What is Phishing?
Phishing is a type of social engineering attack in which an attacker sends a message, most often an email, pretending to be a legitimate sender in an attempt to manipulate the victim into disclosing sensitive information, visiting a malicious website, or downloading malware. It is pronounced “fishing” and takes its name from the idea of an angler baiting a hook, casting a line, and waiting for something, or in this case someone, to bite so they can reap the rewards. Phishing attacks can affect anyone: businesses, organisations and individuals alike.
Social engineering attacks can happen in person, over the phone, through social media, messaging services, text messages (SMS), and most commonly through email. Attackers use deception and manipulation to trick individuals into surrendering confidential information, sending money, or downloading malware. Attackers prey on weaknesses by exploiting trust, emotion, urgency, and desires.
Some phishing emails are very sophisticated and look like the real deal, making them difficult to identify, while others are easy to spot as suspicious. Attackers use these emails to try to obtain usernames, passwords, credit card numbers and other sensitive information. They also use them to get you to install malware so they can hunt down and steal as much information as possible from your device.
Types of Phishing Attacks
There are many types of phishing attacks. The most common is the “spray” (or bulk) attack, where the same email is sent out to thousands of people in the hope that a percentage of them will take the bait and fall victim to the attack.
“Spear Phishing” is a highly targeted attack conducted against an individual or specific group of people. Groups could be people who work at a certain company or in a specific industry, different demographics and age groups, or people with shared interests or who subscribe to similar services. These attacks are often more sophisticated and harder to spot as the attacker has usually done their research and put in more effort to increase their success rate.
Whaling is a phishing attack that targets high-level executives in businesses and their close contacts, such as assistants or secretaries. The attacker is going after “the big fish”, as these people often have high levels of authority or access to sensitive business information and funds.
Angler Phishing is when an attacker uses social media to carry out their attacks, through advertising, posts, or the chat or direct message service provided by the platform. They may use tags, clickable links, images, or videos as bait. The aim of this attack is to steal information and take over your account so it can be used to spread the attack to your contacts and friends. You can read more about how to stay safe on social media in our article here.
Smishing is a phishing attack conducted using text messages on mobile phones, and gets its name from the technical term Short Message Service (SMS). Vishing uses a voice call, or asks the victim to call back, to extract information or to run up excessive charges on your phone bill. People often don’t think of text messages or voice calls as a risk to their cyber security and are less guarded when using their mobile phones, so it pays to be wary as this type of attack grows in popularity. If you would like more information about Smishing attacks you can read the article posted on the Unisphere Solutions website here.
Once the attacker has the information they are seeking, they can use it in many ways. This could be to gain trust and access to other individuals such as friends, family, and colleagues, discover more sensitive information, steal money, commit identity theft or fraud, or make the information they have discovered public.
How Can You Stay Safe?
Hacking a human is often easier than hacking a computer: the attacker only needs a brief lapse in your judgement to succeed. Some key signs that an email may be a phishing attempt:
- They contain unexpected links or attachments
- They have poor spelling or grammar
- They seem urgent
- They are asking to discuss confidential or sensitive subjects
- They request personal information
- They offer an incentive through a threat or a reward
- They are impersonal or sound generic
- The sender email looks suspicious
- When you hover over a link it shows a strange or suspicious URL. The visible link text can differ from the real destination, and attackers also register look-alike domains that are hard to tell apart from the real one, so don’t rely on this technique alone. If you want to visit the website of a known organisation such as your bank, type its address into your browser’s address bar rather than following the link in the email.
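As an added example that is not part of the original article, the Python script below applies two of the checks above (a suspicious sender, and link text that does not match the real target) to a constructed sample message. It compares the From display name against the sender’s domain, extracts every link from the HTML body, and flags a visible URL that points elsewhere, a trusted brand name used as a subdomain of an unrelated domain, and punycode (xn--) hosts that can hide look-alike characters. The sample email, the TRUSTED_DOMAINS allowlist and the function names are assumptions made for this example; the domain comparison is a simplification that ignores multi-label public suffixes such as co.nz.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the domains the impersonated brand genuinely uses.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample message (not a real phish). The display name and the
# visible link text look like the bank; the From address and real targets do not.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-support.com>
To: customer@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Unusual sign-in detected. Please confirm your details immediately.</p>
<p><a href="https://examplebank.com.login-verify.net/session">https://examplebank.com/login</a></p>
<p><a href="https://xn--exmplebank-abc.com/secure">Secure login</a></p>
<p><a href="https://examplebank.com/help">Help centre</a></p>
</body></html>
"""


class _LinkParser(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Last two labels of a host ('a.b.examplebank.com' -> 'examplebank.com').
    Simplification: multi-label public suffixes such as co.nz are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url_like):
    """Hostname of a URL; bare text such as 'examplebank.com/login' is accepted too."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlparse(url_like).hostname or "").lower()


# Visible link text that is itself a URL or a bare domain.
URL_TEXT = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def analyse_sender(msg):
    """Flag a display name that invokes a trusted brand while the address does not."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]  # 'examplebank'
        if brand in name.lower().replace(" ", "") and registrable_domain(sender_domain) != trusted:
            findings.append(f"display name '{name}' but sender domain is {sender_domain}")
    return findings


def analyse_links(links):
    """Flag link text/target mismatches and look-alike tricks in link targets."""
    findings = []
    for text, href in links:
        host = host_of(href)
        if not host:
            continue
        target = registrable_domain(host)
        # 1. The visible text is a URL, but the link really goes somewhere else.
        if URL_TEXT.match(text) and registrable_domain(host_of(text)) != target:
            findings.append(f"link text '{text}' but target domain is {target}")
        # 2. A trusted brand domain used as a subdomain of an unrelated domain.
        for trusted in TRUSTED_DOMAINS:
            if trusted in host and target != trusted:
                findings.append(f"'{trusted}' embedded in unrelated host {host}")
        # 3. Punycode labels can encode characters that look like ASCII letters.
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(f"punycode host {host} may be a look-alike domain")
    return findings


def analyse_email(raw):
    """Run the sender and link checks over one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = analyse_sender(msg)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    findings.extend(analyse_links(extract_links(body)))
    return findings


if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the sample, the script reports four findings: the impersonating display name, the visible bank URL whose real target is login-verify.net, the bank’s name buried in an unrelated host, and the punycode host. The genuine help-centre link on examplebank.com produces no warning.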
Be wary: if it seems suspicious or the offer seems too good to be true, it probably is. Don’t open it; delete it straight away.
Report it to someone you think can help. This may include the organisation that is being impersonated so they can warn other people about the attack. You can report phishing attacks to organisations such as CERT NZ and Netsafe who also offer advice and can help you if you think you have been the victim of a phishing attack.
Don’t reply – some attackers wait for victims to reply to make sure their account is active
Don’t click: never click on links provided in an email. Instead, type the correct address into your browser’s address bar.
Always verify: if you’re not sure about something you’ve received by email, it never hurts to check with the sender through a secondary channel, such as a phone call to a number you already have (not one taken from the email) or an enquiry through their website. Verifying by replying to the email is not recommended, as the reply goes straight back to whoever sent it.
Use MFA: multi-factor authentication (MFA), 2FA and one-time passwords (OTPs) add a second layer of protection to an online account. If an attacker does manage to acquire your password, they may still be unable to access the account without the second factor. Be aware that codes sent by text message or shown in an app can themselves be phished by a convincing fake login page, so where an account offers a phishing-resistant method such as a hardware security key or passkey, prefer it.
Keep passwords private - Never provide passwords, PINs, MFA tokens or other sensitive information over the phone, through emails or text messages. Legitimate organisations that hold your sensitive information such as your bank or your IT company will have their own secondary verification or reset mechanisms in place. They should never require this information to be provided to them.
Deny access - Never provide or accept a request to access your device, whether it’s your computer, mobile phone, tablet or even your TV to anyone over the phone or through an email or text message.
If you would like some more information on anything you’ve seen in this article today, feel free to send us an email at info@cybertribe.co.nz or give us a call on (09) 242 1418. You can also complete our web form and we’ll respond to you through email.