is a cyberattack.
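The ‘rn’ versus ‘m’ trick described above is mechanical enough to check automatically at the mail gateway. The following Python script is an added example, not code from the original article or from any company it mentions: it folds visually confusable character sequences into one canonical form and compares the sender’s domain with an allow-list of trusted domains. The allow-list, the confusable table and the two-label “registrable domain” rule are all assumptions made for this example.

```python
from email.utils import parseaddr

# Constructed allow-list: the domains this organisation actually corresponds with.
TRUSTED_DOMAINS = [
    "angloeasternshipmanagement.com",
    "maersk.com",
]

# Character sequences that look alike in common fonts, in the order they are collapsed.
# Multi-character sequences come first so 'rn' is folded before any single-character rule.
CONFUSABLES = [
    ("rn", "m"),
    ("vv", "w"),
    ("0", "o"),
    ("1", "l"),
    ("3", "e"),
    ("5", "s"),
]


def skeleton(domain: str) -> str:
    """Fold visually confusable sequences so 'angloeastem' and 'angloeastern' compare equal."""
    s = domain.lower().strip(".")
    for lookalike, canonical in CONFUSABLES:
        s = s.replace(lookalike, canonical)
    return s


def registrable(host: str) -> str:
    """Keep the last two labels of a hostname. Simplification for the example: multi-label
    suffixes such as co.uk are not handled; a real filter would use a public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(from_header: str) -> str:
    """Domain part of a From: header value such as 'Accounts <accounts@example.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(host: str) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a hostname.
    Only a literal match is trusted; a skeleton match with a different spelling is
    exactly the rn/m substitution the article describes."""
    domain = registrable(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        if skeleton(trusted) == folded:
            return f"lookalike of {trusted}"
    return "unknown"


if __name__ == "__main__":
    for sample in (
        "www.angloeasternshipmanagement.com",
        "www.angloeastemshipmanagement.com",
        "rnaersk.com",
        sender_domain("Accounts <accounts@angloeastemshipmanagement.com>"),
        "example.org",
    ):
        print(f"{sample:45} -> {classify(sample)}")
```

A lookalike verdict is a signal for quarantine and review, not proof of fraud on its own; the value of the skeleton comparison is that it catches the substitution a human eye glides over, while a literal allow-list match still lets genuine correspondence through.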

Phishing Techniques

Various techniques are used to acquire personal/confidential information from users. With technological advancements, the techniques used by cybercriminals are evolving as well.

Spear Phishing

Traditional phishing uses a ‘spray and pray’ approach, in which a multitude of emails is sent to as many people as possible. Spear phishing, on the other hand, is a much more targeted strike in which the attacker knows their specific individual or organization of interest, performs reconnaissance so as to mount a tailor-made attack, and thereby raises the probability of trapping the target.

Phishing through Search Engines

This technique uses search engine results to guide the user to product sites that may offer inexpensive products or services. When the user tries to purchase the product by entering credit card details, the phishing site captures them. There are multiple counterfeit bank websites offering credit cards or loans to users at low rates, but they are phishing sites.

Email/Spam

The classic phishing technique of delivering the same email to millions of users with an appeal to fill in personal/confidential information, which the phishers then use for illegal activities. The majority of these messages carry an urgent note demanding that the user enter credentials to update account information, change details, or verify accounts.

Vishing (Voice Phishing)

The phisher makes phone calls to the user with a spoofed caller ID and asks the user to dial a number. The motive is to acquire the user’s bank account details over the phone.

Link Manipulation

A technique in which the phisher sends a link to a malicious website; on clicking it, the user lands on the phisher’s website instead of the website the link text refers to. Hovering the mouse over the link reveals the actual address and saves users from falling into this trap.
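What a user sees by hovering can also be checked by a mail filter before the message is delivered: the visible text of a link and the address in its href should name the same site. The Python example below is added here and is not part of the original article. The HTML message body is constructed for the example, and the rule that compares only the last two labels of each hostname is a simplification (it treats www.maersk.com and maersk.com as the same site but does not know multi-label suffixes such as co.uk).

```python
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, None outside <a>
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> Optional[str]:
    """Hostname of a URL or bare domain; None when the text is not URL-like ('Click here')."""
    text = value.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    if not host or "." not in host or any(ch.isspace() for ch in host):
        return None
    return host.lower()


def same_site(a: str, b: str) -> bool:
    """Compare the last two labels only (simplification, see lead-in)."""
    return a.split(".")[-2:] == b.split(".")[-2:]


def find_mismatched_links(html: str) -> list:
    """Links whose visible text names one site while the href points at another:
    the automated equivalent of hovering over every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and not same_site(shown, actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample body: the first link shows one address but leads to another,
# the second is consistent, the third has generic text a filter cannot judge by itself.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please review the updated schedule at
<a href="http://schedule-update.example/login">https://www.maersk.com/schedules</a>.</p>
<p>Or visit <a href="https://www.maersk.com/">maersk.com</a> directly.</p>
<p><a href="http://schedule-update.example/login">Click here</a></p>
"""

if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link text shows {finding['shown']} but points to {finding['actual']}")
```

Links with generic text such as “Click here” produce no finding because there is nothing to compare; those are the ones a reader still has to hover over, which is why this check complements rather than replaces the advice above.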

Smishing (SMS Phishing)

Phishing carried out via Short Message Service (SMS), the telephone-based text messaging service, typically by including a link in the text message that leads to a phishing website.

11 Ways to Avoid Phishing Scams:

Some anti-phishing techniques that help protect you and your organization from falling prey:

  1. Beware of Pop-Ups – Phishing attempts often involve pop-up windows. Many browsers can block pop-ups, or allow them on a case-by-case basis. If you come across one, don’t press the “cancel” button; such buttons often lead to phishing sites. Instead, press the small “x” in the window’s upper corner.
  2. Anti-Phishing Toolbar – Anti-phishing toolbars can run quick checks on the websites you visit, compare them to lists of known phishing sites, and send out warnings if any site is suspected of being malicious.
  3. Browser settings – By modifying browser settings you can prevent fraudulent websites from being accessed, allowing only trusted websites. Browsers keep lists of known fake websites and either block the address or display an alert message, and security patches are released for popular browsers all the time.
  4. Implement strong email defences – Install a mail filtering system and block email content the business does not need (for example macro-enabled Office documents).
  5. Firewalls – Firewalls serve as barriers between you, your computer, and intruders from the outside world. There are two types of firewall to use: a desktop firewall, which is software, and a network firewall, which is hardware. Used together, they dramatically reduce the chances of hackers and phishers infiltrating your device or network.
  6. If an email contains a link, hover over it to inspect the URL first, and only visit secure websites that begin with “https” and have a valid Secure Sockets Layer (SSL) certificate.
  7. Monitor networks to detect malicious traffic, and systems to detect unusual access or data access.
  8. Make sure security updates are promptly applied to systems that deal with data or messages from untrusted sources.
  9. Use Antivirus Software – Antivirus software includes signatures that protect against known malicious code and exploits; just make sure the program is kept up to date, as new definitions are released regularly to keep up with the constant emergence of new scams. To avoid phishing attacks, users should also use anti-spyware and firewall settings, and upgrade their programs regularly.
  10. Think Before You Click! – Clicking on links that appear in random emails and instant messages is not a smart move. Before clicking on any link you’re not sure about, hover over it. When in doubt, rather than clicking a potentially dangerous link, go straight to the source.
  11. Provide security awareness training for staff who send and receive emails.
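Steps 4 and 9 above talk about filtering attachments at the mail gateway. The following Python example, added here and not taken from the article or from any vendor it names, shows a minimal attachment policy of the kind step 4 describes: block macro-enabled Office formats by extension, block any OOXML archive that carries a vbaProject.bin part regardless of what the file is called (a .docm renamed to .docx still contains it), and hold legacy binary Office files (.doc/.xls, the OLE container used by the lure in the examples) for scanning. The message and the minimal OOXML archives are constructed for the example, and the extension lists are an assumed policy, not a standard.

```python
import io
import zipfile
from email.message import EmailMessage

# Assumed policy for this example: extensions blocked outright.
BLOCKED_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".exe", ".js", ".vbs", ".hta"}
# Legacy binary Office formats can embed VBA without a distinguishing extension.
LEGACY_OFFICE_EXTENSIONS = {".doc", ".xls", ".ppt"}
# Magic bytes of the OLE2 compound file used by legacy .doc/.xls.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def contains_vba_project(data: bytes) -> bool:
    """OOXML documents are zip archives; a macro-enabled one carries a vbaProject.bin part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def evaluate_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment under the example policy."""
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if contains_vba_project(data):
        return "block"          # macro payload behind a benign-looking extension such as .docx
    if ext in LEGACY_OFFICE_EXTENSIONS or data.startswith(OLE_MAGIC):
        return "quarantine"     # legacy container: hold for AV scanning rather than deliver
    return "allow"


def scan_message(msg: EmailMessage) -> dict:
    """Map each attachment filename to its verdict."""
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        verdicts[name] = evaluate_attachment(name, part.get_payload(decode=True) or b"")
    return verdicts


def build_ooxml(vba: bool) -> bytes:
    """Constructed minimal OOXML-like archive. A real document has many more parts;
    the presence of word/vbaProject.bin is what the filter keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if vba:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()


def build_sample_message() -> EmailMessage:
    """Constructed message resembling the lures above: an urgent-sounding schedule
    notification carrying a macro-enabled document renamed to look like a plain .docx."""
    msg = EmailMessage()
    msg["Subject"] = "New Shipping schedule details - Shipment notification"
    msg["From"] = "ops@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg.set_content("Please see the attached schedule.")
    msg.add_attachment(build_ooxml(vba=True), maintype="application",
                       subtype="octet-stream", filename="schedule.docx")
    msg.add_attachment("Plain text notes", filename="notes.txt")
    return msg


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()).items():
        print(f"{name:15} -> {verdict}")
```

The filter inspects content rather than trusting the filename, which is the point of step 4: an extension list alone is bypassed by renaming, while the vbaProject.bin check is not. Quarantined legacy files are where the up-to-date antivirus definitions from step 9 do their work.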

You don’t have to live in fear of phishing scams. By keeping the preceding tips in mind, you should be able to enjoy a worry-free online experience.

Reference

https://blog.nettitude.com/the-top-8-cyberthreats-to-marine-and-offshore-organisations-part-1-phishing-and-physical-infiltration