Google blocks 100 million spam messages a day
By this time of the year, we are almost half-way through 2024. And yet, phishing, vishing and smishing are still the top attack vectors in data breaches and other cyber incidents divulged worldwide! As a matter of fact, according to Google, TensorFlow is allowing the technology company to block 100 million spam messages, including phishing messages, from reaching the inboxes of Gmail users and Google Chrome Web Browser users on a daily basis [1].
[1] Google Workspace. Neil Kumaran, Group Product Manager – Gmail Security & Trust. Spam Does Not Bring Us Joy – Ridding Gmail of 100 Million More Spam Messages with TensorFlow, 6th February 2019. https://workspace.google.com/blog/product-announcements/ridding-gmail-of-100-million-more-spam-messages-with-tensorflow
Phishing as Social Engineering Attacks
Nowadays, probably everybody knows what phishing is all about, right? Just in case, let’s remind ourselves by repeating its short definition. Phishing attacks are social engineering attacks where the target victim is contacted through:
- Email (phishing)
- Smartphone/mobile phone (vishing)
- Text message – SMS (smishing)
By someone who is posing as a legitimate colleague, organization, institution, governmental body or company, and trying to entice or trick such target victim into providing:
- Credentials/identifications,
- Personal data/Personally Identifiable Information (PII),
- Confidential or sensitive data.
Within a typical phishing attack, scammers send fake emails to thousands of people, asking them for sensitive information (such as banking details), or containing hyperlinks to harmful websites. They might try to ensnare you into sending money, steal your personal information to sell it elsewhere, or they may have political or ideological motives for accessing your SME information.
Phishing emails are getting harder to spot, and some will still get past even the most observant users. Whatever your SME business operations, and however big or small your SME is, you will eventually be targeted by phishing attacks at some point or another.
One of the main goals of phishing attacks is to entice the target into clicking FAST on the links! And by FAST, we mean without thinking too much. In order to do this, threat actors rely on a very simple physical aspect of the human brain. Provided a certain stimulus, we tend to switch to “lizard mode” and act impulsively due to fear.
This is why so many phishing messages are alerts purporting to be from your Email Service Provider (such as Microsoft 365 and Google Workspace) informing you about an issue with the security of your account, from your bank (name of your bank here) about a fraudulent transaction or an account restriction, from a well-known parcel delivery service about a missed delivery due to an incorrect address, etc. A common pattern here is inducing fear of being locked out of your digital property, financial property or consumer habits.
Unusual Grammatical Compositions
Many phishing attempts are not properly written, and contain typos, changes of font, and unusual grammatical compositions. There are several theories about this. The primary theory is that threat actors are trying to avoid detection by email security systems, thus employing various stratagems to render the final text in a legible way while obfuscating it from text analysis engines. Another theory is that threat actors make intentional mistakes, which will be caught by all but the least cautious recipients, increasing the likelihood of a successful harvest.
Phishing Emails Inspection
One of the simplest things to do is to verify the real sender’s address, not the displayed “From:” field. Unfortunately, most email client software tends to just hide it. Keep in mind that the “From:” field can be totally altered by the sender. It is not trustworthy! Period! How you verify the real sender’s email address varies per email client.
Practical Tip
Six (6) Revealing Signs of Phishing Email Messages [1]
Phishing is a cyber-attack that attempts to steal your money, or your identity, by getting you to reveal personal information – such as credit card numbers, bank information, or passwords – on websites that pretend to be legitimate. Cybercriminals typically pretend to be reputable companies, friends, or acquaintances in a fake message, which contains a link to a phishing website.
Phishing is a popular form of cybercrime because of how effective it is. Cybercriminals have been successful using emails, text messages, and direct messages on social media or in video games, to get people to respond with their personal information. The best defense is awareness and knowing what to look for.
Hereunder are six (6) ways to recognize a phishing email:
- Urgent call to action or threats – Be suspicious of emails and Microsoft Teams messages that claim you must click, call, or open an attachment immediately. Often, they’ll claim you have to act now to claim a reward or avoid a penalty. Creating a false sense of urgency is a common trick of phishing attacks and scams. They do that so that you won’t think about it too much or consult with a trusted advisor who may warn you.
- First time, infrequent senders, or senders marked [External] – While it’s not unusual to receive an email or Teams message from someone for the first time, especially if they are outside your organization, this can be a sign of phishing. Slow down and take extra care at these times. When you get an email or a Teams message from somebody you don’t recognize, or that Outlook or Teams identifies as a new sender, take a moment to examine it extra carefully using some of the measures below.
- Spelling and bad grammar – Professional companies and organizations usually have an editorial and writing staff to make sure customers get high-quality, professional content. If an email message has obvious spelling or grammatical errors, it might be a scam. These errors are sometimes the result of awkward translation from a foreign language, and sometimes they’re deliberate in an attempt to evade filters that try to block these attacks.
- Generic greetings – An organization that works with you should know your name and these days it’s easy to personalize an email. If the email starts with a generic “Dear Sir or Madam” that’s a warning sign that it might not really be your bank or shopping site.
- Mismatched email domains – If the email claims to be from a reputable company, like Microsoft or your bank, but the email is being sent from another email domain like Gmail.com, or microsoftsupport.ru it’s probably a scam. Also be watchful for very subtle misspellings of the legitimate domain name. Like micros0ft.com where the second “o” has been replaced by a zero (0), or rnicrosoft.com, where the “m” has been replaced by an “r” and a “n”. These are common tricks of scammers.
- Suspicious links or unexpected attachments – If you suspect that an email message, or a message in Microsoft Teams is a scam, do not open any links or attachments that you see. Instead, hover your mouse over, but do not click the link. Look at the address that pops up when you hover over the link. Ask yourself if that address matches the link that was typed in the message. In the following example, resting the mouse over the link reveals the real web address in the box with the yellow background. The string of numbers looks nothing like the company’s web address.
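The sender, domain and link checks in the list above (and the earlier advice to verify the real sender rather than the displayed “From:” field) can be run automatically over a raw message. The following Python code is an added example, not part of the Microsoft guidance or of this newsletter's original text; the trusted-domain list, the extra character swaps beyond “0” and “rn”, and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains this organisation genuinely deals with.
TRUSTED_DOMAINS = ("examplebank.ca", "microsoft.com")
# "0" for "o" and "rn" for "m" come from the text; the other swaps are assumed.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def registrable(host):
    """Last two labels only; a production tool would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def skeleton(domain):
    """Collapse look-alike character sequences so imitations compare equal."""
    domain = domain.lower()
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def classify_domain(host):
    """Return (verdict, imitated_domain) for a sender or link host."""
    dom = registrable(host)
    if dom in TRUSTED_DOMAINS:
        return ("trusted", dom)
    for good in TRUSTED_DOMAINS:
        if skeleton(dom) == skeleton(good):
            return ("lookalike", good)      # e.g. micros0ft.com, rnicrosoft.com
    for good in TRUSTED_DOMAINS:
        if good.split(".")[0] in skeleton(dom):
            return ("brand-abuse", good)    # e.g. microsoftsupport.ru
    return ("unknown", None)

def host_of(value):
    url = value if "://" in value else "http://" + value
    return (urlparse(url).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, "".join(self.text).strip()))
            self.href = None

def inspect_message(raw):
    """Return a list of (code, detail) findings for one RFC 5322 message."""
    msg, findings = message_from_string(raw), []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_host = from_addr.rpartition("@")[2].lower()
    verdict, target = classify_domain(from_host)
    if verdict in ("lookalike", "brand-abuse"):
        findings.append((f"from-{verdict}", f"{from_host} imitates {target}"))
    for good in TRUSTED_DOMAINS:            # display name claims a trusted brand
        if good.split(".")[0] in display.lower() and registrable(from_host) != good:
            findings.append(("display-name-mismatch", f"{display!r} via {from_host}"))
    for header in ("Return-Path", "Reply-To"):
        host = parseaddr(msg.get(header, ""))[1].rpartition("@")[2].lower()
        if host and registrable(host) != registrable(from_host):
            findings.append((f"{header.lower()}-mismatch", f"{header} uses {host}"))
    html = "".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/html")
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        target_host = host_of(href)
        if IPV4.match(target_host):
            findings.append(("link-raw-ip", href))
        if URLISH.match(text) and registrable(host_of(text)) != registrable(target_host):
            findings.append(("link-text-mismatch", f"shows {text}, opens {href}"))
    return findings

# Constructed sample message (not a real capture).
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Microsoft Account Team" <security@rnicrosoft.com>
Reply-To: helpdesk@microsoftsupport.ru
Subject: Unusual sign-in activity
Content-Type: text/html; charset="utf-8"

<p>Dear Sir or Madam, review your account now:
<a href="http://203.0.113.45/login">https://account.microsoft.com/security</a></p>
"""

if __name__ == "__main__":
    print(*inspect_message(SAMPLE), sep="\n")
```

Return-Path and Reply-To mismatches also occur in legitimate mail sent through third-party mailing services, so each finding is a signal to weigh rather than a verdict.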
Cybercriminals can also tempt you to visit fake websites with other methods, such as text messages or phone calls. If you’re feeling threatened or being pressured, it may be time to hang up, find the phone number of the establishment and call back when your head is clear. Sophisticated cybercriminals set up call centers to automatically dial or text numbers for potential targets. These messages will often include prompts to get you to enter a PIN number or some other type of personal information.
[1] This section is an abridgment of recommendations provided by Microsoft Tech Support. Protect Yourself from Phishing. https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44
Practical Tip
Detection and Prevention of Phishing Cyber-Attacks [1]
1. Configure accounts to reduce the impact of successful phishing attacks.
You should configure your staff accounts in advance using the principle of least privilege. This means giving your employees the lowest level of user rights required to perform their jobs, so if they are the victim of a phishing attack, the potential damage is reduced. To further reduce the damage that can be done by malware or loss of login details, ensure that your internal staff use a distinct account to do Administrator work and that they do not browse the web or check emails from that account. An Administrator Account is a user account that allows you to make changes that will affect other users. Administrators can change security settings, install software and hardware, and access all files within the computer. Consequently, a cyber-attacker having unauthorised access to an Administrator account can be far more damaging than accessing a standard user account. Use multi-factor authentication (MFA) on all your accounts. This means that even if a cyber-attacker knows your passwords, they still will not be able to access that specific account.
2. Think about how you operate as a SME.
Reflect on the ways that someone might target your SME, and make sure your staff all understand normal ways of working (especially regarding interaction with other organisations), so that they are better equipped to spot requests that are out of the ordinary. Common tricks include sending an invoice for a service that you have not used, so when the attachment is opened, malware is automatically installed (without your knowledge) inside your computer. Another malevolent action is to trick staff into transferring money or information by sending emails that look authentic. Think about your usual workplace practices and how you can help make these tricks less likely to succeed in deceiving you.
Questions Regarding How You Operate
- Do your staff know what to do with unusual requests, and where to get help?
- Ask yourself whether someone impersonating an important individual (a customer or manager) via email should be challenged (or have their identity verified another way) before action is taken.
- Do you understand your regular business relationships? Scammers will often send phishing emails from large organizations (such as banks) in the hope that some of the email recipients will have a connection to that company. If you get an email from an organization with which you do not do business, treat it with suspicion.
- Think about how you can encourage and support your staff to question suspicious or just unusual requests – even if they appear to be from important individuals. Having the confidence to ask ‘is this genuine?’ can be the difference between staying safe, or a costly mishap.
You might also consider looking at how your outgoing communications appear to suppliers and customers. For instance, do you send unsolicited emails asking for money or passwords? Will your emails get mistaken for phishing emails, or leave people vulnerable to a cyber-attack that has been designed to look like an email from you? Consider telling your suppliers or customers of what they should look out for (such as “we will never ask for your passwords”, or “our banking details will not change at any point”).
[1] This section is adapted from online resources produced by the Canadian Centre for Cyber Security.
Cyber Security Guidance, August 2022. Don’t Take the Bait: Recognize and Avoid Phishing Attacks – ITSAP.00.101
https://www.cyber.gc.ca/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks
Detection and Prevention of Phishing Cyber-Attacks (continued)
3. Check for the obvious signals of phishing attacks.
Expecting your staff to identify and delete all phishing emails is an impossible request and would have a massive detrimental effect on business productivity. However, because many phishing emails still fit the pattern of a traditional cyber-attack, look for the following warning signals:
- Many phishing scams originate overseas and often the spelling, grammar and punctuation are poor. Others will try to create official-looking emails by including logos and graphics. Is the design (and quality) what you would expect from a large organization?
- Is it addressed to you by name, or does it refer to “valued customer”, or “friend”, or “colleague”? This can be a sign that the sender does not actually know you, and that it is part of a phishing scam.
- Does the email contain a veiled threat that asks you to act urgently? Be suspicious of words like “send these details within 24 hours” or “you have been a victim of crime, click here immediately”.
- Look out for emails that appear to come from a high-ranking person within your SME, requesting that a payment be made to a particular bank account. Look at the sender’s name. Does it sound legitimate or is it trying to mimic someone you know?
- If it sounds too good to be true, it probably is. It is most unlikely that someone will want to give you money, or give you access to some secret part of the Internet.
- Be cautious and mistrustful of scanning QR codes within emails, which criminals can use to mislead users into visiting scam websites.
- Email filtering services attempt to send phishing emails to spam/junk folders. Nonetheless, the rules determining this filtering need to be fine-tuned for your SME needs. If these rules are too open and suspicious emails are not sent to spam/junk folders, then users will have to manage a large number of emails, adding to their workload and leaving open the possibility of a click. Nevertheless, if your rules are too strict, some legitimate emails could get lost. You may have to change the rules over time to ensure the best compromise.
4. Report all phishing attacks.
Make sure that your SME staff are encouraged to ask for help if they think that they might have been a victim of a phishing attack, especially if they have not raised such an issue before. It is important to take steps to scan for malware and change passwords as soon as possible if you suspect a successful phishing attack has occurred. Do not punish staff if they get caught out. It discourages people from reporting in the future, and can make them so fearful that they spend excessive time and energy scrutinizing every single email they receive. Both these side effects cause more harm to your SME in the long run. If you believe that your SME has been the victim of online fraud, scams or extortion, you should report this to the appropriate authorities. Across Canada, SMEs victimized by online frauds, scams or extortion must contact the Canadian Anti-Fraud Center through their Fraud Reporting System, or by telephone at 1-888-495-8501.
5. Check your digital footprint.
Cyber-attackers use publicly available information about your SMEs and employees to make their phishing messages more convincing. This is often collected from your company’s website and social media accounts (information known as a digital footprint).
- Understand the impact of information shared on your SME website and social media pages. What do visitors to your website need to know, and what detail is unnecessary (but could be useful for cyber-attackers)?
- Be aware of what your partners, contractors, sub-contractors and suppliers give away online about your SME.
- Help your staff understand how sharing their personal information can affect them and your organization. This is not about expecting people to remove all traces of themselves from the Internet. Instead, support them as they manage their digital footprint, shaping their profile so that it works for them and the organization.
Spear Phishing Emails
Spear phishing is a more targeted approach than general phishing, and focuses on specific individual(s) in an organization. Threat actors prepare their campaign by collecting all possible information on their target using Open-Source Intelligence (OSINT). LinkedIn profiles, X/Twitter, Facebook, Reddit, Mastodon, etc. are all great places for such data gathering, allowing criminals to build a decent profile of their victim(s). By using such information, they may trick target users into believing the email is an internal communication or from a trustworthy source due to access to personal information. Often, spear phishing emails will contain a link to a shared drive, trying to trick you into accessing a malicious file. Such emails are most of the time unsolicited and fall outside the regular activities, processes and projects that you’re working on.
Follow the @&^$#% Process
Outside of regular, official, authorized and validated processes, such an unusual request as Follow the @&^$#% Process should always be cross validated. Never bypass an official process. Always validate such a request through another communication channel. Write a new email to the person who supposedly contacted you, using your contact list info. Do not use a “reply to”. Write a direct message to this person using your instant collaboration tool (such as Slack, Microsoft Teams, etc.). As far as possible, seek peer review/validation. Obvious attempts to gain your trust should be viewed with suspicion because the malefactors will try to justify themselves as trustworthy sources by providing unnecessary information about you. When links to shared drives are included in such unsolicited email, think twice before clicking. You should theoretically already have access to this shared folder/file, and even if not, if it was really shared within the organization, you can search for it by yourself in your already opened browser tab.
Whaling Attacks
Whaling is usually associated with phishing attacks targeting high-ranking executives, again for monetary gains or intellectual property acquisition (i.e. spying). In other words, the threat actor targets a CEO, CFO or COO by contacting them through email, LinkedIn message, etc. with very plausible details and knowledge of the company. There is a lot of preparation work put in: open-source intelligence research, company profile and business domain analysis, etc. As with other types of phishing, one should always verify the real source email address of a sender instead of the displayed “From” field, and question why you are contacted through alternate addresses instead of the company’s official email domain. For instance, research a little bit into the past of a LinkedIn profile, the company’s actual existence, etc.
Business Email Compromise (BEC)
Business Email Compromise (BEC) is undertaken by impersonating the CEO, CFO, COO or any other executive, and trying to get a monetary benefit in the form of a wire payment (to a fake vendor, to a supposedly new client/vendor bank account, etc.), or by getting gift cards from an unsuspecting/fooled employee. This model works well for two reasons. The first reason, which we admit may be a hot take, stems from the socio-corporate model of the 1970s-80s, where executives were feared by most employees, and you could not question or second-guess their requests. The second reason is the lack of strong validation processes (or lack of process at all) in vendor and purchase management.
Side note: police authorities in a Japanese prefecture have created fake gift cards and placed them in convenience stores, and when such a card is purchased, the police are immediately alerted and can save the target victim who has been fooled [1].
[1] Bill Toulas, Bleeping Computer Information Security and Technology News Publication, 27th April 2024. https://www.bleepingcomputer.com/news/security/japanese-police-create-fake-support-scam-payment-cards-to-warn-victims/
Vishing or Voice Phishing via Phone Call
Voice phishing is a social engineering attack perpetrated by phone. Probably one of the most emblematic ones is the fake IT support call, targeting elderly people and trying to hoodwink the victims into fraudulent purchases of security software and fraudulent mobile phone purchase refunds. An image being worth a thousand words, we invite the reader to look at a couple of YouTube Channels run by anti-scammer persons and groups [1]. These are quite revealing videos. Be careful out there: this is not an activity to be taken lightly, and there are risks associated with deceiving such organized crime groups in return.
Ten (10) Disclosing Indicators of Vishing Frauds [2]
- You receive an unexpected phone call from someone claiming to be from a government agency, financial institution, or well-known company.
- The caller asks you to verify personal information, such as your Social Security number, bank account number, or credit card number.
- They may insist that you are in trouble or that there is a problem with your account, and ask you to act quickly to resolve the issue.
- Resolving the issue in question may involve making instant cash transfers in order to receive a prize or avoid a penalty. It’s common for scammers to entreat payments via Zelle or even bulk gift cards.
- In other cases, the caller asks you to download a software program or click on a link, which could install malware on your computer.
- The caller contrives a sense of urgency, urging you to immediate action without taking the time to think about the request.
- The caller becomes aggressive or threatening if you do not comply with their request.
- Other high-pressure tactics employed in vishing calls include threats to cancel your SSN or even arrest or deport you.
- The caller has a foreign accent or speaks poor English, which could be a sign that they are not who they claim to be.
- The phone number or caller ID appears to be fake or spoofed.
If you recognize any of these indicators, don’t disclose personal information or make payments via phone. Instead, hang up and contact the company or government agency directly by using a trusted phone number.
[1] To name just a few of those eye-opening YouTube Channels, see the amazing work done by @ScammerPayback (https://www.youtube.com/@ScammerPayback), and KitBogaShow (https://www.youtube.com/@KitbogaShow).
[2] Summary of counsels offered by Emma McGowen, Norton Security Software Blog, 20th February 2024. What is Vishing? Tips to Spot and Avoid Voice Phishing Scams. https://us.norton.com/blog/online-scams/vishing
Smishing or SMS Phishing
Smishing uses the same principle as email phishing from your (supposed) bank, governmental services provider, parcel carrier, etc. The only difference is that smishing is done through text messages to your cellphone. Remember: do not click on links contained in messages; use your regular banking app on your phone (if you have one), or connect to your usual bank website. If you don’t remember your bank website, use a search engine.
Five (5) Warning Presages of Smishing [1]
Be very careful about the smishing attack warning presages below to help determine if you’re dealing with smishing spam texts on your mobile device:
- Suspicious phone numbers: Smishing messages often come from numbers that don’t follow the typical 10-digit layout or use a series of the same number.
- Links and files from unknown numbers: Phishing through text messages often includes deceptive website links with unusual URLs that take you to an unsafe website.
- Urgent requests: Scammers often employ urgency to frighten their victims. But genuine companies give ample notice about issues. Therefore, delete these messages or verify them with the supposed sender.
- Money requests: Messages urging online money transfers are likely scams aiming to drain your funds.
- Prize notifications: Receiving prize alerts for contests you didn’t enter is a red flag; steer clear of engaging or clicking any embedded links.
Important: report all Smishing messages to your mobile phone operator by forwarding the message to the following number – 7726.
[1] Olga Knezevic, Norton Security Software Blog, 20th February 2024. What is Smishing? How to Spot + Avoid an Attack? https://us.norton.com/blog/emerging-threats/smishing
Phishing, Vishing & Smishing Risks Mitigations via DNS Security Solution
To mitigate the risks of accessing malicious links from phishing, vishing and smishing, one technical solution is to run a Domain Name System (DNS) security solution, and/or to use a DNS services provider that incorporates such feature in their offering.
How Does DNS Work?
DNS security pinpoints the staging areas for rogue domains. To stop both infiltration and exfiltration attempts, secure DNS servers reject queries arriving from these staging sites over any port or protocol. If compromised devices connect to your network, DNS-layer protection stops any malware they may try to send. It also prevents callbacks from your DNS server to the attackers who may be trying to hijack it [1].
The simplest solution of all is to use a secure DNS provider instead of your regular Internet Service Provider (ISP). In addition to gaining a bit more privacy in your requests, compared to your ISP, those providers usually incorporate additional options to filter DNS requests against some criteria. The available options depend on the provider; they generally include family-safe content, filtering of known malware-hosting domains, etc. CIRA, the Canadian name registry, offers this DNS service free of charge for personal use and for a minimal fee for SMEs across Canada. This DNS service is called the CIRA Canadian Shield [2].
A more advanced solution is to use a DNS security agent on your endpoint. Several providers exist on the market. The benefit of such advanced solution is that you can tailor the configuration based on your needs and context. Organizations with low requirements or business constraints can allow a wide range of target domain types to be reached. Organizations with elevated requirements (or even regulatory requirements, such as banks and financial institutions), will opt for a more thorough filtering strategy, such as blocking social media, VPN providers, gambling and NSFW-type domains, etc.
[1] FORTINET Cyber Glossary. https://www.fortinet.com/resources/cyberglossary/dns-security#:~:text=
[2] CIRA CANADIAN SHIELD. Free public DNS for Canadians. https://www.cira.ca/en/canadian-shield/
Phishing and Smishing Risks Mitigations via Endpoint Detection and Response (EDR)
Endpoint Detection and Response (EDR) solutions play a crucial role in protecting users from phishing and smishing messages. EDR continuously monitors endpoints (devices like mobile phone, desktops, laptops, etc.) and logs behaviors around the clock. It analyzes data for suspicious activity related to email interactions.
For instance, if a user opens a malicious attachment or clicks on a link in a suspicious email, EDR detects such a behavior. Additionally, EDR hunts for unknown threats that bypass traditional defenses by identifying indicators of compromise (IOC) – patterns suggesting malicious activities. Even if a phishing email does not contain malware, EDR can still detect it based on these IOCs. When EDR identifies a threat, it generates alerts for security teams, prioritizing threats and providing context for breach investigations. In some cases, EDR can automatically limit or remediate threats before they spread. Remember that EDR complements traditional antivirus and antimalware solutions, enhancing protection against evolving threats.
For more information: you can refer to the December 2024 Newsletter on The Evolution of Cybersecurity: From Antivirus to EDR Solutions.
Why is Endpoint Detection and Response (EDR) Extensively Used by Organizations?
First recognized by Gartner in 2013, Endpoint Detection and Response (EDR) enjoys nowadays an extensive enterprise adoption and usage. And this is for good reasons.
Studies estimate that as many as 90% of successful cyberattacks and 70% of successful data breaches originate at endpoint devices. While antivirus, anti-malware, firewalls, and other traditional endpoint security solutions have evolved over time, they are still limited to detecting known, file-based, or signature-based endpoint threats. They are much less effective, for example, at stopping social engineering attacks, such as phishing messages that lure victims into divulging sensitive data or visiting fake websites containing malicious code. Phishing is the most common delivery method for ransomware. Traditional endpoint security solutions are powerless against a growing number of fileless cyberattacks that operate exclusively in computer memory to avoid file or signature scanning altogether.
Most important, traditional endpoint security tools cannot detect or neutralize advanced threats that sneak past them. This allows those threats to lurk and roam the network for months, gathering data and identifying vulnerabilities in preparation for launching a ransomware attack, zero-day exploit or other large-scale cyberattack.
EDR picks up where these traditional endpoint security solutions leave off. Its threat detection analytics and automated response capabilities can – often without human intervention – identify and contain potential threats that penetrate the network perimeter before they can do serious damage. EDR also provides tools that security teams can use to discover, investigate, and prevent suspected and emerging threats on their own.
To dig deeper into EDR, please see the paper written by IBM [1].
[1] IBM. Think 2024: Tech News, Education and Events. https://www.ibm.com/topics/ed
Conclusion
Let us recapitulate what we have learnt through this Newsletter by highlighting the following good practices. While they are categorized, most of the subsequent recommendations are beneficial for all types of attacks:
Phishing:
- Think about how you operate as a SME
- Check for the obvious signals of phishing outbreaks
- Configure accounts to reduce the impact of successful phishing attacks
- Report all phishing occurrences
- Check your digital footprint
Vishing:
- Avoid responding to unknown callers.
- Do not pick up the phone if you see a suspicious number.
- Never reveal your personal information.
- Trusted organizations do not accept payment via prepaid or gift cards.
- Never give remote computer access.
- Restrict your VPN connections.
- Regularly examine your access logs.
Smishing:
- Enable multi-factor authentication (MFA) for all your online accounts.
- Be cautious about unsolicited messages and do not respond to unknown or unwarranted text messages.
- Do not share sensitive information and personal data via text messages.
- Install security software and consider using an anti-malware app in your smartphone.
- Avoid clicking on suspicious links or files.
- Inspect new incoming phone numbers.
- Contact banks/retailers directly to circumvent impersonation. Scammers often impersonate banks/businesses.
- Educate, sensitize and train yourself and your employees about smishing.
Resources, Guides and Handbooks
Google Workspace. Neil Kumaran, Group Product Manager – Gmail Security & Trust. Spam Does Not Bring Us Joy – Ridding Gmail of 100 Million More Spam Messages with TensorFlow, 6th February 2019. https://workspace.google.com/blog/product-announcements/ridding-gmail-of-100-million-more-spam-messages-with-tensorflow
Microsoft Tech Support. Protect Yourself from Phishing. https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44
Canadian Centre for Cyber Security. Cyber Security Guidance, August 2022. Don’t Take the Bait: Recognize and Avoid Phishing Attacks – ITSAP.00.101 https://www.cyber.gc.ca/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks
Bill Toulas, Bleeping Computer Information Security and Technology News Publication, 27th April 2024. https://www.bleepingcomputer.com/news/security/japanese-police-create-fake-support-scam-payment-cards-to-warn-victims/
YouTube Channels by @ScammerPayback. https://www.youtube.com/@ScammerPayback
Emma McGowen, Norton Security Software Blog, 20th February 2024. What is Vishing? Tips to Spot and Avoid Voice Phishing Scams. https://us.norton.com/blog/online-scams/vishing
Olga Knezevic, Norton Security Software Blog, 20th February 2024. What is Smishing? How to Spot + Avoid an Attack? https://us.norton.com/blog/emerging-threats/smishing
FORTINET Cyber Glossary. https://www.fortinet.com/resources/cyberglossary/dns-security#:~:text=
CIRA CANADIAN SHIELD. Free public DNS for Canadians. https://www.cira.ca/en/canadian-shield/
IBM. Think 2024: Tech News, Education and Events. https://www.ibm.com/topics/edr
K. Jansson & R. von Solms, 9th November 2013, Taylor & Francis Online Publishing. “Phishing for Phishing Awareness”, Behavior and Information Technology (BIT), Volume 32 (Issue 6): pp. 584-593. https://www.tandfonline.com/doi/abs/10.1080/0144929X.2011.632650
Ramzan Zulfikar (2010), “Phishing Attacks and Countermeasures”, in Mark Stamp & Peter Stavroulakis (Editors). Handbook of Information and Communication Security, pp. 433-447, Springer Publishing, New York, USA. https://www.amazon.ca/Handbook-Information-Communication-Security-Stavroulakis/dp/3642444598/ref=
Slade E. Griffin & Casey C. Rackley, 18th September 2008, Association for Computing Digital Library. “Vishing”, Proceedings of the 5th Annual Conference on Information Security Curriculum Development, pp. 23-35. https://dl.acm.org/doi/10.1145/1456625.1456635
Kevin F. Steinmetz & Thomas J. Holt, 5th April 2023, Sage Journals, “Falling for Social Engineering: A Qualitative Analysis of Social Engineering Policy Recommendations”, Social Science Computer Review, Volume 41 (Issue 2): pp. 592-607. https://journals.sagepub.com/doi/epub/10.1177/08944393221117501
Contributions
Special thanks for the financial support of the National Research Council of Canada (NRC) Industrial Research Assistance Program (IRAP).
Executive Editor: Alan Bernardi
Reviser, Proofreader & Translator: Ravi Jay Gunnoo