Catch that Phish: How your Passwords are Stolen and how you can Counter it


Ever wondered how your Facebook or email got hacked? How an attacker learned your password? Rajvardhan Oak, a leading cyber security researcher, tells us that the most common tactic used to steal passwords is phishing. Oak obtained his master's degree from the University of California, Berkeley, where his research focused on machine learning applications for cyber security and on usable cyber security for low-resource organizations. Leveraging a variety of open source resources, Oak has created a toolkit that organizations can use for phishing training. The toolkit allows organizations to set up a phishing testbed, complete with stock email templates, fake profiles, phishing policies and campaign tracking. Oak is one of the very few security researchers developing free tools for social good at such an early age. Through the Center for Long Term Cybersecurity at Berkeley, he has driven cyber security operations for vulnerable non-profits across the world. One of his recent studies demonstrates how surprisingly easy it is for an attacker to evade hate speech detection. This particular toolkit of his is a game-changer because it is the first of its kind that is completely free to use. To spread awareness about phishing and his toolkit, he recently conducted a training session at the 2019 Cyber Security Summit of the National Science Foundation (NSF) held in San Diego. We talked to Rajvardhan Oak, a leading expert on cyber security and phishing, about phishing and how to protect ourselves from it.

Q: What does a phishing email look like?

A: A phishing attack is where an attacker sends you a link to a page that looks exactly like a genuine website that you frequent; it can be Gmail, Facebook or Amazon. Unsuspecting users enter their login credentials, which are harvested by the attacker. Typical phishing strategies are attackers pretending to be a system administrator or the government (IRS, USCIS, DHS) and creating a sense of urgency (pretending that your password has expired and you will lose access to your account soon, or showing that $10,000 has just been deducted from your account). Some attackers also tailor the email for a particular victim; they can pretend to be your family member, doctor or professor. 

Q: What are some tell-tale signs one should look for?

A: Emails that come from suspicious senders, in particular emails originating from a personal inbox (gmail.com, hotmail.com) where you would expect an institutional email. For example, an email sent by registrar_berkeley@gmail.com instead of registrar@berkeley.edu. Another tactic that attackers employ is to misspell words in the email, so that it can bypass machine learning classifiers and spam filters. So be especially suspicious of emails that spell money as m0ney or credit cards as cred!t c@rds.

Q: How can people protect themselves from phishing attacks?

A: Phishing emails will try to redirect you to a malicious website; one that harvests your information. This website will often have the look and feel of an actual website but will have a different URL. When clicking on a link, hover over the hyperlink and see what URL it directs you to. An email sent by Amex should not contain links that take you to creditxamex.com. Most modern email clients are smart enough to flag such emails, so trust Gmail when it says that an email contains suspicious links. If you are unsure whether an email is genuine, go directly to the source through another channel; so if you receive an email claiming issues with your tax filing, contact the IRS through a channel listed on the IRS official website. Finally, if you suspect an email of being a phishing attempt, immediately report it to either your organization or email provider; this helps them investigate the sender and fine-tune their algorithms.
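The three checks described in the two answers above (an institutional name on a personal webmail address, filter-dodging spellings like m0ney or cred!t, and links whose real destination differs from the sender's domain) as an added Python example; this is not code from the interview or from Oak's toolkit, and the webmail list, organisation names and sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed configuration (constructed, not from the interview): webmail domains an
# institution would not send from, and org names that look suspicious on them.
FREEMAIL = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}
ORG_NAMES = {"berkeley", "amex", "irs"}
# Simplified anchor extraction: (href, visible label), i.e. what hovering reveals.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def phishing_indicators(from_header, html_body):
    """Return human-readable indicators found in one email; [] means none found."""
    flags = []
    name, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    # 1. Institutional sender name on a personal webmail domain
    #    (registrar_berkeley@gmail.com where registrar@berkeley.edu is expected).
    if domain in FREEMAIL and any(o in (name + local).lower() for o in ORG_NAMES):
        flags.append(f"institutional sender on webmail domain: {addr}")
    # 2. Letters mixed with digits/symbols (m0ney, cred!t) to dodge spam filters;
    #    a heuristic, so a token such as COVID-19 would trip it as well.
    text = re.sub(r"<[^>]+>", " ", html_body)
    for tok in (t.strip(".,;:!?") for t in text.split()):
        if ("@" in tok and "." in tok) or tok.startswith("http"):
            continue  # addresses and URLs legitimately contain such symbols
        if len(re.findall(r"[a-z]", tok, re.I)) >= 3 and re.search(r"[0-9@!$]", tok):
            flags.append(f"obfuscated word: {tok}")
    # 3. Links whose real destination host lies outside the sender's own domain.
    for href, label in ANCHOR.findall(html_body):
        host = (urlparse(href).hostname or "").lower()
        if host and host != domain and not host.endswith("." + domain):
            flags.append(f"link '{label.strip()}' really goes to {host}, not {domain}")
    return flags


# Constructed samples in the style the interview describes (not real messages).
PHISH = ("American Express <alerts@amex.com>",
         '<p>$10,000 was deducted. Verify your cred!t c@rds to get your m0ney back.</p>'
         '<p><a href="https://creditxamex.com/verify">www.amex.com/verify</a></p>')
LEGIT = ("Berkeley Registrar <registrar@berkeley.edu>",
         '<p>Registration opens Monday. <a href="https://portal.berkeley.edu/">Sign in</a></p>')

if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        print(sample[0], "->", phishing_indicators(*sample) or "no indicators")
```

These are the same heuristics a mail filter applies automatically, which is why the interview says to trust the client's warning; the obfuscation check in particular is deliberately crude and will produce false positives on product codes.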

Q: How can organizations spread awareness on phishing?

A: The most challenging aspect is convincing people that phishing is a real threat, and it can happen to anyone. Some phishing campaigns are so sophisticated that even the most tech-savvy people are unable to spot them. Organizations should mandate regular training sessions where employees are exposed to the latest phishing attacks that were attempted. A strategy that many companies use is to regularly send out phishing emails to test employees.
