So let’s summarise these 3 points:
- How the Crime is Committed
- What a Consumer can do to prevent it
- What the industry has to do to prevent it
How the crime is committed
In my specific example, I targeted a genuine business need and want.
All businesses are on social media, all URLs on social media get shortened, all businesses want to keep their brand recognition.
But more importantly, I tailored it around consumer advice.
The reason I do this is that I know consumer advice has to consider consumer confidence as well as industry growth, so if something is too hard, too complex or too off-putting for a consumer, it will not be covered by consumer advice.
So that is the trick of it, I focus my efforts around consumer advice.
My phishing process is no different from a business concept process. I look at how I can communicate with the consumer, where there is a consumer market for my service/product and how I market that product; it is all reasonably straightforward.
I then use the same tools as everyone else and rely on conditioning that is done for me.
So let’s say a consumer checks an email:
- The URL goes to the website it says it does
- It came from a LinkedIn contact
- The email address matches the URL
- It is addressed to you personally
- It is a service offer to get you on my website: no money requested, no personal information asked for, no rush, no obligation
- It has been run through Grammarly
None of this means the email is legitimate, but it is what you are told to look for. Essentially, those six points are the workarounds I put in place to circumvent your consumer advice.
What a Consumer can do to prevent it
- Don’t click links in emails
- Only click links from people you know personally
- Navigate to websites directly if you want to visit, by typing the domain part of the URL
- Delete all marketing emails:
  - Anything trying to offer a service
  - Anything advertising or promoting something
  - Job board emails
  - Emails from recruiters with jobs you did not apply for directly
- Delete all emails from senders you do not know personally where you have not initiated the action
- Treat any email from any service you use as a “Notification”: all you need to do in that scenario is note the sender name and the subject line, then delete.
  - For example, if it is your bank or a utility provider, log onto the account to see what they are communicating about; if there is nothing there, assume someone is trying to phish you.
- Delete all emails from “No-Reply” senders
  - Except your email provider; they are the only people who can send emails from “No-Reply” for a legitimate reason.
- Automate your inbox to remove or file these emails automatically so it is easier to check what remains
These points are generic: they cover both good and bad grammar, they cover people asking for information, they cover people asking for money, and they cover people pressuring or threatening in emails.
While grammar, asking for money etc. are indicators that an email is a phishing email, their absence does not mean the email is not a phishing attempt.
The points cover this by essentially taking the approach of “delete all the crap from your inbox”; the advice then helps you automate that deletion.
Anything not picked up by the automation has to be checked, which results either in new automation rules to clean your inbox or in identifying a phishing email.
I’ve just implemented this solution on my personal inbox: a large number of emails were unread and were moved. I couldn’t really find anything I lost which I cared about; the only example was a pal sending me a forwarded advert for “Lego Voltron”, but I can add exceptions to my rules to allow this to come through.
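The rules above, written as inbox automation; this is an added example, not code from the original article. The contact list, service domains, provider domain and sample messages are all constructed, and the marketing keyword list is a placeholder you would extend as you review what the rules miss.

```python
import re
from dataclasses import dataclass

# Constructed configuration; in practice this comes from your address book and accounts.
MY_EMAIL_PROVIDER = "mail.example"                  # the only legitimate "no-reply" sender
KNOWN_CONTACTS = {"pal@example.org"}                # people I know personally
SERVICES_I_USE = {"bank.example", "power.example"}  # accounts I would log into directly
EXCEPTIONS = [re.compile(r"lego voltron", re.I)]    # exceptions added after reviewing what was removed
MARKETING = re.compile(r"\b(offer|promo|discount|unsubscribe|vacancy|job|recruit\w*)\b", re.I)
NOREPLY = re.compile(r"^(no[-_.]?reply|do[-_.]?not[-_.]?reply)", re.I)

@dataclass
class Email:
    sender: str
    subject: str
    body: str = ""
    initiated_by_me: bool = False  # True if I started this thread or asked for it

def classify(mail):
    """Return (action, reason); actions are keep / notify / delete."""
    local, _, domain = mail.sender.lower().partition("@")
    if any(p.search(mail.subject) for p in EXCEPTIONS):
        return "keep", "explicit exception rule"
    if domain in SERVICES_I_USE:
        # Notification: note sender and subject, log into the account directly, then delete.
        return "notify", "service I use; check the account, not the email"
    if NOREPLY.match(local):
        if domain == MY_EMAIL_PROVIDER:
            return "keep", "no-reply from my own email provider"
        return "delete", "no-reply sender"
    if MARKETING.search(mail.subject) or MARKETING.search(mail.body):
        return "delete", "marketing, service offer or job board"
    if mail.sender.lower() in KNOWN_CONTACTS or mail.initiated_by_me:
        return "keep", "known contact or a thread I started"
    return "delete", "unknown sender and I did not initiate contact"

def triage(mails):
    """Group messages by the chosen action, so what remains to read is small."""
    folders = {"keep": [], "notify": [], "delete": []}
    for m in mails:
        folders[classify(m)[0]].append(m)
    return folders

SAMPLE = [  # constructed messages
    Email("pal@example.org", "Fwd: Lego Voltron offer"),
    Email("alerts@bank.example", "Action required: verify your account"),
    Email("no-reply@mail.example", "Your mailbox storage is almost full"),
    Email("no-reply@shop.example", "Unsubscribe or keep saving"),
    Email("recruiter@jobs.example", "Vacancy: Security Engineer"),
    Email("someone@agency.example", "Keep your brand on every shortened link"),
    Email("vendor@supplier.example", "Re: quote you requested", initiated_by_me=True),
]
```

Note that the marketing rule runs before the known-contact rule, which is exactly why the forwarded advert needed its own exception.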
What can the industry do to prevent it
- Provide generic advice that works
- Don’t put links in emails.
  - If I am a customer of a company then I already know the URL; I don’t need to see it in the email.
  - If you do put your website address in an email, make sure you do it in a way that does not compromise the consumer across different applications and email services.
- Don’t use short or dynamic URLs on social media, or at all (this includes your own 301 or 302 redirect services)
- Don’t use no-reply addresses
- Don’t use complex domains
This allows you to send out marketing emails, but in a way that doesn’t condition your customers into methods that people can take advantage of.
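A sender-side check for the industry points above, as an added example rather than anything from the article or its guide: it lints a draft marketing email for a no-reply sender, a sender domain that differs from the brand, embedded links, link shorteners and multi-label domains. The shortener list, the "three or more dots" complexity heuristic and the draft message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

SHORTENERS = {"bit.ly", "t.co", "lnkd.in", "tinyurl.com", "ow.ly"}  # constructed, not exhaustive
NOREPLY = re.compile(r"^(no[-_.]?reply|do[-_.]?not[-_.]?reply)", re.I)
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)

def host_of(url):
    """Lower-cased host name of a URL, without scheme, path or port."""
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()

def is_complex(host):
    """Assumed heuristic: four or more labels is hard for a customer to verify by eye."""
    return host.count(".") >= 3

def lint_outbound(raw, brand_domain):
    """Return the practices in a draft email that condition customers badly."""
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    local, _, sender_domain = sender.lower().partition("@")
    if NOREPLY.match(local):
        findings.append("no-reply sender: customers are told to delete these")
    if sender_domain != brand_domain:
        findings.append(f"sender domain {sender_domain} differs from {brand_domain}")
    if is_complex(sender_domain):
        findings.append(f"complex sender domain {sender_domain}")
    for url in URL.findall(msg.get_payload()):
        host = host_of(url)
        if host in SHORTENERS:
            findings.append(f"short URL {url}: destination hidden from the reader")
        elif host != brand_domain and not host.endswith("." + brand_domain):
            findings.append(f"link to {host}: not the brand domain")
        else:
            findings.append(f"link {url}: state the domain as plain text instead")
        if is_complex(host):
            findings.append(f"complex link domain {host}")
    return findings

DRAFT = """\
From: Acme Marketing <no-reply@mail.campaigns.acme.example>
To: customer@example.org
Subject: This month at Acme

See this month's offers: https://bit.ly/xyz123
Or visit https://www.acme.example/offers
"""  # constructed draft; acme.example is a placeholder brand
```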
We have a guide that covers the URL issues for this on our practice what you preach pages.
From the consumer side, it is easy when you think about it: treat your inbox like you treat your mailbox.
85% of what comes through your door goes from floor to recycling bin; it is no different just because we are on the internet.
From the industry side, we stop conditioning users into bad behaviour, we practice what we preach.
If you shouldn’t be clicking links in emails, don’t put them in.
If Outlook is OK for links but webmail isn’t, find a suitable workaround for when you send out links in emails (like the one given on the link above: it shows true links in Outlook, while webmail should just display them as text).
Finally, if you should only click on links when you can see where they go, why are you using short links?
There is a workaround for LinkedIn and Twitter, not a good one, but as a business, you can always start complaining to service providers like LinkedIn and Twitter.
Anyway, I hope this article helped you; you can find more “How I Would Commit Cyber Crime” articles on the links below.