Phishing: Recognizing the Threat

Phishing is a problem wherever people work. According to Proofpoint ⇱, in 2020, three-quarters of all businesses experienced a phishing attack of one kind or another. And they're becoming more sophisticated as well, with infected pages looking more and more professional as time goes by. In this article, we'll let you know how you can identify phishing attempts and protect your data.

Phishing refers to the sending of professional, authentic-looking emails which request sensitive data from their recipients, either directly, or upon visiting an infected site. The most commonly sought-after information includes online banking PINs or passwords, which will then be used to drain accounts. Phishing emails can forward their victims to infected websites or even be used as a springboard for launching ransomware attacks that install malware capable of rendering your computer useless.

Phishers often try to pass themselves off as employees at reputable businesses or organizations, despite not having any affiliation with them whatsoever. Most commonly, they'll send emails in the name of banks or social networks and engage in fearmongering, threatening, for example, to suspend a PayPal account unless the user logs in within 24 hours.

This makes phishing a type of social engineering since cybercriminals don't have to take advantage of technical weaknesses (code errors or exploits), but rather, human emotions and fears. After gaining their victims' trust, it becomes possible to easily (and voluntarily) con them out of their data.

The URLs contained in phishing emails often look just like those of trusted and reputable websites. Since the page's layout doesn't have any readily discernible differences at first glance, no alarm bells are set off. In addition to website spoofing, there's also domain spoofing, whereby a reputable email address displays in the message's header. It's not uncommon for both types of spoofing to be used side-by-side.

The goal of all phishing attacks is the same: Gain their victims' trust and glean sensitive data from them. With that said, the types of attacks vary depending on the target group:

• Classic Phishing – Basic phishing emails are sent by the thousands to random addresses in a scattershot fashion. The senders attempt to pass themselves off as working for platforms used by millions of people, such as PayPal or Amazon. This raises the likelihood that targets will volunteer information without the sender needing to invest any time or effort in scouting their victims. Recipients are often requested to change or confirm their password owing to an alleged security breach of some sort or another.
• Spear Phishing – As its name suggests, in contrast to classic phishing, spear phishing targets a specific person, usually, an executive, IT administrator, or IT manager within an organization. Hackers using this method will often attempt to pass themselves off as working for IT companies that market products used by the target's organization.
• Whaling – This type of phishing goes after the big fish, that is to say, CEOs, managers, or departmental heads. These will receive emails that look to be from within the company or from trusted business partners. To appear as legitimate as possible, hackers will research their targets online, checking their social network profiles, copying older pictures, and even reading through comments.

Around 94% of all phishing attacks occur via email, however, there are two other varieties of phishing attacks:

• Smishing (SMS-Phishing) – Attackers contact their victims via SMS. Like classic phishing, a link redirects the victim to an infected website or commences the download of malware.
• Vishing (Voice Phishing) – This type of fraud involves the impersonation of police officers, bank employees, or IT staffers, who proceed to request sensitive data from their victims.

Unfortunately, it isn't always possible to discern a phishing email from a legitimate one at first glance since most phishers create authentic-looking logos, layouts, and even signatures. In the event that you receive an email that you believe could be fraudulent, do not click on any of its hyperlinks or supply any data. Pay attention to the following signs:

Phishing attacks are nearly as old as the Internet itself. Over the past few years, however, hackers have managed to con quite a few highly lucrative victims. Some of the most infamous of these include:

• The Loveletter ⇱ computer worm has caused around $10 billion worth of damages since May 2000. A Filipino IT student forwarded an email that had a subject line reading "ILOVEYOU". Anyone who clicked on the attachment which the email contained unknowingly installed malware on their computer which would delete large numbers of files. Loveletter was the first case of phishing that generated worldwide attention.
• Between 2013 and 2015, a Lithuanian scammer sent fake invoices in the name of Quanta to workers at Facebook and Google. Prior to being caught, he earned around $100 million ⇱.
• Owing to a spear-phishing attack, Crelan, a Belgian bank, lost more than €70 million ⇱ in 2016. Hackers impersonated CEOs and managed to convince the bank's finance department to transfer the funds to a variety of accounts.
• In 2015, a spear-phishing attack managed to knock out ⇱ the three largest Ukrainian power suppliers after compromising their IT infrastructure and SCADA systems. In the aftermath, more than 200,000 people had to make do without electricity for longer than six hours.

Should you have become the latest victim of a phishing email, your biggest concern should be minimizing damage:

• Immediately change all passwords for any impacted accounts (i.e. Amazon). Should you do this relatively quickly after opening the email or attachment, there's a good chance that you won't suffer any consequences. Keep an eye on any suspicious account activity or failed logins over the following days.
• Should you no longer be able to log in, this means that hackers have already changed your password. Your next steps should be to contact the company (ideally, by telephone), lock your account, and cancel any pending orders.
• In the event that you've downloaded or opened a suspicious attachment, refrain from using your browser. Bring your computer to an IT specialist who will be able to tell you whether or not your system is infected with malware or a Trojan.
• If your bank account has been impacted, immediately lock your online banking and inform the bank's staff. Report the matter to the police as well.
• Should you have incurred any financial damages, get in touch with a lawyer specialized in cyber criminality.

• Never click on suspicious or dubious links. If you do click on a link, make sure that it's to a secure website (in most browsers, a green link appears to the left of the URL).
• Serious applications, such as those for net banking, don't open in pop-up windows. For that reason, never input sensitive data into a pop-up window and make sure you're using a pop-up blocker.
• Make sure that your email service has a solid spam filter. Keep in mind that even the best filters won't block all phishing emails.
• Password managers only input a password when the URL you open matches the one it has on record. As such, these provide considerable protection against website spoofing.
• Configure emails to display in text rather than HTML. This reduces the likelihood of inadvertently clicking on a malicious link. As a drawback, it also prevents images in legitimate emails from displaying correctly.
• Regularly update your anti-virus software.
• Create frequent backups of your data. In this way, you'll limit any potential damage caused in the aftermath of an attack.

Phishing attacks are some of the most common on the Internet. Those who employ them rely on convincing their victims that they are legitimate and reputable so that they can acquire access to their sensitive data, the same as conmen. Whenever you receive an email asking for your password, all sorts of red flags should go up. On the other hand, those who only click on trusted links, regularly update their anti-virus software, and open email attachments only after verifying their content with the sender reduce their exposure. If you've fallen prey to a phishing attack, IT specialists and legal experts can help to reduce the damage.