NetworkTigers discusses how to identify and prevent phishing attacks.
Phishing attacks continue to plague individuals and industries in all sectors, thanks to the ease with which they can be launched.
While the media often depicts cybercriminals employing a wide range of sophisticated, surgical strikes in order to extort their victims, the reality is that most hackers are opportunists who prefer to cast a wide net when it comes to finding easy prey among internet users.
Because they provide an effective way to reach a large number of potential victims, phishing attacks have not only endured but have flourished in recent months.
What is phishing?
As defined by Phishing.org, “phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.”
Simply put, phishing attacks involve a hacker, or hackers, attempting to fool their victims by pretending to be someone else.
This type of deception is nothing novel and is based on the same techniques criminals have used for decades to commit extortion via mailed letters that inform recipients that they won a contest and need to provide personal data to claim their prize, or correspondence that purports to be from the IRS or another major government agency.
The first known phishing attempt was carried out in 2001, and the scams have been coming in incessantly ever since.
There are a handful of terms associated with various types of phishing attacks.
“Spearphishing,” for example, is a term used to refer to a phishing attack that is designed to target a specific person.
These attacks often involve hackers researching their intended victim in order to create a trap that appears to be as legitimate as possible. This may even involve them taking note of the language and writing habits of the person or organization they are attempting to impersonate.
A spearphishing effort that targets a high-ranking official such as a CEO or manager is referred to as “whaling.”
Attacks are on the rise
Even though the majority of internet users have an awareness of the dangers of opening suspicious emails, phishing attacks have been rising astronomically over the last couple of years.
Due to the pandemic shifting so much work to the online space, the internet is simply busier with more people opening emails, communicating electronically and performing their tasks remotely via cyberspace than ever before.
Criminals have been quick to use the changes to their advantage.
Phishing attacks hit a record high in the first quarter of 2022, with more than one million scams identified, according to data collected from the Anti-Phishing Working Group (APWG).
Hackers are also getting better at what they do, with some expertly designed scams looking nearly identical to the source material and requiring diligent inspection to identify them.
How to recognize a phishing attack
Phishing attacks tend to have a number of characteristics that can make them identifiable to the trained or experienced user. Here are some of the most common attributes that phishing scams share:
Urgency/emergency. From emails describing medical emergencies and asking for charitable donations to messages designed to look like they originated from a friend or coworker in need, hackers know how to push people’s buttons and make them feel as though time is of the essence. Applying pressure to a victim is a time-tested technique that criminals use to get their victims to bend to their will.
Attachments and hyperlinks. Hackers will sometimes attach viruses or malicious code directly to the emails they send out. Even seemingly mundane files can include snooping software or links to sites that can put your system at risk by scraping your computer for data. Dangerous links and attachments may also arrive via text messages or other means.
Unknown senders. Phishing scams often arrive as emails, texts or messages from unknown sources. This could be an email address you don’t recognize or a phone number or name you have never seen before.
Contests, prizes, free money, etc. Phishing scams sometimes attempt to trick victims into believing they won a contest or will have access to a prize or cash reward if they follow some basic steps or click embedded links. These “too good to be true” scams, silly as they may seem to experienced internet users, continue to be effective when deployed against the right demographics.
Typos and bad grammar. Cybercriminals operate from all corners of the world. As a result, the language of their target may not be one that they have a fluent understanding of. Broken English and poor grammar in an email that is purported to have originated from a major company or organization is a dead giveaway that it is fraudulent.
Bizarre or incorrect email addresses. Hackers go to great lengths to make their efforts appear visually legitimate. However, many include addresses that give away the deception. An email from PayPal, for example, will originate from an address that maintains the company’s standards with regard to formatting and domain. A scam attempt may originate from a sender that slightly misspells the company’s name or from an address that is nothing more than a seemingly random series of letters and numbers.
How to prevent a phishing attack
Cybercriminals are continually developing new ways in which to socially engineer their victims. As a result, the techniques needed to properly defend against phishing attacks are constantly evolving.
Antivirus and antimalware software. In the event that a bad link is clicked, properly implemented security software designed to block viruses and malware may kick in and save the day. Be sure that all software is set up to update automatically so that your system always has the latest defenses at the ready.
Spam blockers. A blunt-force tool with regard to hack prevention, spam filters and blockers can still go a long way in preventing scam emails from appearing in an inbox. While these filters are designed to separate junk mail from important messaging, they are not 100% accurate. As a result, garbage emails may still appear from time to time, and occasionally a legitimate email may be incorrectly flagged as spam.
Scam reporting. Some organizations, those in the financial sector in particular, take an active role in preventing criminals from impersonating them by taking legal action when possible. While hack prevention is a bit like an endless game of whack-a-mole, there are benefits to reporting scam emails to the companies that they are attempting to impersonate.
If a scam technique becomes ineffective over time due to it having been identified, reported and exposed, it will likely be abandoned.
Keep your system and browser updated. Falling behind on security updates and patches puts your entire system at risk. Implement automatic updates on all of your software, as developers are continually pushing updates to their products in real time as new threats and vulnerabilities are discovered.
Use firewalls. Firewalls continue to be solid defense tools for those looking to keep unauthorized users off their networks. Install a software firewall on your computer and a hardware firewall to create a fortified system that can prevent most intruders from getting through.
Home office users and network administrators alike can purchase refurbished firewalls from reputable dealers, saving money and bolstering security at the same time.
Awareness and training. Ultimately, a phishing scam depends on a victim actively clicking the message, attachment or link that is harboring malicious code. Because the end user is the last barrier an attack has to cross in order to come to fruition, maintaining a properly trained and aware staff is the most critical defense an organization or business can implement.
From cybersecurity meetings to seminars, online resources and professional training, there is a wide range of techniques that businesses can use to keep phishing awareness top of mind.
Because of the nature of cybercrime, and how easy it is to click a dangerous link, staff should be reminded of the risk on a regular basis rather than trained once and forgotten.