Phishing Attacks: How to Recognize and Stop Them
Phishing is a type of cyberattack that is designed to steal money, personal account information, business information, and anything else that could be sold on the dark web. These attacks can happen through email, infected websites, phone calls, and even face-to-face interactions! The authors of these attacks use trickery, lies, forgery, and other manipulations to get the user to surrender access to this information!
Phishing attacks continue to be one of the largest threats to privacy and cybersecurity efforts. Criminal groups employ human behavior specialists to invent clever and devious ways to exploit human nature. Exploiting these known behaviors, cybercriminals steal your personal information and use it to gain access to computers and networks.
Phishing is sometimes called social engineering because it relies on human fallibility rather than software flaws or known hardware weaknesses!
What is spear phishing?
Phishing attacks are typically created to hit as many people or organizations as possible, but “spear phishing” happens on a more personal level, when a specific user or business is targeted. Spear phishing attacks often appear to come from a trusted source like the CEO or CFO of a business.
Before the attack message is crafted, the attacker will research the victim, possibly using their social media profiles on Facebook or Twitter. The attacker will often try to build a profile of the victim’s life or personal lifestyle, and use this information to create a very personalized attack. For instance, a cyberattacker might learn from a social media post that a CEO was travelling in Europe. The cyberattacker could then pose as the CEO and request from the CFO a transfer of funds to a European bank for an “unforeseen emergency”. Cybercriminals are ingenious and clever and can make these fake requests appear to be genuine.
Sources estimate that phishing and spear phishing attacks alone cost companies around the world over $5 billion every year.
Here are some interesting notes about the state of “phishing”:
- Email is the #1 delivery system for phishing-type attacks
- 78% of companies and organizations report being victims of phishing attacks
- Spam frequency has increased by 5 times since 2016
- 2 out of 3 people have experienced a “tech support scam” in the past 2 years where the attacker poses as a technician from a technology provider
- Cybercriminals are creating an estimated 1.4 million phishing websites every month!
What a phishing email might look like and how to identify them
Here is an example of what a phishing scam in an email message might look like.
Misspellings and bad grammar can be a tell-tale sign that the email is from a cyberattacker and not a professional company. Usually, large corporations will have professional copywriters handling their content, and major spelling and grammar errors are not common!
Links in the email: Obviously, you never click on a link in a suspicious email. Hover your mouse over the link, but do not click on it. Make sure the address that pops up matches the link text. Typically, phishing links include cryptic sections within the URL that have no connection to the company!
These kinds of links often point to .exe files, which are used to spread malicious software!
Threats that your account will be closed if you don’t respond, or other alerts. Phishing emails come from criminals who use threats that your account is in jeopardy or your security has been compromised, asking you to click on a link to start repairing the problem.
Spoofing logos, popular websites, or companies you know. Cyberattackers use graphics, corporate logos, and email signatures to help make the email look legitimate. When users are tricked into clicking on the logo or links within the email, they are taken to a phony site built to steal their information.
Urgent or threatening language in the subject line
Including language that gives you a sense of urgency or fear is a very common phishing tactic. Look for subject lines that claim your “account has been suspended” or your account had an “unauthorized login attempt” or “I’m travelling and need your help”.
Review the signature
Emails that lack details regarding the sender, or that give little or no contact information for the company, suggest a phish. Real businesses typically provide contact details.
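The cues listed above (link text that disagrees with the real address, links to .exe files, urgent subject lines, a signature with no contact details) can be checked automatically before a message ever reaches a person. The following Python script is an added example, not code from the original post or from Imagine IT: it parses a raw email with the standard library and reports each cue it finds. The two sample messages, the urgency phrase list, the addresses and the phone-number heuristic are all constructed assumptions for the demonstration.

```python
"""Phishing-cue scanner for a raw email message (added example; sample data is constructed)."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject-line phrases the article calls out; the list is an assumption, extend it as needed.
URGENCY_PHRASES = (
    "account has been suspended",
    "unauthorized login",
    "need your help",
    "immediate action",
)

# Heuristic for something resembling a phone number in a signature (assumption).
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


class BodyCollector(HTMLParser):
    """Collects every <a href> with its visible text, plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, visible_text)
        self.text = []         # every text node, used for the signature check
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL, or of bare text like 'www.example.test' (empty if none)."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    try:
        return (urlparse(candidate).hostname or "").lower()
    except ValueError:
        return ""


def scan_message(raw):
    """Return a list of indicator strings for a raw RFC 5322 message (empty = no cues found)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    subject = (msg["Subject"] or "").lower()
    for phrase in URGENCY_PHRASES:
        if phrase in subject:
            findings.append(f"urgent subject line: '{phrase}'")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    collector = BodyCollector()
    collector.feed(body)

    for href, text in collector.links:
        href_host = host_of(href)
        # "Look but don't click": visible text that looks like an address but resolves elsewhere.
        looks_like_address = "." in text and " " not in text
        if looks_like_address and host_of(text) != href_host:
            findings.append(f"link text '{text}' actually points to {href_host}")
        if urlparse(href).path.lower().endswith(".exe"):
            findings.append(f"link to an executable: {href}")

    # "Review the signature": no phone number anywhere in the visible text.
    if not PHONE_RE.search(" ".join(collector.text)):
        findings.append("no contact details (phone number) in the message")

    return findings


# Constructed sample: a lookalike sender, urgent subject, hidden link target, .exe download, no signature.
SAMPLE_PHISH = """From: "Example Bank Security" <alerts@examplebank-verify.test>
To: user@example.test
Subject: Your account has been suspended - immediate action required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>We detected an unauthorised login. Please confirm your details at
<a href="http://198.51.100.23/login/confirm">www.examplebank.test</a>
or download our security tool: <a href="http://198.51.100.23/tools/fix.exe">Security Update</a>.</p>
<p>Regards,<br>Example Bank Team</p>
</body></html>
"""

# Constructed sample: link text matches its target and the signature carries a phone number.
SAMPLE_CLEAN = """From: "Example Bank" <statements@examplebank.test>
To: user@example.test
Subject: Your March statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is available at <a href="https://www.examplebank.test/statements">www.examplebank.test</a>.</p>
<p>Example Bank, 1 Example Street, Example City<br>Call us: +1 555 0100 2000</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, scan_message(raw) or ["no cues found"])
```

Run on the constructed phishing sample the scanner reports five cues (two urgency phrases, the hidden link target, the .exe link, and the missing contact details); the clean sample yields none. The checks are deliberately simple heuristics: a legitimate message can trip one of them and a careful phisher can avoid all of them, which is why the article still recommends the manual hover-and-inspect habit.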
Phishing phone calls
The FTC reported that 77% of fraud complaints involved contact by telephone.
Vishing calls are usually made over Voice over Internet Protocol (VoIP), and thousands of automated VoIP calls can be made around the world in short periods of time. Unfortunately, these vishing calls are virtually untraceable because they are done over the internet. Vishing cybercriminals use recordings or caller ID spoofing to make detection of these attacks almost impossible. Additionally, making these calls is relatively inexpensive for the cybercriminal, so the possible net profits from these scams can be very large!
Why can’t email providers stop phishing attacks?
Even though email providers offer all types of filters, blocks, and other junk mail management techniques, they are not equipped to stop everything. Cybercriminals and cyberattackers have become very sophisticated, and are constantly inventing new methods of exploitation, including:
- Sending emails from legitimate addresses
- Modifying messages enough so that a filter doesn’t recognize them as spam
- Actually using spam filter solutions to test their messages
- Using the recipients’ names or the names of their friends
- Sending messages from IP addresses that are trusted by most spam filters
What should I do if I receive a phishing/scam email?
If you suspect that an email or text message you received is a phishing attempt, there are many things you can do to protect yourself.
If you are suspicious:
- Don’t open it - Just the act of opening may cause you to compromise your info.
- Delete it immediately - If you don’t know what it is, don’t accidentally compromise yourself. Use Shift-Delete to delete the items permanently.
- Do not download any attachments - If they came with a questionable message, they may contain malware.
- Don’t trust the display name - It may be spoofing a known brand or company.
- Look but don’t click - Hover your mouse over any links embedded in the body of the email. If the link address looks weird, don’t click on it.
- Never click links - If they appear in the body of a questionable email, leave them alone.
- Look for spelling and grammar mistakes - Legitimate companies rarely make spelling or grammar errors.
- Don’t give up personal information - Legitimate banks and most other companies will never ask for personal credentials via email. Don’t give them up!
- Never reply to the sender - Ignore reply requests or actually call the sender to verify that they sent the email.
- Be skeptical, don’t believe everything you see - Cybercriminals are great spoofers. They are highly motivated and extremely clever.
What should you do if you think you responded to a phishing scam?
Getting caught by an email scam is something that can happen to anyone, but it is especially stressful if it happens at work. So, what should you do if you feel you might have fallen victim to a phishing email?
- Disconnect yourself from the internet - Immediately disconnect your device from the internet. Unplug the ethernet cable if you are using a wired connection. If you are on Wi-Fi, locate your Wi-Fi setting and disconnect from your current network. If you have trouble finding it, go to the Wi-Fi router and turn it off for a few minutes. Disconnecting from the internet and the network will reduce the risk of malware spreading to other devices on your network, and prevent the malware from sending sensitive information out from your device.
- Contact your IT support, your manager, or the person in charge - If you don’t have one, contact the company that has been managing your network and report the issue. Or call Imagine IT, we can help!
- Change your passwords - If you clicked the wrong link, there is a decent chance cybercriminals have your information. So, change all passwords, including all work passwords, personal passwords, bank passwords, and PINs. Be proactive and use this opportunity to upgrade passwords to 14-character passphrases, making it much tougher for cybercriminals to hack!
- Contact credit card companies - Explain the situation to your credit card companies; even if your credit card numbers weren’t specifically stolen, it is better to have them on the watch for any fraudulent activity.
- Update your software - Make sure you have the newest version of all your software and run a full virus scan if there is a possibility you were hit by a virus or malware. If possible, use encryption and make sure you are behind a personal or corporate firewall.
- Back up your system - Once you are disconnected from the internet, find the backup for all your files or system. Data can be destroyed or erased in the process of recovering from a phishing attack, so having access to your backup is critical.
- Scan your system for malware – Following a possible breach, turn your system back on and perform a full malware scan on your system to check for any viruses or malware that might still exist on your system!
Using the above information will help you more quickly spot and understand whether you have been hit by a phishing attack. But keep in mind, no one will be able to spot every phish that may come their way. Phishing cybercriminals are continually creating and evolving their attacks as new defenses are created. Continued security training is the best antidote for these types of cyberattacks!