Updated: Jan 16
We're going to talk about something that has plagued the internet for the longest time.
Does the screenshot look familiar? You would find a number of similar emails in your spam folder. That's one way that email service providers protect us from getting scammed and/or phished. However, some of these emails do make it to our inbox, and we're going to talk about those and answer many questions like: What are these phishing attacks? How do victims fall for them? Why do attackers make spelling mistakes in their emails? How can I safeguard myself? So sit back and read on while we explain these and many other shocking facts!
What are phishing attacks?
Phishing is a social engineering attack in which the attacker deceives people in order to obtain sensitive information and/or install malware on their devices.
Now that we have a formal definition, let's break it down. A social engineering attack is malicious activity accomplished through human interaction rather than a technical exploit. We'll get into the different ways this can be done in the next section. Another key element in the definition is malware.
Malware is software that is designed to infect your device.
Once infected, the results can range from mirroring your screen onto the attacker's device to completely wiping all of your data. A common type of malware is ransomware, which involves locking your device and holding your data hostage in exchange for money.
Phishing attacks can be used for several purposes, including:
Getting access to company networks
Capturing sensitive information such as personal or credit card details
Stealing money from unsuspecting users
Impersonating users to access confidential information
Holding data for ransom or wiping it
Now that we know what we're dealing with, how are these attacks carried out?
How are phishing attacks executed? There are several ways - malicious websites, telephone, or SMS.
However, there is one channel that tops them all. 96% of phishing attacks arrive by email. (SOURCE)
Why email? There are around 4.2 billion email users in the world, which as of now is a little over half the world's population. (SOURCE) The larger the reach, the more potential victims.
Moreover, people are likely to check their email more often than other communication channels, whether for private or business use. Email is not only used for phishing attacks, though. According to a study conducted by Deloitte, email is responsible for a whopping 91% of all cyberattacks!
So, we know the delivery method. But there is more than one technique used to phish victims.
What are the types of phishing attacks? There are a few methods that are commonly used to conduct attacks. We're going to cover the most notable and notorious ones below -
Deceptive Phishing This is the most common and basic type of phishing scam. The attackers impersonate an organization to steal data. By creating a sense of urgency, they hope the user does not notice the discrepancies and performs the requested action. This can be avoided by being vigilant and checking the legitimacy of the sender's email address and of any link, among other red flags.
Spear Phishing This is a personalized approach to a phishing attack. The fraudsters use personal information about the sender and/or the receiver to gain and establish trust. They then either send a malicious email attachment or ask for login credentials. This is extremely common on business networking sites like LinkedIn, where such data is readily available. Cybersecurity and phishing awareness, along with the right products, can prevent spear phishing attacks.
Whaling A whaling attack is also known commonly as CEO fraud. It's spear phishing meant to target and gain access to email accounts of high-ranking executives and can be the most damaging. For example, attackers could re-route payments and take actions that could cause irreversible financial damage and/or hurt a company's reputation. To avoid this, payments should go through multi-factor authentication, and even upper management should participate in cybersecurity training.
Vishing Instead of using email, the attackers contact you by phone. They start a vishing attack by setting up a Voice over Internet Protocol (VoIP) server. Through it, they mimic different entities and try to extract information and/or funds from people. This can be avoided by not giving out any sensitive information over a call, no matter how convincing it seems.
Smishing This is similar to vishing but uses text messages instead of calls. The attackers either send messages with malicious links to steal your information or tell you to contact a "representative". The best way to avoid this is to ignore suspicious messages and not click on unsolicited links. If you're still in doubt, you can always contact the company directly through an official channel for clarity.
Pharming This is a technologically advanced tactic that relies less on human error and more on system exploits. (READ MORE) In this case, attackers directly or indirectly attack a DNS server. The DNS server is responsible for directing internet traffic to the correct server's IP address: for example, the domain name www.google.com should resolve to Google's IP address. In pharming, users are redirected to a malicious website even when the victim types the correct address into their browser. This can be avoided by staying on top of security updates and patches and entering data only on HTTPS-protected sites.
Now that we've learned the different phishing methods, let's figure out why and how people fall for them.
How do people become victims of phishing?
Attackers take advantage of the one thing that systems don't have - emotions. Phishing attacks use human psychology and emotions, especially a sense of urgency.
They work that emotion into the subject line so that the reader does not stop to cross-check other details.
The most commonly used keywords in subject lines are -
But it's not only about the subject line; the content of the email is just as provocative.
Here is an example of what it might look like:
Many phishing emails follow this pattern.
However, there are many more dangerous phishing attacks that might not seem as obvious.
Imagine you got this email from your colleague, from their own company email address. It would be safe to assume everything is fine, right? Except their account has been compromised, and the attacker is asking for credentials to get into the system. Michael has no clue that the email was sent from his account. The victims are usually companies/businesses that have been taken advantage of through the weakest link in most cybersecurity systems - humans. The above example is a business email compromise (BEC), and you can read more about it HERE.
In the iPhone phishing screenshot, there were a lot of formatting and spelling errors. But that's not by mistake; it's by design.
Why don't they perfect their phish? You may have noticed that many blogs and other cybersecurity experts tell you to keep checking for spelling mistakes, incorrect formatting and wrong names to identify a phishing attack. Yet most phishing emails still have plenty of mistakes, not only in their body but also in their subject lines. Moreover, their formatting is usually terrible as well. So, why don't the attackers take a little more effort and use a spellchecker? Well, the answer is rather underwhelming, but to sum it up in one line:
If you're smart and patient enough to decipher what a phishing email is, you're not their target.
They know that Will from the cybersecurity department of a big tech company is not going to enter their credit card details on their fake website link. Tom from the IT department is not going to download a random attachment from their email. They prey on the gullible and less informed, who would enter details without giving it a second thought.
Moreover, in the case of scammers, the last thing they want is for their operators to be held up on calls with well-informed people. In the time they would lose, they can probably scam a couple more people out of thousands of dollars.
How can I save myself from getting phished?
There is one important question to ask yourself - When was the last time I cross-checked an email address before opening an attachment or clicking on a link?
The answer should always be, "The last time I checked my email." But of course, that's just one aspect.
These pointers are also critical to follow:
Don't click on random links or download attachments sent via email If a link is sent to you by an unknown email address, just ignore it. If it comes from a known address, it's best to confirm with the sender before clicking on it. Use the same process for files sent via email.
Don't send sensitive information via email Unless you have confirmed the requester's identity in person, avoid sending any sensitive information via email. And even when you have confirmed it, avoid (if possible) using any digital means to share sensitive data.
Change your passwords and turn on two-factor authentication Frequently updating passwords limits the damage when a password is exposed in a data leak. (Password Guidelines) Similarly, 2FA will prevent an attacker from using stolen credentials, as they will not have access to the second-factor authentication device.
DON'T skip software upgrades Software upgrades can be annoying, but they are absolutely necessary. The latest patch might save your system from a malware attack.
Download licensed antivirus software Reputable software will fend off most attacks and also make browsing the internet safer. A major advantage is that it also scans the documents that you're downloading from emails, which provides an additional layer of security. It also scans websites, providing further protection. WARNING: Don't use the free version, as it might do more harm than good. And in the worst-case scenario, the free software could itself be malware.
Don't give out your information on unsecured websites If the address doesn't start with "https" or you cannot see a closed padlock icon next to the URL in your browser, don't use that website. Some malicious websites are designed to closely resemble major brands and are reached through the wrong links sent in emails. Any data you enter on such a website can be stolen.
Technological solutions
Spam Filters: They scan the data in known phishing emails and use machine learning algorithms to recognize patterns. They will identify most phishing emails and move them to a separate spam folder.
Web Filters: These protect users by warning them when a site appears malicious and/or fake.
These and other systems are usually already built into your email provider and antivirus solution.
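As an added illustration (not code from the original post) of the checks the pointers above ask a reader to make by hand, the Python below scores one raw email for the red flags this article describes: urgency wording in the subject, a display name that the sender's domain does not back up, and links that either lack HTTPS or show one host while pointing at another. The sample message, the keyword list and the heuristics are all constructed for this example.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message carrying the red flags the article describes.
SAMPLE = """\
From: "Apple Support" <support@apple-id-verify.example>
To: victim@example.com
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html

<p>Verify now: <a href="http://apple-id-verify.example/login">https://appleid.apple.com</a></p>
"""

# Urgency words taken from the kind of subject lines the article warns about.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "action required", "verify")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def red_flags(raw: str) -> list[str]:
    """Return the phishing red flags found in one raw RFC 5322 message (heuristic)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    subject = str(msg["Subject"] or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        flags.append("urgency wording in subject")
    # The brand named in the display name should appear as the sender domain's label.
    display, addr = email.utils.parseaddr(str(msg["From"] or ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    label = domain.split(".")[-2] if "." in domain else domain
    words = [w.lower() for w in re.findall(r"[A-Za-z]+", display)]
    if words and label not in words:
        flags.append(f"display name '{display}' not backed by sender domain {domain}")
    # Compare every link's visible text with where it really goes, and require HTTPS.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in ANCHOR_RE.findall(html):
        target = urlparse(href)
        if target.scheme != "https":
            flags.append(f"link without HTTPS: {href}")
        shown = urlparse(text.strip())
        if shown.hostname and shown.hostname != target.hostname:
            flags.append(f"link text shows {shown.hostname} but goes to {target.hostname}")
    return flags


if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

A real spam filter combines many more signals than these, but the three checks mirror exactly what the article asks a reader to verify before clicking.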
Phishing attacks are notorious because they are designed to not rouse any suspicion.
However, if not identified, they can wreak total havoc.
------------------------------------------------------
In this digital era, you need to be well-informed and vigilant to protect yourself and others.
The internet is not going anywhere, and with more advancements, there are going to be more sophisticated ways to get hooked. The best we can do is stay aware, and if something feels fishy, stay away from it.
Learning and implementing the best cybersecurity practices will go a long way toward securing the internet for you and all of us.