Phishing is a form of fraud in which an attacker pretends to be a trustworthy entity or person via email or another communication channel. Phishers use phishing emails to deliver malicious attachments or links that can do many things; a common goal is to steal login credentials and account information from victims.
Cybercriminals love using deception, and phishing is one of their favorite forms of deception. It’s a much lazier approach than actively hacking a computer. That’s because it’s easier to convince someone to click a malicious link in an email that appears legitimate than to spend hours hacking through a computer’s security. As end users, it’s essential to understand how to spot and avoid phishing.
Just recently, my father was the victim of a very convincing phishing attack that took advantage of his age and his fear that his Microsoft operating system was at risk after an update. It came through email and even a phone call. While he was duped out of money and lost access to his computer, he was fortunate to be reimbursed by his credit card company and an IT professional got his computer restored. Unfortunately, phishing has become monstrous in scope and many victims are not so lucky.
History of Phishing
So, where did the idea of “phishing” come from? The history of phishing isn’t clear, but the name probably originates from the type of fraud being committed. When a fish is lured by a bait that conceals a hook, the fish believes the lure is a legitimate meal. Of course, they later discover it isn’t. In the same way, scammers “phish” for information that can be used for economic gain or nefarious intent by luring users into thinking that the emails, messages and URLs they are phishing with are legitimate and click-worthy.
One of the most famous early examples of this kind of lure is the “love bug” (ILOVEYOU) worm of May 2000. Potential victims received an email with the subject line “ILOVEYOU” pointing to an attached “love letter”. Back then, this may have seemed innocent, and the lure was convincing enough for recipients to open the attachment. The attachment, however, was a script disguised as a text file: it overwrote files on the victim’s computer and mailed a copy of itself to everyone in the victim’s address book.
Also, in the 2000s, phishers began registering phishing sites. A phishing site is a domain that looks and acts the same as an official website. They are created to trick people into thinking it is legitimate.
Scope of Phishing
Today, phishing schemes are far more sophisticated and potentially more dangerous. An attacker can use one phished password to take over every other account where the victim reused it, and a single compromised account can open the door to even more damaging attacks, such as ransomware.
Modern technologies enhance the phisher’s lures. One example is the CEO of a U.K. energy company who believed he was on the phone with the CEO of the firm’s parent company and was instructed to urgently transfer money to a supplier. He was actually the victim of a phishing scam: the attackers had used AI-based voice-cloning software to imitate the parent company CEO’s voice, and the money went to the attackers. It is possible that the attackers also used AI tools to respond to the victim’s questions so that the call seemed genuine.
How Phishing Works
Phishing attacks rely on social engineering delivered over communication channels such as email, messenger apps and even SMS text.
Phishers may use public information sources to gather background on a victim. This can include work history, hobbies, interests and activities. Social media platforms like LinkedIn, Twitter and Facebook are favourites among phishers, who use them to extract names, job titles and email addresses of potential victims. This kind of information can be combined to craft convincing emails that appear legitimate.
Beware of suspicious emails
A victim will typically receive a message that looks like it was sent by a known organization or contact. An attack can then be carried out via malicious file attachments or links to malicious websites. The goal is to either install malware onto the victim’s device, or redirect them to a fake website. Fake websites can be created to trick victims into giving out personal and financial details, such as passwords or account IDs, credit card details, and other sensitive information.
While many phishing emails seem to be poorly written and obviously fake, cybercriminals are increasingly using the same methods professional marketers use for identifying the most effective messages.
How do you recognize a phishing email
Successful phishing messages are hard to tell apart from real ones. They are often branded as coming from a well-known company and include corporate logos and other identifying data.
There are some clues to look for, though. These can indicate that a message is a phishing attempt:
- Suspicious subdomains and misspelt URLs (typosquatting), are used in the message.
- The sender uses Gmail or another public email address instead of a corporate email address.
- The message is intended to incite fear or urgency.
- The message contains a request for verification of personal information such as financial details and a password.
- The communication contains incorrect grammar and poor spelling.
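As an added illustration (this is not code from the original article), here is a small Python script that applies the clues above to a constructed sample message: it checks whether the sender writes from a public mailbox, looks for urgency phrases, and examines every URL in the body for typosquats (a few character edits away from a trusted brand) and lookalike subdomains (a brand name buried inside someone else’s domain). The trusted-brand list, freemail list, urgency phrases and the sample message are assumptions chosen for the demo; a real mail filter would use far larger lists and the Public Suffix List for domain parsing.

```python
"""Heuristic phishing-indicator checker.

Added example, not code from the original article. The trusted-brand list,
freemail list, urgency phrases and the sample message below are constructed
for the demo; a real mail filter would use much larger lists.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "office365.com"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours",
                   "verify your account")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a hostname (assumption: fine for .com-style names;
    a production checker should use the Public Suffix List)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """Return (category, detail) findings for one URL found in a message."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return []
    findings = []
    for brand in TRUSTED_DOMAINS:
        brand_label = brand.split(".")[0]
        if brand_label in host:
            # e.g. paypal.com.secure-login.example: the brand appears as a
            # subdomain but the registrable domain belongs to someone else.
            findings.append(("lookalike-subdomain",
                             f"{host}: contains '{brand_label}' but registrable domain is {reg}"))
        elif 0 < edit_distance(reg.split(".")[0], brand_label) <= 2:
            # e.g. paypa1.com: within two character edits of a trusted name.
            findings.append(("typosquat", f"{reg} is within two edits of {brand}"))
    return findings


def check_message(headers, body):
    """Scan a message (dict of headers plus body text) for the clues above."""
    findings = []
    display_name, addr = parseaddr(headers.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain in FREEMAIL_DOMAINS:
        findings.append(("freemail-sender",
                         f"'{display_name}' writes from public mailbox {addr}"))
    text = (headers.get("Subject", "") + "\n" + body).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(("urgency", f"message contains '{phrase}'"))
    for url in URL_RE.findall(body):
        findings.extend(classify_url(url))
    return findings


# Constructed sample message (not a real phishing email).
SAMPLE_HEADERS = {
    "From": "PayPal Support <paypal.support.team@gmail.com>",
    "Subject": "URGENT: your account will be suspended",
}
SAMPLE_BODY = """Dear customer,
Unusual activity was detected. Verify your account within 24 hours at
http://paypa1.com/login or http://paypal.com.secure-login.example/verify
or your account will be suspended."""

if __name__ == "__main__":
    for category, detail in check_message(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"[{category}] {detail}")
```

Run it and the sample message trips all four heuristics; a genuine receipt from service@paypal.com linking to www.paypal.com produces no findings. Heuristics like these are a triage aid, not a verdict: legitimate mail from a small business using Gmail will also score a hit.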
Types of Phishing Attack
Like any good fisherman, cybercriminals continue to hone their skills in their phishing craft. New scams are developed. Old scams are improved. New techniques are brainstormed. Here are some of the most common phishing attacks:
Spear Phishing Attacks
These are targeted at specific people or companies. To make the message appear authentic, these attacks often use information that is specific to the victim. Spear phishing emails may include references to the victim’s co-workers and executives.
Whaling Attacks
These are a spear phishing technique targeting senior executives in an organization. The attack is often designed to steal large amounts of money. To create a more authentic message, the campaign planners research their targets in depth; the chances of success are higher when the message contains details relevant to the target.
A typical whaling attack targets employees who have the authority to approve payments. The phishing message is crafted to read as an instruction from an executive authorizing a large payment to a vendor, when in reality the attackers receive the payment.
DNS Poisoning
In this type of attack, also known as pharming, DNS records or a resolver’s cache are altered so that a correctly typed domain name resolves to the attacker’s server and users are redirected to a fake site without ever clicking a misspelt link. The fake site then harvests the credentials users enter when they try to sign in.
Clone phishing
These attacks are carried out using legitimate, previously delivered emails that either contain a link or an attached file. The attackers create a copy (or clone) of the legitimate email and replace any links or attachments with malicious ones. Victims are often tricked into opening malicious attachments or clicking on malicious links.
Attackers who already control a mailbox inside an organization often use this technique: they send the cloned message from an account that the victims know and trust.
WiFi Phishing
In these attacks, an attacker sets up a Wi-Fi access point with a deceptive name, usually one that closely resembles the name of a legitimate access point nearby (an “evil twin”). When victims connect to the evil twin, the attacker can see traffic to and from their devices, including any user IDs and passwords sent without encryption. The same vector lets attackers present victims with fraudulent captive-portal or login prompts of their own.
Voice Phishing
This type of phishing, also called vishing, uses voice-based media such as voice over IP (VoIP) or plain old telephone service. A common variant uses speech-synthesis software to leave voicemails notifying victims of suspicious activity in their bank or credit accounts. Victims who call back are asked to “confirm their identity” by reading out account numbers, PINs or passwords, which the attacker then uses.
SMS Phishing
These are mobile-oriented attacks using text messaging to persuade victims to install malware or disclose their account credentials.
Setting the Lure – Common Phishing Techniques
Phishing attacks go beyond simply sending victims an email and hoping they click on a malicious hyperlink or open a malicious file. To trap their victims, attackers use a variety of techniques:
- JavaScript can be used to display a picture of a valid URL over the browser’s address bar, or to change where an embedded hyperlink points at the moment the user hovers over or clicks it, so that the destination shown is not where the browser actually goes.
- Link manipulation, also known as URL hiding, can be used in many types of phishing. It is possible to create a malicious URL and make it appear to be linking to a legitimate website or webpage. However, the link will actually point to a malicious web resource.
- Link shortening services such as Bitly could be used to conceal the link destination. Victims are not able to determine if the URLs are legitimate or malicious.
- Homograph spoofing relies on domain names built from characters that look identical to those in a trusted domain. An attacker may register a domain that substitutes, for example, a Cyrillic “а” for a Latin “a” in a well-known brand name; the browser shows the familiar name, while the real internationalised domain (the “xn--” punycode form) belongs to the attacker.
- Sometimes attackers can bypass phishing defences by rendering a portion or all of a message in a graphical image. Security software can scan emails for certain phrases and terms that are common in phishing email messages. This can be bypassed by rendering the message as an image.
- A covert redirect is another phishing tactic. It abuses an open redirect vulnerability: a legitimate site accepts a “return to” URL as a parameter but fails to check that it points to a trusted destination. The link the victim clicks genuinely goes to the trusted site, which then bounces the browser to a malicious intermediate page that requests login details, before finally sending the victim on to the legitimate destination so that nothing seems amiss.
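To show what the open redirect behind a covert redirect looks like in code, and how to close it, here is an added example (my own illustration, not code from the original article or from any real site). The vulnerable handler forwards the browser wherever the next parameter says; the hardened one accepts only same-site paths or absolute URLs on the site’s own host, and it refuses the usual bypasses (scheme-relative “//host” links, backslashes, userinfo tricks, lookalike subdomains, non-http schemes). The host name trusted.example and the probe URLs are assumptions.

```python
"""Open redirect: vulnerable handler next to a hardened one.

Added example, not code from the original article. ALLOWED_HOST and the
URLs below are made up.
"""
from urllib.parse import urlparse, parse_qs

ALLOWED_HOST = "trusted.example"  # assumption: the site doing the redirecting


def vulnerable_redirect_target(next_url, default="/"):
    """'Before' behaviour: sends the browser wherever ?next= says."""
    return next_url or default


def safe_redirect_target(next_url, default="/"):
    """Only allow same-site paths or absolute URLs whose host is ALLOWED_HOST."""
    if not next_url or next_url != next_url.strip():
        return default
    if "\\" in next_url or any(ord(c) < 0x20 for c in next_url):
        # Browsers turn "\" into "/" and drop some control characters, so
        # "/\evil.example" would become "//evil.example" after our check.
        return default
    parts = urlparse(next_url)
    if parts.scheme == "" and parts.netloc == "":
        # A relative path: require exactly one leading "/". A "//host" prefix
        # is a scheme-relative URL to another site; urlparse gives it a
        # netloc so it never reaches this branch, but we check anyway.
        if parts.path.startswith("/") and not parts.path.startswith("//"):
            return next_url
        return default
    if (parts.scheme in ("http", "https")
            and parts.hostname == ALLOWED_HOST
            and "@" not in parts.netloc):  # refuse userinfo tricks
        return next_url
    return default


def redirect_after_login(login_url, handler):
    """Simulate a login page reading ?next= and deciding where to send the user."""
    query = parse_qs(urlparse(login_url).query)
    return handler(query.get("next", [""])[0])


# Constructed attack link: the covert-redirect lure points at the real login
# page, which then bounces the victim to the phisher's fake login.
LURE = "https://trusted.example/login?next=https://evil.example/fake-login"

PROBES = [
    "/account/settings",                        # legitimate relative path
    "https://trusted.example/login",            # legitimate absolute URL
    "//evil.example/",                          # scheme-relative URL
    "/\\evil.example",                          # backslash normalised to "//"
    "https://trusted.example@evil.example/",    # userinfo looks like our host
    "https://trusted.example.evil.example/",    # our name as a subdomain
    "https:///evil.example",                    # empty authority, browser fixes up
    "javascript:alert(1)",                      # non-http scheme
    "  https://evil.example",                   # leading whitespace
]

if __name__ == "__main__":
    print("vulnerable:", redirect_after_login(LURE, vulnerable_redirect_target))
    print("hardened:  ", redirect_after_login(LURE, safe_redirect_target))
    for probe in PROBES:
        print(f"{probe!r:45} -> {safe_redirect_target(probe)!r}")
```

The design choice worth noting is the allow-list: rather than trying to enumerate bad prefixes, the safe handler names the two shapes it will accept and falls back to the site root for everything else. Where a redirect to another site really is needed, map a short token to a server-side table of destinations instead of accepting a URL from the request.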
How to Avoid the Phishing Lure
Experts recommend layering security measures to prevent phishing messages from reaching end users. The layers include simple measures such as:
- Antivirus software
- Both network and desktop firewalls
- Antispyware Software
- Antiphishing Toolbars (Installed in Web Browsers)
Then there are some more advanced measures that can be added, especially for enterprise environments:
- Gateway email filter
- Web security gateway
- A spam filter
- Phishing filters offered by vendors like Microsoft.
Anti-Phishing Services
There are also additional, specific anti-phishing services that can be used. These are for more business/enterprise applications, but some may also be useful for families and especially for increasing awareness of phishing methods.
Email authentication protocols help too. DomainKeys Identified Mail (DKIM) lets a receiving server verify that a message was cryptographically signed by the sending domain, and Sender Policy Framework (SPF) lets a domain publish which servers may send mail on its behalf. Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on both: the domain owner publishes a policy telling receivers to quarantine or reject messages whose From domain is not backed by an aligned SPF or DKIM pass, so forged messages claiming to come from that domain can be blocked before they reach the user.
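To make the DMARC rule concrete, here is an added example (my own illustration, not code from the article or from any mail server) of how a receiver decides whether an incoming message passes DMARC. The record text, the domains and the organisational-domain shortcut are assumptions; real receivers fetch the record from DNS at _dmarc.<domain> and use the Public Suffix List to find the organisational domain.

```python
"""DMARC alignment check.

Added example, not code from the original article or from any DMARC
implementation. Domain names and the policy record are made up.
"""


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict of lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Last two labels (assumption: a real receiver uses the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """'s' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    from_domain: domain in the visible From: header (what the user sees).
    spf_domain:  envelope-sender domain SPF was checked against.
    dkim_domain: d= tag of the DKIM signature that verified.
    """
    policy = parse_dmarc_record(record)
    if policy.get("v") != "DMARC1" or "p" not in policy:
        return ("none", "none")  # no usable policy: receiver applies no DMARC action
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # Subdomains of the organizational domain use 'sp' when present, else 'p'.
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    disposition = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return ("fail", disposition)


# Constructed policy for the made-up domain bank.example.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@bank.example"

if __name__ == "__main__":
    # Phisher: From: says bank.example, but SPF and DKIM only vouch for the
    # attacker's bulk-mailer domain, so neither identifier is aligned.
    print(evaluate_dmarc("bank.example", RECORD,
                         "pass", "bulk-mailer.example", "pass", "bulk-mailer.example"))
    # Genuine mail: DKIM signed with d=bank.example, strictly aligned.
    print(evaluate_dmarc("bank.example", RECORD,
                         "fail", "bulk-mailer.example", "pass", "bank.example"))
```

The first call returns ('fail', 'reject') even though SPF and DKIM both "passed": DMARC is about whether the authenticated domain matches the one the user sees, which is exactly what a spoofed From: header gets wrong. The second returns ('pass', 'none').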
There are other resources too. The Anti-Phishing Working Group (APWG) and the U.S. federal government’s OnGuardOnline.gov website offer advice on how to avoid, spot and report phishing attacks. There is also online training that can help you, your family, employees or colleagues identify phishing attempts, such as the simulated-phishing programmes from PhishMe (now Cofense) and Wombat Security Technologies (now part of Proofpoint). FraudWatch International and MillerSmiles publish recent phishing email subject lines so you remain up to date with what to look for.
Phishing Examples
Phishing scams can come in many forms. It is possible to stay alert, safe and prepared by learning about the most recent methods that scammers use to phish. Here are some examples of recent phishing attacks:
Scams based on digital payment
These scams use major payment websites and applications as cover to harvest sensitive information from victims. The phisher pretends to be an online payment service such as PayPal, Venmo or TransferWise.
These attacks generally take place via email. A fake payment service will ask a user to verify their login details and other identifying data. They claim this is required to resolve an account issue. These phishing attempts often include a link that takes you to a fake “spoof” webpage.
PayPal is aware of these threats and has provided materials to customers to improve awareness. Anyone who gets a suspicious email from an account claiming to be PayPal should not click on any links. Instead, PayPal recommends using the hovering technique described above to verify that the link address actually belongs to paypal.com, and logging in to your account separately to ensure everything is as it should be.
What to watch for in Paypal phishing scams
These are some details to look for if you are unsure how to spot a fraudulent online-payment email. A phishing email impersonating PayPal is generally known to contain:
- Generic greetings that do not include the recipient’s name. PayPal addresses customers by name in official emails, so a message that opens with “Dear customer” or “Dear user” is a warning sign. This sector is particularly prone to phishing attempts.
- “Alerts” that the victim’s PayPal or other payment account is about to be suspended. Other variants claim the user was mistakenly “overpaid” and must send the excess to another account, which the scammer controls.
- PayPal does not send downloadable attachments. A person should not download an attachment from PayPal or any other similar service.
If you receive an email claiming your account is suspended or that you were overpaid, do not act on it from the email. Open a new browser tab, log in to PayPal directly and check your account status and recent payments there. PayPal encourages all users to report suspicious emails so that it can monitor such attempts and prevent other users from being scammed.
Phishing attacks posing as financial institutions
These scams are very common and count on victims panicking and handing over their personal information. The scammers usually pose as bank employees or financial institutions and inform the victim, via email or phone, that their account security has been compromised. The details the victim hands over are then used for identity theft.
Here are some examples of this scam:
- Fraudulent emails about money transfers are sent to confuse the victim. These phishing emails contain a fake rejection or receipt notice for an ACH transfer. The victim, assuming fraudulent charges have been made to their account, clicks a link in the message and lands on a site that harvests their personal and banking information.
- Direct deposit scams are often aimed at new employees. The victim receives a notice that their payroll login details are not working. Worried about not being paid, the victim clicks a “phishy” link in the email and is taken to a fake website that harvests their banking details or installs malware on their computer, either of which can lead to fraudulent charges.
Phishing scams relating to work
These scams are particularly alarming because they can be extremely personal and difficult to spot. These cases involve an attacker pretending to be the victim’s CEO, boss, or CFO and asking for a wire transfer or fake purchase.
A ploy to steal passwords is one of many work-related scams that have appeared around businesses over the past few years. Executive-level employees are often targeted, since they may not expect an email from a colleague to be fraudulent. The email is not alarmist; it simply discusses regular workplace topics, usually informing the victim that a scheduled appointment needs to be cancelled.
The employee is then asked to follow a link to a poll on when to reschedule. The link leads to a spoofed Microsoft Outlook or Office 365 login page, and as soon as the victim enters their credentials, the scammers have their password.
The Final Score
It’s our motto to be smart and stay safe, and when it comes to identifying and preventing phishing attacks, that couldn’t be more true. Phishing attempts are prevalent, but there are ways to stay alert, identify phishing scams and prevent your identity from being stolen, your passwords from being compromised and your money from being taken; that is what this article intends to provide. So, when you receive any communication, whether via email, SMS, direct message or even a seemingly real human voice, stay alert, examine the details, check whether anything is suspicious and, rather than responding or clicking on impulse, be smart and stay safe.