What is Phishing?
Phishing is a technique cybercriminals, also known as hackers, use to gain unauthorized access to personal accounts and sensitive data. The likelihood of encountering a phishing attempt is significant. Phishing is the most common method of cybercrime, with 3.4 billion spam emails sent every day as of July 2024 (AAG IT Services, 2024).
Put simply, phishing is when someone impersonates a trusted entity. For example, you may receive an email claiming to be from your bank. The email may contain a warning or describe an issue and provide a link or number to resolve it. Links of this nature often lead to fake websites designed to steal your login information.

Common Phishing Attacks
There are many types of phishing attacks, each categorized by how it is used.
Email Phishing: Fake emails claiming to be from "trusted" sources such as banks or service providers.
Spear Phishing: Targeted phishing attempts that are more personalized. These often target members of an organization. For example, someone may contact an employee claiming to be their friend from IT who needs to do something with their account.
SMS Phishing, or Smishing: Fake text messages that attempt to gain information.
Voice Phishing, or Vishing: Fake calls impersonating legitimate organizations attempting to gather sensitive information.
How to Spot Phishing Attempts
Suspicious email addresses or domain names: Let's say your bank has an email such as yourbank@address.xx, but you receive an email from urbankk@adresss.xy. These look similar, but the second has strange spelling and a different domain.
Spelling: Next, look at the spelling. It is common for phishing attempts to use strange language and grammar, or even to make spelling mistakes.
Urgency: Phishing attempts try to make you worry with phrases like "IMMEDIATE ACTION". This is a scare tactic to get victims to act fast, with less time to think it over.
Too Good to be True: Receiving an email or message with great news, such as "You won a $500 gift card!!". The saying goes, if it is too good to be true, it probably is. So make sure it's something that relates to you.
Attachments or Links: If you were not expecting any links or attachments, it's safest not to click on them, as they may lead to malicious websites or malware.
Be careful where you submit information. Buy only from reputable websites, and submit sensitive information only if you are absolutely sure it is necessary and safe. Do proper research on new websites you do not know.
There should never be a reason for an external website to request your login information or sensitive information. Always think twice, sometimes three times. Understand that phishing can come from anywhere at any time.
Real Life Example

The image above is a real phishing attempt from Discord. The message was sent spontaneously after a year of no conversations.
Looking back at the suggested tips for spotting phishing, one of the most prevalent that comes to mind is too good to be true. This was not an expected gift, and there would be no reason for it.
Next is the link. At first glance it appears to be an official Steam link; Steam is a very popular gaming platform used by millions worldwide. However, this is actually just normal text with a hyperlink within it. Basically, it's a hidden link: it sends the user to a different website, not Steam.

Take a look at the image to the left.
This is where the link leads. At first glance the website looks real, and someone not paying attention could easily fall for it.
If you have not yet, try looking for what gives the webpage away.
At the top of the webpage is the domain. It no longer matches the link seen in Discord; it now has an oddly spelled name resembling that of the official Steam website.
Next, there is a small typo: two added periods under "Choose an option to get started".
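The two giveaways described above, visible link text that names one site while the hyperlink opens another, and a domain spelled almost like the real one, can also be checked by a script. The following is an added example, not part of the original post. It assumes the message arrives as HTML or as Markdown-style [text](url) links; the trusted list, the 0.8 similarity threshold, and the lookalike domain (on the reserved .example TLD) are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"steampowered.com"}  # assumption: sites you actually log in to
URLISH = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]\S*)?", re.I)
MASKED = re.compile(r"\[([^\]]+)\]\((https?://[^)\s]+)\)")  # [text](url) links

def site(host):
    """Naive registrable domain (last two labels); real code needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class AnchorCollector(HTMLParser):  # collects (visible text, href) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_message(message):
    """Return one warning string per suspicious trait found in the message's links."""
    parser = AnchorCollector()
    parser.feed(message)
    warnings = []
    for text, href in parser.links + MASKED.findall(message):
        real = site(urlsplit(href).hostname or "")
        shown = URLISH.fullmatch(text)  # only compare when the text itself looks like a URL
        if shown and site(shown.group(1)) != real:
            warnings.append(f"text shows {site(shown.group(1))} but link opens {real}")
        if real not in TRUSTED:
            for good in TRUSTED:  # compare names without the TLD; 0.8 is an assumed cutoff
                score = SequenceMatcher(None, real.split(".")[0], good.split(".")[0]).ratio()
                if score >= 0.8:
                    warnings.append(f"{real} imitates {good}")
    return warnings

# Constructed samples: the lookalike uses the reserved .example TLD.
PHISH = "Gift for you: [https://store.steampowered.com/gift](https://steampovvered.example/gift)"
LEGIT = '<a href="https://store.steampowered.com/about">store.steampowered.com</a>'
print(check_message(PHISH), check_message(LEGIT))
```

The first sample produces both warnings; the second, where the text and the destination agree and the site is on the trusted list, produces none.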
How it Works
Looking at the page, you can see it is offering $50. The catch is that it requires a login. This is where the trap comes in. Users that believe this is the real website will try to log in. This results in them putting their account information, including the password, into the fake website.
The attacker in this situation (also known as a hacker) will then use that data to log into the victim's account, change the password, and sell the account to someone else to make a profit. This is a very common action taken when attackers gain access to accounts. Any account that may hold value will be a target of phishing.
Best Practices to Make You Safer from Phishing Attacks
There are ways to secure your account to prevent access even if one of these phishing attacks works on you.
First, always be skeptical. Accept that at any time, anyone or anything could be trying to get sensitive information. Verify information sent to you, and ensure the safety of links and messages.
Second, enable Multi-Factor Authentication (MFA), also known as Two-Factor Authentication (2FA). This secures your account by adding a backup verification method, the most popular of which is SMS. SMS verification is simply a one-time-use password sent to your phone number.
With MFA, even if someone gets your password, they cannot get into your account without the backup one-time-use code that is either generated or sent to you.
Third, there are some security tools that can be used to help protect you. For example, some browser extensions can detect if a website is malicious. These can see if a connection is secure or if the site is marked as trustworthy.
Finally, I suggest using a password manager. It makes it easier to create unique passwords, and it will only suggest filling in a password on the website where you created it. This way, if the password manager does not seem to detect the input field, something may be off.
What to do if You Fall Victim to Phishing
If you believe you fell victim to a potential phishing attempt, you will want to act fast.
For login credentials, let's say you logged into a website like the one shown previously. You will want to change your password as soon as possible. Also change the password on any other website that uses the same email and password. Never use the same password for different websites. Attackers can use this information on any website with your same email to gain access. This is called Credential Stuffing.
For critical info such as banking information or a Social Security number, contact your banking institution immediately. Let them know of the issue; they may change debit card numbers or even closely monitor your account for suspicious activity. Use credit monitoring tools, and keep an eye out for identity theft if personal info such as a Social Security Number was leaked.
With this information in mind, always make account security a top priority. Never reuse the same password—using a password manager can help with this. Think twice before acting, and remember that being skeptical is a good practice when it comes to security. Use strong, unique passwords to protect yourself from phishing and other attempts to access your accounts.
References
AAG IT Services. (2024, June). The latest phishing statistics. AAG IT Services.