This article first appeared on Contextual Security's website, and is reprinted here in partnership with them.
Phishing attacks are among the most common data security challenges businesses and individuals face today. Data suggests that up to 4 percent of all email correspondences are malicious phishing attempts. These kinds of attacks aim to access credit card information, steal passwords, and obtain any other sensitive information.
Everyone is susceptible to an email phishing attack, and businesses are more vulnerable. Phishing goes beyond email: cyber criminals today are using online messaging systems and phone calls to carry out these attacks. There are some tips below to prevent your email or your business from being compromised.
WHAT IS A PHISHING ATTACK?
Phishing is an online con where cyber criminals send an email or a message that appears to be from a legitimate source. The message may trick you into clicking a link and then ask you to give sensitive personal or business information in order to log into a legitimate-looking website. It may look like it came from someone you know or have been doing business with.
Phishing emails usually include a link that may take you to a website that seems genuine and ask you to fill out personal information to sign in. Most people don’t know that this information is sent directly to hackers who initiated the cyber crime. These criminals often send thousands of emails trying to attract someone who will fall for the trap.
INCREASED PHISHING SCAMS DUE TO THE COVID-19 PANDEMIC
Hackers are always evolving and using everything, including pandemics, to prey on other people. In recent events, especially during the COVID-19 epidemic, cyber-attacks have increased and are now preying on human emotion. Criminals are now targeting trusting consumers by using known brands to collect personal information through the use of videoconferencing platforms.
Since the pandemic started, there has been an increase in phishing attacks. The FBI has warned that some hackers are even pretending to be health organizations, hospitals, and new sites delivering fake news and sending out fake coronavirus-related alert emails.
Hackers create fake online meeting domains and fabricate online meeting platforms such as Google Meet, Zoom, and Skype to phish for individuals who will respond. Clicking these alerts may download malware or spyware into your computer, compromising your data and internet security.
According to research by Cofense, hackers are taking advantage of the current confusion, isolation and remote working conditions to trick people into their traps. A recent COVID-19 related scam sent around fake job termination news by creating an alert and an invite to join an online meeting on Zoom. This alert's main aim was to cause panic and ensure whoever saw it clicked on it, thus downloading malware onto their computers.
HOW TO IDENTIFY A PHISHING ATTEMPT
Scammers have evolved and are now using text messages and emails to trick you into giving them personal or company information. They try to steal your social security number, bank information, or even email passwords. According to a report by the FBI’s Department of Internet Crime Complaint Center, over 57 million dollars is lost to phishing schemes every year. Hackers are continually updating their methods to adapt to new security measures placed by businesses and individuals. So how do you identify a phishing attempt? Read on below:
1. Requests for sensitive information
A phishing email or text will ask you for sensitive information either through an attachment in the email or a web link. Most legit businesses will not send you an email asking for personal and confidential business information. They also may not send you a link to collect this information.
2. The email is not addressed by name
Phishing messages and emails often use generic salutations or avoid using any altogether. A company that wants you to send them your personal information, such as your bank, will address you by name instead of calling you “Dear account holder.” The company may also make a phone call instead of sending you an email.
3. Check the email domain
Always make a point to check the email domain of the person sending the email. Take your mouse and hover the pointer on the “from” address to verify the email address. Most hackers make simple alterations to email addresses to make you fall for their traps, for example, firstname.lastname@example.org and email@example.com. Make sure you check the difference, and don’t be in a hurry to respond.
4. Grammatical errors
The easiest way to spot an email from a scammer is grammatical errors. Legit organizations send out well-written emails with no grammatical errors. Hackers generally prey on illiterate and uneducated people, and they consider them less observant and easier targets.
5. Fake links that don’t match their URLs
Phishing emails are sometimes coded as a hyperlink to get you to click either deliberately or accidentally. The links open fake websites or download a virus into your computer. Check the URL and the link sent to ensure they are identical. If the hyperlink URL doesn’t match the context of the email, do not trust it.
6. Unsolicited attachments
Emails that carry attachments they have no need for reek of hackers. Legit companies will not send you random attachments in emails. Be careful of any high-risk attachments. When in doubt, directly contact the institution that sent the email using information from their actual site.
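The checks in items 3 and 5 can be automated. The Python below is an added example, not code from the original article: it flags links whose visible text names one host while the underlying hyperlink goes to another, and sender domains that closely resemble a trusted domain without matching it. The trusted-domain list, the 0.8 similarity threshold and the .test sample domains are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data; the .test domains are placeholders, not real senders.
TRUSTED = ("examplebank.test",)
SAMPLE_FROM = '"Example Bank" <security@examp1ebank.test>'
SAMPLE_HTML = ('<a href="http://examp1ebank.test/verify">www.examplebank.test</a> '
               '<a href="https://examplebank.test/help">Help centre</a>')

def _host(url):
    """Lower-cased hostname without a leading 'www.'; bare domains allowed."""
    url = url.strip() if "://" in url else "http://" + url.strip()
    return (urlparse(url).hostname or "").lower().removeprefix("www.")

class _Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html_body):
    """(visible text, real host) where URL-like link text names another host."""
    parser, flagged = _Links(), []
    parser.feed(html_body)
    for href, text in parser.links:
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text, re.I):
            shown, actual = _host(text), _host(href)
            if actual != shown and not actual.endswith("." + shown):
                flagged.append((text, actual))
    return flagged

def lookalike_sender(from_header, trusted=TRUSTED, threshold=0.8):
    """Trusted domain the sender's domain resembles but does not equal, else None."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in trusted:
        return None
    return next((t for t in trusted
                 if SequenceMatcher(None, domain, t).ratio() >= threshold), None)
```

A link whose text is ordinary wording ("Help centre") is not compared, and a subdomain of the displayed host is treated as a match, so the check only fires when the message shows one address and points to another.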
WHAT TO DO IF YOU SUSPECT A PHISHING ATTEMPT
Suppose you are suspicious of an email or a message sent to you. University at Buffalo Information Technology advises that you take the following steps to ensure your information is safe:
- Do not open the message; giving an audience to a scammer provides them the opportunity to exploit you. Opening an email from a scammer is the first step to compromising your personal or company information security.
- Delete the email immediately to avoid accidentally opening it in the future.
- Avoid downloading any attachments that came with the email; they may contain viruses, malware, and spyware to collect your information and send it to the scammers.
- Avoid clicking on links and hyperlinks embedded into the email, as they often take you to fraudulent sites.
- Don’t respond or engage the sender in any way. Avoid any requests solicited in the message and don’t call any numbers provided.
- Report the message and the sender to help others avoid being scammed by the same person.
- If the scammer calls you, hang up and block them; don’t give in to their requests.
ANTI-PHISHING TOOLS AND APPS
Anti-phishing apps and tools are cybersecurity software designed to identify phishing content in online messages and email. These tools filter emails from malicious sources by verifying the email origin against a vast database of phishing sites. The software also uses addresses that hackers spoof to improve your data security.
HOW ANTI-PHISHING TOOLS WORK
Anti-phishing tools help IT personnel reduce the time they spend trying to prevent phishing attacks. According to Phish Protection, below are techniques used by these tools to minimize cyber-crimes.
- Detection of malicious content in online messages and emails.
- The tools check and prevent spoofs sent by hackers.
- They offer reliable security against entrenched malware and Trojans in emails.
- They alert an email receiver of a phishing attempt by confirming fake emails in phishing attacks even when the email addresses look legit.
- Anti-phishing tools block phishing sites and malware.
- The tools also give users information about blocked threats.
These are small tools that can be downloaded or plugged in within your browser to protect you from phishing attacks and hackers. Some of this software is free, while others require you to pay a small fee before downloading. Anti-phishing toolbars will help you detect and identify phishing sites that may be running unnoticed in your computer background.
They are always checking any websites or links you click in real-time while blocking anything they perceive as malicious. These tools are suitable for everyone, including people who are not technology savvy.
THE SOPHISTICATION OF PHISHING ATTACKS
Traditionally, phishing attacks were meant to target those without a level of technological sophistication, such as the elderly and children. But with time, phishing attempts have evolved and become more complex. Hackers are always digging and looking into new ways to stay ahead of any cybersecurity measures put in place by companies.
By the beginning of 2020, hackers were known to use hijacked search results to send users to their malicious sites. They made use of traffic generators to push malicious websites to the top of Google results; thus, redirecting users to download malware or phishing sites. This action gives hackers access to information on the computer, helping them bypass email privacy and security features.
Microsoft warns that hackers also started using custom 404 web pages to launch their phishing campaigns. They adopted a new technique to move their websites to a different URL to prevent security technologies from taking down and flagging their malicious URLs. By using an unlimited number of URLs, the attackers customize their pages just like regular web pages and ask you to sign in. However, today hackers are customizing their web pages to look like 404 error pages to protect themselves. They use these websites to access a shell of websites and execute certain commands on the server.
Attackers have also grown smart. They are also using new techniques to send out mass emails warning users of an imminent attack, asking them to go to a particular page such as a Microsoft secure page to help them secure their data. They will share an email with specific information based on your email address, explain who is targeting you, and redirect you to a legitimate-looking website. They then ask you to sign in with your email log-in information to protect yourself. Through this method, hackers will now have access to your information, email addresses, and passwords.
HOW TO SECURE YOUR EMAIL FROM CYBER CRIMINALS
Your email can be a gateway to your online footprint, online banking, and also your identity. When someone gains access to your email address, they can steal your identity, access personal information, and gain access to all your saved passwords. Every time you need to sign into a website, you are required to put your email information. So how can you ensure that your email is safe with today’s increased cyber-attacks? Below are tips to increase your email privacy:
1. Create a secure password
A secure password is what’s standing between your PPI and identity theft. The key to a secure password is mixing up uppercase and lowercase letters, numbers, and special characters that you can remember. Don’t use obvious information such as the name of your dog or the month you were born in your password.
2. Be careful when using public Wi-Fi
In recent years hackers have been using fake Wi-Fi hotspots to intercept and steal people’s data. When people are using the same Wi-Fi, it is easier for one of them to access the other person’s information such as passwords, bank details, credit card information, and usernames. To be safe, stay away from open public Wi-Fi, especially when accessing e-banking apps or doing something that may reveal sensitive information.
3. Use two-factor authentication
This acts as an extra security layer. Anytime someone is trying to log into your email, they have to prove they are you by entering a particular verification code that is sent to your phone. This feature also notifies you when there has been an attempt to access your email.
4. Encrypt the internet
To protect your personal information from being acquired by identity thieves, you should encrypt the connection between your email server and the computer. This move will prevent email addresses and usernames from being intercepted by internet spies and hackers. Some services, such as Outlook and Gmail, will automatically encrypt your connection. Others require you to do it manually. You can use a VPN to ensure internet security.
5. Always sign out
Whenever you aren’t using your email, sign out every time. Do not leave your email address logged into a public computer, such as in a library. Always sign out if someone has access to your computer or when using someone else’s computer.
Phishing is a dire threat to business and individual email privacy. During this pandemic period, where most of us work from home, hackers will always try to exploit our vulnerability. Think twice before opening a suspicious email or clicking on that link. We have to be vigilant and stay ahead of these cyber criminals at all times.