What is phishing?
A phishing attack is a form of fraud that comes in many shapes. These scams are not limited to online channels such as fake emails and pop-up advertisements; they can arrive as phone calls (vishing) and text messages (smishing) as well. The people behind them frequently rely on fear and urgency to get their victims to take the bait.
Phishing is a con game designed to fool people into giving away personal information. The perpetrators are online con artists and identity thieves who reach their targets through text messages, emails, malicious websites, and spam. They are after usernames, passwords, account numbers, credit card details, and banking information.
Over the years, phishing has evolved from blasting out millions of poorly written spam messages to targeting specific organizations and individuals. Large organizations are now the preferred targets because they are more profitable.
The payloads delivered this way range from malware and ransomware to cryptojacking, where a compromised computer is made to run cryptocurrency-mining software. Spotting these campaigns has become harder because attackers increasingly send them from botnets and bundle them with "nuisanceware" that installs with no user interaction.
According to Verizon's Data Breach Investigations Report, the growth of phishing attacks in both sophistication and frequency poses a significant threat to organizations of every size. It is therefore crucial for executives, enterprises, and small businesses alike to learn how to detect, respond to, and protect against phishing.
Common types of phishing scams
Spear phishing
Spear phishing is a personalized attack. Perpetrators customize their scam emails with the target's name, position, employer, and work telephone number so that the recipient believes the sender already knows them.
The goal is the same as in deceptive phishing: to trick the victim into clicking a malicious link or opening a malicious attachment, or into handing over credentials or other data.
Spear phishing is particularly common on social media sites like LinkedIn, where attackers can combine several public pieces of information about a target to craft a convincing email.
To protect against spear phishing, companies should run ongoing security awareness training that discourages employees from publishing sensitive personal or company information on social media. Organizations should also invest in email security solutions that analyze inbound mail for known malicious links and attachments.
Deceptive phishing
Deceptive phishing is any attack in which the fraudsters impersonate a legitimate organization and attempt to steal people's login credentials. It is the most common type of phishing scam. These emails typically combine a threat with a sense of urgency to scare victims into doing the fraudster's bidding.
For example, scammers posing as PayPal might send an email instructing recipients to click a link to rectify a discrepancy with their account. In reality the link leads to a fake PayPal login page that collects the user's credentials and delivers them to the attackers.
The success of a deceptive phish depends on how closely the attack email resembles the impersonated company's official correspondence. Users should therefore scrutinize every URL before clicking, checking whether the link text and the actual destination agree and whether the destination is an unfamiliar domain. They should also watch for generic salutations, grammar mistakes, and spelling errors throughout the email.
Pharming
Because users have become more aware of phishing emails, some fraudsters have turned to pharming, an attack built on Domain Name System (DNS) cache poisoning that needs no email at all.
The Internet's naming system uses DNS servers to convert human-readable website names, such as "www.microsoft.com," into the numerical IP addresses used to locate services and devices.
In a DNS cache poisoning attack, the pharmer targets a DNS server (typically a recursive resolver shared by many users) and plants a false IP address for a legitimate website name in its cache. Every user of that resolver is then silently sent to a malicious site of the attacker's choosing, even though they typed the correct website name.
To protect against pharming, organizations should instruct employees to enter login credentials only on HTTPS sites and to stop if the browser warns about the site's certificate: a pharmed site normally cannot present a valid certificate for the real name, so that warning is often the only visible sign of the attack. Companies should also keep antivirus software, operating systems, and browsers patched and updated on all corporate devices, and obtain DNS service from a trusted provider or ISP that keeps its resolvers patched and validates DNSSEC.
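As an added example that is not part of the original article, the following toy resolver shows the mechanics behind the pharming attack described above and why the hardening added to real resolvers after the 2008 Kaminsky disclosures (random 16-bit transaction IDs and random source ports) turns a blind poisoning attempt into a guessing game. DNS messages are modelled as Python objects rather than wire format; the Resolver and Response classes, the names and the RFC 5737 documentation addresses are all constructed for illustration.

```python
"""Toy resolver showing what a DNS cache-poisoning (pharming) attack relies on.

Added example, not from the original article: DNS messages are plain Python
objects rather than wire format, and all names and addresses are constructed
(.example names, RFC 5737 documentation addresses)."""
import random
from dataclasses import dataclass


@dataclass
class Query:
    name: str
    txid: int        # 16-bit transaction ID the resolver chose
    port: int        # UDP source port the resolver sent from
    upstream: str    # server the query was sent to


@dataclass
class Response:
    name: str
    txid: int        # ID carried in the reply
    port: int        # port the reply arrived on
    server: str      # source address the reply claims (spoofable, so a weak check)
    answer: str      # A record offered for `name`


class Resolver:
    """strict=False models an old resolver with a fixed ID and port;
    strict=True models the hardened one (random ID, random port, source check)."""

    def __init__(self, strict: bool, seed: int = 1):
        self.strict = strict
        self.rng = random.Random(seed)   # seeded only so the demo is repeatable
        self.cache = {}                  # name -> IP
        self.pending = {}                # name -> outstanding Query

    def ask(self, name: str, upstream: str) -> Query:
        if self.strict:
            q = Query(name, self.rng.randrange(1 << 16), self.rng.randrange(1024, 65536), upstream)
        else:
            q = Query(name, 1, 53, upstream)   # predictable, hence trivially guessable
        self.pending[name] = q
        return q

    def receive(self, resp: Response) -> bool:
        """Accept or drop a reply. Returns True if it was cached."""
        q = self.pending.get(resp.name)
        if q is None:
            return False                     # nothing outstanding: late or unsolicited reply
        if self.strict and (resp.txid != q.txid or resp.port != q.port or resp.server != q.upstream):
            return False                     # forged reply guessed wrong: dropped
        self.cache[resp.name] = resp.answer
        del self.pending[resp.name]          # first accepted answer wins; the real one arrives too late
        return True


def race(resolver: Resolver, name: str, upstream: str, legit_ip: str, attacker_ip: str, forged: int) -> str:
    """Attacker floods guessed replies before the real server answers.
    Returns the IP the resolver ends up serving for `name`."""
    q = resolver.ask(name, upstream)
    guesses = random.Random(7)               # the attacker cannot see q.txid or q.port
    for _ in range(forged):
        fake = Response(name, guesses.randrange(1 << 16), guesses.randrange(1024, 65536), upstream, attacker_ip)
        if resolver.receive(fake):
            break
    resolver.receive(Response(name, q.txid, q.port, upstream, legit_ip))   # genuine reply
    return resolver.cache[name]


if __name__ == "__main__":
    NAME, NS, GOOD, BAD = "www.bank.example", "192.0.2.53", "192.0.2.10", "203.0.113.66"
    print("weak resolver   ->", race(Resolver(strict=False), NAME, NS, GOOD, BAD, forged=50))
    print("strict resolver ->", race(Resolver(strict=True), NAME, NS, GOOD, BAD, forged=50))
```

Run as a script: the weak resolver serves the attacker's address after a single forged packet, while the strict one keeps the genuine answer because none of the 50 guesses matched both the transaction ID and the port. A real attacker can send far more than 50 packets and can trigger many queries, which is why resolvers also validate DNSSEC where the zone is signed and why the browser's certificate check remains the backstop for the user.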
Top executive/whaling attacks
Whaling is phishing aimed at an organization's senior executives. The goal is to steal their logins and other valuable personal information, or to impersonate them: an attacker who controls or spoofs a CEO's mailbox can instruct staff to authorize fraudulent wire transfers to accounts of the attacker's choosing.
Whaling attacks are more common than they should be, largely because executives assume they are not at risk and skip the security awareness training their employees receive. When an attack lands, it costs them dearly.
To prevent this, everyone in the company, executives included, should undergo training on how to protect themselves against phishing. Organizations should also review and amend their financial policies so that no single person can authorize a significant transaction, and so that a request arriving by email is never sufficient on its own; it should be confirmed through a second channel, such as a phone call to a number already on file.
Dropbox phishing
While some phishers have moved away from generic mass lures, others tailor their attack emails to a specific company or service.
Take Dropbox, for example. Millions of people use Dropbox every day to back up, access, and share their files, so it is no surprise that attackers try to capitalize on the platform's popularity by targeting its users with phishing emails.
One campaign, for example, tried to lure users into entering their login credentials on a fake Dropbox sign-in page that was itself hosted on Dropbox, so the link led to a genuine Dropbox-hosted address. To protect against Dropbox phishing attacks, users should enable two-step verification (2SV) on their accounts; it limits what a stolen password alone can do, although one-time codes can still be phished in real time, so a hardware security key is the stronger option.
Google Docs Phishing
Fraudsters can target Google Drive the same way they prey on Dropbox users. Because Google Drive hosts documents, spreadsheets, presentations, photos, and even entire websites, phishers can abuse the service to publish a page that mimics the Google account login screen and harvests credentials, again from a URL that looks like Google's own.
How to protect against phishing
Use Antivirus Software
There are plenty of reasons to use antivirus software. It ships with signatures for known malware, so it can catch a malicious attachment or download that a phishing email delivers, and many products also flag known phishing URLs. Just be sure to keep it up to date.
New definitions are added all the time because new scams are being dreamed up all the time. Anti-spyware and firewall features should be enabled as well, and all of these programs should be updated regularly.
The firewall blocks unsolicited inbound connections, while the antivirus scans files arriving from the Internet before they can damage your system. Neither will catch a credential-harvesting page on its own, which is why the remaining precautions matter.
Stay Informed About new Phishing scams
New phishing scams are being developed all the time; without staying on top of the new techniques, you could inadvertently fall prey to one. Keep an eye out for news about new phishing scams.
Finding out about them early puts you at much lower risk of being snared by one. For IT administrators, ongoing security awareness training and simulated phishing exercises for all users are highly recommended to keep security top of mind throughout the organization.
Install an Anti-Phishing Toolbar
Most popular browsers can be fitted with anti-phishing toolbars, and modern browsers build the same check in (Chrome and Firefox, for example, use Google Safe Browsing). These tools compare the sites you visit against lists of known phishing sites and warn you before the page loads. It is one more layer of protection, and it is free; it will not, however, catch a site too new to be on any list.
Verify a Site’s Security
It is natural to be wary about supplying sensitive financial information online. A secure (HTTPS) connection protects the data in transit, but it says nothing about who is on the other end: phishing sites routinely use HTTPS and show the same padlock. Verifying a site's security is therefore a basic part of learning how to protect against phishing, but it is not the whole of it.
Before submitting any information, make sure the site's URL begins with "https" and that the browser shows a closed lock icon in the address bar. Then read the domain name itself: the lock only confirms that you are talking to the domain shown in the address bar, so "paypal.com.secure-login.example" with a padlock is still a phishing site.
Check the site's certificate as well, by clicking the lock, and confirm it was issued for the domain you expect. If the browser warns that a website may contain malicious files or that its certificate is invalid, do not continue. Never download files from suspicious emails or websites.
Even search engines may show links, often sponsored advertisements, that lead to phishing pages offering low-cost products. Anyone who buys from such a site hands their card details to cybercriminals.
Use your common sense
How do you use common sense to protect against phishing? Click links only when you are on trusted sites. Clicking links that appear in unexpected emails and instant messages is not a smart move. Hover over links you are unsure of before clicking, so the browser shows you the real destination.
Does it lead where it claims to? A phishing email may claim to be from a legitimate company, and the page behind the link may look exactly like the real website.
The email may ask you to fill in information but not address you by name; most phishing emails start with "Dear Customer," so be alert when you see that. When in doubt, go directly to the source, typing the company's address yourself or using a bookmark, rather than clicking a potentially dangerous link.
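The checks from the deceptive phishing section (generic salutation, urgency, scrutinizing every URL), from "Verify a Site's Security" (HTTPS alone proves nothing) and from the hover-before-you-click advice above can be automated. The script below is an added example, not code from the original article: it parses a constructed message with the standard library, extracts each link's visible text and real href, and reports the mismatches a careful reader would spot by hovering, plus the salutation and urgency signals. Both sample messages, the sender and link domains, and the two-label registrable-domain rule are constructed simplifications for illustration.

```python
"""Triage an e-mail for the phishing signals described in the article.
Added example, not from the original article; all messages and domains
below are constructed (.example / example.net reserved names)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear member", "valued customer")
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "verify your")

# Constructed lure modelled on the "rectify a discrepancy" example in the text.
PHISH = """\
From: PayPal Service <service@paypal-alerts.example>
To: customer@example.net
Subject: Urgent: your account has been limited
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We noticed a discrepancy in your account. You must verify your
identity within 24 hours or your account will be suspended.</p>
<p><a href="https://www.paypal.com.secure-login.example/verify">https://www.paypal.com/</a></p>
</body></html>
"""
# Constructed benign message for comparison.
CLEAN = """\
From: Alice <alice@example.net>
To: bob@example.net
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Hi Bob, the notes are at
<a href="https://docs.example.net/notes">https://docs.example.net/notes</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what the user sees vs where it goes."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def body_text(msg: Message) -> str:
    """First text part of the message, decoded to str."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def host_of(url: str) -> str:
    """Lower-case host of a URL, or of bare text that looks like one."""
    s = url.strip()
    return (urlsplit(s if "://" in s else "http://" + s).hostname or "").lower()


def domain_of(host: str) -> str:
    # Assumption: registrable domain = last two labels. A real tool would use
    # the Public Suffix List so that e.g. "bank.co.uk" is handled correctly.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text: str) -> bool:
    return re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text.strip(), re.I) is not None


def triage(raw_email: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_email)
    html = body_text(msg)
    text = (msg.get("Subject", "") + " " + " ".join(re.sub(r"<[^>]+>", " ", html).split())).lower()
    findings = []
    if any(s in text for s in GENERIC_SALUTATIONS):
        findings.append("generic salutation")
    hits = [w for w in URGENCY if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    sender_domain = domain_of(parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower())
    collector = LinkCollector()
    collector.feed(html)
    for href, shown_text in collector.links:
        target = host_of(href)                      # where the link really goes
        if looks_like_url(shown_text):              # link text pretends to be a URL
            shown = host_of(shown_text)
            if domain_of(shown) != domain_of(target):
                findings.append(f"link text shows {shown} but href goes to {target}")
                if domain_of(shown) in target:      # brand buried inside attacker's host name
                    findings.append(f"brand '{domain_of(shown)}' is only a label inside {target}")
        if sender_domain and domain_of(target) != sender_domain:
            findings.append(f"link domain {domain_of(target)} differs from sender domain {sender_domain}")
    return findings


if __name__ == "__main__":
    for label, mail in (("phish", PHISH), ("clean", CLEAN)):
        print(label, triage(mail) or "no findings")
```

The lure above uses https and carries the real brand in the link text, so neither the padlock nor a glance at the text would have saved the user; only reading the actual destination host, which is what the hover check and this script do, exposes it. The sender-domain comparison is a weaker signal (legitimate mail often links to other domains), so treat it as a prompt to look closer rather than a verdict.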
Check your online presence regularly
If you don't visit an online account for a while, someone could be having a field day with it. Even when you have no practical need to, check in with each of your online accounts regularly.
Use a unique password for every account and change one promptly whenever you suspect it has been exposed; a password manager makes this practical. To catch bank and credit card phishing that has already succeeded, check your statements regularly.
Get monthly statements for your financial accounts and check every entry carefully to ensure no fraudulent transactions have been made without your knowledge.
Keep Your Browser Up to Date
Security patches for popular browsers are released all the time, in response to the vulnerabilities that phishers and other attackers inevitably discover and exploit. If you usually ignore prompts to update your browser, stop: install updates as soon as they are available, or turn on automatic updates.
Use Firewalls
High-quality firewalls act as buffers between you, your computer, and outside intruders. Use two kinds: a desktop (host-based) firewall, which is software, and a network firewall, which is usually a hardware appliance or the router at the edge of your network.
Used together, they considerably reduce the odds of hackers and phishers getting into your computer or network, though they do nothing against a user who types a password into a fake page.
Be Wary of Pop-Ups
Pop-up windows often masquerade as legitimate components of a website. All too often, they are phishing attempts.
Most browsers block pop-ups by default and let you allow them case by case. If one slips through, do not click any button inside it, not even "cancel": every button drawn inside the pop-up is controlled by the page and can lead to a phishing site. Close it with the browser's own window or tab controls instead (for example with Ctrl+W or Cmd+W), and bear in mind that an "x" drawn inside the page content is just another link.
Never share sensitive information
As a general rule, never share personal or financial information over the Internet in response to an unsolicited request. This rule dates back to the America Online era, when users had to be warned constantly because early phishing scams were so successful.
When in doubt, go to the company's main website yourself, find its phone number there (not in the email), and call. Most phishing emails direct you to pages that ask for financial or personal information.
Never enter confidential details through a link provided in an email, and never send sensitive information by email. Make it a habit to check the address of the website. A legitimate site will use "https", but so will most phishing sites, so the domain name is what you must check.
Cybercriminals are always looking for cleverer ways to scam people, constantly inventing new social engineering techniques to bypass security controls and fool you, the user. It is nonetheless possible to mount an effective defense for yourself or the organization you work for.
Defenses need to be updated and maintained over time, however. Stay vigilant, because the attackers are out to get you; be proactive and take the necessary steps to mitigate potential threats.
Continue your security awareness training and phishing simulation program. Stay up to date and invest in firewalls and security software so that you are protected by a layered defense. Learn carefully how to protect against phishing; doing so reduces the probability of a successful attack.
Source: Verizon Data Breach Investigations Report