What is Phishing?
How Can You Prevent It?
Whilst internet threats such as viruses, Trojans, worms, spyware and spam can all be irritating and sometimes cost a little money to remove the infection or repair an affected PC, there are few threats out there which pose the same disastrous financial risk as phishing scams. Unlike any other malevolent threat on the internet today, a typical phishing attack is analogous to real-world fishing: it has a bait and a hook, and a spoofed, realistic-looking web page waiting for the user to submit sensitive information that is then used for the gain of a cybercriminal.
Photo by Stuart Miles at freedigitalphotos.net
The ‘bait’ in phishing scams is usually a fraudulent but very realistic-looking email which claims to be from a trusted entity such as the user’s bank, or a site where the user has an account and frequently shops, for example. However, don’t think that email is the only place where you can fall foul of these scams – bait can also come in the form of bogus web advertisements, instant messages, and other forms of online communication. A number of technical and psychological techniques are often used to convince the user that the email, message or ad is genuine, which tricks them into doing what the sender wants – usually clicking on a link in the email or message. Because phishing emails are usually designed by experienced cybercriminals, there is often no reason for the recipient to believe that they are anything other than genuine.
Bait and Hook
Once the user has taken the bait – i.e. clicked the link in the phishing email – the hook comes into play. The link in a phishing email, message or ad will usually lead to a fraudulent website that is often a nearly exact copy of the website of the trusted entity which the hacker is impersonating, with a few crucial elements, such as login forms, manipulated. To a non-technical user who doesn’t have the know-how or expertise to examine the source code, there is no reason not to believe that it is genuine. Certain advanced spoofs can even manipulate the URL shown in the user’s browser address bar, making the fake site look even more genuine and further deceiving the recipient. At this point, if the user is taken in by the scam and enters their details believing that they are safe, the information entered in the form is passed on to the hacker and the phishing attack is a success.
Educating Employees on Preventing Phishing
Educating employees on the risks and typical traits of phishing is essential for overall protection. Remote employees are becoming increasingly common, as are employees who bring their personal devices to work, creating bigger phishing risks for companies. One of the best ways to educate employees about phishing and how to recognise it is to show them a set of known phishing attempts alongside genuine websites, and ask them to point out which ones are authentic.
There are a number of safeguards which you should also teach your employees in order to minimise the risk of phishing attacks. One of these is to never give out passwords or sensitive information to anyone who requests it, and to make sure they can identify a secure website whenever they need to submit sensitive information. It’s also important to be wary of emails which request sensitive information, because the majority of trusted companies stopped sending them a while back in order to make it easier to identify phishing scams. If in doubt, calling the company to confirm that they sent the email is the best tactic.
How to Prevent Falling Foul
If you have received an email that you are not sure of, there are a few things that you can do to ensure that you don’t fall foul of a scam. Firstly, if an email redirects you to a site which prompts you to enter login credentials, enter a fake password first to test the site – a legitimate site won’t accept it, but a phishing site will. Rather than clicking on links in emails which look like they are from a trusted entity, type the address into the URL bar in a new tab. Since email is not a secure medium, never submit any sensitive information which is requested via email. Lastly, always using the latest versions of updated antivirus and firewall software can help to greatly reduce your risk of a phishing attack.
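As an added example (not from the original article), the following Python check shows why typing an address yourself matters more than trusting what a link says: it pulls the links out of a constructed sample email and flags any whose real destination differs from the address displayed in the text, or where a trusted brand name appears only as a subdomain of some other domain. The sample email, the domain names and the TRUSTED_DOMAINS set are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML email body: visible link text names the bank, real destination is a look-alike host.
SAMPLE_EMAIL = """
<p>Your account has been limited. Please <a href="http://secure-login.example-bank.com.verify-account.net/login">
sign in at https://www.example-bank.com</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">our help centre</a>.</p>
"""
TRUSTED_DOMAINS = {"example-bank.com"}  # assumed: domains the organisation really uses

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def registered_domain(host):
    # Crude last-two-labels approximation; production code should use the Public Suffix List
    return ".".join(host.lower().split(".")[-2:])

def check_links(html, trusted):
    """Return a finding per link: href, host, and the reasons (if any) it looks like a phishing link."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registered_domain(host) not in trusted:
            reasons.append("destination domain is not a trusted domain")
        if any(t in host and registered_domain(host) != t for t in trusted):
            reasons.append("trusted name used as a subdomain of another domain")  # look-alike host
        shown = re.search(r"https?://([^\s/]+)", text)  # a URL written in the visible link text
        if shown and shown.group(1).lower() != host.lower():
            reasons.append("displayed URL host differs from actual destination host")
        findings.append({"href": href, "host": host, "suspicious": bool(reasons), "reasons": reasons})
    return findings
```

Running `check_links(SAMPLE_EMAIL, TRUSTED_DOMAINS)` flags the first link on all three counts and passes the genuine help-centre link.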
Phishing attacks can be sly and have awful consequences. Understanding how they work can help you to better prevent them.