Phishing is a type of internet scam that tries to steal your credentials by deception. The cybercriminals behind it are most often after your bank account information, credit card numbers or other privileged credentials such as social media logins. Phishing is a less sophisticated version of spearphishing, which we covered in a previous article.
How does this all work?
Phishing usually takes the form of an email notification from your bank, credit card company or another organization. The notification will try to encourage you to update your information or verify your credentials on a fake website. The notification you receive will have a sense of urgency. The urgency may be related to a system failure or your password expiring. Because of that, it is extra important to read these notifications carefully.
Phishing attacks are becoming more organized and well crafted. The sender will often try to scare you and issue a call to action. Ironically, they may also tell you that this is a measure to prevent phishing attacks! You may be told that if you do not update your credentials, your account will be blocked in a few days. The call to action will be in the form of a link to a website. This website will look very similar to that of your bank or credit card company.
Because of the nature of these attacks, they are short lived. The average life of a phishing site is about five days. It is not uncommon to receive an email on Friday and find the link dead on Monday when you return to the office.
How do the phishing sites work?
These sites will prompt for your credentials. Once you enter them, they are added to a database controlled by the attackers. Your credentials are then used to try to access your other accounts. Maybe you use your Gmail account to log in to other services as well. Your compromised Gmail account may give them access to many other services. Is your Gmail account linked to your Facebook or Instagram account?
Why is access to my mailbox so important?
The trick here is that your email account can easily be used to access many other services. Because the attacker has access to your mailbox, all they need to do is reset your password on those services. If your bank account information is stolen, money can be wired outside the country. If your credit card number is stolen, it can be used for online transactions. Because of the nature of this attack, all of this information may simply be sold to someone else. Credit card numbers are often sold for a few dollars.
How do I protect myself and my business (or employer)?
The nature of this attack is such that modern technology won't help you in this case. There is no piece of software or service you can buy to totally prevent this attack. Educating yourself and training your staff is your best defense. Because of that, below is a list of some helpful tips and tricks to protect yourself:
- Does the email address match the institution it is supposed to be coming from?
- How is the language in the email? Does it make sense to you? Do you see spelling mistakes? Scammers are not the most sophisticated!
- Does the email address you directly or use a more general greeting? Phishing attempts are sent to millions of people. You will see it addressed to “User” or “Member”, not directly to you.
- Hover over the link with your mouse and double check the link. Does it seem legitimate?
If you are still unsure, call the institution directly using a known valid phone number. For example, call your credit card company using the phone number on the back of your card. Be cautious about using Google to locate their number if you believe your computer may be compromised. If you work in a business or office, check with your IT crew or reach out to us for help. Finally, pick up the phone and call them!