Phishing 101: How to Protect Yourself Against Online Threats
Recent studies have shown that 85% of organizations have suffered phishing attacks of varying levels of severity, despite spam filters becoming ever more sophisticated. These immensely widespread social engineering scams have also become the number-one delivery method for ransomware and other malicious software.
While we tend to think of cybercriminals as masterminds in their nefarious trade, using cutting-edge technology to hack into networks, most phishing scams are orchestrated by simple-minded scammers. These scammers rely on a variety of social engineering tactics to dupe unwitting victims into downloading malicious software or giving away their personal or financial information.
Cybercriminals who rely on phishing scams to commit fraudulent activity are increasingly likely to be little more than mules for larger criminal organizations operating through the so-called Dark Web. The unprecedented rise of ransomware-as-a-service (RaaS) in recent years is a prime example. In this case, sophisticated hackers design malicious programs, relying on others to distribute them while taking a cut of the proceeds.
How to Identify Phishing Scams by Email
Although scammers use many different communication channels for social engineering scams, email remains the most common delivery vehicle. Almost every individual and business has received at least one phishing scam by email before, even if they don't know it themselves. Fortunately, most of these emails simply land in the spam folder or are flagged by the email client as suspicious. Nonetheless, there are plenty of exceptions, and phishing scams are getting more sophisticated by the day.
A typical phishing email appears to be from a legitimate source, such as a bank, building society or other company. More sophisticated scams use email spoofing techniques to forge a legitimate email address to make themselves appear more authentic. These scams may also use recognized branding from a real commercial or government entity, but there are certain ways you can tell them apart from legitimate emails.
Phishing scams rely purely on social engineering tactics, often by building up fear. One of the most common examples is an email threatening account closure if you don't take the action demanded. For example, you may receive an email that appears to be from a company or website that you have an account with, threatening action if you don't provide login details or financial information. Fortunately, these are relatively easy to tell apart, since absolutely no legitimate organization will ever ask you for a password or financial information by email. If you ever receive such an email, delete it immediately.
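The spoofing and "provide your password or lose your account" patterns described above can be checked mechanically before a message ever reaches a person. The following is an added example, not code from the original article: it parses raw email headers with the Python standard library and reports the indicators a mail gateway or help desk would look at first (Reply-To or Return-Path pointing at a different domain than From, a failed SPF result, no passing DKIM signature, and a body that demands a password under threat of closure). The sample message, its addresses and domains are all constructed placeholders.

```python
"""Added example: flag common spoofing indicators in raw email headers.
Standard library only; the message below is constructed, not a real phish."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message. All addresses and domains are placeholders.
SAMPLE_RAW = """\
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: support@exmaple-bank-verify.net
Return-Path: <bounce@mail-relay.invalid>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.invalid; dkim=none
Subject: Your account will be closed in 24 hours
To: victim@example.org

Please confirm your password at the link below or your account will be closed.
"""


def domain_of(addr):
    """Return the lowercase domain part of an address header, or '' if absent."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def spoof_indicators(raw_message):
    """Return human-readable reasons the message looks spoofed or coercive.

    An empty list means none of these simple checks fired; it does not mean
    the message is safe, so treat the result as triage input, not a verdict.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    return_domain = domain_of(msg["Return-Path"])

    # Replies or bounces routed to a domain other than the visible sender's
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if return_domain and return_domain != from_domain:
        reasons.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")

    # Authentication-Results is added by the receiving mail server; a failed SPF
    # check or a missing DKIM pass is consistent with a forged From address.
    auth = str(msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        reasons.append("SPF check failed for the sending domain")
    if "dkim=pass" not in auth:
        reasons.append("no passing DKIM signature")

    # The social-engineering hook: a password request tied to a closure threat
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    if "password" in text and ("closed" in text or "suspended" in text):
        reasons.append("body asks for a password under threat of account closure")

    return reasons


if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE_RAW):
        print("-", reason)
```

The domain comparison is deliberately strict: a legitimate bulk sender often uses a separate bounce domain, so in practice you would whitelist known relay domains rather than alert on every mismatch. The body check is the cheapest of the four and, on its own, the least reliable; its value is in combination with the header results.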
How to Spot Targeted Phishing Scams
The most sophisticated phishing scams are targeted towards specific individuals, particularly company executives, sales staff and human resources personnel. Also known as spear phishing, these targeted scams are among the most dangerous, since they often appear much more genuine than generic, wider-reaching scams. Since they address the individual by name and invariably use a spoofed email address, they are usually not as easy to identify. Oftentimes, a spear phishing attack comes from an otherwise genuine email address that has been compromised.
Rather than relying on inspiring fear in victims or relying on numbers alone to find an unwitting victim amongst hundreds, spear phishing thrives on familiarity. How safe you are from these targeted attacks depends largely on the degree of information about you that's available to the public. For example, a scammer might trawl through LinkedIn to find potential targets, gathering information about them to use in a scam email. If you ever receive a suspicious email from a friend or colleague, always make sure to contact them separately over another communications channel to verify that they are the sender.
How to Identify Malicious Email Attachments
More sophisticated scammers often rely purely on social engineering tactics to gather personal or financial information rather than malicious software itself. After all, the human element is always the weakest link when it comes to cybersecurity. Nonetheless, malicious email attachments remain a major problem, and they're the number-one delivery channel for ransomware scams like the infamous WannaCry attack back in May.
Fortunately, with a little bit of preparation, it's generally not particularly difficult to identify suspicious attachments. After all, only certain file formats can contain malware, whereas many formats, such as JPG image files, cannot contain malware. On the other hand, any executable file (i.e. a program that you run) can contain malware. Also, any format that supports macros, such as Microsoft Word documents or Excel spreadsheets, can contain macros used to execute malicious code.
Of course, any scammer can change the file extension to mask the real file type, but only files with certain extensions will run. You should also look out for compressed archives, such as ZIP or RAR, since they can contain files of any type, including executables. While you generally don't need to worry about attachments such as images and videos, always be on the lookout for unfamiliar file types. Finally, be sure to avoid opening any attachments that you weren't expecting.
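The attachment rules above (executables and macro-capable Office formats are risky, archives can hide anything, and a changed extension only matters if the final extension is one that will run) translate directly into a triage script. The following is an added example, not code from the original article: it classifies attachment filenames by their extension chain, catches the "invoice.pdf.exe" double-extension trick, and opens a ZIP in memory to classify each member. The extension lists and the sample archive are constructed for the demonstration and are not exhaustive.

```python
"""Added example: classify attachment filenames by risk and inspect ZIP
contents. Standard library only; extension lists are illustrative, not complete."""
import io
import zipfile
from pathlib import PurePosixPath

# Illustrative extension sets (assumption: tune these to your own environment)
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".msi",
                   ".js", ".vbs", ".ps1", ".jar", ".hta"}
MACRO_EXTS = {".doc", ".docm", ".dotm", ".xls", ".xlsm", ".xltm", ".ppt", ".pptm"}
DOC_EXTS = {".docx", ".xlsx", ".pptx"}          # modern formats without macro support
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".tar", ".gz", ".iso", ".img"}
BENIGN_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".mp4"}

RISK_ORDER = {"low": 0, "unknown": 1, "medium": 2, "high": 3}


def classify_name(filename):
    """Return (risk_label, reason) for a filename, judged by its extension(s) only."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return ("unknown", "no file extension")
    last = suffixes[-1]
    # 'invoice.pdf.exe': a document-looking extension in front of an executable one.
    # Only the final extension decides what the OS will run.
    if (len(suffixes) > 1 and last in EXECUTABLE_EXTS
            and suffixes[-2] in BENIGN_EXTS | DOC_EXTS | {".pdf"}):
        return ("high", f"double extension {''.join(suffixes[-2:])} hides an executable")
    if last in EXECUTABLE_EXTS:
        return ("high", f"executable type {last}")
    if last in MACRO_EXTS:
        return ("medium", f"macro-capable Office type {last}")
    if last in ARCHIVE_EXTS:
        return ("medium", f"archive {last} may contain any file type")
    if last in DOC_EXTS:
        return ("low", f"macro-free Office type {last}")
    if last in BENIGN_EXTS:
        return ("low", f"media/text type {last}")
    return ("unknown", f"unfamiliar extension {last}")


def classify_zip(data):
    """Classify every file inside an in-memory ZIP.

    Returns (worst_risk, findings) where findings is a list of
    (member_name, risk_label, reason). Nested archives are reported as
    'medium' rather than opened, to avoid recursion on crafted archives.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            label, reason = classify_name(PurePosixPath(info.filename).name)
            findings.append((info.filename, label, reason))
    worst = max((f[1] for f in findings), key=RISK_ORDER.get, default="low")
    return worst, findings


def build_sample_zip():
    """Constructed sample: an 'invoice' archive that actually carries an executable name.
    The member contents are placeholder bytes, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2024/readme.txt", "see attached")
        zf.writestr("invoice_2024/invoice.pdf.exe", b"MZ placeholder bytes, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("holiday.jpg", "report.xlsm", "invoice.pdf.exe", "notes.docx"):
        print(name, "->", classify_name(name))
    worst, findings = classify_zip(build_sample_zip())
    print("sample.zip worst risk:", worst)
    for member, label, reason in findings:
        print("  ", member, label, reason)
```

Two practical caveats follow from the article's own reasoning: the classification trusts the filename, so a gateway should also check the file's magic bytes, and a ZIP that is password-protected cannot be inspected at all, which is itself a reason to treat it as suspicious when it arrives unexpectedly.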
Never Click on Suspicious Links
Scammers often send phishing emails for the sole purpose of trying to get recipients to click on links to malicious websites. These fraudsters may use links to send people to fake websites that look like they belong to a real company. While simply clicking on a link isn't likely to do much harm, downloading anything from the website or entering any personal information could lead to disaster.
Fortunately, fake websites are usually quite easy to identify. Before clicking on any link in an email, move your mouse pointer over it to see the full web address. If it doesn't look like the link you were expecting, then it almost certainly leads to a fraudulent website. Scammers often use URL shorteners to mask the real content of the link, so be sure to look out for short web addresses that don't make any sense.
If you do end up clicking on a link and getting redirected to a suspicious website, always make sure to verify it before entering any login or other information or downloading any file. Fraudulent websites and emails themselves often have one or more of the following characteristics:
• Suspicious domain names might be common misspellings of legitimate brands or may contain an added word or other modification.
• Fraudulent websites and emails often don't contain any contact information, though there are plenty of exceptions.
• Phishing scams often originate from countries where English isn't the first language, so poor spelling and grammar are tell-tale signs of a scam website.
• Many scam sites will not bother to use a TLS certificate for encrypting data. Never enter information on a site if there is no padlock icon by the address.
If you're still in doubt, a quick search on Google for the domain or a WHOIS lookup will usually reveal all. You can also test any contact information provided to confirm that a website is either legitimate or fraudulent.
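The link checks in this section (hover to compare the visible address with the real destination, distrust shorteners, look for misspelled or padded brand domains, and refuse sites without HTTPS) can be applied to an HTML email body automatically. The following is an added example, not code from the original article: it extracts every link with the Python standard library and reports which of those warning signs fire. The brand list, the shortener list and the sample HTML are constructed for the demonstration, and the "registrable domain" helper is a crude last-two-labels approximation rather than a public-suffix lookup.

```python
"""Added example: extract links from an HTML email and flag the warning signs
listed above. Standard library only; brand and shortener lists are illustrative."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions: illustrative brand domains you expect mail to reference, and a
# small list of shortener hosts. Real deployments would use fuller lists.
TRUSTED_BRANDS = ("example-bank.com", "paypal.com")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation: last two DNS labels (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-misspellings of a brand name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, text):
    """Return the warning signs for one link; an empty list means none fired."""
    warnings = []
    url = urlparse(href)
    host = url.hostname or ""
    if url.scheme != "https":
        warnings.append("not HTTPS")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the destination")
    # Visible text that looks like a web address but points somewhere else
    # (what the hover check in the article reveals).
    shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
    if "." in text and " " not in text and shown \
            and registrable_domain(shown) != registrable_domain(host):
        warnings.append(f"text shows {shown} but link goes to {host}")
    reg = registrable_domain(host)
    for brand in TRUSTED_BRANDS:
        if reg == brand:
            continue  # the genuine domain or one of its subdomains
        name = brand.split(".")[0]
        if name in host:  # brand name padded with extra words or labels
            warnings.append(f"{host} embeds brand name {name} but is not {brand}")
            break
        if 0 < edit_distance(reg.split(".")[0], name) <= 2:
            warnings.append(f"{reg} looks like a misspelling of {brand}")
            break
    return warnings


def scan_html(html):
    """Return [(href, visible_text, warnings)] for every link in the HTML."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample body: a misspelled look-alike domain and a shortened link.
SAMPLE_HTML = """<p>Dear customer, please verify at
<a href="http://exarnple-bank.com/login">https://example-bank.com/login</a>
or <a href="https://bit.ly/3abcdef">click here</a> within 24 hours.</p>"""

if __name__ == "__main__":
    for href, text, warns in scan_html(SAMPLE_HTML):
        print(href, "|", text, "|", warns or "no warnings")
```

The edit-distance threshold of two catches the classic "rn" for "m" swap used in the sample and single dropped or doubled letters; anything looser produces noise on short domains. Note that the HTTPS check only tells you the connection is encrypted, which matches the article's advice to treat a missing padlock as disqualifying but not to treat its presence as proof of legitimacy.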
Beware of Pharming Scams
A neologism of 'farming' and 'phishing', pharming scams are mass-produced and largely automated phishing attacks that rely on malware alone to dupe victims. These scams may occur if someone manages to plant malicious software on your computer, typically by exploiting an operating system vulnerability. Oftentimes, this malware will hijack your web browser to display a fake website.
Fortunately, you can usually avoid getting malware on your computer in the first place by installing the latest antivirus software and ensuring that your operating system and other software are always kept up-to-date. If you're using Windows 10, automatic updates to both the operating system and the built-in antimalware software should already be taken care of. However, business users might want to opt for a more sophisticated solution than those natively provided by Windows.
Listen Out for Voice Phishing
Another type of phishing scam that's on the rise, affecting both businesses and individuals, is the kind conducted over the phone. Known as voice phishing or 'vishing', these scams rely on duping victims into surrendering payment or login information through a phone call. A common example involves a phone call from someone claiming to be an employee of a bank or other financial institution who asks you to verify account information or provide things like credit card details. Sometimes, the scammer might even be bold enough to tell you that your account has been compromised and that you should transfer your money elsewhere for 'safekeeping'.
Vishing scammers tend to be among the most confident and professional of the lot. What's more is that the scams are invariably targeted, meaning that they appear much more genuine because they know your name and a bit about you. Skilled fraudsters may rely on using a serious message, a businesslike tone and the right details to fool you. To avoid these scams, never give private information over the phone unless you made the call to a number that you know.
Phishing scams have become by far the biggest cybersecurity threat of all time, and they're only getting more sophisticated overall. Learning how to identify social engineering scams and being extremely vigilant when giving personal or payment information to anyone are the only ways to protect yourself. After all, no antimalware solution can guard against the human element that's often ultimately responsible for falling victim to fraud.