How do you prevent phishing attacks when phishing attacks are at an all-time high?
Phishing attacks make up a large portion of what we think of as “hacking” or “cybercrime.” According to the RSA Fraud and Risk Intelligence team, phishing attacks saw a tremendous rise in use during 2018. They accounted for almost half of all fraud in the last quarter of 2018, with Canada and the United States being the most targeted nations.
Phishing has also begun to spread through fraudulent apps and mobile browsers. To date, RSA has identified over 9,000 such dangerous apps, and the real number is believed to be much higher. Another developing trend is voice phishing, or “vishing,” where automated voice systems are used by malicious hackers to try to acquire sensitive information over the phone. Though at present vishing accounts for only 1% of all phishing attacks, fraudsters are beginning to use false telephone numbers and information posted on reputable websites to call their victims and get them to disclose data.
While these attacks target everyone, businesses and entities in the finance and healthcare industries need to pay especially close attention. Personal, medical, and financial information is in high demand on the black market. An estimated 5.5 million-plus credit cards are believed to have been compromised already, while electronic medical records can be worth as much as $1,000 to hackers.
The purpose of this article is to help you and your business prevent, detect, and protect yourself against phishing attacks. We will provide you with a comprehensive guide detailing the characteristics of phishing, how these attacks work, and the means to identify and guard yourself against them.
What Are Phishing Attacks?
Contrary to many people’s belief, the criminal act of hacking doesn’t always involve fancy or complicated software (viruses) to get into company systems or individuals’ computers. Granted, malware does play a part, even in phishing, but the primary means of attack exploits a different kind of vulnerability: the end user.
Phishing attacks are nothing more than fraudulent attempts by cybercriminals to obtain personal or sensitive information (usernames, passwords, email contacts, SSNs, medical, financial, and customer data, etc.). They do this by posing as a trustworthy figure or entity and communicating with their victims predominantly over email or instant messaging. Once trust is established, the victims are redirected to a fake but legitimate-looking website where they are asked to enter their personal information.
Phishing makes use of something called “social engineering.” In the context of IT security, social engineering is the psychological manipulation of internet users into performing specific actions against their best interest, or into divulging information such as usernames and passwords.
In most cases, this is only the first step of a larger fraud scheme, whose goal is either to gain access to more people or to infiltrate a company’s systems using the employee’s (victim’s) credentials.
The truly frustrating part about phishing attacks is that, among all other types of cybercrime, they are the easiest to protect against. Despite this, they remain among the most prevalent and successful, wreaking havoc across the digital space.
Phishing attacks come in different shapes and sizes. Nevertheless, most share specific characteristics that will help us identify a potential phishing attack. In broad terms, most types of phishing attacks can be broken down into two main categories based on what they try to get the victim to do.
- Handing over sensitive information – These types of emails and messages try to trick people into thinking that they’re talking to a trustworthy source such as a bank, a service provider, an online store, a governmental entity, a social media platform, etc. The purpose is to convince the victim to divulge sensitive data, most commonly usernames and passwords. Usually, these emails look quite authentic, with a legitimate content format, logos, and everything. The message is tailored to convince people to provide their username and password. They will usually be asked to click on a link, which redirects them to a malicious web page where they submit this data, allowing the hacker to access their accounts.
- Downloading malware – These types of phishing emails aim to get victims to infect their computers with malware. As in the examples above, these emails are presented as originating from a trustworthy source and direct victims to download an infected document, .zip file, etc. These malicious emails, however, can also take on other forms. If a friend’s or coworker’s email account was compromised, hackers could send you downloadable malware from that account. Similarly, HR staff could receive emails from supposed candidates with a “resume” containing the malicious embedded code. The possibilities are almost endless.
Different Types of Phishing Attacks
Another way of classifying phishing attacks is by their targeting method. While some attacks use no specific targeting and are sent to thousands of inboxes, others are tailored towards specific people. Below are some examples of phishing attacks:
- Bulk Phishing – The most common type is bulk phishing. These are the most easily recognizable: they contain mistakes and inconsistencies and are generally roughly made. They’re sent to hundreds of thousands of inboxes in the hope that some recipients will fall prey to the scam.
- Spear Phishing – Spear phishing, on the other hand, is more targeted. It uses personal information (name, position, company, phone number, and whatever other data the attackers have on you) to convince you to do what they ask.
- Whale Phishing – Also known as “whaling,” this type of attack is similar to spear phishing but aimed at the big fish: CEOs, board members, or others in key management positions. Even though hackers need more time and energy to gather data and tailor the emails to perfection, the payoff can be well worth the effort.
- Clone Phishing – This attack targets specific individuals or organizations by copying/cloning a previously sent, legitimate email so that it looks almost identical. It’s then sent to the target containing a malicious link or attachment. The email is also spoofed (forged sender address), making it seem like it came from the original sender. These are often made to look like a resend or update of the initial email.
- Pharming – Instead of baiting people, a pharming attack targets a DNS server, changing the IP address associated with a website you want to access. So, even if you enter the correct name of the site into your browser, you will still be redirected to a malicious version of that page.
- Tabnabbing – Similar to pharming, tabnabbing doesn’t target the victim directly. Instead, it loads a fake page in one of the user’s open tabs. If, for instance, you visited your banking account at some point but left that tab open, hackers could replace it with an identical-looking one, just waiting for you to re-enter your username and password sometime in the future. Both pharming and tabnabbing can be prevented by using a two-step verification (2SV) security system or by checking for “https://” at the beginning of the website address. Secure websites always start with “https://”.
Phishing Attack Red Flags
So, how can you tell if you are a target of phishing emails? Well, as we said, there are several telltale signs that most, but not all, have in common.
- Grammatical errors – Spelling or grammar mistakes, particularly in an email supposedly from a legitimate entity such as a bank, are a red flag. Such organizations use qualified copywriters and editors to ensure that these mistakes don’t appear.
- A sense of urgency – Phishing emails will often instill a sense of urgency in their messaging. They may say that there has been an unauthorized login attempt, or that your account has been suspended for some reason, among other such examples. They will then tell you to click a link and verify your security information. Keep in mind that no legitimate entity will EVER request you to do such a thing online.
- Vague Identities – Emails that address you as “Dear Customer,” or something similar, or that don’t provide a signature at the bottom of the email, are also red flags of a potential phishing attack.
- Odd Requests – Targeted phishing attacks will contain more detail about you. Even so, these emails will usually ask you for something you are not normally asked for.
- Stories too good to be true – Emails claiming you have won a prize and requesting your personal and financial information to claim it are a more obvious example of a scam.
How to Keep Yourself Safe From Phishing Attacks?
There are several things you can do to keep yourself, your company, and your sensitive data safe from phishing scams.
- Never Give Out Personal Information – As a general rule of thumb, you should never give out personal, financial, or security information over the internet. Trusted entities and organizations will never ask you to do this, anyway.
- Don’t Click on Suspicious Links – Instead of clicking directly on a link in an email, hover your mouse cursor over it. Links to malicious web pages will usually point to a strange-looking address. Also, make a habit of checking the address (URL) of a website, even if it looks legitimate. Secure sites always start with “https://”.
- Avoid Pop-ups – Hackers like using pop-ups as legitimate-looking components of a site. Most browsers will allow you to block these pop-ups, but if some manage to slip through, it’s best not to click on the “cancel” button but on the “x” in the upper corner of the window.
- When in Doubt, Contact Directly – If the email seems suspicious and the purported sender is someone you know (friends, colleagues, etc.), contact them directly to see if they sent that email. Use your phone or another channel, not email. If they didn’t send it, forward a copy of the email to the IT team so they can assess the situation. If the suspicious email is from an entity (bank, school, government, service provider, etc.), look up their contact information on their official website, call them, and ask about the email.
- Don’t Use the Same Password Everywhere – Hackers are well aware that most people use the same password on different accounts. If they manage to get their hands on it, they may have access everywhere, including your company’s systems. Use a password manager tool to help you keep track of different passwords.
- Don’t Post Personal Information Online – Posting too much personal information about yourself on social media (birthdate, education, past employment, relationship status, etc.) can be used against you in more targeted phishing attacks. Try limiting this information as much as possible.
- Use Firewalls and Antivirus Software – Firewalls and antivirus software will keep your computer and systems safer from outside intruders. Firewalls prevent threats from getting in, while antivirus detects and removes them if they do.
- Keep Everything Up-to-Date – Though many of us look at system updates and patches as an inconvenience we could do without, they are instrumental in keeping our systems in line with the latest developments in the world of cybercrime. Update everything, from firewalls and antivirus software to the operating system and browser, whenever new patches are available.
- Use Office 365 – Microsoft has gained a reputation for being well suited to dealing with various cyber threats. It’s advisable that you use Microsoft Office 365 as a tool for your business to keep your data safe. It comes with numerous security features designed specifically for this purpose. You can set up the Office 365 spam filter, which can identify and block specific senders and report junk email and phishing attacks. With the Advanced Threat Protection option, you can make sure that dangerous emails never make it into your inbox. Similarly, the multi-factor authentication module will make it harder for attackers to access your account.
- End-User Awareness Training – Probably the best defense against phishing attacks is knowledge. You can train yourself and your staff on these issues, trends, and best practices so that you don’t leave yourself or your organization exposed to ransomware or data theft.
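The red flags listed earlier (generic greetings, urgency language) and the link-hover advice above (does the address a link points to match what it shows, and is it https?) can be turned into automated checks that a mail filter or a help-desk triage script could run. The Python script below is an added example written for this article, not code from the article's author or from any product it mentions. It assumes a constructed phrase list, a constructed pair of sample messages (the `examplebank.com` and `verify-login.example` domains are made up), and a two-label approximation of the “registrable domain” rather than a real public-suffix-list lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phrase lists matching the article's red flags: urgency and vague identities.
URGENCY_PHRASES = (
    "unauthorized login",
    "account has been suspended",
    "verify your",
    "within 24 hours",
    "immediately",
)
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear member")

# Something that looks like a hostname or URL inside the visible text of a link.
_HOSTLIKE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two DNS labels, e.g. 'login.examplebank.com' -> 'examplebank.com'.
    Assumption: a two-label approximation, not a public-suffix-list lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_email(sender_domain, body_html):
    """Return the red flags found in one message.
    sender_domain is the domain of the claimed From: address."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", body_html).lower()

    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting (no personalised salutation)")
    urgency = [p for p in URGENCY_PHRASES if p in text]
    if urgency:
        findings.append("urgency language: " + ", ".join(urgency))

    parser = _LinkExtractor()
    parser.feed(body_html)
    for href, visible in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme == "http":
            findings.append(f"link is not https: {href}")
        if host and registrable(host) != registrable(sender_domain):
            findings.append(f"link host {host} does not belong to sender domain {sender_domain}")
        shown = _HOSTLIKE.search(visible)  # the "hover over it" check, automated
        if shown and host and registrable(shown.group(1)) != registrable(host):
            findings.append(f"link text shows {shown.group(1)} but points to {host}")

    return {"findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages (not real mail).
PHISHING_BODY = """<p>Dear Customer,</p>
<p>We detected an unauthorized login attempt. Your account has been suspended.
Please verify your identity within 24 hours:</p>
<p><a href="http://examplebank-com.verify-login.example/secure">https://www.examplebank.com/secure</a></p>"""

CLEAN_BODY = """<p>Dear Jane Doe,</p><p>Your March statement is ready.</p>
<p><a href="https://www.examplebank.com/statements">View your statement</a></p>
<p>Regards, Example Bank Customer Service</p>"""

if __name__ == "__main__":
    for label, body in (("phishing sample", PHISHING_BODY), ("clean sample", CLEAN_BODY)):
        result = analyze_email("examplebank.com", body)
        print(f"{label}: suspicious={result['suspicious']}")
        for f in result["findings"]:
            print("  -", f)
```

The phishing sample trips five checks (generic greeting, urgency phrases, a plain-http link, a link host outside the sender's domain, and link text that shows one address while pointing to another), while the clean sample trips none. The threshold of two findings is deliberately low: a single hit (a marketing mail saying “act immediately”) is common in legitimate mail, but two or more usually warrant a human look before anyone clicks.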
Phishing attacks are the most manageable cyber threat to protect against. It is more of a matter of recognizing the danger and not acting on what the cybercriminal wants you to do. Humans are the first and last line of defense when it comes to phishing attacks so being educated is the best first step in prevention.
There are many ways to keep your business safe from online threats. Use these tips to stay safe online and protect yourself from phishing attacks.