What is Phishing and How to Spot it | EP 001
In our inaugural episode, I thought it best to give you my take on what phishing is, and for those that already know what it is, I’ll share with you some ways to spot it and prevent it.
Watch the full episode below or listen on Apple/Spotify Podcasts. (links to Apple and Spotify on the Gone Phishing page!)
Episode 1: Listen on Apple
Full Episode 001 Transcript:
00:00:00:12 - 00:00:23:20
Connor Swalm
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swan, CEO Phin Security and welcome to Gone Phishing.
00:00:27:16 - 00:00:48:21
Connor Swalm
Hey everyone, and welcome to the first episode of Gone phishing. My name is Connor, and over the course of this show, I want to give you insights and advice around the cybersecurity space, as I believe it's going to be an important, if not an essential, part of every business in the coming years. Some episodes are just going to be me, but for others, I'll bring in experts and will unpack certain topics in greater detail together.
00:00:49:08 - 00:01:05:13
Connor Swalm
Today I thought it best to give you my take on what phishing is because, well, it's in the title of the show. And for those who already know what phishing is, I want to share with you some ways to spot it, some ways to prevent it as these scammers are getting more and more advanced these days. All right.
00:01:05:15 - 00:01:34:02
Connor Swalm
Let's dove into it. So first, it's in the title. It has a p h instead of an F. So, you know, we're not phishing for actual phish here. But what is phishing with a. Well, simply put, if you want to talk about it from like a higher level, phishing is just any organization or any group of people that are attempting to steal information, access for money by impersonating an individual at a company or by misrepresenting themselves.
00:01:34:02 - 00:01:56:23
Connor Swalm
So these are malicious individuals who are attempting to steal access information and sometimes just actual cash. Sometimes it can look really, really realistic, incredibly hard for you to detect. And then other times it's as simple as noticing that it comes from an email address that has a million different letters in it and a million different numbers that you know that it can't possibly be.
00:01:57:00 - 00:02:16:02
Connor Swalm
Amazon reaching out to you about $1,000,000 gift card that you have waiting for. You just could collect it. So from the top level, it's just people trying to steal things from you. That's really it. And sometimes it's not just an individual. Sometimes it's an organization that's been funded. Sometimes it's a group of people who have gotten together. Whatever it is, it's.
00:02:16:02 - 00:02:43:03
Connor Swalm
It's just somebody attempting to steal stuff from you. So phishing can look very different. Phishing is a type of something called social engineering. And social engineering is a broader sense of an individual misrepresenting themself and then again attempting to steal information, access and money. So phishing is like the direct act of trying to do it. And social engineering is the broader concept, so it can look super different.
00:02:43:11 - 00:03:13:04
Connor Swalm
All of you listening to this are, and I imagine are incredibly familiar with email phishing. That is just somebody sending you an email. That's clearly not real. That is, I don't know, trying to get you to click it, go somewhere on the Internet. Sometimes it's trying to get you to change banking information on an invoice. Sometimes it's just asking you for information that you shouldn't really be giving out, like bonuses and compensation and other information about the employees at your company that should be given out.
00:03:13:07 - 00:03:31:17
Connor Swalm
And other times it's just, Hey, can you give me that two factor authentication code that you just received on your phone? Or maybe it was emailed to you, and so it can look different. But an email phishing specifically is just an email you get that you didn't expect, and that is very malicious in a certain sense. So that's email phishing.
00:03:31:17 - 00:04:05:11
Connor Swalm
Everybody should be aware of that one. One kind of twist on email phishing is a concept called business email compromise, where it's actually somebody who is attempting to represent that one of your internal folks got compromised. So it's somebody pretending to be an employee at your company that you may work with on a regular basis all the way up to it could be that that employee's email actually is compromised and somebody is a malicious actor on the inside representing that employee improperly and then trying to exfiltrate information, access or money representing themselves as an employee of your company.
00:04:06:07 - 00:04:27:20
Connor Swalm
So depending upon, you know, the scale of the phish itself, email phishing could look a little differently. But at the end of days, just people are trying to steal stuff from you and they're using your email address to do it. Secondly, one want the second type, rather, that should be very, very familiar for all of y'all is spear phishing.
00:04:27:20 - 00:04:47:10
Connor Swalm
And spear phishing is simply put, somebody has an incredible amount of information on you. So it's not a common attack. It's not something that was clearly blasted to tens of thousands, if not hundreds of thousands of people at a time. This is they targeted a company. They targeted an industry. They targeted you at your company for specific reasons.
00:04:47:10 - 00:05:05:03
Connor Swalm
Maybe they pulled your information offline. Maybe they went to LinkedIn and just found every single employee you worked with and the dates that they started. So they could kind of figure out maybe who you report to, whatever it is they have information about you, they have information about your organization. And spear phishing is the act of leveraging that information to attempt to phish people.
00:05:05:10 - 00:05:24:02
Connor Swalm
And so it's just a more targeted attack style, if you want to think about it like that. Then common phishing, like, hey, you have an inheritance that you need to claim from overseas or I'll bring up Amazon again. You got $1,000,000 gift card in your Amazon account. If you just log in real quick, you'd have access to it.
00:05:24:13 - 00:05:47:03
Connor Swalm
One thing we want to go back to email phishing that you should remember is the actual phish can have many different what I call directed actions. So a directed action in in my own words is what exactly is this phish attempting to get you to do? For some it is. Can you go to this website and can you log into your Microsoft account?
00:05:47:11 - 00:06:09:02
Connor Swalm
So in between you getting to the Microsoft website and clicking this phish, maybe it's actually not routing you to Microsoft and it's going to steal your username and your password that you used to attempt to log in. Maybe the directed action is just can you send me a spreadsheet of X-Y-Z information? Maybe the directed action is can you change the banking information on this one invoice?
00:06:09:02 - 00:06:27:16
Connor Swalm
Because we just changed our our business address and our banking information, whatever it is, the directed action is really important to pay attention to. That's something we pay attention to. It in a lot is essentially what kind of directed actions are people more likely to take as a result of the information we're gathering on them? So it's super important to keep track of that.
00:06:27:16 - 00:06:54:03
Connor Swalm
And the directed action is real important in terms of individuals are vulnerable to all sorts of directed actions. Some of them are more vulnerable to others. Another type of phishing is I hate using these words, but I'll use it here because you'll probably recognize that Vishing and Smishing. Very simply put, somebody uses a voice mail to phish. You are phone call and SMS phishing as I like to call it instead of Smishing is just text messages.
00:06:54:11 - 00:07:15:00
Connor Swalm
Text messages and voicemail. phishers have become super, super popular, way more popular. And in my mind, at least from what we're seeing, that email is just simply put, because they're so they're so darn effective. So if you get I, I always used to do these cybersecurity presentations for small business development centers and small business groups and, and chambers of commerce and whatnot.
00:07:15:10 - 00:07:35:11
Connor Swalm
And I would always have to put a disclaimer that the IRS is never going to call you the IRS is never going to leave you a voicemail. The IRS is not going to reach out to you via your phone and attempt to get you to pay off some massive debt that in theory, you have because you didn't pay your taxes.
00:07:35:18 - 00:07:51:15
Connor Swalm
I would always put that in there. I would always get a question about it. And a person somewhere would always ask me, are you sure that's real estate? Because this happened last week. The me, my mother, my uncle, my aunt, whatever it was, everyone seemed to have a story about it. But the realistic scenario is the IRS isn't going to do that.
00:07:52:01 - 00:08:24:16
Connor Swalm
And then for SMS phishing, one of the reasons this is so effective as SMS phishing is because people trust their cell phones. People don't necessarily inherently trust email as much as they do their cell phones. So when somebody gets a text message and there's very little to no information in it other than your PNC Bank account has been hacked and you need to log in or you need to confirm that the malicious activity was actually malicious activity so we can get rid of the charges, whatever it is.
00:08:24:20 - 00:08:48:00
Connor Swalm
There's often really little to no information in it. And SMS phishing as of now, how it's kind of evolved is it's just click a link, click a link that's going to send you to a website. It's going to do something. Maybe at that website they attempt to steal your information or they try to get you to log in or they try to lure you in, no pun intended, because this is actually how it's working.
00:08:48:05 - 00:09:16:03
Connor Swalm
Maybe they try to lure you end to some kind of deeper scheme that will give them greater access to information, money and access to the other pieces of your organization. So estimated phishing. We've seen a lot about one thing. One thing I'd like to put here is I wholeheartedly believe, especially if you're provisioning work funds for your folks, that you should have SMS phishing as a piece of your awareness training program.
00:09:16:08 - 00:09:41:16
Connor Swalm
So one of the philosophies we have here at Phin is what we should be doing to train people to recognize real life social engineering is we should attempt to do real life social engineering and then teach them how we did it. So if your people have phones provisioned by the organization, that's, you know, part of the attack surface because it's a mobile phone that has access to company information, then you should also be SMS phishing.
00:09:41:16 - 00:10:01:19
Connor Swalm
Those folks. That's a belief that I have. I'd love to have a discussion with you all about it, if you have any, if you feel any differently. But so far, that's exactly what I thought. And people have seen a lot of value, at least from our partners, as to when they've done this emancipation. So what are the risks of getting phish?
00:10:01:19 - 00:10:26:02
Connor Swalm
Really, every single person is at risk of getting phish. So another philosophical belief that I have and one of the reasons I started Phin, is that every human is unique, right? Everyone that works at your organization, everyone that you work with, every friend that you have is a unique individual. That also means that their vulnerabilities are unique. So you remember how I harped on earlier for seemingly way too long about it actions?
00:10:26:08 - 00:10:55:22
Connor Swalm
The reason that I do that or that I did that is because directed actions are a piece of a unique vulnerability someone may have. So everybody is at risk of getting phish just because everybody is vulnerable in some way to a social engineer or to a phish to if somebody sent you the right kind of communication via the right methodology, either text, email, spear, phish or whatever it would be, maybe it's a LinkedIn DM at the right time of day and you're in the right frame of mind or you're emotionally distraught.
00:10:56:10 - 00:11:21:00
Connor Swalm
It's we're human and we're going to fall prey to that. At some level. There's a capability that that's going to happen. So everyone needs to be not necessarily worried. I never want to paint a picture of fear, uncertainty and doubt, but I do want to paint a realistic picture of this is applicable to everybody. So to the C-suite, listening to the owners, listening to the managers, the directors, to everybody, listening at the top is an organization.
00:11:21:15 - 00:11:40:21
Connor Swalm
You too are vulnerable to this. You're no different. You are also vulnerable to this in some way, shape or form. So what can you do to prevent this? So I'll go way further into this in in greater detail in other episodes. But basically how you prevent this is a multilayered approach. Anyone who sells you a secure cybersecurity, silver bullet is lying to you.
00:11:41:11 - 00:12:03:10
Connor Swalm
There is no one single thing that you should be doing to prevent all security incidents and breaches and reduce risk as much as possible. It's a layered approach, so there's a lot of things you could do on the technological side to prevent phishing from turning into an enormous problem. But one piece and the one that I have specific expertize in is awareness training.
00:12:03:14 - 00:12:30:05
Connor Swalm
It's launching awareness training programs, running them effectively, and measuring the results that you get from that. So that's one thing that I focus on greatly. But again, security is a layered approach. So everyone, thank you for tuning in. That's it for today. Next time, I'm going to talk about a concept called human vulnerability and what that is, why it's so important, why it's relevant to you, and how we can leverage that to create safer human beings.
00:12:30:17 - 00:12:54:13
Connor Swalm
Until next week. But thanks so much for tuning in to Gone phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits. Then check us out. Phin Security at Phinsec.io.
00:12:54:23 - 00:12:58:06
Connor Swalm
Thanks for phishing with me today, and we'll see you next time.