The ABCs of Detecting and Preventing Phishing
Stay out of cyber criminals’ phishing net with these actionable tips
Have you ever considered that you could be a target for phishing attacks?
It’s not a new problem, but it’s a growing one. Phishers keep refining their techniques, and their messages have become so convincing that you can barely distinguish them from harmless communications. All it takes to fall into the trap is a moment’s inattention.
Perhaps the most dangerous attitude I’ve seen toward this is: “Ehhh, so what? I don’t think it can happen to me. And I don’t have important stuff anywayz”.
Actually, attackers can harm you a lot if you’re not paying attention.
They can withdraw money, make purchases, steal your identity and open credit card accounts in your name, sell the information they gathered about you to other criminals, and much more.
The latest Verizon Data Breach Investigations Report shows that 23% of recipients open phishing messages and 11% click on attachments. That makes phishing roughly three times more effective than ordinary email campaigns.
Kaspersky reports that in Q3 2015 its anti-phishing system was triggered 36 million times, 6 million more than in the previous quarter.
A recent report from the City of London’s Police National Fraud Intelligence Bureau reveals that phishing scams in 2015 accounted for a quarter of online crime, with victims losing up to £38,000 each.
And the context is ripe for phishing attacks. According to McAfee:
– 15-20% of workers’ web sessions (opening a browser) are initiated by clicking a link in an email;
– 92% of employees trust the security of their company’s email system and feel that their email is safe.
Keep reading if you want to avoid getting caught in their net, as we’ll cover the ABCs of phishing: what it is, what you can do to detect and prevent any attacks and what measures to take if you think you got caught in the phishing net.
- What is phishing?
- How does phishing work?
- Why does it work?
- What damages can phishing cause
- First phishing reports
- Types of phishing (spear, whaling, clone)
- Hottest phishing trends (cloud, government, social media)
- What to pay attention to in order to stay safe (from email header to content, form, attachments and external links)
- Helpful anti-phishing tools
- Basic online & PC security tips
- Why passwords matter
- How to improve your financial security
- If still unsure whether it’s phishing or not, read this
- What to do if you think you were trapped in the phish net
- Where you can report phishing attempts
WHAT IS PHISHING?
Phishing is the name given to cybercriminals’ attempts to lure you into giving them sensitive information or money.
The word “phishing” is similar to “fishing” because of the analogy of using bait to attempt to trap victims.
By sensitive information we mean anything from your social security number to passwords, bank account numbers, credit card details, PINs, home address, social media accounts, birthday, mother’s maiden name and so on.
This information can be used for financial damages, identity theft, to gain unlawful access to different accounts, for blackmail etc.
HOW DOES PHISHING WORK?
Attackers use different methods of deception as phishing strategies.
They create fake messages and websites that imitate the original ones and use them to lure you into handing over your personal information. They will ask you to reply, follow a link included in the message or download an attachment.
The communication appears to be initiated by a legitimate person or company. Famous phishing attacks imitate messages from financial institutions, government agencies (ex: IRS), online retailers and services (ex: Amazon, eBay, PayPal), social networks (ex: Facebook), or even from a friend or colleague.
In order to make phishing look genuine, attackers include photos and information from the original website.
They may even redirect you to the company’s website and collect the data through a false pop-up window. Or it can happen the other way around: they first request your personal data, then redirect you to the real website.
Other times, they tell you that you have been targeted by a scam and that you urgently need to update your information in order to keep your account safe. That’s how millions of Walmart consumers were tricked in 2013.
All these tricks reduce the chance that you notice what happened.
Here’s an example of Standard Bank phishing from 2010, via McAfee:
Phishing has also become a way to spread malware. The attackers deliver malicious content through the attachments or links they trick you into opening, and the malicious code can take over your computer and spread the infection further.
Although phishing is mostly transmitted via email, it also works through other mediums. In recent years, attackers have moved part of their focus to phishing through instant messaging services, SMS, social media networks, direct messages in games and many others.
WHY DOES IT WORK?
Phishing is popular among cyber attackers because it is easier to trick someone into clicking on links or downloading attachments than trying to break into their system defenses.
It works because it appeals to emotions: it promises great deals or warns you that there may be a problem with an account.
It’s also so effective because more than 50% of users use the same passwords for different accounts. This makes it easy for the cyber criminals to gain access to them.
Phishing damages can range from loss of access to different accounts – banking, email, social media profiles, online retailers, to identity theft, blackmail and many more.
Just to name a few of them:
- financial loss
- data loss
- accounts loss
- ransom asked in exchange for regaining access to your data
- blacklisting from institutions
- malware infections on a PC or network
- illegal use of personal data
- illegal use of social security number
- creation of fake accounts in your name
- ruining your credit score
- losing your job, if you happen to be phished via your work email address and give out essential company details as a consequence
A LITTLE BIT OF HISTORY
The first phishing records date back to the beginning of 1996, when cyber scammers were trying to lure AOL (America Online) customers into a trap and get access to their accounts and billing information.
Cyber scammers would contact users through the AOL instant messaging and email system and pose as AOL employees. Needless to say that it was pretty effective, especially since phishing was virtually unknown at the time.
TYPES OF PHISHING
1. SPEAR PHISHING
Spear phishing is an email directed at specific individuals or companies. It is highly effective and very well planned.
The attackers will take their time and gather all the available information about their target before the attack: personal history, interests, activities, details about colleagues and any other details they can find. These are used in order to create a highly personalized and believable email.
It’s a technique that works because the phishing email appears to be from someone you know and requires urgent action. Maybe it will even make reference to a mutual friend or a recent purchase you’ve made. The attacker takes advantage of the fact that people are inclined to act before they double-check it. They also leverage your trust in companies, organizations and people.
Spear phishing requires more effort, but its success rate is also higher. By some estimates it is the most successful phishing technique, accounting for 95% of attacks.
And all this just by gathering publicly available information that we freely share on our social media accounts and blogs. It’s one of the main reasons why we should think twice before divulging any more personal information online. Even if all your privacy measures are in check, you can never know whose friend account may have been compromised.
2. WHALING
Whaling is the term used for attacks directed at high-profile targets within companies, such as upper management or senior executives.
These are tailored to appear as critical business email, sent from a legitimate business authority, that concern the whole company.
Here are a few examples: legal subpoenas, managerial issues, consumer complaints.
Needless to say that return on investment for attackers is very high in this case. And, contrary to what you’d think, these types of targets are not always as security savvy or protected as they should be.
3. CLONE PHISHING
Clone phishing uses legitimate, previously delivered emails.
The cyber attackers use an original email to create a cloned or almost identical version. Clone phishing emails may claim to be a resend of the original or an updated version of it, only this time the attachment or link is replaced with a malicious one. The message appears to come from the original sender, with a spoofed From or reply-to address.
This phishing strategy works because it exploits the trust created from the original mail.
HOTTEST PHISHING TRENDS:
1. CLOUD PHISHING
Cloud phishing attacks have also grown in the past year, because of the increasing use of cloud storage.
They are usually distributed via email or social media, as a message sent from a compromised friend’s account or on behalf of a cloud service provider. The message invites you to download a document uploaded to a popular cloud service; when you click the link, malicious software is downloaded instead.
The information it steals can be used for extortion, sold to third parties or used in targeted attacks.
Here’s an example of cloud phishing using Dropbox brand, via Kaspersky:
2. GOVERNMENT PHISHING
Be vigilant with communications that claim to come from government or law enforcement agencies, such as the IRS, the FBI or any other such entity.
Many of the most common fraudulent attempts in recent years mimic IRS communication in an attempt to steal your financial information.
You should know that the IRS does not initiate contact with taxpayers by email, and government agencies in general don’t request personal or financial information that way.
Read this actionable advice provided by the IRS.
Also keep an eye out for insurance offers, as this was one of the hottest topics for spamming and phishing in 2015.
3. SOCIAL MEDIA PHISHING
Phishing on social media networks isn’t new, but it will probably never get old. Phishers create websites that look identical to Facebook, LinkedIn or any other social network, using similar URLs and emails, in an attempt to steal login information.
Phishers will ask you to reset your password. If you click on the link, you’ll be redirected to a page that looks identical to Facebook and asks you to enter your login information.
The attackers can then use this to access your account and send messages to friends, to further spread the illegitimate sites.
Other times, they can make money by exploiting the personal information they’ve obtained, either by selling them to third parties or by blackmailing.
Read this warning note from Facebook to see what this kind of phishing looks like.
HOW TO AVOID GETTING CAUGHT IN THE PHISH NET
1. SENDER DETAILS
First thing to check: the sender’s email address.
Look at the email header. Does the sender’s email address match the name and the domain?
Spoofing the display name of an email so that it appears to be from a brand is one of the most basic phishing tactics.
Here’s an example: an email from Amazon sent from an address on Amazon’s own domain is plausibly legitimate. But an email whose display name says Amazon and that was sent from a different domain, like the email in the picture below, is almost certainly not from Amazon.
Keep in mind that the From address itself can be forged too, so a matching domain is not proof: the sender authentication results recorded in the header by your mail provider (SPF, DKIM, DMARC) are what tell you whether the claimed domain actually sent the message. Compare the headers of a known good message from the same source with those of the suspect message.
If they don’t match, don’t click on anything and don’t download any attachment.
For experts: You can also analyze the email header and track IP using this tool.
If you are using Gmail, you can turn on the authentication icon for verified senders. This way, you will see a key icon next to authenticated messages from trusted senders, such as Google Wallet, eBay or PayPal. Unfortunately, only a few domains are currently supported by this program, but hopefully it will be extended in the future.
Another verification method available for Gmail users:
Check whether the email was authenticated by the sending domain. Open the message and click on the drop-down arrow below the sender’s name. Make sure the domain you see next to the ‘mailed-by’ or ‘signed-by’ lines matches the sender’s email address.
Find out more about it here. It will look like this:
The second thing to check: the address the email was sent to.
Look at TO and CC fields. If the email was sent to old or wrong addresses, it may indicate it was sent to old lists or randomly generated emails.
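To make the header checks above concrete, here is an added Python example (not from the original article and not one of the tools it links to) that runs the same inspection offline on two constructed messages: it compares the display name with the sender’s domain, checks the envelope sender (Return-Path) against the From header, reads the receiving server’s Authentication-Results for SPF/DKIM/DMARC, extracts the originating IP from the Received chain, and checks whether your address is in To/Cc at all. The brand list, the sample headers and every address and IP in them are assumptions made up for the demo.

```python
"""Offline checks on the sender-related headers of a suspect email."""
import email
import re
from email.utils import parseaddr

# Assumed list of brands phishers like to put in the display name.
BRANDS = ("amazon", "paypal", "ebay", "apple", "google")

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed sample: display name says Amazon, everything else says otherwise.
RAW_SUSPECT = b"""Return-Path: <bounce@bulkmail.example.com>
Received: from mx.example.org (mx.example.org [192.0.2.10]) by mail.recipient.example with ESMTP; Mon, 4 Jan 2016 10:00:00 +0000
Received: from unknown (HELO amazon.com) (198.51.100.23) by mx.example.org with SMTP; Mon, 4 Jan 2016 09:59:58 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulkmail.example.com; dkim=none
From: "Amazon.com" <account-update@mail-delivery.example.net>
To: old-list@recipient.example
Subject: Your account has been locked

Click here to verify your account.
"""

# Constructed sample of a message that passes every check.
RAW_CLEAN = b"""Return-Path: <bounces@shop.example.com>
Received: from out.shop.example.com (out.shop.example.com [203.0.113.5]) by mail.recipient.example with ESMTPS; Mon, 4 Jan 2016 11:00:00 +0000
Authentication-Results: mail.recipient.example; spf=pass smtp.mailfrom=shop.example.com; dkim=pass header.d=shop.example.com; dmarc=pass header.from=shop.example.com
From: "Example Shop" <orders@shop.example.com>
To: me@recipient.example
Subject: Your order has shipped

Your order has shipped.
"""


def registrable(domain):
    """Last two labels of a host name. Good enough for the demo; a real tool
    should use the public suffix list so that e.g. bank.co.uk is handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def domain_of(header_value):
    """Domain part of the address in a From/Return-Path header ('' if none)."""
    _display, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw_bytes, my_addresses=()):
    """Return the facts a reader would check by hand, plus a list of findings."""
    msg = email.message_from_bytes(raw_bytes)
    display, _addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    rp_domain = domain_of(msg.get("Return-Path"))
    findings = []

    # 1. Display name claims a brand the sending domain does not belong to.
    for brand in BRANDS:
        if brand in display.lower() and brand not in registrable(from_domain):
            findings.append(f"display name mentions {brand!r} but address domain is {from_domain!r}")

    # 2. Envelope sender (Return-Path) and header From disagree.
    if rp_domain and registrable(rp_domain) != registrable(from_domain):
        findings.append(f"Return-Path domain {rp_domain!r} differs from From domain {from_domain!r}")

    # 3. Results recorded by the receiving server: only 'pass' is reassuring.
    auth = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RE.findall(hdr):
            auth[mech.lower()] = result.lower()
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "none") != "pass":
            findings.append(f"{mech} did not pass (result: {auth.get(mech, 'none')})")

    # 4. Origin IP: the last Received header is the earliest hop.
    origin_ip = None
    for hdr in reversed(msg.get_all("Received", [])):
        found = IP_RE.search(hdr)
        if found:
            origin_ip = found.group(1)
            break

    # 5. Was the message even addressed to you?
    recipients = " ".join(filter(None, [msg.get("To", ""), msg.get("Cc", "")])).lower()
    if my_addresses and not any(a.lower() in recipients for a in my_addresses):
        findings.append("none of your addresses appear in To/Cc")

    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "auth": auth, "origin_ip": origin_ip, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspect", RAW_SUSPECT), ("clean", RAW_CLEAN)):
        print(label, analyze_headers(raw, my_addresses=("me@recipient.example",)))
```

Only the Authentication-Results header added by your own provider is trustworthy; one inserted by the sender is just another forged header, which is why mail servers strip or rename ones they did not write. The two-label registrable() shortcut mishandles domains such as bank.co.uk; use the public suffix list in a real tool.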
2. MESSAGE CONTENT
Clue number one: They ask you to send them or verify personal information via email.
Or they are asking for information which the supposed sender should already have.
Here is a recent example of phishing using the brand DHL (screenshot via Comodo):
Clue number two: They are likely to play on your emotions or urgency.
As a general rule, be suspicious of any mail that has urgent requests (e.g. “respond in two days otherwise you will lose this deal”), exciting or upsetting news, offers, gift deals or coupons (especially around major holidays or events, such as Black Friday or Christmas).
Clue number three: They claim there was some sort of problem with your recent purchase or delivery and ask you to resend personal information or just click on a link to resolve it.
Banks or legitimate e-Commerce representatives will never ask you to do that, as it’s not a secure method to transmit such information.
Here’s an example of PayPal phishing:
Clue number four: They claim to be from a law enforcement agency.
Law enforcement agencies don’t initiate contact by email to request personal information or payment.
Clue number five: They ask you to call a number and give your personal details over the phone.
If so, look up the company’s official correspondence or website and use the phone number provided there to verify whether the request is genuine.
3. MESSAGE FORM
First rule: Beware of bogus or misleading links.
Hover your mouse over the links in the email message in order to check them BEFORE clicking on them.
The URLs may look valid at first glance but use a variation in spelling or a different domain (.net instead of .com, for example). The new generic top-level domains introduced in 2014 gave spammers and phishers additional options for lookalike addresses.
Second rule: Look out for links whose host is a raw IP address, and for URL shorteners.
Phishers can take a long URL, shorten it with a service such as bit.ly, and redirect it to the intended destination. It’s hard to tell what’s on the other end of such a link, so you might be walking into a trap. Better safe than sorry.
It’s not unusual for the domain to be deliberately distorted in the email, by adding extra spaces or characters, together with instructions on how to use it (“Remove all the extra characters / spaces and copy to the address bar”).
Check a redirect with this Redirect Checker from Internet Officer, to see where it’s leading to.
Or screenshot the page remotely using Browser Shots.
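As an added example (not the article’s own material, and not any of the tools linked above), the following Python script applies the link rules just listed, and the URL heuristics mentioned later under browser protection, to a constructed HTML email body: it compares the visible link text with the real destination host, flags raw IP hosts, known shorteners and user@ prefixes, and spots brand names planted in subdomains or one-character typosquats of a known domain. The shortener list, the brand-to-domain map and the sample body are assumptions made up for the demo.

```python
"""Offline checks on the links inside a suspect HTML email body."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed lists: common shortener domains and the genuine domain of brands we care about.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly"}
BRAND_DOMAINS = {"paypal": "paypal.com", "amazon": "amazon.com", "ebay": "ebay.com"}
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)

# Constructed sample body; none of these links is real.
SAMPLE_BODY = """
<p>Dear customer,</p>
<p>Please <a href="http://paypal.com.account-verify.example.net/login">log in to PayPal</a> to restore access.</p>
<p>Or use <a href="http://198.51.100.23/update">https://www.paypal.com/update</a></p>
<p>Track your parcel <a href="http://bit.ly/2abcXYZ">here</a>.</p>
<p><a href="https://www.paypa1.com/signin">Sign in</a> to review recent activity.</p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels; a real tool should use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(url):
    """Host name of a URL, adding a scheme if the text lacks one."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href, text):
    """Return the reasons this link deserves suspicion (empty list = nothing found)."""
    issues = []
    host = host_of(href)
    reg = registrable(host)
    if is_ip(host):
        issues.append("host is a raw IP address")
    if reg in SHORTENERS:
        issues.append("URL shortener hides the real destination")
    if "@" in urlsplit(href).netloc:
        issues.append("user@ prefix in the URL; everything before @ is not the host")
    if URLISH.match(text) and registrable(host_of(text)) != reg:
        issues.append(f"text shows {host_of(text)!r} but link goes to {host!r}")
    for brand, real in BRAND_DOMAINS.items():
        if reg == real:
            continue
        if brand in host:
            issues.append(f"{brand!r} appears in the host name but the domain is {reg!r}")
        elif edit_distance(reg.split(".")[0], real.split(".")[0]) == 1:
            issues.append(f"{reg!r} is one character away from {real!r}")
    return issues


def scan_html(body):
    """Return [(href, issues), ...] for every link in the HTML body."""
    parser = LinkCollector()
    parser.feed(body)
    return [(href, assess_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, issues in scan_html(SAMPLE_BODY):
        print(href, "->", issues or "no issues found")
```

The brand check is deliberately strict: a brand name anywhere in the host outside its own registrable domain is flagged, which is exactly the paypal.com.something.example.net pattern phishers rely on. It also means a legitimate regional domain such as amazon.co.uk trips the two-label shortcut, another reason to use the public suffix list in anything beyond a demo.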
Third rule: Beware of typos or spelling mistakes.
Sloppy spelling used to be the norm, but well-written phishing emails are now common, so clean text is no guarantee.
Fourth rule: Beware of amateurish looking designs.
This means: images that don’t match the background or look awkwardly formatted to fit the style of the email. Stock photos. Photos or logos uploaded at low resolution or in bad quality.
Fifth rule: Beware of missing signatures.
Lack of details about the sender or of contact information for the company points toward phishing. A legitimate company will provide such information.
4. ATTACHMENTS
Look out for attachments.
They may attach files such as PDF or DOC documents that contain links, or that carry malware directly, typically by exploiting a flaw in the program that opens them.
The latest Kaspersky Labs reports show that in Q3 of 2015 there’s been an increase in phishing using attachments:
“A particular feature was a new trick used in phishing emails – in order to bypass spam filters they placed the text of the email and fraudulent link in an attached PDF document rather than in the message body.”
5. EXTERNAL LINKS / WEBSITES
Let’s assume that you already clicked on a link from a suspicious email.
Is the domain correct? Don’t forget that the link may look identical, but use a variation in spelling or domain.
Before submitting any information on that website, check the address bar. Does the address start with “https” or “http”? The extra “s” means the connection is encrypted with SSL/TLS (Secure Sockets Layer and its successor, Transport Layer Security), so the data sent and received can’t be read in transit. A site that asks for credentials or card details over plain http is not safe.
You can also look to the left of the web address for a closed padlock icon, or, on sites with an extended validation certificate, the organization’s name in green. Know the limit of this check, though: https only tells you the connection is encrypted, not that the site is who it claims to be. Phishing sites routinely obtain valid certificates, so a padlock on a lookalike domain is still a phishing site. Check the domain itself.
Use browsers that offer built-in phishing protection.
In general, there are two ways to detect phishing websites: heuristics and blacklists.
A heuristic method analyzes patterns in the URL, the words on the page and the hosting servers in order to classify the site and warn the user.
Google and Microsoft operate blacklists. Google Safe Browsing is built into Chrome and Firefox, so a warning page appears before a known phishing site loads; Microsoft SmartScreen does the same in Internet Explorer and Edge.
You can also install browser add-ons and extensions designed to block phishing attempts. Read more tips on this subject on Tech Support Alert.
Other useful tools:
Browser & Plugin-Check by Check & Secure. This scans your browser and all the installed plugins, to see if they are up to date.
“83% of all malware infections could have been avoided, if the browser plugins had been updated in the first place.”
BASIC ONLINE SECURITY
IN ORDER TO KEEP YOUR PC SAFE:
Be aware that cyber attackers are one step ahead of the defenders. That means that you cannot always be 100% protected against them, not even with all the email filtering systems or anti-virus software.
Of course, this doesn’t mean that you want to make their jobs easier, so make sure you keep your computer updated at all times.
Keep your software updated as well. If you use a free tool that offers automatic and silent software updates, you can eliminate up to 85% of security holes in your system.
Install a reliable antivirus. It should include real-time scanning and automatic update of virus database.
Choose an antivirus that scores high on phishing protection tests. More tips on this you can read in our guide.
You should also create a separate email account that you only use to subscribe to newsletters, forums, online retailers, social media accounts or other public Internet services. Keep your personal email account as private as possible. This will help reduce the amount of spam and phishing attempts you receive.
Also, think twice before clicking Unsubscribe or following unsubscribe instructions in mail you never signed up for. Many spammers and phishers use these links to confirm that your address is live.
BASIC SAFE PASSWORDS MANAGEMENT RULES
Phishing is very effective because more than 50% of users use the same passwords for different credentials. This makes it easy for the cyber criminals to gain access to other accounts.
It’s important to use different passwords for your accounts. The same way you don’t use only one key for your house and your car, you shouldn’t use the same password more than once. This way, cyber attackers won’t be able to get into any other accounts of yours.
If available, activate two-factor authentication. This way, you’ll have to enter a unique one-time code sent to or generated on your phone every time you log in from a new device. It adds a second layer of protection that’s much harder for attackers to breach with a stolen password alone. Note that a real-time phishing page can still relay such a code to the genuine site, so where a service offers hardware security keys (FIDO2/WebAuthn), which only work on the real site’s domain, prefer those.
For more actionable tips on this subject, check out our password security guide.
FINANCIAL SECURITY STEPS
Periodically review your bank account activity (daily, if possible), to check all the transactions.
If you don’t recognize any of the transactions, regardless the amount, contact your bank straight away.
Turn on text messages notifications for all card transactions.
It will alert you in real time if an online transaction exceeds the limit that you set (make sure you set it to the minimum available).
Also enable two-step approval for transactions, so that a confirmation on your mobile phone is required.
Put a security freeze on your credit report.
In case of identity theft, it will prevent any openings of new accounts in your name. However, you will have to lift it every time you want to apply for a loan or rent a new place.
And lastly but not least important: try to use a separate card, dedicated only to digital transactions.
Transfer money on it every time you plan to buy something. In the rest of the time, leave only a small amount of money on it.
IF STILL UNSURE WHETHER IT’S PHISHING OR NOT
What steps to take:
Try to always directly type the web address of the site you want to access in your browser, instead of clicking on links from emails or social media networks.
Directly contact the company or organization from which the message appears to be sent. Grab the phone or forward them the phishy email. Search for prior communications with them, such as post mail, and use the contact information provided there. Don’t use the contact information provided in the email.
You can also improve your phishing detection skills by taking these quizzes gathered by Capterra on their blog. They also have plenty of phishing emails examples.
WHAT TO DO IF YOU THINK YOU WERE PHISHED
If you suspect something is wrong, immediately contact your bank or credit card company and block or close the accounts you believe may have been compromised.
Change the passwords for those accounts, then change the password of the email account linked to them, since an attacker who controls your mailbox can reset everything else.
WHERE TO REPORT PHISHING ATTACKS
Forward the message to the organization being impersonated, using an address you know to be genuine (many companies publish an abuse or phishing-reporting address).
There are several places where you can submit phishing attacks or websites:
If it appears to be from IRS, you can forward it to email@example.com
Or to the Federal Trade Commission at firstname.lastname@example.org
At US Cert: email@example.com
At The Anti-Phishing Working Group: firstname.lastname@example.org
If you are using Gmail, in the drop down menu at every email there is a Report Phishing button.
If you aren’t using Gmail, you can complete this form.
One last advice: always trust your gut. It may not be the most scientific approach, but, ultimately, you should just listen to what your intuition tells you. If something feels wrong, even if you cannot specifically explain why, or if it’s too good to be true, it’s better to stay away from it.