Gone phishing: Look for red flags to avoid scams

Published Dec. 11, 2013
By Don Branum
Academy Spirit staff writer

U.S. AIR FORCE ACADEMY, Colo. -- If you're looking to hook someone with a phishing scam, you have to be nefarious, one of a dozen cadets in the U.S. Air Force Academy's cyber operations course explained not too long ago. But if you're looking to avoid becoming a victim, all you have to do is keep an eye out for things that don't look right.

Cadets in the cyberwarfare fundamentals course, aka Computer Science 438, study both offensive and defensive techniques. Much of the course emphasizes theory, but cadets also get to practice application in a controlled environment, said Maj. Michael Chiaramonte, who directs the course.

"We had a section of the course devoted to social engineering this year, and the cadets had a spear phishing lab," Chiaramonte said. "It was a good, eye-opening exercise."

In a spear phishing attack, a perpetrator researches his target and crafts a message that's likely to get the recipient to click a link to a website. That site, in turn, may carry a virus designed to infect the target's computer system, exposing the user to additional vulnerabilities. Often the originator's email address is forged; in spear phishing attacks, the sender's email address may be forged to resemble someone the victim knows.

"The premise was using information available to anyone to fool someone into trusting you," said Cadet 1st Class Jared Peterson, a computer science major in Cadet Squadron 12. "We searched the 'Net for any and all information -- anything that could be useful. Once we had that, we worked on crafting an email to hopefully fool the target. We might pose as a high school coach or a company they'd be familiar with from back home."

The cadets' emails had no malicious payloads; just a "gotcha" letting the cadet who crafted the email know that he or she had succeeded.

"You had to be very nefarious," Peterson said. "You had to look at everything that could possibly make them trust that email, find anyone on their contact list who would be more trustworthy. Who do I need to become?"

Fortunately, Airmen can defend against spear phishing attacks by double checking anything that seems out of the ordinary, Peterson said.

"The email may not 'sound' genuine," he said. "Find a way to contact the person and ask, is this email genuine?"

And while a digital signature on an email isn't a 100-percent guarantee of authenticity, a non-digitally signed email coming from a military email address is a potential red flag.

"While extremely preventable, a well-crafted spear phishing email can fool even the best of us," he said. "It's important to be vigilant even with something that may be digitally signed. It's all about finding discrepancies, anything that doesn't seem quite normal."
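The two red flags described above (an unsigned message arriving from a military address, and a sender forged to resemble someone the recipient knows) can be turned into a simple check that a mail client or gateway could run over incoming messages. The following is an added example, not code from the article or from the Academy's course. The contact list, the sample messages and the use of the `.mil` domain suffix as the "military address" test are constructed assumptions, and the signature check only looks for the presence of an S/MIME signature structure, not its validity, which is why a signed message still deserves the scrutiny Peterson recommends.

```python
"""Mailbox red-flag checker built on the two heuristics quoted in the article:
  1. A message from a military (.mil) address that carries no digital signature.
  2. A display name matching someone on the recipient's contact list, but with a
     different underlying address (a sender forged to resemble someone the victim knows).
The contact list and the sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed contact list: display name -> the address the recipient actually knows.
KNOWN_CONTACTS = {
    "John Smith": "john.smith@example.mil",
    "Coach Dan Miller": "dmiller@highschool.example",
}


def is_digitally_signed(msg):
    """True if the message is an S/MIME multipart/signed container.

    This only detects that a signature structure is present; it does not verify
    the signature, so a 'signed' message is still not a guarantee of authenticity.
    """
    return msg.get_content_type() == "multipart/signed"


def red_flags(raw_message, contacts=KNOWN_CONTACTS):
    """Return a list of human-readable red flags found in one RFC 822 message."""
    msg = message_from_string(raw_message, policy=default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []

    # Red flag 1: military sender address, but no digital signature attached.
    if domain.endswith(".mil") and not is_digitally_signed(msg):
        flags.append("unsigned message from a military (.mil) address: " + addr)

    # Red flag 2: familiar display name, unfamiliar address.
    known_addr = contacts.get(name)
    if known_addr and known_addr.lower() != addr.lower():
        flags.append(
            f"display name {name!r} matches a contact, but {addr} is not their known address {known_addr}"
        )
    return flags


# Constructed sample messages.
UNSIGNED_MIL = """\
From: John Smith <john.smith@example.mil>
To: cadet@example.mil
Subject: Updated roster
Content-Type: text/plain

Please review the roster at the link below.
"""

SIGNED_MIL = """\
From: John Smith <john.smith@example.mil>
To: cadet@example.mil
Subject: Updated roster
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig"

--sig
Content-Type: text/plain

Please review the roster.
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIIBAAAA
--sig--
"""

LOOKALIKE_COACH = """\
From: Coach Dan Miller <dmiller@highschool-example.com>
To: cadet@example.mil
Subject: Great to hear from you
Content-Type: text/plain

Click here to see the team photos from this season.
"""

if __name__ == "__main__":
    samples = [("unsigned .mil", UNSIGNED_MIL), ("signed .mil", SIGNED_MIL), ("look-alike coach", LOOKALIKE_COACH)]
    for label, sample in samples:
        print(label, "->", red_flags(sample) or ["no red flags"])
```

Running the block flags the unsigned military message and the look-alike "coach" address, and passes the signed message, which is exactly the point at which a human still has to do the verification step Peterson describes: find another way to contact the apparent sender and ask whether the email is genuine.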