You check your e-mail, as usual, and this time there’s an urgent message from your bank threatening to close your account if you ‘do not reply immediately.’ This message and others like it are examples of a form of social engineering called phishing. Phishing is a method of identity theft; however, in addition to stealing sensitive data, phishers can do much more, including infecting your computer with viruses, keyloggers, trojans, and spyware. Once infected, your computer can work against you: reporting information directly to the phisher with every keystroke; tracking and recording your online behaviour; acting as a bot that maintains fictitious conversations with other unwitting victims in chat rooms; and/or joining a zombie network that distributes new phishing e-mails or hosts phishing Web pages. All this from clicking on a simple-looking attachment within an e-mail or another electronic form of communication. Phishing is a numbers game: attacks generate billions of dollars even when only a small percentage of the targets fall for the bait.
E-mail is the most common way to phish, but be aware that these criminals will stop at nothing to phish you. They often use:
- Instant Messaging (IM)
- Short Message Service (SMS), i.e., Text messaging
- Malicious Websites
- Phishers develop e-commerce websites with ‘too good to be true’ offers. Often the bogus sites are indexed legitimately with different search engines. They often include banking sites.
- Pharming attacks are DNS (Domain Name System) based. Requests for URLs return a bogus address, and subsequent communications are directed to a ‘spoofed’ or fake site. Users remain oblivious to the fraudulent website controlled by the phishers.
Once the phisher has assumed your identity using your stolen data, they can do any or all of the following:
- Impersonate the victim, transfer funds.
- Convince your friends, and your friends’ friends, to do something.
- Commit crimes in your name.
- Open credit card and bank accounts in your name.
- Purchase merchandise (Think Big).
- Hijack usernames and passwords.
- Use and abuse your Social Security number.
Worst of all, phishers are never satisfied; when they get bored they will simply sell your information on the Darknet, where the process begins all over again. Many (not all) phishers leave telltale signs in their notifications and Web pages. Be on the lookout for them and delete such messages immediately:
- Requests for personal information.
- Generic greetings, like ‘Dear Customer’ or ‘Hello User.’
- Threats and requests for immediate action, such as ‘Please reply immediately’ or ‘we will cancel your account.’
- Requests to re-enter or update personal information under the pretext that ‘account is about to expire’ or ‘multiple log-ins have been detected.’
- Misspelled links, poor grammar, and longer-than-normal URLs, especially those containing numbers and symbols, are all clear signs of phishing.
- On occasion, the communications used by phishers can include unusually personal content, designed to appeal to the victim. Keep your guard up; there is a specialized type of phishing called spear phishing which targets individuals and includes personalized information gathered from OSINT (open-source intelligence), which is intelligence collected from publicly available sources such as social networking sites.
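As an added example (not part of the original article), the following Python script checks an e-mail body against the telltale signs listed above and reports which ones it finds. The phrase lists, the URL heuristics and the two-indicator threshold are assumptions chosen for illustration, and both sample messages are constructed.

```python
import re

# Heuristic phishing-indicator check, written as an added example for this page.
# It scores a message body against the telltale signs listed above; the phrase
# lists and thresholds are assumptions, not a vetted production ruleset.
GENERIC_GREETINGS = ("dear customer", "dear user", "hello user", "dear valued member")
URGENCY_PHRASES = ("reply immediately", "cancel your account", "close your account",
                   "immediate action", "within 24 hours")
PERSONAL_INFO_PHRASES = ("confirm your password", "re-enter", "update your account",
                         "social security", "account is about to expire",
                         "multiple log-ins")
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)

def suspicious_urls(text):
    """Return URLs that look phishy: unusually long, digit/symbol-heavy, or IP-based."""
    flagged = []
    for url in URL_RE.findall(text):
        host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0]
        digits_symbols = sum(1 for c in url if c.isdigit() or c in "-_%@=~")
        if (len(url) > 60                                              # longer than normal
                or re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}(:\d+)?", host)  # raw IP as host
                or "@" in host                                         # user@host trick
                or digits_symbols > 8):                                # numbers and symbols
            flagged.append(url)
    return flagged

def phishing_indicators(message):
    """Return the list of telltale signs found in an e-mail body."""
    text = message.lower()
    found = []
    if any(g in text for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    if any(p in text for p in URGENCY_PHRASES):
        found.append("threat or urgency")
    if any(p in text for p in PERSONAL_INFO_PHRASES):
        found.append("request for personal information")
    if suspicious_urls(message):
        found.append("suspicious link")
    return found

def is_likely_phishing(message, threshold=2):
    """Flag when at least `threshold` distinct indicators appear (threshold is an assumption)."""
    return len(phishing_indicators(message)) >= threshold

# Constructed sample messages for demonstration (not real e-mails).
PHISH = ("Dear Customer, multiple log-ins have been detected. Please reply immediately "
         "or we will cancel your account. Verify here: "
         "http://192.0.2.10/secure-login/update?acct=8841&ref=77%21x")
LEGIT = ("Hi Dana, the Q3 report is attached as we discussed on Tuesday. "
         "Let me know if the numbers look off. Thanks, Sam")
```

A single indicator on its own (a long URL in a newsletter, say) is weak evidence, which is why the check requires two before flagging a message.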
When you get an e-mail or other communication that looks like a phishing attempt, never click on the links or provide your personal information.
The most significant thing you can do is to remain aware and vigilant of what you download.
- Hastily downloading e-mail attachments is dangerous. It only takes one click of a phisher’s malicious attachment to circumvent even the strongest anti-virus software.
- Organizations including banks, social media platforms, and PayPal will never send you emails requesting your personal information.
- This cannot be stressed enough: never open an attachment from someone you do not know, even if it carries authentic-looking logos.
- If it is unusual for friends, your employer or groups you are involved with to send attachments, call them before opening the attachment.
- Find a security website and visit it regularly. Become aware of the latest scams and threats.
- Finally, get into the habit of changing your passwords often and follow a strong password rule: at least eight characters, with a mixture of upper/lower case letters, numbers, and symbols (!@#$%^&*()).
A few rules to follow in order to protect your computer from intrusion:
- Turn your Firewall on and keep it on.
- Update your Antivirus Software.
- Update Your Antispyware Technology.
- Update your Operating System (OS).
To sum up, phishing attacks come in several different forms, and the hidden threats related to phishing are often overlooked. Moreover, the sheer number and sophistication of phishing attacks are increasingly making them one of the most structured and immensely profitable cybercrimes.
Cybersecurity is a shared responsibility. Stop. Think. Connect.