Ever seen an email from a Nigerian prince in need of help? Or an email from a “friend” who needs help transferring money? Chances are you have, and you already know that they’re classic examples of phishing scams. But phishing scams are becoming trickier to detect. They’re getting more common too. Here’s all you need to know about avoiding phishing attacks.
What Is Phishing?
Phishing is a kind of social engineering attack. This means that the scammer tries to fool you into thinking that he or she is a legitimate entity. In other words, it targets human weakness rather than weaknesses in programs. In this case, the goal is to trick the victim into transferring money or forking over sensitive info like login credentials or credit card numbers.
Because it’s easy to scale up, scammers can send phishing attacks to millions of people in the hopes that some people aren’t tech-savvy enough to know that they’re being tricked. It’s surprisingly effective. Even tech companies like Google and Facebook have been victims of phishing. It’s not something to take lightly.
Spear phishing is a more focused kind of phishing. Normal phishing attacks usually lack any specific personal info (they’re sent out in bulk). In spear phishing, the scammer includes personal info that they obtained elsewhere to make the message more believable. Whaling is spear phishing specifically aimed at high-profile targets like company executives.
Types of Phishing
Over the years, con artists have been refining their techniques to create ever more elaborate phishing scams. Here are the main techniques that they use:
- Malicious links: This is the most common kind of attack. Phishing emails typically contain one or more links to the scammer’s website, which is made to look like a real website. The links are disguised in a few ways to make them seem legitimate. The link’s address could be a visually similar (in some cases visually identical, through the use of font exploits) misspelling of a real website’s address. The link could also take advantage of how little most people know about the way subdomains work. For example, where does http://www.realwebsiteexample.accounts.com lead? An average person might think that it leads to the accounts section of realwebsiteexample.com. But it actually leads to the realwebsiteexample section of accounts.com, and accounts.com is the scammer’s website. The displayed text of the link may also show a seemingly legitimate address while the link itself points to a fake website. This trick is often used on mobile platforms because mobile web browsers lack the link preview feature of desktop web browsers (hovering your mouse over a link shows its real address in the bottom corner of the window).
- Sender address spoofing: In order to make an email more believable, the scammer can spoof the sender address to make it appear as if it came from a legitimate address.
- Cloning an email: Sometimes attackers will take a legitimate email and copy it. Then they just replace any links and attachments with malicious ones and spoof the sender address.
- Use of images: This is a sneaky tactic. In many cases, attackers use images of real websites so that the fake website looks exactly like the real one (or parts of it). Con artists can also use an image with text instead of actual text to hide from anti-phishing programs that scan text for phishing language.
- Pop-up windows: Some phishing scams direct you to a real website and then open a pop-up window with login boxes that makes it seem like it came from the real website.
- Cross-site scripting: This kind of attack is pretty evil. It exploits security flaws in websites so that a link in the phishing email can inject malicious code into a real webpage, where it runs with the same permissions as that page. That means it can access sensitive information like session cookies and any information stored in your web browser (like login info). You wouldn’t even see anything weird happening, because the malicious link really does send you to the real website.
- Tabnabbing: This technique involves loading a fake but realistic-looking website into an inactive tab in your web browser. An average person who doesn’t pay much attention to their tabs might not realize that one of their tabs has been hijacked and enter their login information on the fake website.
- Voice phishing (“vishing”): This is basically phishing done over the phone. Here, the scammer pretends to be from a legitimate company (like your bank) and asks you to supply some account info so that they can fix some kind of problem. Sometimes the attacker even has fake caller ID data to make the call more believable.
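As an added example (not code from the original article), here is a small Python checker for the subdomain and display-text tricks described under “Malicious links”: it pulls the anchors out of an email’s HTML, works out which domain each link really belongs to, and flags links whose target is not the expected domain or whose visible address differs from the real one. The EXPECTED_DOMAIN value, the sample HTML and the two-label domain rule are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Assumed for the example: the domain the email claims to come from.
EXPECTED_DOMAIN = "realwebsiteexample.com"

# Constructed sample: the displayed text looks legitimate, but the href uses the
# subdomain trick from the article (the real owner is accounts.com).
SAMPLE_HTML = (
    '<a href="http://www.realwebsiteexample.accounts.com/login">'
    "http://www.realwebsiteexample.com/login</a>"
)


def registrable_domain(host):
    """Return the last two labels of a hostname, i.e. the part that decides who owns it.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text, expected=EXPECTED_DOMAIN):
    """Return a list of reasons the link looks like phishing (empty if it looks fine)."""
    reasons = []
    target = urlparse(href).hostname or ""
    owner = registrable_domain(target)
    if owner != expected:
        reasons.append(f"target host {target} belongs to {owner}, not {expected}")
    # If the visible text is itself a URL, its host must match the real target,
    # which is what the desktop browser's link preview lets a person check by eye.
    shown = urlparse(text.strip()).hostname if "://" in text else None
    if shown and shown.lower() != target.lower():
        reasons.append(f"displayed host {shown} differs from actual target {target}")
    return reasons


def scan_html(html, expected=EXPECTED_DOMAIN):
    """Find every anchor in an HTML fragment; return {href: reasons} for suspicious ones."""
    findings = {}
    anchors = re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.S | re.I)
    for href, inner in anchors:
        visible = re.sub(r"<[^>]+>", "", inner)  # strip nested tags from the link text
        reasons = check_link(href, visible, expected)
        if reasons:
            findings[href] = reasons
    return findings
```

Running scan_html(SAMPLE_HTML) reports the sample link twice over: once because it really belongs to accounts.com, and once because the address shown to the reader is not the address the link goes to.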
How to Protect Yourself Against Phishing
You don’t need to know any advanced computer programming stuff to protect yourself from phishing. Avoiding phishing attacks all boils down to remembering a few simple tactics and having common sense.
- Never ever click a link in an email that asks you to log in somewhere or do something. If you can remember to do this, you’ve defeated nearly every kind of phishing attack. Instead, go to all the websites you use and bookmark them. That way, when you see an email that has a link, you can just use your bookmark instead (guaranteed to have the real address) and check whether there really is a problem. If you don’t like using bookmarks, use Google or another search engine to find the real website. The real website will most likely have a message center where you can check whether the email you received is real. If it doesn’t, you can try contacting the company directly using the contact info on its website.
- The same goes for phone calls. If someone calls you and asks for account info, hang up. It’s a scam. If you want to check, you can call the real company using the contact info on its website.
- Look for spelling/grammar mistakes. Bad grammar and misspelled words are dead giveaways for phishing emails.
- Look for generic phrases/info. Things like “Dear Mr./Mrs./Miss” and “Dear (your bank) Customer” are also suspicious. That’s because phishing emails are sent out to a huge number of people. Real emails usually include some kind of account info. But just because an email includes account info doesn’t mean it’s safe either; that info could have been stolen from somewhere else.
- Don’t panic. Some phishing emails contain scary language like “Your account has been suspended” or “Fraud has been detected on your account”. Ignore it and don’t click on anything in the email. If you start panicking, you won’t be able to think clearly.
- Try to minimize your online presence. It might be hard for you to do this given the popularity of social media, but try anyway. The more personal info you put on the web, the easier it is for someone to find enough to spear phish you with.
- Report the attack. If you’ve found a phishing email or some other kind of phishing attempt, report it. It will help the authorities crack down on the scammer who sent it.
- If you think you might have given sensitive info away, alert the proper authorities immediately and change all passwords affected by the attack. For some things like bank accounts, you’ll need to alert your bank and have them close your account and open a new one. You might also want to run an antivirus/antimalware scan because some phishing attacks also infect your computer.