What is phishing?
Phishing is a cyber attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need — a request from their bank, for instance, or a note from someone in their company — and to click a link or download an attachment.
Learn about the purpose behind phishing attempts and how to identify them to avoid getting scammed.
Purpose of phishing
If there’s a common denominator among phishing attacks, it’s the disguise. The attackers spoof their email address so it looks like it’s coming from someone else, set up fake websites that look like ones the victim trusts, and use foreign character sets to disguise URLs.
Phishing attempts may be aimed at the general population, or they may be going for a bigger catch with a high-profile target such as a business CEO or a government official. Generally, a phishing campaign tries to get the victim to do one of two things:
· Hand over sensitive information. These messages aim to trick the user into revealing important data — often a username and password that the attacker can use to breach a system or account. The classic version of this scam involves sending out an email tailored to look like a message from a major bank; by spamming out the message to millions of people, the attackers ensure that at least some of the recipients will be customers of that bank. The victim clicks on a link in the message and is taken to a malicious site designed to resemble the bank’s webpage, where, the attacker hopes, they enter their username and password. The attacker can now access the victim’s account.
· Download malware. Like a lot of spam, these types of phishing emails aim to get the victim to infect their own computer with malware. Often the messages are “soft targeted” — they might be sent to an HR staffer with an attachment that purports to be a job seeker’s resume, for instance. These attachments are often .zip files, or Microsoft Office documents with malicious embedded code. The most common form of malicious code is ransomware. Victims can often only regain access to their encrypted files and PCs by paying a ransom to the criminals behind the ransomware.
Why phishing increases during a crisis
Criminals rely on deception and creating a sense of urgency to achieve success with their phishing campaigns. Crises such as the coronavirus pandemic give those criminals a big opportunity to lure victims into taking their phishing bait.
During a crisis, people are on edge. They want information and are looking for direction from their employers, the government, and other relevant authorities. An email that appears to be from one of these entities and promises new information or instructs recipients to complete a task quickly will likely receive less scrutiny than prior to the crisis. An impulsive click later, and the victim’s device is infected or the account is compromised.
The following screen capture shows a phishing campaign discovered by Mimecast that attempts to steal the login credentials of the victim’s Microsoft OneDrive account. The attacker knew that with more people working from home, sharing documents via OneDrive would be common.
Tips to Avoid Getting Phished
There are also a number of steps you can take, and habits you should get into, that will keep you from becoming a phishing statistic when a phishing email lands in your inbox:
· An Unusual Sender – Whether it looks like it’s from someone you don’t know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general, don’t click on any links! It’s perfectly safe to open or preview an email but never click a link in an email or open an attachment to one unless you are 100 percent confident you know and trust the sender.
· Check Sender’s Email Address – The sender’s name might appear to be a legitimate company, but look at the actual email address being used to see whether it really belongs to that company. Example: the sender shows up as “Apple Account Services,” but when you view the email address it does not show up as “——@apple.com”.
· Never reply to the sender—even to tell them not to send you any further mail. Phishers might send emails to thousands of addresses every day, and if you reply to one of their messages, it confirms your email address is live. This makes you even more of a target. Once the phisher knows you’re reading his emails, he’ll send more attempts and hope one of them works. If you know the person and suspect their email account has been hacked, call them before you click.
· Where does that link actually go? The easiest way to find out is to hover your mouse over the link and look at the bottom left corner of your browser window. There you should be able to see the exact URL you will be directed to if you click on the link. If this link shows an IP address (for example, 192.168.1.1) rather than a domain name, it is most likely not a place you want to go.
· Always check the spelling of the URLs (name of the website at the top of your browser) in email links before you click or enter sensitive information. For instance: www.bankofarnerica.com – the ‘m’ is actually an ‘r’ and an ‘n’, so look carefully.
· Watch out for URL redirects, where you’re subtly sent to a different website with identical design.
· The email opens with a generic greeting such as “Hi Dear.” If you have an account with the business, it probably wouldn’t use a generic greeting like this.
· Poor grammar or misspelling is usually a giveaway.
· Don’t panic! Ignore commands and requests for action. If the email is urging you to do something, stop and think before you fall into their trap. Remember, if it is too good to be true, it probably is!
· Don’t post personal data publicly on social media, like your birthday, vacation plans, or your address or phone number.
· Google it. Copy and paste a few lines of the email in question into your browser and see what the search brings up. There’s a good chance that if it is a scam, others have received one too.
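Several of the tips above (compare the display name with the real sender address, see where a link actually goes, watch for bare IP addresses, look for spelling tricks like “rn” for “m”, and watch for foreign character sets in URLs) can be turned into automated checks that a mail gateway or a security-awareness tool might run. The script below is an added example written for this article, not code from Mimecast or any product it mentions. The brand allowlist, the confusable-character table, and the sample email are all constructed for the demonstration; a production filter would use a public-suffix list and a far larger list of brands and confusables.

```python
"""Added example: heuristic checks mirroring the manual tips, run over a constructed sample email."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist used only for this demo: brand wording -> the domain it legitimately mails from.
KNOWN_BRANDS = {"apple": "apple.com", "bank of america": "bankofamerica.com"}

# Character pairs that pass for another letter in many fonts (the 'rn' vs 'm' trick from the tips).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

# Constructed sample message (not a real phishing email); every link except the last is deliberately suspicious.
SAMPLE_EMAIL = """\
From: "Apple Account Services" <support@apple-id-verify.example>
To: user@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Dear, your account will be locked unless you act now.</p>
<a href="http://192.168.1.1/login">https://www.apple.com/account</a>
<a href="http://www.bankofarnerica.com/verify">Bank of America</a>
<a href="http://xn--pple-43d.com/secure">apple.com</a>
<a href="https://www.example.com/help">https://www.example.com/help</a>
</body></html>
"""


def registered_domain(host):
    """Last two labels of a hostname; a real tool would consult the public-suffix list instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host):
    """Brand domain that `host` imitates once confusable pairs are folded, else None."""
    domain = registered_domain(host)
    folded = domain
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return next((d for d in KNOWN_BRANDS.values() if d != domain and folded == d), None)


def is_ip_literal(host):
    """True when the link goes to a bare IP address instead of a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def shown_host(text):
    """Host a reader would assume from the visible link text, or None if the text is not URL-like."""
    text = text.strip()
    if text.lower().startswith(("http://", "https://")):
        return urlparse(text).hostname or ""
    if re.fullmatch(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", text):
        return text.lower()
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def check_sender(msg):
    """Tip: compare the display name with the address that is actually used."""
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = registered_domain(addr.partition("@")[2])
    findings = []
    for brand, legit in KNOWN_BRANDS.items():
        if brand in display.lower() and sender_domain != legit:
            findings.append(("display-name-mismatch", f"{display!r} sent from {addr}"))
    if lookalike_of(sender_domain):
        findings.append(("sender-lookalike", addr))
    return findings


def check_links(html):
    """Tips: where the link really goes, bare IP hosts, lookalike spelling, foreign character sets."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if is_ip_literal(host):
            findings.append(("ip-literal-link", href))
        if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
            findings.append(("idn-or-punycode-host", href))
        legit = lookalike_of(host)
        if legit:
            findings.append(("lookalike-domain", f"{host} imitates {legit}"))
        shown = shown_host(text)
        if shown is not None and registered_domain(shown) != registered_domain(host):
            findings.append(("link-text-mismatch", f"shows {shown}, goes to {host}"))
    return findings


def analyze(raw_message):
    """Run both checks over a raw RFC 5322 message and return (reason, detail) findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return check_sender(msg) + check_links(html)


if __name__ == "__main__":
    for reason, detail in analyze(SAMPLE_EMAIL):
        print(f"{reason:22} {detail}")
```

Run as-is, the script reports six findings for the sample: the display name claims Apple but the address does not, the first link shows an apple.com URL yet resolves to a bare IP address, the second link is a one-character-pair lookalike of bankofamerica.com, the third is a punycode (“xn--”) host whose visible text reads apple.com, and the final, honest link produces nothing. The point is the same as in the tips: the visible text and the real destination are two different things, and only the latter matters.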