Phishing scams are one of the most common types of social engineering attack in use today. Social engineering and spear phishing are often the primary means by which attackers break into online accounts with the aim of accessing information. Fraudsters try to trick you into providing your username and password so that they can gain access to an online account, and they especially want your credit card number and social security number. Phishing scams therefore lead to identity theft once your identity details have been stolen, and they have become one of the main causes of identity theft on online accounts.
Phishing has become far more sophisticated than a suspicious email tempting a random individual to click on a link or provide their personal details. Phishing usually targets an individual, but there have been many broad phishing campaigns aimed at the users of a particular service provider. Two examples are the recent Chrome and Firefox attack that uses domains that look identical to known safe sites, and a Google phishing scam. That scam targets Gmail users, enticing them into disclosing their login credentials and personal account information. This Google phishing attack is one example of a proven phishing technique.
According to Tech Worm, the Gmail phishing scam was detected by Wordfence, the maker of a security plugin for WordPress, who said that victims are targeted via an email to their Gmail account. The email may include an attachment or image, and might even come from a contact or company you recognize.
Tech Worm goes on to explain that when it is clicked, the attachment takes users to a well-disguised website that mimics the Gmail login page and asks the user to sign in once more. Once the user enters their password, attackers gain access to their emails and contact list. Tech Worm therefore identifies the core problem: the malicious web link is very well disguised and even includes “accounts.google.com” in the URL.
What is a Phishing Scam?
Literally, phishing is a process through which an account owner is enticed to give out personal information by means of electronic communication, such as emails disguised to be from a legitimate source, files for download and many others. Phishing is one of the fastest-rising online crime methods used for stealing users’ personal information.
A phishing website tries to steal your account password or other confidential information by tricking you into believing that you are on a legitimate website, just like the Gmail phishing scam discovered by Wordfence. You could even land on a phishing site by mistyping a web address (URL).
Let’s Have A Look At The Anatomy Of A Phishing Attack
Types Of Phishing
1. Ordinary Phishing
Ordinary phishing attacks are usually conducted by sending malicious emails to as many people as possible. The attackers know that the more people they reach, the more are likely to fall victim. It is therefore not unusual for phishing attacks to target thousands, or even millions, of people at once, regardless of where they live or work. To fool, trick or attack the victims, the phishing email usually appears to come from a trusted source, for example a bank, organization, company or someone the victims may know.
The phishing message will often try to lure the victims into opening or downloading an infected file attachment, or into clicking on a link that will take them to a malicious website. The attacker will then attempt to infect and take control over the victims’ computers or to get access to their usernames and passwords.
2. Spear Phishing
A spear phishing attack will also appear to come from a trusted source. However, unlike an ordinary phishing attack, a spear phishing attack will be highly targeted. The message will be sent only to one person or a few carefully selected individuals. The overall goal of the attack will determine who gets selected as the intended victims.
Before crafting the message, the attacker will research the intended victims’ social media profiles, like Facebook, Twitter, Instagram, LinkedIn and many others. From these, the attacker will try to build a profile on the victims’ life, work and interests. This will be used to create a highly customized message that will come across as credible and relevant to the victim.
In addition, the attacker will gather information such as the names and email addresses of the victims’ friends and colleagues in order to make the email appear to be sent from one of them. Spear phishing scams are highly targeted and customized and are far more likely to succeed than ordinary phishing scams.
The Different Kinds Of Phishing
There are very many types of phishing, and different phishing criminals use different ways to carry it out. However, there are common methods that most phishing criminals use to get the information they need from their targets. Phishing criminals may send out a chain of messages to many people, depending on who their target is, or they may send to a particular individual through spear phishing.
- Emails from people that you know claiming to be stranded in a foreign country, asking you to assist them with money so that they can travel back home. When you are taken in by this scam, you end up sending a lot of money to a stranger, and you only discover this after the person whose identity was used contacts you and tells you that they never requested any money.
- Emails claiming to be from reputable news organizations capitalizing on trending news. These emails generally ask recipients to click a link to read the full story, which in turn leads the user to a malicious website. Such links carry malware and other threats that put the recipients’ personal information at risk of being stolen; you are lured into clicking just to read the whole story or to find out more.
- Emails claiming to be from organizations and companies, referencing complaints filed or asking recipients to check their bank deposit insurance coverage. Fraudsters use this a lot because they know that anything regarding your bank details definitely gets your attention, and you will feel compelled to click on their link, which then helps them access the personal details of your bank account.
- Emails threatening to harm recipients unless sums in the thousands of dollars are paid. These are real phishing messages that compel you into clicking on their link. Their main aim is simply for you to click, and once you click on the link they have the access they want.
- Emails claiming to be a confirmation of complaints filed by the recipient. Not having logged any complaints, recipients are inclined to click on these links to find out what is being referenced. The links and attachments, of course, contain malicious code. Once you click on the links or download the attachments, the malicious code is used to reach your private account information. Fraudsters then use that information to steal from your bank account or to gain any other access to your funds.
10 Ways To Identify A Phishing Scam
Every day countless phishing emails are sent to people all over the world, even to the world’s richest man, Bill Gates.
Phishing messages can look very similar to genuine messages. But when well scrutinized, a phishing message can be identified by characteristics that differ from those of a genuine message.
Unfortunately, there is no one single technique that works in every situation, but there are a number of things that you can look for.
1. The message asks for personal information
The number one way of identifying a phishing email is that the email asks for your personal information. No matter how official an email message may look, it is always an alarming sign if that message asks for your personal information.
For example, it is not legitimate for your bank to ask you to send your account number, because your bank already has your account number. Also, companies and organisations do not ask for your password or personal information like your credit card number. Messages requesting your personal information are a sign of a phishing attempt.
2. The message appears to be from a government agency
Knowing that a message from a government agency will get your attention, phishing criminals often disguise themselves as a government agency or department. They may claim to be from the security department and require you to fill in some forms or to send in your personal information.
You ought to know that government agencies do not usually use such means to contact you, so you need to first confirm whether the message really is from a government agency, because such messages are likely to be from phishing criminals that are targeting you.
3. Generic greeting
When you open your inbox and find messages that address you in a general way, as if they were a chain message sent to many people, this should be an alarm bell for your personal information. Fraudsters often send thousands of phishing emails at one time. They may have your email address, but they rarely have your name.
They therefore send emails with a generic greeting such as “Dear Customer”, “Dear Member” or “Hello Bank Customer” rather than using your actual name. When you come across such a message, do not click on any link or download any attached file. However, with spear phishing, the phishing criminals may send a direct message addressed to you by name.
This is why you need to be sure it is from the right people by contacting the organization, bank or company that the phishing criminals are pretending to be from.
4. The message contains a mismatched URL
A mismatched URL means that the link text shows one address while the link actually leads somewhere else, so if you click a link without verifying where it really goes you may land on a phishing site. It is also essential to check for URLs beginning with HTTPS: the “S” indicates that the website uses encryption to protect users’ page requests. One of the first things I recommend checking in a suspicious email message is the integrity of any embedded URLs.
Identifying such a fake URL is one way of preventing yourself from falling victim to a phishing attack. Unless you identify such a URL, you will assume the message is from a genuine site, which may not be the case.
5. Link to a fake website
Phishing criminals always try to trick you into disclosing your username and password. They do this by including a link to a fake website that looks exactly like the sign-in page of a legitimate website. For example, the Gmail phishing attack includes “accounts.google.com” in its URL so that it looks exactly like the Gmail account login page.
Just because a site includes a company’s logo or looks like the real page doesn’t mean it is the real page. People who launch phishing scams often depend on their victims not knowing how the DNS naming structure for domains works: in a hostname such as accounts.google.com it is the rightmost part, the registered domain google.com, that identifies the owner, and anything placed in front of it can be chosen freely by whoever controls the domain at the end. Always check the domain of the service provider or agency carefully to be sure whether the message is genuine or a phishing attack.
Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is likely a scam.
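As an added example that is not part of the original article, the Python script below applies the checks from points 4 and 5 to a constructed sample email: it reads the sender's domain, pulls every link out of the HTML body, and flags a link when its visible text names a different host than the one it really goes to, when it is not HTTPS, or when its registered domain differs from the sender's. The sample message, the hostnames in it and the reason codes are all made up for this example. Note that HTTPS only shows the connection is encrypted; a phishing site can use it too, so the host check is the one that matters.

```python
"""Flag suspicious links in an email: text/href mismatch, non-HTTPS links,
and link hosts outside the sender's domain (example code, not the article's)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real phishing email). The first link shows
# "accounts.google.com" in its text, but the real host ends in a different domain.
SAMPLE_EMAIL = """\
From: Security Team <alerts@examplebank.com>
To: customer@example.net
Subject: Urgent action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer, your account will be closed unless you verify it.</p>
<p>Go to <a href="http://accounts.google.com.verify-login.example/login">https://accounts.google.com/</a></p>
<p>Or visit <a href="https://www.examplebank.com/help">our help center</a>.</p>
</body></html>
"""

# Link text that itself looks like a URL or hostname, e.g. "https://x.example/" or "x.example".
HOSTLIKE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#]\S*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Rightmost two labels of a hostname. Simplification: a real checker uses
    the public suffix list so that names such as bank.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def check_links(raw_email, expected_domain=None):
    """Return the links that fail any check, each with its reason codes."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    expected = expected_domain or sender_domain
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    findings = []
    for href, text in collector.links:
        reasons = []
        href_host = host_of(href)
        if urlsplit(href).scheme != "https":
            reasons.append("not-https")
        if HOSTLIKE.match(text):
            text_url = text if "://" in text else "http://" + text
            if host_of(text_url) != href_host:
                reasons.append("text-href-mismatch")
        if href_host and registrable_domain(href_host) != registrable_domain(expected):
            reasons.append("outside-sender-domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding["href"], "->", ", ".join(finding["reasons"]))
```

Run against the sample, only the first link is reported, with all three reason codes; the help-center link passes because it is HTTPS and sits under the sender's own domain. The `registrable_domain` helper is deliberately naive, so treat it as a starting point rather than a complete allowlist check.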
6. The message makes unrealistic threats or demands urgent action
Although most phishing scams try to trick people into giving up cash or sensitive information by promising instant riches, some phishing artists use intimidation to scare victims into giving up information. If a message makes unrealistic threats, it’s probably a scam.
Also, phishing criminals often include an urgent “call to action” to try to get you to react immediately. Such emails say things like “your account will be closed,” “your account has been compromised,” or “urgent action required.” The attacker then takes advantage of your concern to trick you into providing confidential information.
7. The message contains poor spelling and grammar
As a matter of professionalism, whenever a large company sends out a message on behalf of the company as a whole, the message is usually reviewed and proofread for spelling, grammar and so on.
Therefore, if a message is full of poor grammar or spelling mistakes, it is a clear sign that it is not from the agency or company it claims to be from. This is one clear way to identify phishing scams: they are usually full of grammatical errors.
8. You’re asked to send money to cover expenses
One telltale sign of a phishing email is that you will eventually be asked for money. You might not get hit up for cash in the initial message. But sooner or later, phishing artists will likely ask for money to cover expenses, taxes, fees, or something similar. If that happens, you can bet that it’s a scam.
9. You didn’t initiate the action
If you receive a message from someone unknown to you who is making big promises, the message is probably a scam. Messages that offer you a lot, like “You have won the lottery!!!!”, are a case in point: you didn’t even buy a lottery ticket. If you get a message informing you that you have won a contest you did not enter, you can bet that it is a scam. Such messages are clearly phishing scams.
10. Something just doesn’t look right
The moment you receive a message that seems suspicious, it is usually in your best interest to avoid acting on it. When your instinct tells you that there is something wrong with that message in your inbox, follow your instinct.
Usually, phishing scams will appear suspicious the moment you read through the content of the message. This is a clear indicator that something just isn’t right. Therefore, ignore such messages, or first confirm whether they are from the real senders they claim to be from.
Protecting Yourself From Phishing Scams
- Learn to identify suspected phishing emails
The first step in preventing yourself from falling for a phishing scam is to identify suspected phishing emails. If you can’t identify them, then you are likely to fall victim. Always take a close look at the sender’s display name, and the address behind it, when checking the legitimacy of an email.
As I mentioned in the earlier discussion of identifying phishing messages, most companies use a single domain for their URLs and emails, so a message that originates from a different domain is suspicious.
- Enhance the Security of Your Computer
As a precaution, you should always have the most recent updates for your operating system and web browsers, because updated systems and browsers are safer than outdated ones that are prone to attack.
Also, always have antivirus software installed on your computer in order to be safe. A secure computer is a second layer of protection against falling victim to phishing scams.
- Check the Source of Information from Incoming Mail
It is a good habit to call your service providers whenever you receive an email that claims to be from them, especially if that email looks suspicious. For example, your bank will never ask you to send your passwords or personal information by email.
Therefore, never respond to such requests, and if you have the slightest doubt, call your bank directly for clarification. That way you get the information first hand and will not fall victim if it is a scam.
- Periodically Check Your Accounts
It is always advisable to check your bank accounts periodically so that you are aware of any irregularities in your online transactions. Going a long time without checking your account makes it likely that unusual activity will happen without you noticing.
This is why checking your account regularly is very important.
- Never Go to Your Bank’s Website by Clicking on Links Included in Emails
Always type the domain name of your bank or any other agency into the address bar whenever you want to visit their website. Never click hyperlinks included in an email, as they might direct you to a fraudulent website.
Type the URL directly into your browser, or use bookmarks / favorites if you want to go faster. That way you will not find yourself on a phishing website.
- Enter Your Sensitive Data in Secure Websites Only
Always check for mismatched URLs: however valid an embedded URL might look, hovering over it might show a different web address. Avoid clicking links in emails unless you are certain that the link is legitimate.
Safe sites always begin with ‘https://’ and your browser should show a closed lock icon. In addition, you should never casually click links or download files, even if they come from seemingly “trustworthy” sources.
- Phishing Knows All Languages
You should always look out for grammatical errors and spelling mistakes. Phishing messages can reach you in any language, but such messages are usually poorly written or translated, so this may be another indicator that something is wrong.
For example, if you are always using English on the website of your service provider, Bank or any company, why should they send you a message in French? This should show you that something is wrong somewhere and you ought to call that particular company for confirmation.
- Always be up to date with the recent malicious attacks and phishing scams
When you are up to date with information about recent threats, chances are that you will not fall victim. For example, Gmail users who did not know about the recent Gmail phishing attack are likely to fall victim, since the phishing criminals use a URL that resembles the Gmail account URL. Keeping up to date helps you know how to identify phishing messages and what to do about them.
- Reject any suspicious email
The best way to prevent phishing is to consistently reject any email or message that asks you to provide confidential data. Delete these emails and call your bank to clarify any doubts. Engaging with these emails invites you to click on their links or download their files, so the best course is to ignore the email and call the company or agency for confirmation.
Recently there has been another Chrome and Firefox phishing attack that used domains identical to known safe sites. In a Wordfence public announcement, Mark Maunder, the CEO, mentioned that this variant of phishing attack used Unicode to register domains that look identical to real domains. These fake domains can be used in phishing attacks to fool users into signing into a fake website, thereby handing over their login credentials to an attacker.
This affected different versions of the Chrome and Firefox browsers. It does not affect the Internet Explorer or Safari browsers.
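Here is an added example, not code from the article or from Wordfence, of how a defender can spot the Unicode look-alike domains described above. A browser resolves an internationalised domain name in its punycode (`xn--`) form, so the script decodes that form back to Unicode, classifies the script of each letter (a label that mixes Latin and Cyrillic letters, or is entirely non-Latin, is suspicious), and folds a small hand-picked set of confusable letters to Latin so that a look-alike can be compared against a trusted domain. The look-alike hostnames and the confusables table are constructed for this example; Python's built-in `idna` codec (IDNA 2003) is used, where a production checker would use the `idna` package's UTS-46 processing.

```python
"""Detect Unicode look-alike (homograph) hostnames: decode punycode, check the
scripts used in each label, and fold confusable letters to compare against a
trusted name (example code, not the article's)."""
import unicodedata

# Hand-picked subset of Unicode's confusables data (constructed for this
# example, not the full table): Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def ascii_form(host):
    """The punycode form the browser actually resolves (what an allowlist should hold)."""
    return host.encode("idna").decode("ascii")


def unicode_form(host):
    """Decode xn-- labels so that look-alike letters become visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already contains non-ASCII letters; inspect as-is


def script_of(ch):
    """Rough script classification taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "OTHER" if ch.isalpha() else None  # digits and '-' are script-neutral


def skeleton(host):
    """Fold confusable letters to Latin so that look-alikes compare equal."""
    folded = unicodedata.normalize("NFKC", unicode_form(host).lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def homograph_findings(host, trusted=()):
    """Return reasons why `host` looks like a homograph of a trusted name."""
    findings = []
    shown = unicode_form(host).lower()
    for label in shown.split("."):
        scripts = {s for s in map(script_of, label) if s}
        if len(scripts) > 1:
            findings.append(f"mixed scripts in label {label!r}: {sorted(scripts)}")
        elif scripts and scripts != {"LATIN"}:
            findings.append(f"non-Latin label {label!r} ({scripts.pop()})")
    for name in trusted:
        if skeleton(host) == skeleton(name) and ascii_form(host) != ascii_form(name):
            findings.append(f"looks like {name} but resolves to {ascii_form(host)}")
    return findings


# Constructed look-alike: "example.com" with a Cyrillic small a (U+0430) in place of the Latin a.
LOOKALIKE = "ex\u0430mple.com"

if __name__ == "__main__":
    print("browser resolves:", ascii_form(LOOKALIKE))
    for reason in homograph_findings(LOOKALIKE, trusted=["example.com"]):
        print("-", reason)
```

The practical lesson is the one Wordfence drew: what the address bar shows and what the browser resolves can differ, so compare the `xn--` form, not the rendered text, against the domain you trust.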
You should always err on the side of caution when it comes to sending personally identifiable information through messages and emails: if a message seems suspicious, it probably is.
When you suspect a message to be a phishing message, chances are that it is indeed one. Phishing is on the rise and many people have fallen victim to phishing scams. Clicking on links sent by phishers is one way of letting them access your personal information.
Therefore, with the ability to identify these phishing messages, you will be able to prevent yourself from falling victim.