The better informed you are, the harder you are to deceive. Together with Microsoft, we explain everything you need to know about phishing.
What is phishing and how dangerous is it
Phishing is a common type of online fraud whose purpose is to compromise accounts and take control of them, or to steal credit card details and other confidential information.
Most often, attackers use e-mail: for example, they send messages on behalf of a well-known company, luring users to a fake copy of its website under the pretext of an attractive promotion. The victim does not recognize the fake, enters the username and password for his account, and thereby hands his own credentials to the scammers.
Anyone can be a victim. Automated phishing mailings are usually aimed at a wide audience (hundreds of thousands or even millions of addresses), but there are also attacks aimed at a specific target. Most often, such targets are top managers or other employees with privileged access to corporate data. This personalized phishing strategy is called whaling, which translates as “whale fishing.”
The consequences of phishing attacks are devastating. Fraudsters can read your personal correspondence, send phishing messages to your contacts, withdraw money from your bank accounts and, in general, act on your behalf in the broadest sense. If you run a business, you risk even more. Phishers can steal corporate secrets, destroy important files or leak your customers’ data, which damages the company’s reputation.
According to a report covering the last quarter of 2019, cybersecurity experts discovered more than 162 thousand fraudulent sites and 132 thousand phishing mailings. During that period, about a thousand companies around the world fell victim to phishing. One can only guess how many attacks went undetected.
Evolution and Phishing Types
The term “phishing” comes from the English word fishing. This type of fraud really does resemble fishing: an attacker casts bait in the form of a fake message or link and waits for users to bite.
But the word is spelled a little differently from fishing: instead of the letter f, the digraph ph is used. According to one version, this is a reference to the word phony (“fake”, “fraudulent”). According to another, it refers to an early hacker subculture called phreakers.
It is believed that the term phishing was first used publicly in the mid-1990s in Usenet newsgroups. At that time, scammers launched their first phishing attacks, targeting customers of the American Internet service provider AOL. Posing as employees of the company, the attackers sent out messages asking users to confirm their credentials.
As the Internet developed, new types of phishing attacks appeared. Fraudsters began to fake entire sites and mastered various communication channels and services. Today the following varieties of phishing can be distinguished.
Email phishing. Fraudsters register a mailing address similar to the address of a well-known company or a friend of the chosen victim, and send emails from it. In sender name, design and content, such a fake email can be almost identical to the original. Only inside is there a link to a fake site, an infected attachment or a direct request to send confidential data.
SMS phishing (smishing). This scheme is similar to the previous one, but SMS is used instead of email. The subscriber receives a message from an unknown (usually short) number requesting confidential data or containing a link to a fake website. For example, an attacker might pretend to be a bank and ask for a verification code that you received earlier. In fact, the fraudsters need that code to get into your bank account.
Social media phishing. With the spread of instant messengers and social networks, phishing attacks have flooded these channels too. Attackers can contact you through fake or hacked accounts of well-known organizations or of your friends. Beyond that, the attack works in the same way as the previous ones.
Phone phishing (vishing). Fraudsters are not limited to text messages and can also call you. Most often, Internet telephony (VoIP) is used for this purpose. The caller can impersonate, for example, a support employee of your payment system and request the data needed to access your wallet, supposedly for verification.
Search phishing. You can run into phishing right in the search results. It is enough to click a link that leads to a fake site and leave personal data there.
Pop-up phishing. Attackers often use pop-ups. Having visited a dubious resource, you may see a banner promising some benefit, for example discounts or free products, on behalf of a well-known company. Clicking on it takes you to a site controlled by cybercriminals.
Pharming. Not directly related to phishing, but also a very common attack, is pharming. In this case, the attacker spoofs DNS data, automatically redirecting the user to fake sites instead of the original ones. The victim sees no suspicious messages or banners, which makes the attack more effective.
Phishing continues to evolve. Microsoft has described new techniques that its Office 365 Advanced Threat Protection anti-phishing service discovered in 2019. For example, scammers have learned to disguise malicious material in search results better: legitimate links that lead users to phishing sites through a chain of redirects are displayed at the top.
In addition, attackers began to generate phishing links and exact copies of emails automatically at a qualitatively new level, which allows them to fool users more effectively and bypass security tools.
How to protect yourself from phishing
Improve your technical literacy. As they say, forewarned is forearmed. Study information security on your own or consult experts for advice. Even knowing just the basics of digital hygiene can save you from a lot of trouble.
Use caution. Do not follow links or open attachments in messages from unknown senders. Carefully check senders’ contact details and the addresses of the sites you visit. Do not respond to requests for personal information even when the message appears believable. If someone claiming to represent a company requests information from you, it is better to call its call center and report the situation. Do not click on pop-ups.
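The advice above to check sender addresses and site addresses, together with the description of email phishing (registering a domain that looks like a well-known company’s), can be turned into a simple automated check. The following Python snippet is an added example written for this article, not code from the original page or from Microsoft: it classifies the domain behind a From: address or a link as trusted, look-alike or unrelated. The trusted-domain list, the confusable-character table and the sample addresses are constructed for illustration, and the “last two labels” rule for the registrable domain is a simplification that ignores multi-label public suffixes such as co.uk.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Assumption: the domains this organisation legitimately sends mail from / hosts sites on.
TRUSTED_DOMAINS = ["example.com", "example-bank.com"]

# Constructed table of characters that phishers substitute for look-alike ASCII letters.
# Deliberately small; a production check would use the Unicode confusables data.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic r
    "\u0441": "c",  # Cyrillic s
    "\u0445": "x",  # Cyrillic x
})


def registrable_domain(host):
    """Last two labels of a host name (naive eTLD+1; assumes no multi-label public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(domain):
    """Fold confusable characters to ASCII and drop dots/hyphens so spellings can be compared."""
    folded = unicodedata.normalize("NFKC", domain.lower()).translate(CONFUSABLES)
    return re.sub(r"[^a-z0-9]", "", folded)


def levenshtein(a, b):
    """Edit distance; one or two substitutions is the classic typo-squatting pattern."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender domain or URL host."""
    domain = domain.lower()
    rd = registrable_domain(domain)
    if rd in TRUSTED_DOMAINS:
        return "trusted"
    labels = domain.rstrip(".").split(".")
    for trusted in TRUSTED_DOMAINS:
        # Same name after folding confusables, or within two edits of it: examp1e.com, exаmple.com
        if levenshtein(normalize(rd), normalize(trusted)) <= 2:
            return "lookalike"
        # Trusted name embedded as a subdomain of some other registrable domain:
        # example.com.login-check.net is owned by login-check.net, not by example.com
        tl = trusted.split(".")
        if any(labels[i:i + len(tl)] == tl for i in range(len(labels))):
            return "lookalike"
    return "unrelated"


def classify_link(url):
    """Classify the host a link actually points to (the href, not the visible link text)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return classify_domain(parsed.hostname or "")


def classify_sender(address):
    """Classify the domain part of a From: header such as 'Support <billing@examp1e.com>'."""
    match = re.search(r"@([^>\s]+)", address)
    return classify_domain(match.group(1)) if match else "unrelated"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["Support <billing@example.com>", "billing@examp1e.com"]:
        print(sample, "->", classify_sender(sample))
    for link in ["https://www.example.com/login",
                 "https://example.com.login-check.net/reset",
                 "https://ex\u0430mple.com/",
                 "https://unrelated-shop.org/"]:
        print(link, "->", classify_link(link))
```

The important design point is that the check looks at the registrable domain of the address the link actually resolves to, not at the visible text or at whether a familiar name appears somewhere in the host: a host like example.com.login-check.net contains the trusted name but belongs to whoever registered login-check.net.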
Use passwords wisely. Use a unique, strong password for each account. Subscribe to services that warn users when passwords from their accounts appear on the Web, and change a password immediately if it is compromised.
Set up multi-factor authentication. This feature adds an extra layer of protection to your account, for example with one-time passwords. Each time you log into the account from a new device, in addition to the password you will have to enter a four- or six-character code sent to you via SMS or generated in a special application. This may not seem very convenient, but the approach will protect you from 99% of common attacks. After all, if fraudsters steal a password, they still cannot log in without the verification code.
Use passwordless login tools. Where a service allows it, you should abandon passwords completely, replacing them with hardware security keys or authentication through an application on your smartphone.
Use antivirus software. A regularly updated antivirus will partly protect your computer from malicious programs that redirect you to phishing sites or steal usernames and passwords. But remember that your main defense is still following the rules of digital hygiene and the recommendations on cybersecurity.
If you run a business
For business owners and company executives, the following tips will also be helpful.
Train employees. Explain to staff which messages should be avoided and what information must never be sent by email or other communication channels. Do not allow employees to use corporate mail for personal purposes. Train them in password handling. It is also worth considering a retention policy for mail: for example, for security reasons, you can delete messages older than a certain age.
Conduct training phishing attacks. If you want to test how employees react to phishing, try simulating an attack. For example, register a mailing address similar to yours and send messages from it asking subordinates to report confidential data.
Choose a reliable email service. Free email providers are too vulnerable for business correspondence. Companies should choose only secure corporate services. For example, users of the Microsoft Exchange mail service included in the Office 365 package get comprehensive protection against phishing and other threats. To counter scammers, Microsoft analyzes hundreds of billions of emails every month.
Hire a cybersecurity expert. If the budget allows, find a qualified specialist who will provide ongoing protection against phishing and other cyber threats.
What to do if you are a victim of phishing
If there is reason to believe that your data has fallen into the wrong hands, act immediately. Check your devices for malware and change your account passwords. Let your bank know that your payment details may have been stolen. If necessary, inform customers of a possible leak.
To prevent such situations from recurring, choose reliable, modern services for organizing collaboration. Products with built-in protection mechanisms are best suited: they are as convenient as possible to work with and do not put your digital security at risk.