Don’t take the bait
Phishing is a dirty trick used by scammers, spammers, and hackers since the earliest days of the internet. Phishing is the act of tricking someone into giving up sensitive information or data. You may have received spam emails claiming that you have won an expensive prize and only need to send your bank account information to claim it. Such a ploy is easy for most people to spot; the real danger comes from those using less obvious tactics. Email isn’t the only tool these phishermen use to lure in unsuspecting prey. Educate yourself to make sure you won’t be the next victim caught by the phisherman.
Types of phishing
Phishing comes in many different forms and new techniques are always being invented.
The most common form that people tend to be familiar with is the classical “advance-fee scam”, or the Nigerian Prince scam as some people call it. The ploy is simple: You get an email from someone claiming they have something valuable, like a kingdom, an inheritance, or a ton of money. However, they claim they either need your banking information in order to share it with you, or they need you to send them a loan so they can get their fortune back, promising to reward you for your kindness. Such scams are easy to spot and are widely recognized, yet millions of people still fall for them every year.
However, such scams are just barely considered to be a form of phishing and are so simple that anyone that knows how to send an email can do it. The real danger lies in more sophisticated forms of phishing that most people don’t even know exist.
Email spoofing, and now SMS spoofing, are widely used phishing attacks. Spoofing attacks can be very successful, even on the most “tech smart” users. People don’t always verify that the sender of a message is legitimate, and all it takes is one slip-up to fall victim to one.
Spoofing attacks are messages designed to look authentic, mimicking the layout of companies or valuable web services such as online banking or social media. The message claims that the recipient needs to urgently log in to their account, saying they need to confirm information or that they have been hacked. The recipient, fearing their account may be in danger, clicks on the link provided. The catch? The link leads to a fake webpage created by the phisherman. Any information the user enters, such as their account username, password or other sensitive information, is unknowingly sent over to the phisherman.
Spoofing is a highly effective form of phishing, and most phishing attacks tend to rely on some form of spoofing. Think of it like digital counterfeiting, but instead of ending up with a crappy shirt you end up with a stolen identity.
When phishing attacks are aimed at a specific individual they are called “spear phishing” attacks. Spear phishing is single-handedly the most effective form of phishing. These attacks are highly personal – the attacker uses known information to trick the victim into believing in its legitimacy. Because of how much information we share on social media, attackers don’t even need to know the victim in the physical world in order to exploit them. A common spear phishing attack is a spoofed email appearing to come from the victim’s bank or employer and containing the victim’s real name, birthday, etc.
When spear phishing is targeted at wealthy or powerful individuals such as company executives or celebrities, the term “whaling” is used, and yes, whaling is still often effective.
When black hat hackers are the phishermen, the methods used can be even more obscure and extraordinarily difficult for most people to discover.
Man-in-the-middle, or MITM, attacks often use phishing in order to steal people’s information. MITM attacks are very difficult to spot. They rely on being able to hijack or otherwise manipulate the user’s current connection to the internet. An example of a MITM attack is a rogue access point, in which the phisherman sets up an open WiFi access point for people to use, or disguises the access point as something it’s not (like a WiFi hotspot provided by the coffee shop or company it’s located in). Once a user is connected to the rogue access point, the phisherman can manipulate the connection in order to serve them a spoofed webpage. For example, when the user goes to check their online bank account, they are automatically redirected to the spoofed login page instead. The URL never changes, so the user trusts that the page is safe, even though it was actually set up by the phisherman and will send them any information the user enters.
The dark art of social engineering
If you ever receive a call from an unknown number claiming to be a coworker you haven’t met asking for an account password, or an email claiming to be from upper management asking about employee information, it’s very possible this is an act of social engineering. Sure, there is also a chance it could be legit, which is why it is very important to confirm the sender’s identity first.
Social engineer is the official term for a phisherman. Social engineers tend to have good people skills. They understand how people think and react to different situations, and they use this knowledge to manipulate others into releasing sensitive information.
In addition to the techniques listed above, social engineers commonly use a trick called “pretexting”. Pretexting is creating an imaginary scenario in order to gain the victim’s trust. The social engineer may claim a tragic event or emergency is taking place in order to make their request seem urgent, forcing the victim to make a quick decision.
Good pretexting uses lots of real information to gain the victim’s trust. They may accurately reference real names, locations, events, etc. This makes it less likely the victim will question the attacker’s authenticity, which is why it is very important to remain on alert.
How to stay safe
Education is key. It helps to keep the old saying “stranger danger” in mind. Online strangers can be dangerous since you can never be sure who’s really on the other side of the screen. Never trust anyone with sensitive information unless you have personally met them face to face and/or confirmed their identity, no matter how urgent their request may sound. Always make sure to verify people are who they claim to be. If you know the person in the physical world, ask them directly if they made the request. If it’s from a bank or other online service, go directly to their website; don’t click on the link provided. Always use a VPN when you use public WiFi; the encrypted connection to the VPN can prevent a MITM attack.
Always check the sender. If they claim to be a member of your organization, does their email end with your organization’s official domain? Or is it a personal address like Yahoo or Gmail? If they claim to be in upper management, is their phone number or email address listed in any official company directory? Does their request sound more like it’s an excuse? If they claim it’s urgent, such as an emergency, is there anyone else who can verify its urgency? Can you really trust them to be who they say they are?
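The sender checks above can be turned into a small triage helper. This is an added example, not code from the original article; the free-mail list and the `example.com` organization are constructed for illustration. It also shows a caveat the checklist glosses over: a naive "ends with our domain" test accepts lookalikes such as notexample.com, so the check must require an exact match or a true subdomain, and it catches the display-name trick where the visible name says "Example IT Support" while the actual address is a personal account.

```python
from email.utils import parseaddr

# Constructed list of free-mail providers (the article's "personal address like Yahoo or Gmail").
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def sender_domain(from_header):
    """Return the lowercase domain of the address in a From: header, or None if none parses."""
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().strip(".")


def is_org_domain(domain, org_domain):
    """True only for the organization's domain itself or a real subdomain of it.
    A plain str.endswith(org_domain) would wrongly accept 'notexample.com' for 'example.com'."""
    org = org_domain.lower()
    return domain == org or domain.endswith("." + org)


def check_sender(from_header, org_domain):
    """Return the red flags for a message that claims to come from inside org_domain.
    An empty list means the address is consistent with the claim; it does not prove the
    header is genuine, since From: can be forged, so the article's out-of-band checks still apply."""
    flags = []
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if domain is None:
        return ["no parseable address in From: header"]
    if domain in FREEMAIL:
        flags.append("free-mail provider, not the organization's domain")
    elif not is_org_domain(domain, org_domain):
        flags.append("external domain %s" % domain)
    # Display-name spoofing: the visible name drops the organization's name
    # while the real address lives somewhere else entirely.
    org_label = org_domain.split(".")[0].lower()
    if org_label in name.lower() and not is_org_domain(domain, org_domain):
        flags.append("display name references %s but address is external" % org_label)
    # A display name that itself looks like an address is a classic lookalike trick.
    if "@" in name:
        flags.append("display name contains an email address")
    return flags


if __name__ == "__main__":
    for hdr in ("Jane Doe <jane.doe@example.com>",
                "Example IT Support <support@gmail.com>",
                "Jane Doe <jane@notexample.com>"):
        print(hdr, "->", check_sender(hdr, "example.com") or ["no red flags"])
```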