To be a successful fisherman, you have to con the fish into taking the bait, right? A successful fisherman will 'trick' the fish by way of deception, with an attractive 'lure' that looks like something it knows or wants.
The same goes for phishing... The cyber crime kind.
Phishing is a cyber attack that uses a disguised email (or any form of communication) as a lure. The goal is to trick the recipient into believing that the message is something they want or need - a request from their bank, for instance, or a note from someone in their company, or a great promotional deal - and to click a link, or download an attachment. Like fishing, this cyber crime comes in various forms, from 'search engine phishing' to individualised 'spear phishing', and like fishing, there are some very good 'phisher-men' (and women) out there!
Perhaps, one of the most consequential phishing attacks in history happened in 2016, when hackers managed to get Hillary Clinton’s campaign chair, John Podesta, to offer up his Gmail password. Or the 'fappening' attacks, in which intimate photos of a number of celebrities were made public. This was originally thought to be a result of insecurity on Apple’s iCloud servers, but was in fact the product of a number of successful phishing attempts.
More recently, phishing attacks have been believed to behind some of the most sophisticated attacks ever. In February 2021 SolarWinds – an IT infrastructure software provider – was the vehicle to distributing a trojanised software update to its users. The attack was described by the president of Microsoft as the ‘largest and most sophisticated attack ever’. SolarWinds self-reported that an email account was compromised. By compromising credentials of SolarWinds employees, the threat actors were able to get further access into the systems. The point is, phishing remains the number one attack vector, or route in to a business – even with the most advanced attacks.
The coronavirus outbreak of 2020 led to an explosion of phishing scams with hackers seeking to take advantage of the pandemic by sending fraudulent email and WhatsApp messages. Organisations, such as the World Health Organisation set up a ‘report a scam’ feature to help try and tackle the problem and provide some level of protection to potential victims losing money.
The sheer number of emails sent every single day means that it’s a great avenue for cyber criminals. It’s estimated that 3.7 billion people send around 269 billion emails every single day. Researchers at Symantec suggest that almost one in every 2,000 of these emails is a phishing email, meaning around 135 million phishing attacks are attempted every day. Most people simply don’t have the time to carefully analyse every message that lands in their inbox – and it’s this exact oversight phishers look to exploit in a number of ways.
So how can you avoid the lure of being caught out with phishing?
The first step is education. Phishing has evolved over recent years, becoming more sophisticated and harder to recognise. There are a number of steps you can take, and a mindset you should get into, that will keep you from becoming a phishing statistic.
Keep informed about phishing techniques. New phishing scams are being developed daily.
Install an anti-phishing toolbar. These toolbars run quick checks on sites you're visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it.
Always check the spelling of the URLs in email links before you click or enter sensitive information.
Watch out for URL redirects, where you're subtly sent to a different website with identical design. Hover over links you're unsure of before clicking them. Look for subtle spelling errors of well known sites, such as amaz0n.com instead of amazon.com.
If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply. Social engineers and educated hackers have become increasing adept at personalising messages to individuals (spear phishing), with promotional deals for places or things you already visit or buy. Read carefully before you click.
Verify a site’s security. As long as you’re on a secure website your risk is significantly lower. Make sure the URL begins with https – the 's' stands for secure, and that there is a closed lock icon near the address bar. Check the site’s security certificate as well. Never download files from suspicious emails or websites. Even search engines may show certain links which may lead users to a phishing webpage which offers low cost products or deals.
Don’t post personal data - like your birthday, vacation plans, or your address or phone number - publicly on social media.
Be wary of pop-ups. Pop-up windows often masquerade as legitimate components of a website. All too often, though, they are phishing attempts. Many popular browsers allow you to block pop-ups.
Use firewalls. High quality firewalls act as buffers between you, your computer and outside intruders. You should use two different kinds: a desktop firewall and a network firewall. The first option is a type of software, and the second is a type of hardware. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or network.
Get in touch for more information: firstname.lastname@example.org