Phishing: How to Recognize the Threat

Phishing is a problem wherever people work. According to Proofpoint, three-quarters of all businesses experience a phishing attack of one kind or another. And they're becoming more sophisticated as well, with infected pages looking more like the real deal every day. In this article, we'll let you know how you can identify phishing attempts and protect your data.

Phishing refers to the sending of professional, genuine-looking emails which request sensitive data from their recipients, either directly, or upon visiting an infected site. Most of the time, phishers are after online banking PINs or passwords, so that they can drain accounts. Phishing emails can forward their victims to infected websites or even be used to launch ransomware attacks that install malware and render your computer useless.

Phishers often try to pass themselves off as employees of reputable businesses or organizations, despite not having any affiliation with them whatsoever. Most commonly, they'll send emails that look like they came from the bank, business, or social network and threaten users with suspending their account unless they login within 24 hours.

Phishing is a kind of social engineering since cybercriminals don't have to take advantage of technical weaknesses (code errors or exploits), but rather, human emotions and fears. After gaining their victims' trust, they can easily con them out of their data.

The URLs found in phishing emails often look just like those of trusted and reputable websites. Since the page's layout doesn't have any clear differences from the real thing, no alarm bells are set off. In addition to website spoofing, there's also domain spoofing, whereby a reputable email address is displayed in the message's header. It's not uncommon for both types of spoofing to be used side-by-side.

All phishing attacks pursue the same goals: Gain their victims' trust and steal their sensitive data. With that said, the type of attacks varies depending on the target group:

• Classic phishing – Basic phishing emails are bulk sent to random addresses. The senders impersonate workers at popular platforms or businesses like PayPal, Amazon, or Facebook. This makes it more likely that targets will volunteer information without the sender needing to invest any time or effort in scouting them. Recipients are often asked to change or confirm their password owing to an alleged security breach.
• Spear phishing – As its name suggests, unlike classic phishing, spear phishing targets a specific person. This is usually, an executive, IT administrator, or IT manager within an organization. Phishers who do this often attempt to pass themselves off as working for IT companies that market products used by the victim's organization.
• Whaling – This type of phishing goes after the big fish, that is to say, CEOs, managers, or departmental heads. These leaders receive emails that look to be from within the company or from trusted business partners. To appear as legitimate as possible, hackers will research their targets online, checking their social network profiles, copying older pictures, and even reading through comments.

Around 94% of all phishing attacks occur via email, however, there are two other varieties of phishing attacks:

• Smishing (SMS-Phishing) – Attackers send their victim an SMS. Like classic phishing, a link redirects the victim to an infected website or starts a malware download.
• Vishing (Voice Phishing) – This type of fraud impersonates police officers, bank employees, or IT staffers, who proceed to request sensitive data from their victims.

Unfortunately, it isn't possible to always discern a phishing email from a legitimate one at first glance. This is because most phishers create authentic-looking logos, layouts, and even signatures. In the event that you receive an email that you think is fraudulent, do not click on any of its hyperlinks or supply any data. Pay attention to the following signs:

Phishing attacks are nearly as old as the Internet itself. Over the past few years, however, hackers have conned quite a few highly lucrative victims. Some of the most infamous of these include:

• The Loveletter computer worm has caused around $10 billion worth of damages since May 2000. A Filipino IT student forwarded an email that had a subject line reading "ILOVEYOU". Anyone who clicked on the attachment which the email contained unknowingly installed malware on their computer which would delete large numbers of files. Loveletter was the first case of phishing that generated global attention.
• Between 2013 and 2015, a Lithuanian scammer sent fake invoices in the name of Quanta to workers at Facebook and Google. Prior to being caught, he earned around $100 million.
• Crelan, a Belgian bank, lost more than €70 million in a spear-phishing attack in 2016. Hackers impersonated CEOs and managed to convince the bank's finance department to transfer funds to a variety of accounts.
• In 2015, a spear-phishing attack managed to knock out the three largest Ukrainian power suppliers after compromising their IT infrastructure and SCADA systems. In the aftermath, more than 200,000 people lost electricity for more than six hours.

Should you have become the latest victim of a phishing email, your focus should be on minimizing damage:

• Immediately change all passwords for any impacted accounts (i.e. Amazon). If you do this fast enough, there's a good chance that you won't suffer any consequences. Over the following days, keep an eye on any suspicious account activity or failed logins.
• Should you no longer be able to log in, this means that hackers have already changed your password. Contact the company (ideally, by telephone), lock your account, and cancel any pending orders.
• In the event that you've downloaded or opened a suspicious attachment, refrain from using your browser. Bring your computer to an IT specialist who will be able to tell you whether or not your system is infected with malware or a Trojan.
• If your bank account has been compromised, immediately lock your online banking and inform the bank's staff. Report the matter to the police as well.
• Should you have incurred any financial damages, get in touch with a lawyer specialized in cyber criminality.

• Never click on suspicious or dubious links. If you do click on a link, make sure that it's to a secure website (in most browsers, a green lock icon will be visible to the left of the URL).
• Serious applications, like those for online banking, don't open in pop-up windows. For that reason, never input sensitive data into a pop-up window, and make sure you're using a pop-up blocker.
• Check your email provider's spam filter. Keep in mind that even the best filters won't block all phishing emails.
• Password managers only input a password when the URL you open matches what's on record. As such, these provide considerable protection against website spoofing.
• Configure emails to display in text rather than HTML. This reduces the likelihood of inadvertently clicking on a malicious link. It will prevent images in legitimate emails from displaying correctly, which could be inconvenient.
• Regularly update your antivirus software.
• Create frequent backups of your data. In this way, you'll limit any potential damage caused in the aftermath of an attack.

Phishing attacks happen very often. Digital conmen try to convince victims that they are reputable to access their sensitive data. Be alert whenever you get an email asking for your password. You can reduce your exposure by only clicking on trusted links, regularly updating your antivirus software, and only opening email attachments after you've checked with the sender. If you've fallen prey to a phishing attack, IT specialists and legal experts can help.