One of the most aggravating risks we face is phishing. Even though most of us understand what a phishing scam is and how it works, we still get caught off guard. This cyber-attack is a form of social engineering that is typically used to steal private information from users, such as sensitive credit card details and login credentials.
Frankly speaking, we are all aware of how to avoid phishing scams, but we fail to realize how sophisticated the targeting is becoming, and we still (unconsciously) end up taking the bait. Thus, we need to understand the anatomy of phishing attacks and the best practices for getting rid of phishing scams.
DISCLAIMER: Since hackers are resourceful, creative, and constantly devise new ways to penetrate cybersecurity safeguards, no single strategy is likely to provide absolute safety. However, organizations can do a lot to raise awareness about phishing scams and how they operate by implementing policies, practices, and training.
The anatomy of a phishing attack
As the planet fights the deadly Coronavirus offline, cybercriminals are trying to profit from the situation online. With a large number of people stuck indoors and therefore online, phishing campaigns increased by 600% in the last year (and yes, by last year I mean 2020!).
ICYMI, scammers often use social engineering as part of their phishing schemes to trick their victims into trusting them for fraudulent purposes, often by pretending to be a legitimate individual or company. Criminals may use phishing attacks to distribute malware and other malicious material.
How do phishing scams work?
The following is the most common scenario:
- When you open your email, you are greeted by a message from your bank. When you click the link in the email, you are taken to a page that looks just like your bank's website.
- The catch is that this website is set up to steal your personal information. The message will tell you that there is an issue with your account and that you must verify your username and password.
- After you enter your credentials on the fake page, you are normally redirected to the real institution's site and asked to log in a second time. Because you end up at the legitimate organization, you are not immediately aware that your information has been compromised.
What does a phishing email look like?
One of the reasons phishing emails are so dangerous, and so popular with attackers, is that they are designed to appear legitimate. The following characteristics are commonly found in phishing emails and should raise red flags:
- Links or attachments
- Spelling errors
- Grammatical errors
- Unprofessional graphics
- Unnecessary urgency to verify your email address or other personal details immediately
- Generic greetings such as "Dear Customer" instead of your name
- Since hackers often hurry to set up phishing sites, some of them will look noticeably different from the real business's site. These characteristics can help you identify a phishing scam that lands in your spam folder.
Phase 01 - The evolution of phishing scams
What began as an attempt to steal users' credentials through email and instant messages has since evolved into new ways, such as SMiShing, or adapted its content to hook the victim with a surprising subject line.
Phase 02 - Why has this cyberattack been haunting us since its inception?
FYI, phishing scams don't require extensive networking knowledge or even basic programming skills. They rely on human error, capitalizing on people's emotions and a lack of security awareness, exploiting human psychology in the same way technical tools exploit systems.
Phase 03 - Nature plays harder
Our inherent psychology (i.e. human nature) fails to recognize a cyberattack like a typical (or more advanced) phishing scam. This is one of the main reasons why phishing has become so popular among hackers. Sadly, perpetrators also use negative or upsetting news to pique the interest of their targets, causing them to click on suspicious links or willingly hand over personal information.
Phase 04 - Phishing scams bait-and-switch
The pandemic-led recession has forced numerous business closures and mandatory restructurings, leading to uncertainty about job security. In fact, phishing emails with the subject line "HR Redundancy List" have recently been discovered at some companies. Fraudsters use intimidation tactics to get recipients to click on a link contained in the email or to download harmful attachments.
Phishing scams not only use these tricks but have also latched onto the unprecedented work-from-home situation. The rise in global unemployment and the desperation for work-from-home opportunities have made these attacks so effective that it has been hard to get rid of phishing scams. This has stretched the very scope of cyber security.
Users should not, however, let their guard down when job searching, as that would stop them from noticing phishing indicators. According to The Motley Fool, some phishing texts and emails claim to offer work-from-home job opportunities, loans, or other types of financial relief.
Phase 05: Recognition: The very nature of human psychology
According to the Federal Communications Commission (FCC), most Americans claimed to have received hoax messages from the "FCC Financial Care Center" promising $30k in relief for those who have recently been furloughed. While this may look like a helping hand, it is actually a sneaky trap designed to dupe victims into handing over their credentials.
Pro-tip: Disregard emails that fall into these categories
- Any email requesting personal financial details in a hurry should be avoided.
- To get people to respond quickly, phishers usually include disturbing or exciting (but false) statements in their emails.
- They usually ask for user IDs, passwords, credit card numbers, SSN, and other personal details.
- Genuine messages from your bank or e-commerce company are usually personalized, whereas phishing emails aren't. Beware, though: modern sophisticated phishing emails can be "too personalized" (see ACT FAST below).
Phase 06: Types of phishing scams
- Email phishing: Phishing scams appear in your inbox, typically asking you to click on a link, send money, reply with personal information, or open an attachment. The sender's address may be tailored to look like a legitimate one, and the message may contain information that feels unique to you.
- Voice phishing (vishing): Scammers use vishing calls to trick you by impersonating a legitimate individual or organization. They can disguise their phone number and redirect you from an automated message. Vishers will try to keep you on the phone as long as possible, pressing you to take action. This can lead to SIM hijacking.
- Domain spoofing: An email phisher can use domain spoofing to imitate legitimate email addresses. These scams alter a legitimate company's domain (for example, @canada.com). You could become a victim of the scam if you interact with an address like "@casey.com".
- Smishing (phishing via SMS): Like vishing, this scheme mimics a legitimate organization and uses urgency in a short text message to deceive you. You'll typically find a link or a phone number in the message for you to use. This also applies to mobile messaging apps.
- Clone phishing: A valid attachment or link in a previously sent message is replaced with a malicious one. This is most often seen in email, but it can also appear elsewhere, such as in fake social media profiles and texts.
- Social media phishing: Criminals use posts or direct messages on social media to trick you into falling for a scam. Some are overt, such as giveaways or dubious "official" organization pages with an urgent demand. Others impersonate your friends or build a long-term relationship with you before 'attacking' to complete the transaction.
Phase 07: In other cases, legitimate websites can be hacked or imitated using the following methods:
- HTTPS phishing: The classic "padlock next to the URL bar" indicator gives a fraudulent website the appearance of safety. Previously, this encryption sign was only shown for sites that had been verified as secure, but now any site can obtain it. So, while your connection and the information you send may be hidden from outsiders, you may still be connected directly to a hacker.
- Tabnabbing: When an unattended fraudulent page reloads into a spoof of a legitimate site's login page, this is known as tabnabbing. When you come back to it, you may mistake it for the real thing and unwittingly hand over access to your account.
- Typosquatting (URL hijacking) is a method of catching people who mistype a website's URL. For instance, typing "MccDonald" instead of "McDonald" could lead you to a malicious site.
- Another branch of phishing is "watering hole phishing", which targets popular websites that are regularly visited by a large number of people. Such an attack may exploit flaws in the website to launch a variety of other phishing scams. Malware distribution, link redirection, and other methods are often used in this form of cyber attack.
- Pharming (DNS cache poisoning) reroutes traffic from legitimate websites to phishing sites using malware or a DNS vulnerability. If a domain is pharmed, even manually typing the URL will take visitors to the malicious site.
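As an added example (not from the original post), here is a small Python triage script for the domain spoofing, typosquatting and HTTPS-padlock items above: it flags sender and link domains that imitate a trusted brand and links whose visible text names a different site than the href. The trusted-domain list and the sample message are constructed for illustration, and the eTLD+1 logic is deliberately naive.

```python
from urllib.parse import urlparse
import re

TRUSTED = {"canada.com", "mcdonalds.com"}  # constructed allow-list of brands we expect mail from

def levenshtein(a, b):
    """Edit distance, used to catch typosquats such as 'mccdonalds.com' vs 'mcdonalds.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Naive eTLD+1 (last two labels); a production tool would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' (typosquat, or a brand name buried in another domain) or 'unknown'."""
    host = host.lower()
    rd = registrable(host)
    if rd in trusted:
        return "trusted"
    labels = host.split(".")
    for t in trusted:
        # brand used as a subdomain of an unrelated domain, e.g. canada.com.secure-login.net
        if t.split(".")[0] in labels or levenshtein(rd, t) <= 2:
            return "lookalike"
    return "unknown"

def triage(sender, links):
    """Findings for a From address and a list of (link text, href) pairs. HTTPS is
    deliberately ignored: the padlock proves encryption, not who is on the other end."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1]
    if classify(sender_domain) == "lookalike":
        findings.append(f"sender domain imitates a trusted brand: {sender_domain}")
    for text, href in links:
        host = urlparse(href).hostname or ""
        if classify(host) == "lookalike":
            findings.append(f"link host imitates a trusted brand: {host}")
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())  # domain the user sees
        if shown and registrable(shown.group()) != registrable(host):
            findings.append(f"link text shows {shown.group()} but goes to {host}")
    return findings

if __name__ == "__main__":  # constructed sample message, not a real campaign
    print(triage("alerts@canada.com.secure-login.net", [("https://www.canada.com/login", "https://mccdonalds.com/verify")]))
```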
Personal and public email addresses:
Create a private email address. Only personal correspondence should be sent here. Since spammers create lists of potential email addresses by combining obvious names, words, and numbers, you should make it difficult for them to guess your address. Your private address should be more than just your first and last name, and you should safeguard it by doing the following:
- Never put your private email address on a website that is open to the public.
- If you must publish your private address online, try to mask it to prevent spammers from harvesting it. Spammers can easily locate email addresses like 'Joe.Smith@yahoo.com'. Instead, try writing it as 'Joe-dot-Smith-at-yahoo.com'.
- If spammers discover your private address, you can update it. Changing your email address can be annoying, but it will help you prevent spam and scammers.
- Make a public email address for yourself. Use this address when you need to register on online forums and chat rooms, as well as to subscribe to mailing lists and other Internet services. Don't be afraid to change your public email address on a regular basis.
- Use several public addresses. That way you'll have a better chance of figuring out which services are selling your address to spammers.
ACT FAST!! How to eventually get rid of phishing scams?
We have to act fast.
- Go straight to the source, first and foremost: Be wary of text messages or emails purporting to be from firms that make unusual requests or contain information that seems out of place. Instead of clicking on a link contained in the email, go directly to the website of the company in question or contact its customer service or live chat.
- Be wary of emails that urge you to take unwanted action: Do not click on anything in an email or text message that asks you to take a specific action or download apps. Instead, go back to step 1 and visit the organization's official website or social media. That way you will not be pushed into downloading malicious content from phishing links.
- Set up security software or automatic updates to protect your mobile device. A mandatory update policy in an organization can also catch an incoming cyber security threat in advance and mitigate it to an acceptable level. These adjustments can provide essential protection against unwanted hacking, such as a SIM swap.
- Employee technical training: Although the first three apply to companies as well, another step is to train employees to recognize different types of cyber-attacks and get rid of phishing scams.
- Multi-factor authentication is a good way to keep your accounts secure. Some accounts provide an extra layer of protection by requiring a second verification step in addition to your password to log in. Organizations and individuals should recognize this and have the resources to resist phishing, including a password manager to prevent password reuse. If you have a complex or high-threat model, however, a hardware MFA token such as a YubiKey is something we strongly suggest. Anything like the Twitter hack couldn't have happened if this had been in place.
- Back up your data to keep it secure. Create a copy of your data and make sure it isn't linked to your network (on your home). Your data files can be copied to cloud storage or an external hard drive. Back up your phone's data as well.
- Delete the email without opening it. Most malware is activated when you open an attachment or click a link in an email. However, some email clients allow scripting, making it possible to get infected simply by opening a suspicious-looking email. It is better not to open them at all.
- Block the sender manually. You can create a block manually if your email client supports it. Note the sender's email domain and add it to a blocked sender list. This is particularly wise and useful if you share your mailbox with someone in your family. Someone else might come across a legitimate-looking email that isn't in your spam folder and decide to act on it.
In the meanwhile, follow @efani on Twitter, listen to our CEO's podcasts, and 'Like' us on Facebook to stay up to date on all things Efani and mobile security threats.