How to Detect and Avoid Phishing Attacks

Cyber Self-Defence — Part 2

Idan Dardikman
6 min read · May 3, 2020

This is the second part of my Cyber Self-Defense series. In the first part, I stated there are 3 easy and free steps anyone can take to be well-secured from most hackers:

  1. Use a password manager
  2. Be aware of phishing
  3. Update your programs and applications

In this part we’ll discuss phishing attacks, why they are so effective, and how we can avoid them.

What Is Phishing Anyway?

Phishing is the common term for an attacker trying to trick us into giving away secret information. When most people hear of phishing they think only fools will fall for such trickery, but the truth is this is one of the most effective attack methods, even against experienced technical people.

My friend Ben, a developer with a master's degree in computer science, experienced a classic phishing attack two years ago. Ben received an email from Paypal, telling him he had been charged a large sum of money. The email said that if he wanted to review the transaction he had to click the link below. Ben clicked the link and was directed to a website that looked just like Paypal, where he was asked to enter his username and password. As he submitted his password, Ben realized what he had done, but it was already too late. At that moment, the attacker used the stolen credentials and transferred $500 from his account.

How Does Phishing Work?

From Ben’s story, we can learn how phishing attacks work.

Contact

The attacker will contact you, usually by email or SMS, but might also use Whatsapp, Facebook messenger, or even a phone call.

Emotional Activation

The goal here is to activate you emotionally, to prevent you from thinking clearly. In Ben’s case, the emotional activation was done with the alert about a potential loss of money, in order to rush him into acting. Other examples of emotional activation can be:

  • Your account has been hacked! Press the link to save it.
  • You violated the company’s policy and got blocked, enter for more details.
  • You won $1000! Enter to collect your earnings.

All of these examples have one thing in common — they are designed to trigger strong emotions and push you to immediate action — usually pressing a link.

Transfer to Imposter Website

If the emotional activation worked as expected, you’ll press the link and be transferred to a dedicated website the attacker has set up in advance. The attacker’s website will be designed to look exactly the same as a website you know and trust. In Ben’s example, the imposter website imitated Paypal. For an attacker, creating a website that will look the same as Facebook, Paypal, or even your bank, is a fairly easy task. There are some signs that can help us detect an imposter site, but for those who are unfamiliar with them, the imposter site will look the same as the original.

Credentials Theft

Now that you’re on the imposter website, suspecting nothing, you’ll encounter a form, usually asking for your password for the site it imitates. Once you fill in the information it will be sent to the attacker — at this point the attack is complete. After that, the attacker will probably redirect you to the real website, so you won’t even know you were hacked.

How Can I Defend Myself?

Well, when it comes to phishing, the best defence is to be aware. I will give you four simple signs that will help you detect and avoid phishing attacks. Once you’ve identified the attack, you’ve won — just ignore it and no harm can be done to you.

Emotional Activation

If you received an email or a text message with unusually good or bad news — take a moment before you act. The message might be real, of course, but after waiting 5 minutes you’ll often find that something feels off. And even if you do click the link after those 5 minutes, you’ll be more relaxed and better able to spot the fraud.

Take a moment before you click that link

Check the Address Bar

Creating an imposter website is very easy, but faking a site’s address (URL) is quite difficult. An attacker can easily build a website that looks like Facebook’s login page, but the address at the top won’t say “facebook.com”.

Sometimes, attackers will use a completely different address, assuming most users will simply neglect to look at the address bar (which is what happened to poor Ben). More sophisticated attackers might try an address that looks similar, like “fäcebok.com”. For most people, this will look right, but note that the letter “a” was replaced with the similar-looking letter “ä”, and the letter “o” appears only once. An address like that is almost surely a sign of fraud.
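To make the address-bar check concrete, here is a small Python script added to this post (it is not code from the original article): it strips accents so that “fäcebok.com” compares as “facebok.com”, measures how many single-character edits separate the host from a trusted list, and flags a trusted name that is merely embedded in a longer host. The trusted list and the sample URLs are constructed for illustration.

```python
# Added example: applying the address-bar check programmatically.
# TRUSTED and the sample URLs are constructed, not taken from the article.
import unicodedata
from urllib.parse import urlsplit

TRUSTED = ("facebook.com", "paypal.com")  # constructed allow-list

def hostname(url):
    """Return the lowercase host of a URL (no port), or '' if none parses."""
    return (urlsplit(url).hostname or "").rstrip(".")

def skeleton(host):
    """Strip accents so 'fäcebok' compares as 'facebok' (NFKD, drop marks)."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED):
    """Classify a URL's host as ('trusted'|'lookalike'|'unknown', detail)."""
    host = hostname(url)
    if not host:
        return ("unknown", "no hostname in URL")
    for t in trusted:
        if host == t or host.endswith("." + t):  # real site or its subdomain
            return ("trusted", t)
    plain = skeleton(host)
    for t in trusted:
        d = edit_distance(plain, t)
        if d <= 2:  # e.g. a swapped accent or one missing letter
            why = "accented letters" if plain != host else f"{d} edit(s)"
            return ("lookalike", f"{host} imitates {t} via {why}")
        if t in host:  # e.g. paypal.com.example.net is not under paypal.com
            return ("lookalike", f"{host} embeds {t} but is not under it")
    return ("unknown", host)

if __name__ == "__main__":
    for u in ("https://www.facebook.com/login", "https://fäcebok.com/login",
              "https://paypal.com.example.net/", "https://example.org/"):
        print(u, "->", check_url(u))
```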

Look for the Lock

Most sites today use a technology called HTTPS. This technology allows your browser to make sure that the site you’re browsing is who it claims to be, and it encrypts all communication with the website. When HTTPS is used properly, a lock icon will appear next to the site’s address in the address bar.

The lock icon indicates Facebook is using HTTPS properly

If you don’t see any lock, do not enter your password on this site. All major websites should have the lock, so if you’re on your bank’s website and you don’t see the lock, be very suspicious. The lock only confirms a secure connection to the address shown, so it helps you only together with the address-bar check above.

Asking for Password in a Message

In some cases, attackers won’t even bother with an imposter website, but will ask you to respond directly to their email or message with your password or some other private information. After a decade in this industry, I know of no legitimate company that would ever ask its clients for such a thing. If someone asks you to send your password in a text message or email, this is probably a phishing attempt.

Note that sometimes the request for a password or code will come from someone you know — a friend or family member. Be very cautious: their account might be controlled by an attacker to fool you, so verify with a phone call before you send anything.

Get Some Hands-On Experience

Google’s security team published a short quiz that lets you try to detect whether an email is legitimate or a phishing attempt. I highly recommend playing with it — it’s trickier than you might think.

I Got Hacked! What To Do?

As we discussed earlier, phishing attacks are very effective, and even the best of us might fall for them. But even if you sent your password to an attacker, it’s not game over yet. The large internet services are well aware of phishing, and allow users to regain their accounts even after they have been hacked.

If your account got compromised, the first step is to change the password in order to lock the attacker out of the account. If the attacker changed your password and you find yourself locked out, choose the “forgot password” option so you can reset your password.

If money got stolen, say from your Paypal or bank account, contact customer service and tell them what happened. In most cases, they’ll be able to give you your money back.

This is how Ben’s story ended. After finding out the $1000 got stolen from his account, he contacted Paypal customer service and got back the whole sum.

Now you know how phishing attacks work, and how they manipulate even technical people. You also know the tells of a phishing attack, so you can avoid it.

If this was valuable to you, feel free to clap for it so other people will also see it. Next week I will publish the third part of this series, in which I’ll discuss the importance of software updates, stay tuned!
