Phishing 101: What You Need to Know
At this point, most of us have heard of the “Nigerian Prince” scam, where the sender, who claims to be a member of a royal family, requests assistance in transferring millions of dollars of excess money out of Nigeria and promises to pay the person for his or her help.
Many consumers today laugh at the insanity of falling for such a fraud, but refined variations of this scam are consistently attracting the attention of new victims. So, let’s dive into what phishing is and what you need to know about it.
What is phishing?
At a high level, phishing is an attempt to trick people, usually by email, into taking an action that lets the attacker compromise a target. Typically, when we’re talking about phishing, the emails that consumers receive come from someone impersonating a brand or an individual.
For example, if the adversary’s goal is to get the consumer to click a link that leads to a malicious site asking for personal information, which the attacker then uses to log in to the target’s bank account, the lure could be anything from a “click to reset your password” message to an email impersonating your mortgage loan officer asking you to “click to pay your overdue fees.”
Another version of phishing is an email that includes a malicious attachment. A common example is an email allegedly from a mobile carrier telling consumers they have a bill past due and to open the attachment to view it. Once you open that infected document, a few things can happen. It might contain a link to an infected site that installs malware on your computer or asks for your credentials. A message from the attacker, disguised as a standard application prompt, may ask you to enable macros in the document, and the macros then install the threat on your machine. Or the document itself could contain an exploit – simply opening it could be enough to infect you.
Phishing attack tactics
We see a lot of phishing emails impersonating financial institutions and cloud providers that are specifically trying to steal user credentials. On the malware-delivery side, the lure is usually a notification such as a bill from your bank or mobile carrier. We’ve also seen phishing attacks impersonating law enforcement, in the form of a court summons or an outstanding fine that needs to be paid. In general, the tactics tend to revolve around a call to action with some kind of urgency to get consumers to click.
We saw a unique tactic a few years back, where cybercriminals took advantage of a massive breach to launch targeted phishing attacks. They used consumers’ leaked personal information to send phishing emails loaded with personal details that make the message seem real. If you get an email that contains information like your full postal address and your phone number, for example, that email will seem trustworthy enough that you might be enticed to click.
Whenever these big breaches occur, I suspect and expect that people’s information is later being leveraged in these more targeted attacks. Let’s say I’m a cybercriminal – any breach with leaked emails and names presents the perfect phishing opportunity, since I now have allegedly real email addresses to reach out to. And, even if I’ve sent them an email before, why not try again now that I have more of their personal details to make it sound legitimate? That’s the opportunistic nature of these cybercriminals.
What should consumers do to stay protected?
Consumers need to think of security as a 24/7 lifestyle. You need as much cybersecurity for your home computers and devices as you do at work. Cybercriminals are largely using the same tactics on everyday consumers as they are on corporations, so you can’t let your guard down when you leave the office. You’re a target no matter where you are and remembering that will help you make better security decisions.
In general, if you receive any email that seems too good to be true, it probably is. Here are some more actionable tips to keep in mind:
- Trust, but verify. If you get an email from an institution you do business with, call them up instead of clicking on any links. That way, you can verify whether the email is real without any potential harm. And if you’re one of the first people targeted in the phishing campaign, you could be helping the brand by alerting them that their name is being used maliciously.
- Always create a unique password for each personal account you need to log into, especially bank accounts, and change them regularly
- Enable 2-factor authentication when it’s available
- Avoid opening attachments in emails from senders you don’t know
- Don’t enable macros in document attachments received via email
- If in doubt, don’t give out your personal data
- Back up regularly and keep a recent backup copy off-site
- Secure your computer with advanced real-time security protection
To protect your friends and family against phishing, try Sophos Home Premium for Windows and Mac.