Phishing is a real problem. One that can wreak havoc on your digital and financial life. Here, we’ll look at different ways we can identify a phishing scam and stop it in its tracks.
Phishing is the practice of sending emails (or other messages) with the intent to make the recipient believe it’s from a certain company or individual. Phishing induces recipients to divulge important information like passwords and user data, or even credit card numbers which the hacker or cybercriminal can use to steal money or blackmail vulnerable victims.
Phishing is also sometimes called whaling when it uses social engineering. The emails resemble as if coming from the government, the bank or legal teams. These emails often force individuals to click on dubious links. More and more software today is hijacked to add malicious code to emails in an effort to install unwarranted software on a victim’s computer.
Companies often fall victim to these attacks and businesses can lose tons of time and money all because employees resort to careless browsing patterns. Visiting certain disreputable sites can greatly increase the chances of compromising security. Employees must understand the risk of opening attachments or clicking on random links.
The 3 most common types of phishing attacks are:
Spear fishing revolves around using a fake company name and other details. Spear attacks are targeted at specific entities. This type of attack includes spending time to find out and consequently add some actual details about the target in the phishing attempt.
A bad guy finds the name, the position, and other details of an important person in a company and includes them in a pitch email. The recipient thinks the email is from a real person in the company and is tricked into giving away important information. Attackers often then use the gathered information to attract more victims and double down on the phishing attack.
Email account takeover
All members of an organization (including the executive team) are vulnerable to email account takeover attacks. If a hacker acquires the email login details of a high-profile person in a company, they can target almost everyone with the company email address. Think colleagues, different team members, and even some customers. Everyone is a target once a phisher gains control of an account.
Email blast phishing
A report by clario.co states that 1 in 99 emails sent is, in fact, a phishing email and roughly 3.4 billion fraudulent emails are sent each day. Phishing emails require the scammer to use an email address that’s close to a real email address of a reputable person or company.
This email will likely include a request to change a password of some kind and ask you to enter the original password or ask you to open a file attachment possibly loaded with malware.
How to Identify a Phishing Email
Let's look at how to identify a phishing email:
Know the key identifiers of a phishing scam
Hackers are always developing newer ways to target people through phishing attacks, even right now as you read this. But all of them share a few common threads that make them somewhat easy to identify if you know what to look out for.
Plus, dozens of privacy and online security organizations publish information on the latest phishing attacks, the details surrounding the attacks, and key markers. The sooner you discover these attack methods and share them with users, the more likely your chances of stopping an attack are before it starts.
Don’t immediately click on links
It’s not the best thing to start clicking on links you randomly get on Facebook messenger, via SMS, or through email. At the very least, you should hover over the link to see if the destination seems genuine.
Phishing attacks can be cunning and complex, mimicking the destination URL to look exactly like the original site. Rather than clicking the link provided, navigate to the site by typing it into your address bar or find it in a search engine.
Get free anti-phishing add-ons
Browsers like Chrome and Firefox have add-ons that let you know when you’re visiting a malicious website designed to steal information. These are usually free to install. It’s a great way to prevent the most common attacks.
Don’t give your information to an unsecure site
Despite most phishing websites now using secure protocol, it’s still better to not enter any sensitive information on unsecured websites. If the site’s URL starts with https and has a closed padlock icon next to the URL, it's considered safe. These indicators signal that the site is on a secure https protocol.
This goes for credit card information too. Unless you trust the site fully, don’t enter your credit card information. A hacker can easily mimic a business site and ask for your credit card information. Before you enter any sensitive information like a card number or its security code, ensure the site is secure and verify the company is legitimate.
Rotate passwords regularly
If you have an online account (and who doesn’t?), regularly change your password to prevent people from gaining unauthorized access. Your accounts can be easily compromised, even without you knowing it, and changing passwords is one of the most effective steps you can take to help prevent attacks.
Don’t ignore updates
Update messages are frustrating and it’s easy to ignore them. Many people often relegate them to some far-off point in the future that never arrives. Updates often contain critical security patches and these help prevent phishing attacks that make use of already known vulnerabilities.
Firewalls are a great way to prevent most attacks. They keep networks and desktops secure and reduce the odds of someone cracking through.
Don’t be tempted by pop-ups
Pop-ups are annoying but even more distressing is the fact that they’re often linked to sophisticated malware programs. Please, don’t click them!
Most browsers have free ad-block extensions that are equipped to block pop-ups on their own. Even if some pop-ups manage to break loose, don’t start clicking on the links inside. They try to fool you by presenting a false “close” or “x button”. The actual button is elsewhere. Any attempt at clicking the “x button” only results in more popups.
Use a data security platform to alert you to attacks
If you’ve been attacked, it’s important to react quickly before additional damage is done.
A data security platform alerts you of attacks, suspicious behavior, and unwanted changes to files or logs. If an attacker puts their hands on sensitive information, a data security platform can identify the account and prevent further unscrupulous attempts from the attacker.
A good data security platform identifies areas where security threats exist, tells you if someone has clicked on a phishing link, or if any accounts have started showing unusual behavior. Most data security systems can respond in real-time.
Best Practices For Preventing Phishing Attacks
What are some practical ways to prevent direct attacks? Here’s our list of best practices for avoiding phishing scams:
-Make sure your employees know what a phishing attempt looks like by conducting training sessions
-Use a SPAM filter to detect viruses and spammy senders
-Update your system(s) with current security patches
-Use an antivirus software and monitor the status of all computers
-Frame and enact a security policy that asks users to reset passwords regularly
-Create strong passwords that are fairly secure, something with letters, numbers and special characters
-Block malicious websites with a filter like Designhill which has an in-house filter that blocks sites that sell social media accounts, offer gambling or gaming services, or host malicious content
-Convert HTML emails to text-only messages
-For people who work-from-home, start encrypting files and messages
Watch Out For Phishing!
Above are just a few of the steps you should take to protect yourself from phishing online. Keep an eye on the safe online strategies you choose to employ and confirm if the steps and policies you stick to are evolving with new phishing trends.
It’s important to understand the attacks you may face and learn how to address these attacks, after all, informed individuals are the key to preventing attacks and eliminating vulnerability.
George is a blogger and writer at Kamayobloggers, a site he started to share cutting-edge marketing insights.