Phishing attacks and their purpose
Phishing is a form of online social engineering in which the attacker sends a seemingly legitimate message designed to trick the recipient into revealing sensitive data or taking a harmful action. It is a way to gather information from someone under the guise of someone or something else.
Most phishing attacks try to get you to disclose things like your name, live location, login credentials, physical address, phone number, banking details, photos, and employment data. Another purpose is to get malware onto your computer, giving the attacker access to your files or a foothold for deploying ransomware.
Over the last few years, phishing has been the most common online attack performed by cybercriminals. The term ‘phishing’ dates from the mid-1990s: it is a leetspeak spelling of fishing, with the ‘ph’ borrowed from the older hacker term ‘phreaking’. The idea was that Internet scammers of the day used emails to lure people into revealing sensitive data in the same way that bait is used to hook fish.
Examples of phishing attacks include email phishing (the most common), spear phishing, whaling, smishing, vishing, and page hijacking.
What dangers do phishing attacks demonstrate?
Regardless of the technique, the aim is to manipulate the victim into urgently clicking a link, opening an attachment, revealing confidential details, or taking any other action that gives the attacker access to your accounts or computer system.
To explain how the process works, here is an example:
With email phishing, the phisher masquerades as a trusted entity. This involves creating an email, sent to thousands of recipients at once, that uses the same typeface, logos, phrasing, and other visuals as the real company.
They can go the extra mile by creating a copycat website of the company they are mimicking. Here is one common trick: you receive an email from ‘PayPal’ advising that there is a problem with your account.
The message contains a link to ‘fix’ the problem. The link leads to the copycat login page, you type in your username and password, and the criminal now has your login credentials. If there is money in your account, they can transfer it to theirs.
Scams linked to payment processors are a gold mine for attackers because that is where you have most likely stored your card or bank account details.
Impacts of phishing attacks on individuals
Without knowing how to prevent phishing attacks, the effects can be devastating:
Financial loss
This is the biggest threat and concern in the impacts of phishing attacks on individuals and organizations.
Unauthorized access to your device
Even if the attack does not cost you money directly, it leaves your computer or phone exposed. Malware delivered by phishing can degrade your device and compromise your personal accounts.
It can also give the phishers access to your files, which they may encrypt and hold for ransom (which again costs you money).
Unwanted distribution of personal information
Think of someone creating a fake ID or passport in your name to carry out illegal activities in another country, or a scammer using your card details to buy expensive items. Without protection from phishing attacks, phishers can use your personal data however they like.
What percentage of phishing attacks arrive by email?
Most recent industry research suggests that at least 90% of phishing attacks arrive by email, an overwhelming share. You can of course be targeted through SMS or a social media account as well.
Email is so effective for a few reasons. Almost everyone has an email address, even people who use no other online service, and most of your interaction with brands happens through it. Coupled with the ease of internet and computer access, it is easy to see why email phishing is so prevalent.
How do spear phishing attacks differ from standard phishing attacks?
The main difference is that spear phishing targets a specific organization or a select number of individuals. A regular phishing attack works en masse: the phisher has no specific individual in mind but hopes that even a tiny percentage of recipients will be fooled.
With spear phishing, the perpetrator researches the target extensively to establish familiarity and increase the probability of success. They may impersonate a family member, business associate, or colleague.
Spear phishing often aims at people working in finance departments in order to reach a company’s accounts. ‘Whaling’ is a form of spear phishing aimed at senior executives.
The target may also be any influential person who holds trade secrets or who is authorized to approve a large money transfer.
How many businesses are targeted by spear-phishing attacks each day?
According to the Phishing Activity Trends Report published by APWG:
Over 1 million phishing attacks were recorded in Q1 of 2022, which averages out to more than 11,000 a day over the quarter,
Credential theft against enterprises increased by 7%,
The financial industry was the most targeted sector, with 23.6% of all attacks in Q1 of 2022 (a 35% increase over the previous quarter).
Is two factor authentication good at preventing phishing attacks?
Over the years, 2FA (two-factor authentication) has not always been effective protection against phishing. As with any crime, attackers update their tactics to keep up with improved security.
So 2FA is breakable in some cases. The common technique is a real-time relay, often called an adversary-in-the-middle attack: the phishing page asks you for your username and password, and the attacker immediately uses them to start a login on the real site.
The real site then asks for your 2FA code, the phishing page asks you for the same code, and you type in the one-time code or PIN from your device. The attacker forwards it to the legitimate site before it expires and is logged in as you. Codes sent by SMS, codes from authenticator apps, and push approvals can all be relayed this way, because none of them is tied to the site you are actually looking at.
Still, this does not mean 2FA is not worth implementing. It blocks any attacker who only has your password, and it is effective when combined with good security habits. The methods that resist phishing are those bound to the real site’s origin, such as FIDO2/WebAuthn security keys and passkeys: the browser includes the site’s origin in what the authenticator signs, so a response captured on a lookalike site is useless on the real one. You have to stop phishing attacks from the start and use the most secure authentication method available to you.
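The relay attack described above, as an added example that is not code from the original page. The legitimate site, the victim’s authenticator and the attacker are all in-process stand-ins: the TOTP code is the real RFC 6238 algorithm, while the origin-bound factor uses an HMAC over the challenge and origin as a simplified stand-in for the public-key signature a WebAuthn authenticator produces. The origins bank.example and bank-login.example are assumed names.

```python
"""Relay ("adversary-in-the-middle") phishing against two kinds of second factor.

Added example, not from the original article. Site, Authenticator and the
relay functions simulate the parties in-process; nothing touches the network.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct
import time

REAL_ORIGIN = "https://bank.example"         # assumed legitimate site
PHISH_ORIGIN = "https://bank-login.example"  # assumed lookalike phishing site
STEP = 30                                    # TOTP time step in seconds


def totp(secret: bytes, now: float, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the algorithm authenticator apps use."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Site:
    """Legitimate server offering password+TOTP and an origin-bound factor."""

    def __init__(self) -> None:
        self.password = "correct horse battery"     # assumed victim password
        self.totp_secret = secrets.token_bytes(20)  # shared with the phone app at enrollment
        # Stand-in for the public key of an enrolled WebAuthn credential.
        self.device_key = secrets.token_bytes(32)

    def login_totp(self, password: str, code: str, now: float) -> bool:
        """Accept the current code and one step either side (typical clock-drift window)."""
        if password != self.password:
            return False
        return any(hmac.compare_digest(code, totp(self.totp_secret, now + d * STEP))
                   for d in (-1, 0, 1))

    def challenge(self) -> str:
        return secrets.token_hex(16)

    def login_origin_bound(self, challenge: str, origin: str, signature: bytes) -> bool:
        """The server insists that the origin the authenticator signed is its own."""
        if origin != REAL_ORIGIN:
            return False
        expected = hmac.new(self.device_key, f"{challenge}|{origin}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)


class Authenticator:
    """The victim's phone app / security key. It sees only what the browser passes it."""

    def __init__(self, site: Site) -> None:
        self.site = site  # shares the enrollment secrets

    def totp_code(self, now: float) -> str:
        return totp(self.site.totp_secret, now)

    def sign(self, challenge: str, origin_seen_by_browser: str) -> bytes:
        # The browser, not the page, supplies the origin, so a phishing page
        # cannot ask the authenticator to sign for a site it is not on.
        return hmac.new(self.site.device_key, f"{challenge}|{origin_seen_by_browser}".encode(),
                        hashlib.sha256).digest()


def relay_totp(site: Site, auth: Authenticator, now: float | None = None) -> bool:
    """Victim types password and current code into the phish; attacker forwards both within seconds."""
    now = time.time() if now is None else now
    stolen_password = site.password          # typed into the phishing page
    stolen_code = auth.totp_code(now)        # typed into the phishing page
    return site.login_totp(stolen_password, stolen_code, now + 2)  # relayed 2 s later


def relay_origin_bound(site: Site, auth: Authenticator) -> bool:
    """Attacker fetches a real challenge, hands it to the victim's browser on the phish origin."""
    ch = site.challenge()
    sig = auth.sign(ch, PHISH_ORIGIN)        # browser is on the phishing site
    forwarded_as_is = site.login_origin_bound(ch, PHISH_ORIGIN, sig)   # rejected: wrong origin
    forwarded_rewritten = site.login_origin_bound(ch, REAL_ORIGIN, sig)  # rejected: signature covers the phish origin
    return forwarded_as_is or forwarded_rewritten


def legitimate_origin_bound(site: Site, auth: Authenticator) -> bool:
    """Control case: the victim logs in on the real site."""
    ch = site.challenge()
    return site.login_origin_bound(ch, REAL_ORIGIN, auth.sign(ch, REAL_ORIGIN))


if __name__ == "__main__":
    s, a = Site(), Authenticator(s)
    print("TOTP relay succeeds:", relay_totp(s, a))
    print("origin-bound relay succeeds:", relay_origin_bound(s, a))
    print("legitimate origin-bound login:", legitimate_origin_bound(s, a))
```

The point of the two relay functions is the difference in what the victim’s device commits to. A TOTP code depends only on a shared secret and the clock, so whoever holds it within the time window can use it. The origin-bound response depends on the challenge and on the origin the browser reports, so the attacker can neither forward it unchanged (the origin is wrong) nor relabel it (the signature no longer verifies).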
How to detect phishing attacks?
The latest phishing attacks are well crafted, making it hard to tell the legitimate from the hoax. Fortunately, the tips below will help keep you safe.
Know what phishing scams look like
Defending against phishing starts with recognizing the common attributes of these con tricks.
A phishing email or message often uses generic salutations (like ‘dear valued member,’ ‘dear customer’ or ‘dear account holder’) instead of your real name.
Grammatical errors have long been an easy tell-tale sign of a scam. The reverse does not hold: a flawlessly written message proves nothing, as well-resourced attackers take care with their wording.
Always look at the actual sender address, not just the display name, when receiving emails from a company. A phishing fraud usually alters the domain with a few extra characters, numbers, or lookalike letters. For instance, it could be “do_not_reply@paypal32.com” instead of “do-not-reply@paypal.com.” If in doubt, verify with the real company through a channel you already know, not through contact details in the message.
Similarly, a phisher may use a sender address that does not fit the purpose of the message. For example, a warning from Google about an account compromise coming from a “@news.google.com” address does not match the department that would send it.
Don’t fall for urgency and scare tactics.
A legitimate company will rarely send an email demanding that you act through a link right now. If a message asks you to log in, open the company’s site by typing its address or using a bookmark rather than clicking the link. No legitimate company will ask you to send sensitive information such as banking details or passwords by email.
Think before you click on that link
With the above tips in mind, never click on a link in a suspicious email or message. There are several ways to assess a link without clicking it. Hovering over it (or long-pressing on a phone) shows the real destination, which often differs from the text displayed. A browser plug-in or reputation service can also tell you whether a link leads to a known bad site.
As previously mentioned, scammers alter legitimate addresses with different numbers and special characters. Another rule is not to open unexpected attachments: treat an attachment you did not ask for as hostile, even when it appears to come from a company you deal with.
Don’t trust seemingly legit websites
To prevent phishing attacks, learn the signs of a fake site:
Checking for a TLS connection is one of the first steps. Here you look at whether the address begins with “http://” (unencrypted) or “https://” (encrypted). Most browsers warn you before you enter data on an unencrypted page.
A legitimate site will show a closed padlock next to its URL in the address bar, meaning the connection is encrypted and private. Anything else will typically show a warning sign or an open or crossed-out padlock. Be aware of the limit of this check: the padlock says nothing about who runs the site. Certificates are free and automated, so most phishing sites also use HTTPS and show a padlock. A missing padlock is a red flag; a present one is not a seal of approval.
Always check the URL for typos, missing letters, or grammatical errors. It can even be something like Google written as ‘g0ogle.com’ or ‘g00gle.com.’
Watch out for an old-school or poorly designed website.
With tools like WHOIS lookup, you can check the registered owner of a domain and their contact details. Many registrations are privacy-redacted, so the more useful field is usually the creation date: a domain registered a few days or weeks ago that claims to belong to a long-established company is a strong warning sign.
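The sender-address and URL checks described in the two sections above (the “paypal32.com” address and the “g0ogle.com” URL), as an added example that is not code from the original page. It normalizes the lookalike substitutions the article mentions (digits for letters, extra characters, a brand name used as a subdomain, a display name that claims a brand the address does not belong to) and classifies a From: header or a URL against a small allowlist. The TRUSTED allowlist, the homoglyph table and the example addresses are assumptions for this example; the two-label “registrable domain” rule is a simplification that a production checker would replace with the Public Suffix List.

```python
"""Lookalike-domain checks for email senders and URLs.

Added example, not from the original article. TRUSTED, HOMOGLYPHS and the
sample inputs are constructed for illustration.
"""
from __future__ import annotations

import re
from email.utils import parseaddr
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Brands the reader deals with, mapped to the registrable domains they
# legitimately use. Assumed allowlist for this example.
TRUSTED = {
    "paypal": {"paypal.com"},
    "google": {"google.com"},
}

# Substitutions commonly used in lookalike domains (assumed, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'news.google.com' -> 'google.com'.
    Simplification: real code should consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Collapse leetspeak so 'g00gle' and 'paypa1' compare equal to 'google' and 'paypal'."""
    s = label.lower().translate(HOMOGLYPHS)
    for pair, repl in MULTI_CHAR:
        s = s.replace(pair, repl)
    return re.sub(r"[^a-z]", "", s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-character typos such as 'goggle'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> Tuple[str, Optional[str]]:
    """Return ('trusted' | 'lookalike' | 'unknown', brand)."""
    reg = registrable_domain(host)
    for brand, domains in TRUSTED.items():
        if reg in domains:
            return "trusted", brand
    labels = host.lower().strip(".").split(".")
    for label in labels[:-2]:                    # brand used as a subdomain: paypal.com.evil.example
        for brand in TRUSTED:
            if brand in normalize(label):
                return "lookalike", brand
    norm = normalize(reg.split(".")[0])           # second-level label only
    for brand in TRUSTED:
        if brand in norm or edit_distance(norm, brand) <= 1:
            return "lookalike", brand
    return "unknown", None


def check_sender(from_header: str) -> Tuple[str, str]:
    """Inspect a From: header such as 'PayPal <do_not_reply@paypal32.com>'."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    verdict, brand = classify_domain(domain)
    claimed = [b for b in TRUSTED if b in display.lower()]
    if verdict != "trusted" and claimed:
        return "lookalike", f"display name claims {claimed[0]} but sender domain is {domain or 'missing'}"
    if verdict == "lookalike":
        return verdict, f"{domain} imitates {brand}"
    return verdict, f"{domain or 'no address'} ({'trusted ' + brand if brand else 'not in allowlist'})"


def check_url(url: str) -> Tuple[str, str]:
    """Inspect a link target; 'ok', 'suspicious' or 'unknown' plus a reason."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.username is not None:               # https://paypal.com@evil.example/ : real host is after the '@'
        return "suspicious", f"user info before host; real host is {host}"
    verdict, brand = classify_domain(host)
    if verdict == "lookalike":
        return "suspicious", f"{host} imitates {brand}"
    if verdict == "trusted":
        return "ok", f"{host} is a trusted {brand} domain"
    return "unknown", f"{host} not in allowlist"


if __name__ == "__main__":
    # Constructed samples, not real messages.
    for hdr in ["PayPal <do_not_reply@paypal32.com>", "do-not-reply@paypal.com", "PayPal Support <help@secure-mail.example>"]:
        print(hdr, "->", check_sender(hdr))
    for link in ["https://g0ogle.com/login", "https://paypal.com@evil.example/", "https://accounts.google.com/"]:
        print(link, "->", check_url(link))
```

An “unknown” verdict is deliberate: a domain absent from the allowlist is neither proven good nor proven bad, and the right response is to verify it out of band rather than to trust it because no rule fired.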
Regularly rotate your passwords
Older advice was to change every password every three months. Current guidance (for example NIST SP 800-63B) is that routine rotation does little and pushes people toward weak, predictable variations; what matters is changing a password immediately if you suspect a phisher has captured it, or if the service reports a breach.
As a rule of thumb, never reuse a password across accounts. If cybercriminals obtain it from one site, they will try it on all your others. A password manager makes unique passwords practical because it generates and stores them for you. Ensure each password is strong by:
Using a length well beyond the eight-character minimum; 12 or more is a sensible floor, and length matters more than complexity
Combining hard-to-guess numbers, letters, and special characters rather than dictionary words or personal details
Never entering your password on untrusted websites, open Wi-Fi hotspots, or computers you don’t own
Ensuring no one nearby can see you type your password
Be wary of pop-ups
Pop-up windows are an annoying part of browsing. The most common ones on legitimate websites are pop-up ads. However, you may encounter suspicious ones such as warnings that your device is infected with a virus or claims that you have won a prize.
These pop-ups typically try to get malware onto your device or lead you to sites that ask for financial information. Don’t interact with them; close the tab instead, since the buttons inside the pop-up may all lead to the same place. One simple and effective measure is a browser with a built-in pop-up blocker, or an ad-blocking extension, which removes most of them.
In general, stick to websites you know and be wary of any site that tries to alarm you.
Don’t share your private info
Unless you are interacting with an entity you know and have verified as legitimate, never reveal personal data. This includes names, addresses, locations, banking details, phone numbers, ID numbers, photos, and so on.
Where sharing is unavoidable, you can use Duckist.com, a service designed to transfer passwords and other secret messages or files securely and simply. It encrypts content in the browser before upload (client-side encryption), so the plaintext never leaves your device.
Don’t ignore updates
Another component in defending against phishing is keeping your OS (operating system), browser, and other software up to date by installing updates as soon as they are available.
Outdated software is great news for attackers because it carries publicly known vulnerabilities that phishing payloads exploit. Updating closes those holes, reduces the chance of a malware infection, and protects your data, as well as bringing small improvements.
Desktop firewalls and network firewalls
Firewalls are a basic line of defense. They act as a barrier between your computer and untrusted external networks by limiting which connections are allowed in. Note what a firewall does not do: it will not stop you from visiting a malicious site you chose to open, nor from entering your password there. Web and DNS filtering can block known phishing sites, but the main defense is still not taking the bait.
Some attackers can still bypass a firewall. The key is not to fall prey to phishing tactics in the first place; with that due diligence plus a firewall, you are in good shape.
Use Antivirus software
A firewall should be accompanied by up-to-date antivirus software, which can detect and remove malware that has made it onto your device. Many security vendors also provide anti-phishing add-ons for browsers and email clients.
These are more specifically targeted at identifying phishing content and can prevent you from getting hooked.
Summary
Phishing is the art of deception, designed to manipulate victims into taking immediate action to resolve a supposed problem. As people, we are curious, fearful, and sometimes gullible.
The tips above give you a solid defense against phishing, so that you do not fall victim to con tricks online.