The creation of the Internet is one of the biggest achievements in human history. Unfortunately, over time the Internet has gone from being the new neighborhood where everybody wanted to live to being a dangerous one. Now you have to be careful not to fall for the traps laid by criminals.
Currently, the Internet’s crime statistics can be really scary. Businesses, non-profit organizations, governments, and regular users, everybody is a potential target. The menu of criminal tactics is wide and growing.
What is a phishing attack?
Phishing is fraud carried out over digital communication channels. Its purpose is to obtain sensitive information (credit card details, usernames, passwords, etc.) from victims by impersonating trusted entities.
Criminals can cause severe damage to companies and users once they get hold of sensitive information. Finances, intellectual property, the trust of partners and customers, and reputation can all suffer.
The word “phish” comes from fish. In the 90s, using “ph” instead of “f” was a trend among hackers. The crime got this name because it is about luring fish (users) with bait. Throughout the article you will see how accurate the name is.
How does phishing work?
This attack mainly uses e-mails and fraudulent websites to make people:
- Install malware through which criminals can access and control their systems.
- Directly reveal their sensitive details on fake websites.
Attackers impersonate well-known, trusted entities (banks, government agencies, health care offices, etc.) to establish digital communication (e-mail, text, or instant messages) with users. In such messages, they include infected files, malicious links, or images for users to click on.
Sometimes just clicking on them automatically downloads malware. The malicious effects may or may not be immediately visible. Malware can be discreet so that it stays inside systems longer and does deeper damage. If it is ransomware, the device will be disabled until the ransom gets paid.
In other cases, these links redirect users to fake websites where they are pushed to type in login credentials, bank card details, etc. This way the criminals keep the personal details for further fraudulent purposes (identity theft, theft of money or intellectual property, unauthorized access or purchases, etc.).
The tricky part is that such messages and websites are professionally forged. It can be really hard to tell whether they are legitimate or not. And they play on topics that really matter to people. If they say something is wrong with your savings, in the initial distress you may not immediately check the legitimacy of the site or link. If they offer an interesting software trial or recommend that you change your e-mail password due to strange activity, again you can fall for it while doing what seems correct.
Types of phishing attacks
Let’s take a look at some of the most common ways criminals try to “phish” victims.
Basic e-mail phishing
This is the most basic type. Criminals register a fake domain to impersonate a respectable organization. Usually, there are slight differences in the name, like a single different letter. The attempt bets on people reading fast rather than checking the full sender address: firstname.lastname@example.org
Once the domain is registered, they go phishing, meaning they send thousands or millions of generic messages with malicious links attached.
Spear phishing
The criminals collect personal and work data (name, job title, current employer, e-mail address, marital status…) to create personalized e-mails for victims. Unfortunately, there are legitimate sources for that information. Criminals get it directly from corporate websites, social networks, etc. The more information people disclose publicly, the easier it is for criminals to approach their victims. These attacks evade spam filters more effectively than generic messages.
Whaling
This type of phishing is similar to spear phishing but is a more sophisticated version, since it targets high-level executives of big organizations. Personalized messages require a different approach (tone), more convincing data, and better bait. Moby Dick is not an easy catch!
Clone phishing
Previous legitimate e-mails of a victim are modified by criminals. The conversations, topics, or files are the bait, since they are familiar to the target. But criminals replace the original attachments with malicious ones, and the links in the original are replaced with links to fake websites.
Vishing
The word is a combination of voice and phishing. Criminals get confidential information from victims through e-mail, fake websites, etc., but they get stuck while trying to take the victim’s money because they need an SMS password or code to validate the transaction. That is why they call you: they want to get the missing data from you directly.
Smishing
The name comes from the combination of SMS and phishing. Criminals send text messages imitating the writing style and design of common messages sent by reliable entities (online retailers, banks, health care offices, etc.). Malicious links and images can also be sent, since messaging applications on smartphones are now so widely used. Again, users are directed to fraudulent websites where they are pushed to enter confidential data.
Social media phishing
Social networks are big sources of personal data. They are also places where people chat with strangers, a great arena for criminals to persuade people to disclose their sensitive data. Through normal posts, lots of malicious URLs are shared for people to click on, which could result in downloading malware.
How to identify phishing e-mails?
Phishers forge their messages and websites very professionally in order to deceive people. The disguise is really convincing. However, there are details that can reveal they are fake. Spotting them is critical to preventing fraud.
Public domain e-mails
Check the complete sender’s e-mail address before opening a message. Reliable entities always send messages from their own domain, using the organization’s official accounts, and not through a public service like email@example.com, firstname.lastname@example.org, etc.
Display the complete address. Don’t ignore the information coming after the @ symbol. If the organization’s domain is not familiar to you, do a quick online search to verify the message’s legitimacy.
Misspelled domains
Criminals can buy domains with names very close to those of the entities they are trying to impersonate. But nobody can buy a domain that is already owned, so they change a single letter. Instead of @media, they use @rnedia. Read in a hurry, it can look genuine.
Poor grammar and spelling
Attacks can come from anywhere in the world. But attackers will use a popular language to have higher chances of success. Read the content carefully so you can identify grammatical mistakes or a poor level of expression that a bank or a government office wouldn’t use.
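The lookalike-domain and “what comes after the @” checks described above, as an added example that is not part of the original article. It assumes a constructed allowlist of trusted domains and a short table of confusable character sequences (the rn/m swap from the @rnedia example among them); in practice the allowlist would come from policy and flagged messages would go to a reviewer, since a display name can legitimately mention a brand.

```python
import re

# Constructed allowlist for this example (assumption: a real deployment
# loads the organisation's trusted sender domains from policy).
TRUSTED_DOMAINS = {"media.com", "example-bank.com"}

# Character sequences that look alike at a glance, mapped to their
# canonical form, e.g. "rnedia.com" -> "media.com" as in the article.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def sender_domain(from_header):
    """Return the lower-cased domain after the @ in a From: header value,
    or None when the header carries no address."""
    match = re.search(r"<([^>]+)>", from_header)
    addr = match.group(1) if match else from_header.strip()
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def skeleton(domain):
    """Normalise confusable sequences so lookalikes collapse onto the
    domain they imitate."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def classify_sender(from_header):
    """Classify a From: header as trusted, lookalike, display-name spoof
    or unknown. Anything but 'trusted' deserves a second look."""
    domain = sender_domain(from_header)
    if domain is None:
        return "unknown"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Same skeleton as a trusted domain but not that domain: @rnedia vs @media.
    if skeleton(domain) in {skeleton(t) for t in TRUSTED_DOMAINS}:
        return "lookalike"
    # Display name drops a trusted brand while the real address is elsewhere.
    display = from_header.split("<", 1)[0].lower()
    if any(t.split(".")[0] in display for t in TRUSTED_DOMAINS):
        return "display-name spoof"
    return "unknown"
```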
Suspicious files or links
Don’t open unexpected files or links. First, be sure they are genuine. Contact the sender via phone or chat. Remember, files could download malware to your system and links could direct you to dangerous destinations.
Read links thoroughly so you can see whether they match the context of the conversation. If the message claims to come from a tax office and the link contains nothing about taxes or the government, don’t trust it.
If your security software warns you about the content of a message, even if it comes from a genuine sender, verify the attachments before opening them.
Sense of urgency
Phishers often rely on urgency. They know that under pressure people make mistakes more easily. Have second and third thoughts if a message urges you to do something like clicking on a link. Unexpected prizes, vouchers, coupons, great discounts, strange activity in your bank account, etc. are all red flags you should note.
How to prevent phishing attacks?
- Strengthen your e-mail security. SPF, DKIM, DMARC, and MTA-STS help you detect spoofed messages.
- Anti-spam filters. Filtering is a good practice to eliminate different threats.
- Anti-virus software. Downloading malware can happen to any member of your organization. Scan PCs regularly to be safe.
- Use two-factor authentication (2FA). Adding another verification layer to your organization’s systems and applications is very helpful. Currently, there are many multi-factor authentication methods for you to consider.
- Control the devices employees use. Every member of your organization should access your systems only through verified, updated, and patched devices. Allowing access from many devices per employee makes this harder. Smartphones must also be protected with security software.
- Block dangerous websites. IT people know how to identify risky websites, possible malware sources, etc.
- Keep critical information private. Some phishers target high-level executives. Not all details about employees, positions, and contacts should be public.
- Secure practices. Train your employees. They should understand the scope and consequences of the threats. Provide them with secure practices to prevent phishing and other illegal activities. Password policies, identifying forged e-mails and dangerous links, and what information should be public or private are some topics you should consider for their training.
- Check messages in detail and when you have enough time. Opening and reading messages in a hurry or on the way to a meeting won’t allow you to check the details that can save you and your organization from phishing. The less careful people are, the more successful the attacks can be.
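The SPF/DKIM/DMARC point from the list above, as an added example that is not part of the original article: it parses the Authentication-Results header a receiving mail server stamps on a message, turns the three verdicts into a handling decision, and checks whether a domain’s own DMARC record actually asks receivers to enforce. The sample headers and records are constructed for this example, and the decision rules are an assumption about local policy, not a standard.

```python
import re

# Constructed sample headers (not from real mail). The first is a genuine
# sender passing all three checks; the second spoofs media.com in From:
# and fails everything; the third comes from a domain with no DMARC policy.
SAMPLE_HEADERS = [
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=media.com; "
    "dkim=pass header.d=media.com; dmarc=pass header.from=media.com",
    "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=rnedia.com; "
    "dkim=none; dmarc=fail (p=reject) header.from=media.com",
    "Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=partner.net; "
    "dkim=pass header.d=partner.net; dmarc=none header.from=partner.net",
]


def parse_auth_results(header):
    """Return the spf, dkim and dmarc verdicts found in an
    Authentication-Results header ('none' when a method is absent)."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{method}=(\w+)", header)
        results[method] = match.group(1).lower() if match else "none"
    return results


def verdict(header):
    """Assumed local policy: trust DMARC first; without a DMARC result
    fall back to SPF or DKIM, but flag the message for the reader."""
    r = parse_auth_results(header)
    if r["dmarc"] == "pass":
        return "deliver"
    if r["dmarc"] == "fail":
        return "quarantine"  # From: domain's owner says this is not theirs
    if r["spf"] == "pass" or r["dkim"] == "pass":
        return "deliver-flagged"
    return "quarantine"


def dmarc_policy_is_enforcing(txt_record):
    """True when a DMARC TXT record asks receivers to quarantine or reject
    failures. 'p=none' only monitors, so spoofed mail still gets delivered."""
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    return tags.get("v") == "DMARC1" and tags.get("p") in ("quarantine", "reject")
```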
Phishing attacks are really harmful. The best way to handle them is to be aware of them and take preventive measures in advance. Security against phishing and all its variants involves the use of efficient technology, combined with proper training.