Social Engineering: What is Phishing?
WHAT IS PHISHING?
Phishing (pronounced “fishing”) is a kind of identity theft that is growing in popularity amongst hackers. Using fraudulent websites, false emails, fake phone calls and the like, perpetrators attempt to steal your personal data — most commonly passwords and credit card information.
Criminals gain this information by sending you links to sites that look like sites you trust, such as your online banking provider or social networks, and are able to steal your data as you enter it. Some of the sites spoofed most regularly include PayPal, eBay, Yahoo! and MSN, as well as financial institutions — so don’t assume an email is safe just because it doesn’t claim to come from a bank.
HOW TO RECOGNIZE A PHISHING MESSAGE
Phishing scams are among the most prevalent forms of cybercrime. Although phishing is widespread, it is beatable. Apart from ensuring you install security software, the best way to combat scams is to learn what phishing looks like.
Here are a few examples of what a phishing email message looks like:
- Spelling and bad grammar — Cybercriminals are not known for their grammar and spelling. Professional companies and organizations usually have copy editors who will not allow a mass email full of mistakes to go out to their users. If you notice mistakes in an email, it might be a scam.
- Beware of links in email — If you see a link in a suspicious email message, don’t click on it. Rest your mouse pointer on the link (without clicking) to see whether the real address matches the link text typed in the message. In the example below, the link reveals the real web address, shown in the box with the yellow background: a string of cryptic numbers that looks nothing like the company’s web address.
Also check for mismatched URLs (or misleading domain names): they can also lead you to .exe files, which are a common way to spread malicious software.
- Threats — Have you ever received a threat that your account would be closed if you didn’t respond to an email message? The email message shown above is an example of the same trick. Cybercriminals often use threats that your security has been compromised. For more information, see Watch out for fake alerts.
- Spoofing popular websites or companies — Scam artists often use pop-up windows. For more information, see Social Engineering attacks.
- Other important indications — a request for personal information; an offer that seems too good to be true; you have to receive or send money; you didn’t initiate the action; or anything that just doesn’t look right!
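As an added example (not code from the Mailfence post), the following Python checks an HTML email body for the link tricks described in the list above: visible link text that does not match the real target, a bare IP address as the target, a link to an .exe file, and a target that is not https. The sample message, the 198.51.100.23 address and the .example domains are constructed values, not taken from a real email.

```python
# Added example, not code from the Mailfence post: flag the link tricks the post
# describes in an HTML email body. Sample message, IP and domains are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """<a href="http://198.51.100.23/login">https://www.examplebank.example/login</a>
<a href="https://examplebank-secure.example/invoice.exe">View invoice</a>
<a href="https://www.examplebank.example/">www.examplebank.example</a>"""

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if self._href:  # anchors without an href carry no link to check
                self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    # lower-cased hostname of a URL or bare domain, without a leading "www."
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def check_links(html_body):
    # returns (href, reason) pairs for links showing the patterns the post warns about
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target, parsed = _host(href), urlparse(href)
        # visible text that looks like a domain or URL but does not match the real target
        shown = _host(text) if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) else ""
        if shown and shown != target:
            findings.append((href, f"text shows {shown} but link goes to {target}"))
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):  # the "cryptic numbers"
            findings.append((href, "link target is a bare IP address"))
        if parsed.path.lower().endswith(".exe"):
            findings.append((href, "link downloads an executable (.exe)"))
        if parsed.scheme != "https":
            findings.append((href, "link is not https"))
    return findings
```

Run against the sample, the first link is flagged three times (mismatch, bare IP, no https), the second once (.exe), and the third not at all, because its visible text and real target agree.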
How to protect yourself against phishing
- Be wary of emails asking for confidential information — especially information of a financial nature. Legitimate organizations will never request sensitive information via email, phone call or any other such means; they have dedicated, separate procedures for that.
- Don’t get pressured into providing sensitive information. Phishers like to use scare tactics, and may threaten to disable an account or delay services until you update certain information. Be sure to contact the merchant directly to confirm the authenticity of their request.
- Watch out for generic-looking requests for information. Fraudulent emails are often not personalized, while authentic emails from your bank often reference an account you have with them. Many phishing emails begin with “Dear Sir/Madam”, and some come from a bank with which you don’t even have an account.
- Never submit confidential information via forms embedded within email messages — a very common phishing practice, and one that lands in your junk/spam folder on a daily basis.
- Never use links in an email to connect to a website unless you are absolutely sure they are authentic. Instead, open a new browser window and type the URL directly into the address bar. Often a phishing website will look identical to the original, so check the address bar to make sure you are on the site you expect (and that the connection is secure, i.e. https://).
- Make sure you maintain effective software to combat phishing (such as a third-party antivirus product) and use encrypted channels and encrypted mail services such as Mailfence to communicate and further safeguard your privacy.
- Always be suspicious — Phishing emails try to freak you out with warnings of stolen information (or worse), and then offer an easy fix if you just “click here.” (The flipside: “You’ve won a prize! Click here to claim it!”) When in doubt, don’t click. Instead, open your browser, go to the company’s website, and then sign in normally to see if there are any signs of strange activity. If you’re concerned, change your password.
Most of all, rely on common sense. You can’t win a contest you didn’t enter. Your bank won’t contact you using an email address you never registered. Know the warning signs, think before you click, and never, ever give out your password or financial info unless you’re properly signed into your account.
Check blog.mailfence.com for the most recent version of this blog post.
Follow us on Twitter/Reddit to keep yourself posted at all times.
- Mailfence Team