Phishing? - Learn what to look out for to stay safe and secure!
What is phishing?
Phishing is a type of cyberattack in which individuals are contacted by email, telephone, or text message by someone posing as a legitimate company or institution, to lure the recipient into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The attacker then uses this information to access important accounts, which can result in identity theft and often financial loss.
Phishing scams are evolving.
Phishing scams were originally sent predominantly by email, as mass messages to a large number of people, and they were often not very specific or targeted. Over time, these attacks have become more sophisticated. Cybercriminals now use targeted tactics like spear phishing, where specific individuals or organizations are attacked. Whaling is another advanced form of phishing, aimed at high-profile individuals like CEOs. Smishing (SMS phishing) and Vishing (voice phishing) are newer forms, using text messages and phone calls respectively.
Common Types of Phishing
- Email Phishing: This is the most common method of phishing we see, and it is carried out daily. Generic emails are sent to many people and often include a request to fill in personal details on a fake website; if the attachment is an HTML file that opens a link, it is often a phishing email!
- Spear Phishing: Targeted at specific individuals or companies, often using information gathered from social media or other sources to appear convincing before the phishing attack is made.
- Whaling: High-level targeting of company executives, with the aim of stealing large sums or sensitive company information; very targeted and very dangerous.
- Smishing and Vishing: Use SMS and voice calls to trick victims into revealing personal information.
Phishing Emails Explained
Identifying Phishing Emails: Recognizing these emails can be challenging as they often appear legitimate. However, certain features can give them away:
- Suspicious Sender Addresses: Check the email address carefully. Phishing emails often mimic legitimate addresses with small alterations. For example, ‘email@fIrstbasesolutIons.co.uk’ instead of ‘email@example.com’: i’s can easily be swapped with l’s to appear legitimate, and it is hard to see without analysing the email properly.
- Generic Greetings: Phishing emails often use generic greetings like “Dear Customer” instead of your name. This is because they are sent in bulk to many people and they don’t know you!
- Urgent or Threatening Language: These emails create a sense of urgency or fear. You might see warnings that your account will be closed or that you need to verify your information immediately.
- Unexpected Attachments or Links: Be wary of emails that prompt you to download attachments or click on links, especially if they are unsolicited. These could be malware or lead you to fraudulent websites.
- Spelling and Grammar Mistakes: Professional companies typically send well-written emails. Poor grammar and spelling can be an indicator of a phishing attempt.
- Mannerisms: If you are used to communicating with a customer in a certain way and their tone or behaviour seems different, that should alert you to the possibility that it is not the sender you are used to dealing with!
Examples and Analysis: For instance, consider an email purportedly from your bank, asking you to click a link to reset your password. The email has a sense of urgency, warning that your account will be frozen if you don’t act quickly. The sender’s address is slightly off, and the email uses a generic greeting. The link leads to a website that looks like your bank’s but with a slightly different URL. These are all serious red flags indicating a phishing attempt.
The moment you start to question an email or feel that something is slightly off, take a step back and assess it critically:
- Verify sender details.
- Hover over links to see the actual URL.
- Question the urgency and the nature of the request.
- Look for tell-tale signs like poor language or impersonal greetings.
Phishing extends beyond the traditional email-based scams, evolving with technology to exploit various communication channels. It’s crucial to recognize these diverse tactics to safeguard against them effectively.
- SMS Phishing (Smishing): Smishing scams use text messages to lure victims into revealing sensitive information. These messages might prompt you to click a link, which could lead to a fraudulent website or download malware onto your phone. They often appear to be from reputable sources, like banks or government agencies, and create a sense of urgency to respond.
- Voice Phishing (Vishing): Vishing scams involve phone calls where scammers, posing as legitimate entities, attempt to extract personal details or financial information. They might use caller ID spoofing to appear as a known contact or organization. These calls often involve fabricated scenarios designed to elicit an immediate response, such as claiming there’s a problem with your bank account.
- Social Media Phishing: With the rise of social media, cybercriminals exploit these platforms to access personal data. They might send messages impersonating friends or familiar contacts, share malicious links, or create fake profiles to gather sensitive information.
An example of a Smishing attack could involve a text message alerting you of suspicious activity on your bank account with a link to ‘verify’ your details. Similarly, a Vishing attempt might involve a call from someone claiming to be from tech support, requesting remote access to your computer to ‘fix’ a non-existent problem.
Recognizing and Avoiding Phishing Websites
Phishing websites are fraudulent sites designed to mimic legitimate ones, with the goal of deceiving users into entering sensitive information. Recognizing these sites is crucial for online safety.
- Spotting Fake Websites: Look out for incorrect URLs, especially those with subtle misspellings or wrong domain names (e.g., ‘.com’ replaced with ‘.net’). Secure websites should start with ‘https://’ and display a padlock icon, indicating encryption.
- SSL Certificates: Secure websites have SSL (Secure Sockets Layer, now TLS) certificates, which authenticate the site’s identity and encrypt internet traffic. Always check for SSL certification before entering any personal information. Note that the padlock only confirms that traffic to that domain is encrypted; a phishing site on a look-alike domain can have a valid certificate too, so the padlock is no substitute for checking the domain name itself.
- Tips for Safe Browsing:
  - Updated Browsers: Use the latest version of web browsers, as they have better security features to detect and warn about suspicious websites.
  - Avoid Public Wi-Fi for Sensitive Transactions: Public Wi-Fi networks are less secure, making it easier for hackers to intercept data.
  - Double-Check URLs: Before entering information, verify that you are on the correct website. Be wary of clicking on links from emails or text messages; instead, enter the URL directly into the browser or use bookmarks.
Recognizing Signs of Compromise: Signs like pop-ups asking for personal information, unsolicited downloads, or redirecting to different websites are indicators of a phishing site. Always be vigilant and err on the side of caution when browsing online.
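As an added example (not from the original page), the checks described in this section and under ‘Suspicious Sender Addresses’ and ‘Hover over links’ above can be automated: the script folds look-alike characters (l/1 for i, 0 for o, rn for m) before comparing a domain to an allow-list, flags a trusted name under the wrong suffix (‘.com’ replaced with ‘.net’), and compares a link’s visible text with the host it really opens. The allow-list, the fold table and the sample addresses are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains this mailbox legitimately deals with (assumption).
TRUSTED_DOMAINS = {"example.com", "firstbasesolutions.co.uk"}

# Characters that look alike in common fonts are folded to one representative.
# Domain names are case-insensitive, so the dangerous swap is a lowercase l
# (or a 1) standing in for an i: 'flrstbasesolutlons' vs 'firstbasesolutions'.
_FOLD = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def skeleton(name: str) -> str:
    """Case-fold a host name and collapse look-alike characters."""
    return name.strip().lower().translate(_FOLD).replace("rn", "m").replace("vv", "w")


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender or link domain."""
    d = domain.strip().lower()
    if d in TRUSTED_DOMAINS:
        return "trusted"
    own_name = skeleton(d.split(".")[0])        # leftmost label, e.g. 'example'
    for trusted in TRUSTED_DOMAINS:
        if skeleton(d) == skeleton(trusted):    # differs only by confusable swaps
            return "lookalike"
        if own_name == skeleton(trusted.split(".")[0]):  # same name, wrong suffix
            return "lookalike"                  # e.g. '.com' replaced with '.net'
    return "unknown"


def classify_sender(address: str) -> str:
    """Classify the domain part of an e-mail address such as 'name@host'."""
    if "@" not in address:
        return "unknown"
    return classify_domain(address.rsplit("@", 1)[1])


def _bare(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def link_mismatch(link_text: str, href: str) -> bool:
    """True when a link's visible text names a host other than the one it opens.
    This is the 'hover over the link to see the real URL' check done in code."""
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", link_text.lower())
    if not shown:
        return False                            # plain words: nothing to compare
    actual = urlparse(href.strip().lower()).hostname or ""
    return _bare(shown.group(1)) != _bare(actual)
```

Run the functions over the From: address and every link in a message; a ‘lookalike’ verdict or a link mismatch is exactly the red flag the checklist above tells the reader to look for by eye.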
Protective Measures and Best Practices
Adopting proactive measures and best practices is essential in safeguarding against cyber attacks. Here is how individuals and organizations can protect themselves:
- Implement Multi-Factor Authentication (MFA): MFA adds an additional layer of security beyond just passwords. Even if a password is compromised, MFA can prevent unauthorized access.
- Regular Software Updates: Keep all software, especially browsers and security programs, updated. These updates often include patches for security vulnerabilities that phishing attacks exploit.
- Use Reputable Antivirus Programs: Install and maintain reputable antivirus software. These programs can detect and block malware and phishing attempts.
- Educate and Train: Regular training for individuals and employees on recognizing these attempts is crucial. This should include identifying suspicious emails, links, and requests.
- Be Cautious with Personal Information: Avoid sharing sensitive personal information online, especially in response to unsolicited requests. Always verify the legitimacy of a request before responding.
- Backup Data Regularly: Regular backups can mitigate the damage in case of data loss due to phishing attacks that result in malware infections or ransomware.
- Phishing Simulation Exercises: For organizations, conducting regular phishing simulation exercises can be an effective tool in educating employees about real-world phishing tactics.
What To Do If You Suspect a Phishing Attack
If you encounter a potential phishing attempt, taking immediate action can prevent or minimize damage:
- Do Not Respond or Click Any Links: Avoid interacting with the suspicious email, message, or call. Do not click on any links or download attachments from unknown or suspicious sources.
- Verify Independently: Contact the supposed source directly using a phone number or website you know is legitimate, not the contact information provided in the suspicious message.
- Report the Attempt: Report phishing emails to your IT department. If it’s a Smishing or Vishing attempt, report it to your local authorities.
- Change Your Passwords: If you suspect your information might have been compromised, change your passwords immediately, especially for sensitive accounts like banking or email.
- Monitor Your Accounts: Keep an eye on your bank statements and credit reports following a suspected phishing attempt to quickly spot any unauthorized activity.
- Educate Others: Share your experience with peers and colleagues to raise awareness and prevent them from falling victim to similar scams.
Taking these steps can significantly reduce the risk and impact of phishing attacks, ensuring your personal and organizational data remains secure.