Go Phish! What do thieves get from stealing our data?

If black hats were sharks, then our emails would be a school of innocent, unsuspecting guppies nonchalantly drifting along. For black hats or malicious hackers, getting into the average person’s email is as challenging as overeating at a buffet.

After all, e-mail is the most successful federated communication system ever built, with over 281 billion emails sent per day and growing. We’re helpless without email. Most people cannot imagine an hour going by without checking and answering emails, let alone a day. Over email, you send updates on your address and banking information to your service providers or clients, health information to your university or insurance agent, and more. Despite this, email traffic generally does not have end-to-end encryption, leaving it highly vulnerable. And 91% of cyber attacks are carried out through e-mail. Fish, meet barrel.

And for whatever e-mail scanners or antivirus you have running, know that black hats are developing their own predatory tools at a much faster rate. Social engineering, baiting, and placing malicious links in places as seemingly harmless as unsubscribe buttons are just a few items from their arsenal of tricks. Cybersecurity companies are getting better at detecting threats and identifying suspicious emails or links, but most people are just not tech savvy enough to avoid these pitfalls.

Many think that they don’t even need to bother, which you have to realize is like walking blindfolded through the Temple of Doom and expecting to get out of there unscathed. Don’t be that person. Don’t be in that school of fish just waiting to be a shark snack. It’s time to understand why protecting your email is so important and how black hats are plotting your demise.

Data exploitation and ransom

With the amount of conversation happening lately about the importance of having control over your data, it should be clear how valuable data can be. Data can be used for consumer and marketing purposes or misused to fraudulently conduct purchases on e-commerce sites. It can be sold to other parties who will use it for illicit or illegal purposes, or even just to steal even more data from your friends and family. Equifax was one of the more famous data breaches that occurred recently. It affected over 200,000 people and compromised their credit card information, social security numbers, credit scores, and other very sensitive information.

Now if you’re not in the 1%, you probably think you’re not the type to be subject to be a ransom attack, but you’d be wrong. You don’t need to be famous or powerful for people to try to bleed you dry in this way. Ransomware attacks, or attacks that are meant to hold on to your data in return for ransom money, rose by 250% in 2017. WannaCry is an example of an infamous ransomware attack, which caused an estimated $1B in damage or more.

Identity Theft

The dangers of identity theft may be obvious, but many people don’t understand to what extent it can really affect their future. Identity theft may actually be the worst thing a hacker can do with your information.

In 2017, the direct and indirect cost of identity theft in the US was estimated at $16.8 billion. Identity theft harmed 16.7 million people,  which is about 7% of American adults! And one weakness leads to another – back in 2014, the Department of Justice estimated that about ⅓ of Americans who suffered a data breach subsequently became victims of financial fraud. Now in 2018, this is only likely to have increased.

Here are just a few things thieves can do with your identifying information:

  • Open credit cards or take out loans
      • Aside from your name, if black hats also obtain your Social Security number, birthdate, and address, they can open credit cards and apply for loans in your name.
  • Intercept your tax refund
      • The tax refund you are excited about may not come after all if you get hacked. People who wait until the last moment to declare are more vulnerable and thieves may counterfile a fake tax return using your identity.
  • Use it to receive medical treatment
      • By obtaining your SSN and health insurance account numbers, black hats can use or sell your information in order to receive medical treatment. According to a study from Michigan State University, there were nearly 1,800 incidents of medical data breaches with patients’ information from October 2009 to December 2016. These breaches can be used to receive treatments, prescriptions, and even put your own health at risk if the thief’s medical information is now mixed up with yours.
  • Travel with your airline miles
      • Airline miles can be exchanged for cash, gift cards, and products or upgrades. Millions of miles have been stolen easily through phishing emails and other simple email scams.
  • Open utility accounts
    • 13% of 2016’s fraud incidents were related to phone and utility accounts. Thieves can open an account with a gas, phone, or electric company using your stolen SSN and then run up huge bills in your name, right under your nose.

Outsmarting the sharks

The first and simplest step you can take to defend against email fraud is to learn to avoid phishing schemes. A phishing scheme is when someone emails you pretending to be someone they’re not. (Think Nigerian princes or friends who suddenly find themselves abroad without a wallet when you could have sworn they were at the bar Friday night.) They could also be pretending to be from your email or healthcare provider asking you to log in. These e-mails often include links to phishing sites that will collect your passwords and personal information.

You may have heard that using passphrases instead of passwords can help protect you, and it’s true that they are more secure. They’re even stronger when you include special characters like quotation marks, and use languages other than English. This is the best known practice for generating strong passwords. But these passphrases can still be stolen through phishing, just like any password. So don’t let a clever passphrase lull you into a false sense of security.

Phishing is extremely prevalent. About 1.4 million of these fake sites are created each month, and around 135 million phishing attempts are made via email every single day. Here are some main rules of thumb to avoid phishing, and all they take are common sense:

  1. Don’t follow any links that don’t have https in the URL. Avoid links that lack the S.
  2. Don’t enter your password after following any link from any e-mail. Even if it really looks legit. If it’s from your bank, for example, just enter your banking app normally to complete whatever the e-mail is asking you to do. Do not follow the e-mailed link. Chances are, you’ll discover your account is normal and requires no attention at all. Bullet dodged.
  3. Keep your accounts secure with two factor authentication – that means adding an extra step to your login process, like receiving a security code to your phone. This is annoying for sure, but it does help keep predators out until a better solution is offered to the masses. We’re looking at you, e-mail security industry!

We’re in dangerous waters these days, and the hacker sharks are circling, but you’re not helpless if you pay attention. Treat your e-mail with the same careful consideration with which you’d (hopefully) treat your wallet or other tangible assets, and you’ll go a long way towards avoiding the worst. Good luck out there!

Author BioGeorg-Vereign

Georg Greve is the Co-founding Chairman and Head of Product Development at Vereign, an intuitive software platform on a mission to bring authenticity and privacy to day-to-day online communication. Georg is also a software developer, physicist, and entrepreneur, with two decades of experience working closely with Red Hat, IBM, and Google as well as the United Nations, European Commission and various countries. His interest in information security dates back even further. He previously worked on the secure messaging platform Kolab, and as Founding President of the Free Software Foundation Europe (FSFE), where he received the German Federal Cross of Merit on Ribbon for his groundbreaking work on Open Standards and Free Software.

Read Next

Dark Web Phishing Kits: Cheap, plentiful and ready to trick you.

Using machine learning for phishing domain detection [Tutorial]

Meet ‘Gophish’, the open source Phishing Toolkit that simulates real-world phishing attacks

*** This is a Security Bloggers Network syndicated blog from Security News – Packt Hub authored by Guest Contributor. Read the original post at: