There has been a notable rise in phishing attacks – a widespread problem posing a huge risk to individuals and organisations. It is something we all need to be aware of, as these types of attacks are not going to go away anytime soon, says Steve Flynn, director of marketing and sales at ESET South Africa.
In South Africa, phishing attacks are the most popular form of cybercrime – where the cybercriminals use a blanket approach, sending malicious emails or files to as many people as possible. The second method is spear-phishing, which is much more targeted to an individual.
In short, phishing attacks are a vector for identity theft where cybercriminals try to get users to hand over personal and sensitive information (without them knowing it). Interestingly, phishing has – in one form or another – been around for years via phone calls and physical letter scams.
Some information experts now believe that cybercriminals view phishing attacks as a successful and easy way of getting into an enterprise to launch more sophisticated attacks. Humans are, after all, increasingly seen as the weakest link (insider threats are a big problem) and thus the most effective target for criminals looking to infiltrate an enterprise or SME.
Follow the tips below and stay better protected against phishing attacks.
Be sensible when it comes to phishing attacks
You can significantly reduce the chance of falling victim to phishing attacks by being sensible and smart while browsing online and checking your emails.
For example, never click on links, download files or open attachments in email (or on social media), even if the message appears to be from a known, trusted source.
You should never click on links in an email to a website unless you are absolutely sure that it is authentic. If you have any doubt, you should open a new browser window and type the URL into the address bar.
Be wary of emails asking for confidential information – especially if they ask for personal details or banking information. Legitimate organisations, including and especially your bank, will never request sensitive information via email.
Watch out for shortened links
You should pay particularly close attention to shortened links, especially on social media. Cybercriminals often use these – from Bitly and other shortening services – to trick you into thinking you are clicking a legitimate link when in fact you are being directed to a fake site.
You should always hover your mouse over a web link in an email to see if you’re actually being sent to the right website – that is, check that “the one that appears in the email text” is the same as “the one you see when you mouse-over”.
Cybercriminals may use these ‘fake’ sites to steal the personal details you enter or to carry out drive-by download attacks, thus infecting your device with malware.
Does that email look suspicious? Read it again.
Plenty of phishing emails are fairly obvious. They will be punctuated with plenty of typos, words in capitals and exclamation marks. They may also use an impersonal greeting – think of those ‘Dear Customer’ or ‘Dear Sir/Madam’ salutations – or feature implausible and generally surprising content.
Cybercriminals will often make mistakes in their emails, sometimes even intentionally, to get past spam filters, improve responses and weed out the ‘smart’ recipients who won’t fall for the con.
Indeed, it has been rumoured that China’s infamous PLA Unit 61398 spends time seeing just how many people would open and interact with their worst phishing emails.
Be wary of threats and urgent deadlines
Sometimes a reputable company does need you to do something urgently. For example, in 2014, eBay asked its customers to change their passwords quickly after its data breach.
However, this is an exception to the rule; usually threats and urgency – especially if coming from what claims to be a legitimate company – are a sign of phishing.
Some of these threats may include notices about a fine, or advising you to do something to stop your account from being closed. Ignore the scare tactics and contact the company separately via a known and trusted channel.
Browse securely with HTTPS
You should always, where possible, use a secure website (indicated by https:// and a security “lock” icon in the browser’s address bar) to browse, and especially when submitting sensitive information online, such as credit card details.
You should never use public, unsecured Wi-Fi for banking, shopping or entering personal information online (convenience should not trump safety). When in doubt, use your mobile’s 3/4G or LTE connection.
As a slight aside, it should soon be easier to spot dodgy, unsecured websites – Google, for example, is looking to crack down on this by labelling sites that do not offer appropriate protection.