Spoofing and Phishing Attacks

Steve Ripper and Dave Hodgdon from Portsmouth Computer Group (PCGIT) discuss spoofing and phishing, what they are, and what companies can do about them.

Mike: Steve, you brought up a very good point. I was telling people this morning that we’re going to talk about spoofing and phishing. We’re not talking about the ones where you put the worms on the line here. Spoofing and phishing, that’s the P-H-I-S-H-I-N-G, spoofing and phishing attacks. And you think because the country is all discombobulated here between civil unrest and COVID-19, is that why we’re seeing spoofing and phishing attacks at an all-time high? I mean, let’s talk about this, because people are prone to this stuff and they may fall for it.

Steve Ripper: Yeah, I’m not sure, Mike. I mean, it’s hard for me to draw the correlation except for just the coincidence. But we wanted to do this show, Mike, because just as much as there’s unrest going on out in the country, there’s unrest going out on the internet, in cyberspace and in security. It’s really scary right now. So many of our customers are reporting spoofing attacks, just putting tickets into a thing, “Hey, can you take a look at this? This isn’t from someone in my company, but it’s addressed as them.” It’s a phishing attack, it’s a spoofing attack.

And we’ve had several other radio shows now where we’ve explained to everybody out there what a spoofing attack is, a phishing attack. We’re going to talk a bit about it this morning. I’m going to jump right to the chase. If you get anything from the show today, it’s, be careful. Read every email. Hover over every link, to slow down, because right now, it is at an all-time high, right, Dave? I mean, they are just working over the uncertainty that’s going on right now?

Dave Hodgdon: Steve hit it right there, Mike.

Mike: I wanted to ask you, Dave, the phishing and spoofing, is that just all about fake emails or is it something more than that?

Dave: It’s someone trying to capture your email address to make it look like you, and Steve hit it on the button right there that, look at the content. Is this really what Dave would send to me when they’re saying, “Hey, I’d like to catch up with you.” Really understand, is that what your boss or your coworker might be saying to you? And as I pointed out, Mike, around two or three months ago, the predictions, and I predicted the same thing, cyber attacks will be an all-time high with the COVID with people working from home. The security measures aren’t the same, they’re not as alert, we talked about being at home, the kids with school, but you just need to be on a … that was a perfect thing to say, slow it down. If you’re on the phone, just don’t reply to emails. Take your time and look at what you’re responding to.

Preventing Spoofing and Phishing

Mike: So let me ask you this, Steve, when you get something like this, you get an email and it looks like a normal email and they ask you to click on a link, you need to be careful about that, how do you know not to click on that link?

Steve: So there’s a couple of things you can do, Mike, and I always lead people through a couple of steps. So the first thing is, is they just look at the email address. That sounds very basic, Mike, but a lot of us go so fast because we’re trying to get 35 things done every half hour or more. Every one of us goes so fast that we see that it came from so-and-so, it must be fine, but really, the first thing you need to do is look at the email address. What email address is literally lifted? And honestly that doesn’t always work. Sometimes it’ll just be a strange email address and you’ll catch that and that’ll be your first warning. Other times, it’ll just say it’s from the person that it’s from, even though it’s not. So depending on how sophisticated the “they” were, the bad people.

The second thing you want to do is, and it’s a skill that I try to teach everyone I come across, is to hover your mouse over the link without clicking it. Your email client, and all of them do it in some way, will show you where it’s taking you before you click on it. Look at that. If you get an email that wants you to log in to Microsoft but it comes from Google or some other address, some other place, it’s not real, so stop right there.

And then the last thing I always tell people to do is, “Listen, if you do click the link and you do get to a login page where it’s asking you for a log on, the rule is every time, these days, stop and verify before you put your credentials in.” Anytime you see someone or something is asking you to log in, stop, look at the address bar at the top, where are you on the internet when it’s asking you this question? It’s a very important skill.

Dave: One more tip on that, Mike.

Mike: Yeah.

Dave: The name, a lot of times when you see the email, who it’s coming from, it could show that it’s coming from Mike, but actually, that’s where someone else’s email, somebody from a Gmail, is actually there. So even though the name is filling the auto fill in your Outlook, it looks like it’s coming from you, that’s what Steve said, you need to hover over it and then look at the content. “Hi. Do you have time for a moment?” Just really be careful when it looks like the person coming in, that you hover over and know who it’s really coming from.

Mike: You know, Dave, I got a similar email like this just yesterday actually. It was from someone that I knew.

Steve: It’s at an all-time high, Mike. It’s at an all-time high.

Mike: Yeah, I can imagine, I can agree with you, but here’s the interesting thing. I knew it had to be fake because it was from somebody I knew and there was nothing in the body of the message, nothing, except a link. There was nothing there. So I’m saying to myself, “What is this link?” I didn’t click on it. I just deleted the whole email because I knew that I wasn’t going to go there, that this person would get in touch with me another way, number one, as well, and not this way. And all it was, was a one line link. There was no saying, “Hi, Mike. How are you doing? This is what you need to do for your financial planning,” stuff like that. There was nothing to explain anything. So I just deleted it.

Dave: Well that’s why they’re calling it a phishing right there, and you did the right thing. First of all, you knew it wasn’t right, the content wasn’t right, it was missing stuff. They are just throwing that book out there and just hoping … as Steve said, you’re busy, you have a hundred things going on, you’re going to click it, and once you click it, they got you.

Mike: Yeah. So I was going to say, Steve, that is basically phishing, right? That’s basically phishing, that type of-

What is Phishing?

Steve: That is phishing. So phishing by definition, Mike, is an attempt to trick you into giving them your information, whatever that information is. Phishing is a broad category, but typically they want logins. They want usernames and passwords for whatever it is they’re trying to trap you for. Typically, very often it’s Office 365, so it could be your Dropbox password, it could be your Amazon password, could be your banking password. They want information.

So phishing is, they’re phishing for your information. That’s where we get that from.

What is Spoofing?

Mike: So what are spoofing attacks?

Steve: Spoofing, Mike, is when they are pretending via an address or electronic means to be someone they’re not. So if I get an email from a bad person but it’s dressed as Dave, to make me think, “Well, it’s from Dave. I work for Dave. I got to read this email. It must be fine.” That’s spoofing, when they’re pretending through IT means. They’re using IT abilities. They’re changing the address, they’re building a server that can do that, and then putting an address on there, our email addresses, and then they’re pretending to be us. So that’s what spoofing is.

So a lot of people will ask me straight up, they’ll be like, “If my friend got hacked, if he fell for this, how do they know about me? I’ve only emailed maybe one time with this person.” The truth is, they don’t have to hack you to spoof and phish you. They can hack a friend of yours and they know every email address that ever has been associated with your buddy’s email, your friends, your coworkers, your colleagues.

Mike: Wow. Really? That’s interesting.

Steve: They know every single one of them. So people will ask me, Mike, all the time, “Could they get it out of my contact list?” No. These are computers. They ran a script against your mailbox and they then sent an email to every single address your mailbox has ever had anything to do with.

Mike: Oh, okay. I’ve heard about that. Okay, very good.

Steve: And that’s how they get it out. That’s how they push it forward.

Dangers of Spoofing and Phishing

Mike: So, Dave, I wanted to ask you. When you say they want to get your credentials, what kind of credentials are we talking about here?

Dave: Well, I think one of the most important ones, if in fact they can get into your email box … I mean, hopefully from a financial side, you’re not giving them credit card information or bank information, but if they could actually get into your email or have your credentials … Think about that, Mike. Everything you do that you email, so high-level, again, financial, banking, checking, credit card info, your email, your password. If they can get passwords into something, now the key, when you ask the question, they want a password because that password to my email, 365, could be my same password for my bank, and that’s where they start using the robots or computers to start trying, “Well, let’s see what we can do to get in.”

Protecting Against Spoofing and Phishing

Mike: I see. All right. We got a couple of minutes here. I know you started to talk about this, Steve, earlier in the segment here, but what can users do about the best thing to protect themselves?

Steve: Yeah. So the first thing is verify, as I mentioned earlier. Verify, verify, verify. Is this real? That’s the question you’re asking yourself all the time. Is this real? These days, that’s all we do is walk around and ask, “Is any of this real, what’s happening?” But you’re doing that in cyberspace. If you’re dealing with email, you’re dealing with a website, you’re dealing … is this real?

The second thing is, slow down. As part of the verification, slow down. The third thing is, turn on MFA. So we’ve done whole shows on MFA where you’re connecting your phone. We don’t have enough time to go into it, but I think you can look it up. The MFA, where you’re connecting your phone to the login, it’s a second way of verifying that you’re you. That way, if you do fall for one of these scams, these bad actors still can’t log in with the credentials they got from you because they also don’t have that second method.

So those are the big ones. Verify, ask questions, talk to your coworkers: “Hey, did you send this?” And then MFA. Protect yourself with multi-factor authentication.

Dave: And hover, hover, hover over those links and just make sure that you really feel, and ask your coworker, ask a friend when this comes in. Just don’t think, “Well, I’m not sure.” I’d rather have them ask.

Mike: Sounds good.

Steve: Yeah. And the last one is always, err on the side of caution. If you don’t believe it, delete it. They can always send it again, you can always talk about it over the phone. Delete first.

Mike: Absolutely, absolutely. We’ll make that the final word. You can call Portsmouth Computer Group at 431-4121. That’s 431-4121, or visit their website and learn more about improving your security posture or minimizing those risks about phishing and spoofing as well.

All right, guys. Thank you so much, Dave and Steve, from Portsmouth Computer Group, with convenient locations in Portsmouth and Dover, Manchester, Portland. Always a pleasure to talk to you guys. Our tech tip of the week: stay away from that spoofing and phishing stuff. Thank you, guys.