Phishing attacks are a way for cyber criminals to acquire personal or sensitive data, usually via email, but also by instant messaging and text messaging.
Ever get those ‘Amazon’ or ‘iTunes’ invoices for items you never bought? Or an estranged relative in a foreign country who wants to send you a large sum of money? These are phishing attempts: using social engineering to deceive you into giving over details like usernames, passwords, and credit card information.
Mark James, ESET IT Security Specialist, takes us through how to spot a phishing attack and the best way to protect yourself from becoming a victim.
“The take on phishing emails is an interesting one; some have said that these type of emails specifically use bad grammar and mistakes to throw the user off the scent of a dodgy email, but generally these types of emails are incorrectly titled, ‘dear user’.
“They often contain bad grammar as they may well be run through translators for multi-national dissemination, and try to either greatly entice with deals too good to miss or seem to be very insistent the end of the world is nigh if you don’t follow their requests.
“Some things to look out for are moving and hovering the mouse pointer over any links to see if they are indeed pointing to the same text as shown in the link text.”
What is the main aim of phishing attacks?
“Most phishing emails will either:
A. Try to trick you into clicking a link to take you to a website that looks very similar to the login page of the copied website. This may include asking for full information like passwords and backup questions. A legit organisation should only ask for snippets of info from those areas, i.e. first and third character etc.
B. Or perhaps ask you to download an attachment to prove their validity, this will often include malware that may seem to do nothing but in the background compromise your computer without your knowledge.
“One of the easiest ways to spot a phishing email or scam is to ask yourself ‘is it too good to be true?’ Honestly, how often do companies bang on your front door giving away free money!?!
“Companies like Apple did not become the world’s largest information technology company by giving away their products because the cellophane was torn.
“If you still think your email is a legit one but want to make sure, contact the sender through a different method, i.e. phone or separate email and ask them if they sent it.
“Never, ever send money to anyone without checking 100% it’s legit, even seemingly distressed relatives asking for help could be a phishing attempt using your feelings against you as a perfect weapon."
Why is phishing so successful?
“Phishing attacks these days are the number one method for compromising or stealing people’s accounts.
“With most protection methods you are at the mercy of these types of attacks, because in theory they are logging in as you.
“If my details get stolen and they use those, then in essence it’s me logging in, and as far as the system is concerned it’s authenticated and good to go.
“That is of course except for Two-Factor authentication (2FA). 2FA was designed for this type of scenario; if the username and password is compromised then the only methods stopping the account being used are changing the password or using 2FA.
“Once attached to the account, a separate 3rd form of authentication (username and password are the first two) is required before access is gained.
“In this case it would have stopped these ‘attacks’ being successful. Any account that has the potential of reaching or affecting others, should be protected with 2FA.
“Even the most hardened technical specialist could momentarily be affected by a phishing attack and the bad guys only need to be successful once, for us to stay safe we need to be 100% successful, not great odds for us!”
How many phishing emails do you think you receive per day? Let us know on Twitter @ESETUK.
Join the ESET UK LinkedIn Group and stay up to date with the blog. If you are interested in seeing where ESET has been featured in the news then check out our ‘In the news’ section.