What is a phishing attack?
Phishing is a broad term for a type of social engineering attack. These attacks use a variety of strategies to steal personal data from victims, such as login credentials and credit card numbers. Hacking, malware, and phishing are becoming the number one cause of security breaches today.
A successful phishing attack usually happens when an attacker tricks a victim into opening an email or text message, or clicking a malicious link. Clicking the link can lead to the installation of malware, which is typically followed by the system being locked in a ransomware attack, or by the disclosure of sensitive information.
This type of attack can have devastating results for individuals as well as for companies and businesses. Anything from stolen funds to larger operations such as APTs (advanced persistent threats) can leave victims with severe financial losses. These scams can also negatively affect the stock market and do real damage to a business’ reputation and consumer trust.
These scammers can target anyone who uses the internet or owns a smartphone. A person’s phone number, email address, and social media accounts can all be used to aid these phishers in stealing personal information.
Types of phishing attacks you should know about
A common example of a phishing scam is a spoofed email sent to every employee of a company claiming that the user’s password is about to expire. The instructions tell the recipient to click a link and reset the password within 24 hours. The link, however, leads to a bogus page that asks for the existing password and a new one, and once they are entered the scammers immediately have access to the victim’s account.
These are a few types of phishing scams you should be aware of.
- Phishing email - Appears in your mailbox and asks you to follow a link, send a payment, reply with private information, or open an attachment.
- Domain spoofing - One of the most popular ways to mimic a valid email. Attackers take a real company’s domain and modify it, e.g. using “geartlearning.com” instead of “greatlearning.com”. It is very easy for a victim to engage with it and fall into the scheme.
- Voice phishing - Attackers call you and act like a valid person or company to deceive you, and will urge you to take action while still on the call.
- SMS phishing - Attackers imitate a valid organization and send you a short link in a text message to fool you.
- Clone phishing - Attackers duplicate a real message that was sent previously, but with the links replaced by malicious ones.
- Typo squatting - Attackers try to catch people who mistype a website URL.
- Evil twin (internet connection attack) - Attackers set up a public Wi-Fi network at locations like coffee shops or railway stations, and once you connect they have the ability to eavesdrop on all your online activity.
How to defend yourself against vicious phishers
- Keep updated on new phishing techniques. New scams are being developed every second, and not staying informed could put you at risk.
- Think before you click! Avoid clicking on random and unfamiliar links and pop-ups.
- Install an anti-phishing toolbar. They are typically free, and they provide quick checks on the sites you visit, alerting you if you stumble upon a malicious site.
- Verify a site’s security. Before submitting any sensitive information, check that the URL begins with “HTTPS” and not “HTTP”. You can also look for the closed lock icon, usually near the address bar.
- Check your online accounts regularly. Changing your password and checking statements regularly leaves little room for a hacker to slip through unnoticed.
- Keep your browser up to date. Popular browsers release security patches with updates in response to vulnerabilities they discover that phishers exploit.
- Use firewalls. Two types of firewall are available: a desktop firewall and a network firewall. These firewalls act as buffers between you, your computer, and outside intruders. Try using both to protect yourself.
- Beware of pop-ups. If you cannot block pop-ups, or simply don’t, then when an unwanted pop-up appears do not click the “cancel” button on the page, as this can often lead to phishing sites; click the small “x” in the upper corner of the window instead.
- Use antivirus software. Antivirus software scans every single file that comes through the internet to your computer. Using both antivirus software and firewalls is the best way to protect yourself from becoming a victim of one of these scams.
- Never give out personal information.
Ways for companies to defend against being scammed
- Use an SSL certificate to secure all traffic to and from your website.
- Keep up to date with all software updates to ensure you are protected at all times.
- Provide regular security training to your staff on identifying phishing scams, malware and social engineering threats.
- Use a securely hosted payment page: use a payment gateway provider that holds up-to-date PCI DSS and ISO 27001 certifications to protect your customers’ privacy.
Coronavirus phishing scams
The latest of these unsavory scams to develop are coronavirus/COVID-19 phishing scams. As always, these emails may seem official, but upon further investigation of the IP address you should be able to tell whether it is legitimate or a misleading link.
Don’t fall for these scams. It is also important to remember that the government organizations they try to emulate would NEVER ask you for your personal bank details.
If you receive one of these emails, this is what you should do:
- Check the sender’s email address — WHO sender addresses use the person@who.int pattern, NOT Gmail, etc.
- Before you click on the link, check for “HTTPS” and not “HTTP”.
- Even if you have already given out your personal information, don’t panic. Simply reset your credentials on the affected sites and contact your bank immediately to change the required credentials.
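The domain spoofing and typo squatting entries above, and the sender-address and HTTPS checks in this list, all come down to the same question: is the domain in front of you the one you trust, or a near miss? The following Python script is an added example (not code from the original article or from any organisation it mentions) that automates that triage for a sender address or a link. The allow-list of trusted domains and the sample addresses and links are constructed for illustration, and the registrable-domain extraction is deliberately simplified (last two DNS labels) rather than using the Public Suffix List. Note that the HTTPS check only confirms the connection is encrypted; the domain verdict is what tells you whether you are talking to the site you expect, which is why the two results are reported separately.

```python
"""Lookalike-domain and link checks for phishing triage (added example)."""
import re
from urllib.parse import urlparse

# Constructed allow-list: domains the recipient legitimately receives mail
# from or follows links to. Hypothetical configuration, not from the article.
TRUSTED_DOMAINS = {"who.int", "greatlearning.com"}

# Character sequences commonly swapped for visually similar ones.
# Normalising both sides before comparison exposes e.g. "wh0.int".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels ("mail.who.int" -> "who.int").
    Simplification: a real implementation would consult the Public Suffix
    List so that hosts under e.g. "co.uk" are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(domain: str) -> str:
    """Fold confusable character sequences so homoglyph tricks compare equal."""
    out = domain.lower()
    for src, dst in CONFUSABLES:
        out = out.replace(src, dst)
    return out


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify_domain(domain: str, max_distance: int = 2) -> str:
    """'trusted' for an exact allow-list match, 'lookalike' for a near miss
    (confusable characters or up to max_distance edits), else 'unknown'."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(normalise(domain), normalise(trusted)) <= max_distance:
            return "lookalike"
    return "unknown"


def check_sender(address: str) -> dict:
    """Classify the domain of an e-mail sender such as 'Alerts <a@who.int>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", address)
    if not match:
        return {"domain": None, "verdict": "malformed"}
    domain = registrable_domain(match.group(1))
    return {"domain": domain, "verdict": classify_domain(domain)}


def check_link(url: str) -> dict:
    """Report whether a link uses HTTPS and how its host compares to the allow-list.
    HTTPS only means the connection is encrypted; the domain verdict says
    whether the host is the one you expect."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host:
        return {"domain": None, "https": False, "verdict": "malformed"}
    domain = registrable_domain(host)
    return {"domain": domain, "https": parsed.scheme == "https",
            "verdict": classify_domain(domain)}


if __name__ == "__main__":
    # Constructed samples modelled on the article's examples.
    for sender in ("alerts@who.int", "WHO Alerts <alerts@wh0.int>", "alerts@gmail.com"):
        print(sender, "->", check_sender(sender))
    for link in ("https://greatlearning.com/reset", "https://geartlearning.com/reset",
                 "http://greatlearning.com/reset"):
        print(link, "->", check_link(link))
```

Run it directly to see the verdicts for the constructed samples: the exact WHO address is trusted, the digit-for-letter variant is flagged as a lookalike, a free-mail sender is unknown, and the transposed “geartlearning.com” link is a lookalike even though it uses HTTPS. The distance threshold of 2 is a judgement call; raise it and more legitimate unrelated domains will be flagged, lower it and more subtle modifications slip through.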