Phishing doesn’t just target the big fish
Phishing is a computer scam technique that has been around since the 1990s, but with the increase in personal data stored online and the prevalence of social networking sites, it is more important than ever to understand how phishing scams work.
This article will familiarise you with some basic concepts so you can better protect yourself from potentially dangerous situations.
How does it work?
Phishing is not a computer attack per se, but rather a scam technique that hackers use to illegally obtain sensitive and personal information from users.
Phishing attacks can be carried out through email or text messages, with the aim of obtaining a person’s user name and password for their bank account or credit card number and other personal data.
What happens when you are phished and how do you avoid it?
If you are a victim of online phishing, the consequences can be serious. Your personal information can fall into the wrong hands and lead to identity theft and crimes committed in your name. In Luxembourg, 66% of computer attacks involve phishing.
On a personal level, the risks are:
- Money stolen from your bank account
- Purchases made with your credit cards
- Loss of access to your photos, videos and files
- Fake posts on your social media profiles
- Cybercriminals can also endanger your friends and family by impersonating you.
On a professional level, the risks are even greater and can have serious impacts:
- Business interruption and lost revenue
- Dissemination of personal information pertaining to your clients and colleagues
- Locking of your files (reactivated in exchange for a ransom)
- Damage to your company’s reputation
You will understand that for your business to run smoothly, you should do your utmost to prevent such attacks. There are insurance policies such as cyberpro from Foyer. From prevention to damage repair, Foyer cyberpro assists businesses when cyber-security protection is no longer sufficient.
How do I recognise a phishing email?
Don’t be fooled by appearances. It’s almost as easy to spoof an email address as it is to change a recipient’s address on a paper envelope.
- It’s too good to be true
- Lucrative offers, easy gains, and promises of gifts are designed to get the recipient’s attention immediately. Some emails will claim that you won an iPhone, a lottery, or some other cool prize. If it sounds too good to be true, it probably is!
- Sense of urgency
- One of the favourite tactics of cybercriminals is to ask you to act quickly, as the great deals offered are available for a limited time. Sometimes they will tell you that your account will be suspended unless you update your personal information immediately. Most reputable organisations give ample time before terminating an account and never ask customers to update their personal information on the internet. If in doubt, visit the source directly rather than clicking a link in an email.
Do not click on the links right away. If you hover over them, you will see the real URL to which you would be directed by clicking on it. If it is not the advertised site or the URL contains a spelling error, for example https://www.foyerasssurances.lu (there is one “s” many), avoid clicking and delete the email.
Also note that “https” does not guarantee the identity of the site owner.
- If the email has an attachment that you weren’t expecting or that doesn’t make sense, don’t open it! These can contain intrusion paths such as ransomware or other viruses. The only type of file that is always safe to click is a .txt file.
It’s not just email that can fool you
As digital technologies advance, phishing is finding new ways to exploit vulnerabilities. Here are 10 examples.
Standard email phishing
Arguably the most well-known form of phishing, this attack is an attempt to steal sensitive information through an email that appears to come from an official or familiar organisation. It is not a targeted attack and can be carried out en masse.
This kind of attack uses the same techniques as email phishing to encourage targets to click a link or download an attachment so that malware can be installed on their device. It is currently the most common form of phishing attack.
While most phishing attacks take aim at a large network, spear phishing is a highly focused and well-researched attack that typically targets business executives, public figures, and other lucrative targets.
SMS-enabled phishing provides malicious short links to smartphone users, often disguised as account notices, prize notifications, and political messages.
Search engine phishing
In this type of attack, cybercriminals set up fraudulent websites designed to collect personal information and direct payments. These sites can appear in organic search results or as paid ads for popular search terms.
Vishing, or voice phishing, involves a malicious caller pretending to be from technical support, a government agency or other organisation and trying to extract personal information, such as bank or credit card details.
Also known as DNS poisoning, pharming is a technically sophisticated form of phishing involving the Internet’s Domain Name System (DNS). Pharming redirects legitimate web traffic to a spoofed page without the user’s knowledge, often to steal valuable information.
A man-in-the-middle attack involves someone monitoring correspondence between two unsuspecting parties. These attacks are often carried out by creating fake public WiFi networks in cafés, shopping malls and other public places. Once logged in, the man in the middle can phish for information or install malware on the devices of his victims.
BEC (Business Email Compromise)
Business email compromise occurs when a fraudulent email appears to be from or related to someone in the target’s organisation, and requires immediate action, such as a money transfer or the acquisition of gift cards. This technique is believed to have caused more than half of all cybercrime-related business losses in 2019.
This type of phishing uses digital adware to deliver normal-looking ads with malicious code embedded inside.