When an angler selects the right bait, puts it on his hook and casts his line in the water, he just has to wait for a fish to come along and take that bait.
In the digital world, a cybercriminal throws his bait into familiar emails or a busy website and waits for his prey to arrive. By clicking on links, opening attachments, or taking the other types of bait that these hackers use, you can find yourself in the same situation as that poor unsuspecting fish: on the hook.
Recognizing phishing attempts and knowing how to defend against them can protect your personal information, the data you use to carry out your daily activities, your money and even your identity.
People who use phishing attacks attempt to obtain a user’s personal or sensitive information, including usernames, passwords, banking and credit card information and social security numbers, as well as intellectual property, research data and institutional information. Phishing can be initiated through email, phone calls, text messages, instant messaging and social media.
Phishing topped the FBI’s list as the most common cybercrime in 2020. There were 114,702 incidents reported in 2019. In 2020, that number had risen to 241,324 incidents.
Three out of four organizations worldwide experienced a phishing attack in 2020, and 96% of phishing attacks were carried out via email.
These attacks are a constant threat.
Spot the bait
The most common phishing attempts are emails that appear to come from a seemingly trustworthy company or contact. These emails often contain links or attachments that could compromise a user’s device. The email may also request personal data or information.
Where typical phishing attacks send mass emails to a large list of people, hoping someone will take the bait, a type of phishing called “spear phishing” targets specific users. Attackers may have information about their target that helps them tailor the bait they use and appear less sinister in their approach.
Through link manipulation, a phishing attack can direct users to a fraudulent website. The fake link may redirect the user’s browser to the phisher’s website. This may link directly to a spoofed website which may look almost exactly like the website the user thinks they are visiting. Any information entered by the user on the website can be used by the phisher to steal information or data, or to tailor future attacks to the phishing victim.
Some phishing scams come in the form of sites offering low-cost items and services. When the user tries to purchase the product, their credit card is compromised.
Through content injection, a phisher can modify only part of the content of a trusted website, leading the user to an untrusted web location where their information is extracted.
Phishers can attempt to trick users into running malware on their device. The malware is usually attached to the email sent to the user by the phishers. By clicking on a link in the email or downloading the attached files, the user activates the malware.
Some phishing emails can install malware, known as keyloggers, that monitors the keyboard of a user’s device. This can be used to steal information entered through the keyboard, such as passwords and credit card numbers.
One type of malware is a Trojan, which presents a seemingly routine function as its bait to trick users into running it. The malware then gains access to the user’s device and steals their account information.
Through malvertising, phishers can present an advertisement that downloads malware or pushes content to a user’s device. Malicious advertising is most commonly done via Adobe PDF and Flash.
Ransomware is a type of malware that shuts down access to a user’s own device unless the user pays a ransom to unlock it.
A victim may be tricked into entering their data or information by smishing, i.e. phishing via a text messaging service that directs them to a phishing site.
A phisher can also make a call to a user’s phone via vishing or voice phishing, tricking the user into calling another number. Performed primarily using fake caller ID, vishing is used to steal a victim’s banking information.
Hackers can also set up a Wi-Fi network using the names of established telecommunications companies or other familiar terms. If a user connects to this network, any information entered during the connected session is compromised.
Defend and Respond
The best way to avoid phishing attacks is to not provide any personal information over email. No credible organization uses email to collect this information.
Despite the tricks hackers use to make these emails appear legitimate, such as sophisticated copying of logos, familiar text or links that look genuine, no attempt to collect personal information via email should be considered reliable.
If you have reason to believe an account may be compromised, call the organization responsible for it.
Verify email addresses. Check security certificates when entering personal or sensitive data on a website to ensure that the certificate is issued for the website being viewed. Check the URL at the top of a website to make sure it looks legitimate or has been marked as safe by your browser, often by displaying a padlock icon.
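The link manipulation described in the "Spot the bait" section and the URL check recommended above can be partly automated. The following is an added example, not code from the original article: it parses a constructed HTML email body (the hostnames are made up) and flags anchors whose visible text names a different host than the href actually points to, or whose target host uses a punycode (xn--) label that can hide look-alike characters.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (hosts are invented for illustration): the
# first and third links show one site in their text but point elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Your account is locked. Verify it now:</p>
<a href="http://secure-login.example-bank.com.attacker.invalid/verify">https://www.example-bank.com/login</a>
<p>Or visit <a href="https://www.example-bank.com/help">our help page</a>.</p>
<a href="https://xn--exmple-bank-xxx.invalid/">www.example-bank.com</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-case hostname of a URL; bare 'www.site.tld' text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def suspicious_links(html):
    """Return (href, text, reasons) for links a reader should not trust at face value."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        # Only treat the visible text as a URL if it looks like one (has a dot, no spaces).
        text_host = host_of(text) if "." in text and " " not in text else None
        reasons = []
        if text_host and text_host != href_host:
            reasons.append("display text host differs from link target host")
        if any(label.startswith("xn--") for label in href_host.split(".")):
            reasons.append("link target uses a punycode host")
        if reasons:
            findings.append((href, text, reasons))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL_HTML)` flags the first and third links and leaves the genuine help-page link alone; the same check applies to any HTML body you feed it.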
It is important to maintain current software and apply updates in a timely manner.
If a personal email account, bank account, or other account is suspected of being compromised, change passwords immediately. Contact any banks or other organizations with access to your financial data to inform them of the situation. See if these potentially compromised accounts can be protected with fraud alerts.
Reviewing bank and financial statements regularly can often alert you to potentially fraudulent activity.
If your accounts allow it, enable two-factor authentication, which can prevent the use of stolen passwords to grant access.