Phishing is probably the most common form of cyber attack and certainly one of the most successful. It’s been the starting point for a number of high-profile data breaches involving political parties, celebrities and multinational corporations but what is phishing? How are phishing attacks conducted? Why do we keep falling victim to this type of attack? And most importantly, what can we do to protect ourselves against such attacks?

Hackers use fake websites to try to steal their victims’ passwords for almost every type of online account. According to PhishTank (an anti-phishing alerting service) there can be as many as 1500 new phishing sites appearing on the internet every day. This includes sites pretending to be online banking, email accounts, social media sites and government portals.

What is phishing?

Phishing is the use of fake email or social media accounts to trick victims into accessing a malicious website, which could grant the phishers access to the victim’s private information stored in their online accounts.

How does phishing work?

A hacker will gather information about their victim(s) using a range of tools available to them. With this information, they will forge a reputable entity that appears trustworthy to their target. They will then send their victims a manipulative message, typically via email, indicating some sort of problem or opportunity and a link to their fake site. Here’s an example we saw in April 2018:

Note: postmaster-OOreport-microsoft.com is not a legitimate Microsoft domain.

How do you protect yourself?

While there are a range of professional security teams trying to prevent phishing emails from reaching your inbox, the reality is that sometimes they will get through. In addition to making sure you have up-to-date anti-virus on your computer (ideally a paid product, but Sophos Home edition is a great free option), there are several steps you can take to spot most phishing attacks. Here are some tips:

Check the email and web page before you enter any sensitive information. Here’s how:

Check the link in the email. Make sure that the link you’re clicking on looks like it’s taking you to your intended destination. On a computer you can often hover over a link and it will usually show you the target destination. If it doesn’t look right, don’t click on it, and report it as spam or phishing. See below:

Check the sender in the email. Often the name of the sender will look like a trusted contact, but don’t be fooled by this. It doesn’t mean the email address is correct, e.g. an email from Donald Trump might come through with donald34trump@aol.com (which probably isn’t the person you think it is). Often mobile mail apps don’t make it immediately obvious which mailbox sent the message. On an iPhone, tap on the name of the sender to view the full mailbox.

Check the address bar in your browser. If you have already clicked on a link and you are about to enter your details into a web page, look at the top of your browser before you enter your email or password. Can you see a green bar/padlock? Does the domain look like the right domain? If not, don’t proceed. A genuine Dropbox link would always end in dropbox.com, never something else. The same goes for other file sharing sites.
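As an added illustration (not from the original post) of the link and address-bar checks above, here is a small Python helper that applies the "does the domain look right" rule strictly: the host must be the expected domain itself or a subdomain of it, so lookalikes that merely contain or end with the brand name fail, including the postmaster-OOreport-microsoft.com domain from the April 2018 example. The sample links and the file-share.example domain are constructed for this illustration.

```python
from urllib.parse import urlsplit


def extract_host(link: str) -> str:
    """Return the lowercase host a browser would connect to for this link.

    A hovered link may lack a scheme; without one urlsplit() would treat the
    whole string as a path, so a scheme is prepended. .hostname drops any
    port and lowercases the result.
    """
    if "://" not in link:
        link = "http://" + link
    return urlsplit(link).hostname or ""


def belongs_to(link: str, expected_domain: str) -> bool:
    """True only if the host IS expected_domain or a subdomain of it.

    Note the leading dot in the suffix test: a plain endswith("microsoft.com")
    would wrongly accept postmaster-OOreport-microsoft.com, the fake domain
    shown in the April 2018 example.
    """
    host = extract_host(link)
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def triage_links(links, expected_domain):
    """Map each link to 'OK' or 'SUSPICIOUS' for the brand it claims to be."""
    return {link: ("OK" if belongs_to(link, expected_domain) else "SUSPICIOUS")
            for link in links}


# Constructed sample links, as you might see when hovering over a "shared file" email.
SAMPLE_DROPBOX_LINKS = [
    "https://www.dropbox.com/s/abc123/invoice.pdf",   # genuine subdomain
    "https://dropbox.com:443/login",                  # port is irrelevant
    "https://notdropbox.com/login",                   # brand name as a suffix
    "https://dropbox.com.file-share.example/login",   # brand name as a prefix
    "https://DROPBOX.COM/s/abc123",                   # case does not matter
]

if __name__ == "__main__":
    for link, verdict in triage_links(SAMPLE_DROPBOX_LINKS, "dropbox.com").items():
        print(f"{verdict:10s} {extract_host(link):40s} {link}")
    fake = "https://postmaster-OOreport-microsoft.com/"
    print("SUSPICIOUS" if not belongs_to(fake, "microsoft.com") else "OK", fake)
```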

Be sceptical

Be sceptical when you receive an email or social media message asking you to click on a link, even if the message appears to be from someone you know or trust. If it looks too good to be true, it probably is, and try not to be stirred into a panic if you receive an unexpected bill or fine.

Review your publicly available information

One of the primary causes of targeted phishing attacks (also known as spear phishing) is a lack of awareness of how much of your private information is already available to people with malicious intent. This is a particularly hot topic at the moment and one that we will report on more in the future. The more information is out there, the easier it is for phishers to forge a believable identity, which they can use to manipulate their victims. This goes beyond phishing too, but it is really important that you are aware of the public information available about you, so that you can take steps to reduce the risk of attack.

Although phishers are becoming increasingly skilled in their craft, most phishing emails are poorly written and easily identifiable. It is therefore down to the individual to learn to tell a genuine message from a fake one.

As is human nature, victims of phishing attacks are typically too trusting of what they are sent online. This is the leading cause of the many successful phishing attacks; therefore, it is essential that you never access a link without being certain of the individual sending the message.

With this information, you should be well-armed to spot phishing attacks and stop yourself from becoming the next victim.

If you need any more advice, feel free to reach out to us for a discussion on our consultancy services, which include training and awareness on all aspects of cyber security. You can reach us on +44 2030 393 394 or on info@marclay.co.uk