Internet Phishing: There’s always something phishy going on
You must have heard the term “phishing” – an attempt by a malicious person or group to deceive users into giving out sensitive information such as passwords, usernames, credit card details, etc. You may have heard so many examples of such fraud that you think you would never fall for one of those scams, but think again. The truth is that phishing attacks are becoming a bigger threat than ever.
These attacks come in a variety of forms. The best known is email phishing, which uses fake links and malicious files hidden in attached documents. Now we also have “smishing”, which is phishing through SMS text messages on your smartphone, and “vishing”, voice phishing conducted by voice email, voice over IP (VoIP), or landline or cellular telephone. The victim is told to call a specific telephone number and give private information to verify their identity and ensure that fraud does not occur.
Even though technology has come a long way, today we need to be a lot more cautious about online browsing than we needed to be a few years ago.
The fusion of technology and social engineering has triggered phishing attacks that are more sophisticated and scarier than ever. Social engineering uses deception or manipulation to trick people into giving up confidential information and infecting their computers. Criminals are after various pieces of information, like your passwords, social security number, or bank details, or they want access to your computer so they can secretly install malicious software that gives them access to your personal data and control over your machine. Combining phishing with malware can be the most powerful approach, usually in the form of an email with an urgent document attached. When you open that attachment, your computer is infected and all your sensitive information is in the hands of criminals.
The real problem today is spear-phishing. There’s a huge amount of information available on the internet that someone can use to manipulate you. Social media especially makes it easier than ever for criminals to find out personal details about you. Fraudsters set up fake web sites that mimic the sign-in pages of trusted companies. The fake site includes a company’s logo and looks like the real page. Logos and the appearance of legitimate web sites are easy to copy. Criminals are enticing you to click on a phishing link for a variety of technical and social reasons. The phishing site is set up to trick you into disclosing your user name and password, bank account numbers, and the other functional secrets of modern life. Spear-phishing is still very successful on enterprise networks. Because it’s low volume, it’s much harder to detect.
Another kind of social engineering fraud to watch out for is CEO/Manager fraud. Criminals know that they can exploit employees’ natural desire to help a customer or please their superior. They find out details about the CEO or managers of a company using information publicly available online and they use that information to make targeted phishing messages to trick employees into compromising company data or making financial transfers.
Most of the time, a proper fake website gets an attacker whatever they need without expensive and detectable malware and that is a scary fact.
The attackers specialize in exploiting our biggest defect – being human. We are the weakest link. People are mostly trusting by nature, and none of us want to live in constant fear of phishing attacks, paying attention to every detail. It’s exhausting. We want to be careful, not paranoid.
Tech companies can’t prevent user behavior; all they can do is try to detect malware and phishing sites and encourage you to use two-factor authentication.
Turn on two-factor authentication where you can so that if your information is stolen or leaked, attackers still can’t take over your accounts. Use automatic updates and set up regular backups. It is a small effort and you don’t have to worry as much about theft if you know you can always get your stuff back. Use long and complex passwords, but write them down or use a password manager. Password managers are easy and will auto-fill your password on sites you’ve used before. You can use an online password-management system that syncs between devices. Don’t reuse passwords, and change your password on the sites where you know you’ve reused passwords. You can also sign up at Have I Been Pwned to find out which of your passwords have already leaked onto the internet.
If you are not sure whether a site is authentic, enter a fake password to sign in. If you appear to be signed in, you’re likely on a phishing site. If you get an email from your bank, look for spelling errors, poor grammar, or inferior graphics; then log in through your own web browser and follow your own link rather than the one in the message. Make it a habit not to open email attachments on your computer. In this way, you will be protected from malware. Put your files in a file-locker site, and open documents in a remote service.
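The advice above about fake sign-in pages and following your own link rather than the one in the email can be turned into a simple check. This is an added example, not code from the original post: it scans a constructed sample HTML email, flags links whose visible URL text points at a different domain than the real href, links to bare IP addresses, and hosts that imitate a trusted domain. `TRUSTED_DOMAINS` and all domain names in the sample are hypothetical placeholders; the registered-domain logic is deliberately crude (last two labels) and is not a substitute for a real public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the original post); all domains are placeholders.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://bank.example-verify.test/login">https://www.bank.example/login</a>
<a href="https://www.bank.example/help">Help centre</a>
<a href="http://198.51.100.7/secure">Secure portal</a>
<a href="https://bank.example.login-portal.test/">Sign in</a>
"""

TRUSTED_DOMAINS = {"bank.example"}  # hypothetical allow-list of sites you actually log in to

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registered_domain(host):
    # Crude: keep the last two labels. Fine for the demo, wrong for multi-label TLDs.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_links(html):
    """Return a list of (href, reason) for links that look like phishing lures."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        dom = _registered_domain(host)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "link points at a bare IP address"))
            continue
        text_host = urlparse(text).hostname if "://" in text else None
        if text_host and _registered_domain(text_host) != dom:
            findings.append((href, f"visible URL says {text_host} but link goes to {host}"))
        elif dom not in TRUSTED_DOMAINS and any(t.split(".")[0] in host for t in TRUSTED_DOMAINS):
            findings.append((href, f"{host} imitates a trusted domain but is not one"))
    return findings
```

Running `check_links(SAMPLE_EMAIL)` flags three of the four links; only the genuine help-centre link on the trusted domain passes.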
If you receive a message, whether by email, phone, or otherwise and feel uncertain about it – always double check it before giving out any information. Legitimate companies will never ask you to verify or provide confidential information in an unsolicited email.
Update yourself not just your software because there is always something phishy going on.