Imagine you receive an email from your bank claiming your online account has been locked, and that you need to urgently supply your username and password through a link to reset it. Panicking, you immediately click the link and supply your login information. Next thing you know, your bank account has been compromised and you have lost all your funds. You’ve been victimized by a phishing attack.
Phishing attacks have thrived since the pandemic began last year. Phishing is one of the easiest forms of cyber attack to carry out and one of the easiest to fall for. It’s also one that can provide everything hackers need to take over their target’s personal and work accounts. According to a report, phishing attacks account for more than 80 percent of reported cyber security incidents.
A basic phishing attack attempts to trick the target into doing what the scammer wants. It is usually carried out over email, although the scam has now spread beyond suspicious emails to phone calls, social media messaging surfaces, and apps.
Phishing and its most common types
The term phishing is a spin on the word fishing because criminals are dangling a fake lure – a legitimate-looking email, website, or ad – hoping users will bite by providing the information the criminals have requested, such as credit card numbers, account numbers, passwords, usernames, and other valuable information.
Phishing is usually done by including a link in “phishing messages” that appears to take you to a company’s website to fill in your information. But the website is fake, and the information you provide goes straight to the hackers behind it.
Phishing goes all the way back to the last century, yet as digital technologies progress, this technique continues to find new ways to exploit vulnerabilities.
Here are some of the most common phishing techniques:
1. Standard email phishing. Arguably the most widely known form of phishing, this attack is an attempt to steal sensitive information via an email that appears to be from a legitimate organization. It’s not a targeted attack and can be conducted en masse.
2. Malware phishing. This uses the same techniques as email phishing, but the attack encourages targets to click a link or download an attachment so that some kind of virus can be installed on the device. It’s currently the most pervasive form of phishing attack, as it can compromise not only some of your information but your whole computer.
3. Spear phishing. While most phishing attacks cast a wide net, spear phishing is a highly targeted, well-researched attack generally focused on public personas, business executives, and other lucrative targets.
4. Smishing. SMS-enabled phishing delivers malicious short links to smartphone users often disguised as account notices, prize notifications, and political messages.
5. Vishing. Vishing, or voice phishing, involves a malicious caller who purports to be from tech support, a government agency, or another organization and tries to extract personal information such as banking or credit card details.
6. Malvertising. This type of phishing utilizes digital ad software to publish otherwise normal-looking ads with malicious code implanted within.
How to avoid phishing
Even though there are numerous forms of phishing, the one that most people fall for is email scamming. Here are some things you need to do to avoid falling for these scams:
1. Don’t click on that link. It’s not advisable to click on a link in an email or instant message. Even if you know the sender, the bare minimum you should do is hover over the link to see whether the destination is the correct one. Some phishing attacks are fairly sophisticated, and the destination URL can look like a carbon copy of the genuine site while being set up to record keystrokes or steal login or credit card information. If you can go straight to the site through your search engine rather than click on the link, do so.
2. Anti-phishing add-ons. Most browsers nowadays will let you download add-ons that spot the signs of a malicious website or alert you about known phishing sites. They’re usually completely free, so there’s no reason not to have one installed on every device in your organization.
3. Be careful with an unsecured site. If the URL of the website doesn’t start with HTTPS, or you can’t see a closed padlock icon next to the URL, don’t enter any sensitive information or download files from that site. Sites without security certificates may not be intended for phishing scams, but it’s better to be safe than sorry.
4. Change your passwords regularly. Password rotation or the changing/resetting of a password reduces the risk from and effectiveness of password-based attacks and exploits. It also prevents an attacker from gaining unlimited access if your accounts have been compromised without you knowing it.
5. Update software and browsers regularly. Security patches and updates are released to keep you protected against modern cyberattack methods by patching security holes. If you don’t update your browser, you could be at risk of phishing attacks through known vulnerabilities that could easily have been avoided.
6. Don’t give out important information unless you must. Do not give out your credit card information unless you 100% trust the site you’re on. If you have to provide your information, make sure you have verified that the website is genuine, that the company is real, and that the site itself is secure.
Phishing is just one of the many cyber attacks that you should be aware of. The digital shift in workplaces, daily routines, and proliferation of online-based services brought about by the pandemic have made Filipinos more prone to these online threats and other information technology attacks.
Be equipped with cybersecurity know-how to rise above a crisis, make informed decisions, and win the war against cyber threats. DECODE 2021 will be on November 10-11.
DECODE is the premier cybersecurity conference in the Philippines hosted by Trend Micro, a global leader in cybersecurity. To know more about this event and to secure your slot for free, visit https://decodeph.com.