How to Protect Against Phishing (No.1 Cyberattack) to Stay Secure?

Most of you have probably heard about phishing at some point. But what exactly is phishing? It is the most common attack, and it targets every kind of user. Cybercriminals use it as their favourite tool to con people for personal gain. Let’s go through the important concepts: what phishing is, the types of phishing, how it is carried out, how to protect against it, and so on.

What is Phishing?

Phishing refers to cybercriminals sending fake communications to target users while impersonating someone the target trusts, in order to con them. The messages pretend to come from a trusted entity (a company, an institution, or a person). Phishing is the most widely used social engineering technique: cybercriminals use it to gather sensitive information, get targets to download malicious software, ask for money, and push targets into immediate actions such as sharing sensitive personal information and access credentials.

Sensitive information here refers to any information that is considered highly confidential and should not be shared with others: debit/credit card details, social security ID, login credentials for any online account, and so on. Cybercriminals can use this sensitive information to carry out more severe attacks. Many phishing attempts also try to get users to click suspicious links and download malware.

Some Stats Regarding Phishing Attacks

Stats indicate that phishing is still the most popular weapon of threat actors, and the rate of phishing attacks has increased manifold in recent times. According to the Verizon Data Breach Report 2020, 36% of breaches involved phishing. Diving deeper into this report, we learn that

  • Human risk constituted 67% of breaches
  • 46% of companies received malware via phishing emails
  • 86% of attacks were carried out for financial gain
  • 27% of malware incidents involved ransomware

Earlier, attackers mostly targeted big organizations and corporations via phishing. These days, even small companies and individuals are being targeted. One major cause of this extended reach is the expanding attack surface. Small companies and individuals are easy targets because they are less cautious about cybersecurity. There has also been a steady rise in phishing attacks as most employees work from home on their personal devices, which are not as well secured as corporate devices and are therefore more vulnerable to cyberattacks.

How Phishing is Performed

Cybercriminals use various resources available online (social media accounts, LinkedIn profiles, and job portals) to collect information about their target. This may include names, job titles, email addresses, company names, etc. This information helps them appear more genuine to their target. They pretend to be someone the target trusts, for example, their bank, workplace, or university.

After gathering personal information, they send fake messages, emails, and chats to the target that include this information. Because the communication contains the target’s real details, it feels like it comes from a reliable source. Phishing communication often urges the target to take immediate action: sending money, sharing personal details (e.g., credit/debit card details), visiting a malicious website, or downloading malware.

Cybercriminals may also create fake websites (e.g., e-commerce sites) that copy real, trusted websites to trick people and gain their confidence. Through these websites, they get users to enter personal details, including credit card information, which attackers later use to launch more targeted and severe attacks.

Consequences of Phishing

Most phishing attempts aim to collect the credit/debit card information of their targets to carry out fraudulent transactions. Others aim to get users to give away their login credentials so that their accounts can be compromised and confidential information stolen. Phishing is also the initial step in advanced cyberattacks such as ransomware and APT attacks.

How to Identify Phishing?

Though phishing is the most popular cyberattack, it is not impossible to detect at an early stage and avoid becoming a victim. Below are some signs that should put you on alert before you trust a communication.

Asking for an immediate action

Look out for any communication that demands urgent action, such as paying a penalty, sharing login credentials, or verifying bank details. Such emails typically demand that you act immediately and warn of severe consequences if you do not.

Unusual requests

If the communication asks you to install suspicious software, carry out a transaction on someone’s behalf, or provide personal details in exchange for a handsome sum in your bank account, treat it as phishing.

Unprofessional tone

A message from an institution, organization, or bank is unlikely to have a casual rather than professional tone, so a casual tone may point to phishing. Most phishing communications have a casual, unprofessional tone.

Fake domain

If you get a suspicious email claiming to be from an organization, check the sender’s domain. Verify it against the organization’s real domain (a Google search will tell you what that is). For example, bank-of-america.com (a fake domain) can be used to send emails impersonating bankofamerica.com.

Linguistic errors

Linguistic errors are the most common sign of a phishing attack. Always be cautious when handling communications with an unusual number of errors, including grammatical errors.

Jackpot/prize messages

Communications claiming that you won a lottery or a prize in a contest you never entered are also a sign of phishing. Never trust such messages, and report them if possible.

Urging to share personal details, credit/debit card information, and OTPs

Some phishing emails contain links to external websites created to harvest login credentials. Such websites are designed to look like the real website, and users are tricked into entering their banking details and performing transactions. Whatever they enter is stored by the phishers who built the site, and the credentials may later be used to perform bogus transactions.
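The signs listed above (a lookalike sender domain such as bank-of-america.com standing in for bankofamerica.com, urgent demands, requests for card data or OTPs, prize claims, and links whose visible text points somewhere other than their real destination) can be checked mechanically, which is essentially what an email security filter does before a human ever sees the message. The following Python script is an added example written for this article, not code from the original post or from any product: it scores a raw email against those indicators. The trusted-domain allowlist, the keyword lists, the weights, and the two sample messages are all constructed for illustration, and the "registrable domain" helper uses the last two labels instead of a real public-suffix list.

```python
"""Phishing indicator scorer (constructed example for this article, not a product)."""
import re
from email import message_from_string
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed allowlist of domains we expect genuine mail from (example values).
TRUSTED_DOMAINS = {"bankofamerica.com", "example-corp.com"}

# Each category adds its weight once, however many phrases match.
CATEGORIES = {
    "urgent action demanded": (2, [r"\bimmediately\b", r"\bwithin 24 hours\b",
                                   r"\baccount will be (suspended|closed)\b",
                                   r"\bverify your (account|identity|details)\b", r"\bpenalty\b"]),
    "asks for credentials, card data or OTP": (2, [r"\botp\b", r"\bone[- ]time (password|code)\b",
                                                   r"\bcard number\b", r"\bcvv\b", r"\bpassword\b"]),
    "unsolicited prize or lottery": (2, [r"\b(lottery|jackpot|prize)\b", r"\byou (have )?won\b"]),
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list here)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lookalike_of(host: str) -> Optional[str]:
    """Return the trusted domain that `host` imitates, or None if host is trusted or unrelated."""
    host = host.lower().strip(".")
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:  # brand name used as a subdomain of some other domain
            return trusted
        if reg.replace("-", "") == trusted.replace("-", ""):  # bank-of-america.com
            return trusted
        if levenshtein(reg.split(".")[0], trusted.split(".")[0]) <= 2:  # bankofamerlca.com
            return trusted
    return None


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self) -> None:
        super().__init__()
        self.pairs: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def _host(text: str) -> Optional[str]:
    """Hostname of a URL-looking string, or None for ordinary link text like 'click here'."""
    if not URL_LIKE.fullmatch(text):
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def analyse(raw: str) -> Tuple[int, List[str]]:
    """Score one RFC 822 message; returns (score, human-readable reasons)."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender = m.group(1) if m else ""
    target = lookalike_of(sender) if sender else None
    if target:
        score += 3
        reasons.append(f"sender domain {sender} imitates {target}")
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")]
    body = "\n".join(str(p.get_payload()) for p in parts)
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    for label, (weight, patterns) in CATEGORIES.items():
        if any(re.search(p, text) for p in patterns):
            score += weight
            reasons.append(label)
    parser = _Anchors()
    parser.feed(body)
    for href, shown in parser.pairs:
        real, displayed = _host(href), _host(shown)
        if real and displayed and registrable(real) != registrable(displayed):
            score += 3
            reasons.append(f"link text shows {displayed} but points to {real}")
        imitated = lookalike_of(real) if real else None
        if imitated:
            score += 3
            reasons.append(f"link host {real} imitates {imitated}")
    return score, reasons


def verdict(raw: str) -> str:
    return "likely phishing" if analyse(raw)[0] >= 5 else "no strong indicators"


# Constructed sample messages (not real mail).
PHISH = """\
From: Bank of America Security <alerts@bank-of-america.com>
To: customer@example.net
Subject: Action required: verify your account immediately
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you verify your account.</p>
<p>Confirm your card number and the OTP we sent at
<a href="http://bankofamerica.com.login-verify.example/">https://bankofamerica.com/secure</a>.</p>
"""
LEGIT = """\
From: Example Corp IT <it-helpdesk@example-corp.com>
To: employee@example-corp.com
Subject: Reminder: quarterly training schedule
Content-Type: text/html

<p>The calendar is posted on the intranet:
<a href="https://intranet.example-corp.com/training">intranet.example-corp.com/training</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, verdict(sample), analyse(sample))
```

The score is deliberately additive so that a single weak indicator (one urgent word in a genuine reminder) does not trip the verdict on its own, while a message that combines a lookalike sender, pressure, a request for card data and a disguised link scores well past the threshold. A real filter would add sender authentication results and reputation data to this, but the logic above is the same kind of check a reader can run by hand on the signs listed in this section.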

Types of Phishing

Phishing is classified into various types based on the methods used by cybercriminals. The types of phishing include the following:

Email Phishing

This is the most common type of phishing and involves sending fraudulent messages by email. Attackers use emails to trick ordinary users into performing certain actions: sharing their information, visiting malicious websites, downloading malware, and so on.

Spear Phishing

Unlike generic email phishing, this type targets a specific group of people (e.g., employees of a particular company). Before sending phishing emails, attackers gather all relevant information about their targets. This makes spear phishing more effective because the communication appears authentic, and victims are carried away by it, believing it comes from the claimed sender. Victims are tricked into performing certain tasks, such as transferring money to a particular account.

Whaling

Like spear-phishing attacks, whaling attacks target a particular audience; in whaling, it is mostly higher management staff. Attackers use the staff’s information available in the public domain to launch such attacks, sending highly personalized messages to extract sensitive information and use it against the organization where the staff work.

Angler Phishing

Angler phishing targets both organizations and their customers. Attackers set up fake social media accounts for famous organizations and pose as the real ones. When customers of such organizations have complaints and reach out to these fake accounts (thinking they are real), attackers ask them for personal information in the name of solving their problems.

Once a customer provides their personal information, it is used to launch further attacks. Attackers also create fake customer support web pages to attract customers and collect personal information such as login credentials and credit/debit card numbers.

Smishing and Vishing

Smishing is a type of phishing that involves sending fraudulent text messages to smartphones. Users receive messages telling them they have won big prizes without ever entering a contest, or messages claiming to come from a well-known organization so that users will trust them. The main intention behind smishing is to defraud the victim financially.

Vishing is a form of phishing that involves calling victims by voice to ask for confidential information. Attackers may impersonate officials from known banks, institutions, or organizations and ask for sensitive information (e.g., credit card details) to "verify your identity" in the name of securing the account.

Stay Safe from Phishing

Preventing phishing is not impossible. Though phishing comes in many flavors and forms, we can still stay safe by identifying it and taking the correct measures in time.

Implement the following security measures to prevent phishing:

Use email security solutions

Email security solutions play a vital role in preventing email phishing and serve as the first line of defense. These solutions can detect and block or label emails that contain malware, malicious links, spam content, and suspicious attachments, thereby alerting users to potential phishing attacks.

Train your employees

Organizations must train their employees on different types of phishing attacks, signs of these attacks, and how to report them to security teams. This can be done by conducting phishing awareness programs.

Restrict access to privileged systems

Attackers usually target highly privileged accounts and systems because they store valuable data. Organizations can secure these systems and the sensitive data on them by limiting who can access them; this also reduces other risks such as data leakage. Organizations must apply the principle of least privilege to such systems and ensure that only authorized users can access them.

Employ endpoint monitoring and protection

With cloud computing getting more popular, the number of unprotected endpoints is growing. Organizations must monitor all endpoints that connect to their corporate networks and have threat response and remediation processes in place to tackle and mitigate endpoint attacks. Unprotected endpoints are at higher risk of exposure to various forms of cyberattack, including phishing.

Simulate phishing attacks for testing

Security teams should evaluate how effectively they can defend against phishing and how well employees respond to phishing attempts. This can be done by simulating phishing attacks without telling users in advance (purely to test how well they handle it). Mimicking real phishing attempts helps uncover and fix the gaps in technology and people so that real attacks are handled effectively when they occur.

Bonus Tips to Prevent Phishing

Apart from the above-mentioned security measures, follow these rules to stay safe from phishing attacks:

  • Never open links received in emails or SMS from unknown sources.
  • Never reply to suspicious emails or messages.
  • Always check the authenticity of information received. Do not blindly trust information sent in emails/messages.
  • Cross-check the domain name if you receive an email that claims to be from a trusted source.
  • Always check the website you are redirected to from a mail/message to avoid landing on a fake one.
  • Never pay money on the pretext of winning prizes or securing your device. Some attackers extort money by claiming that your device is infected and that they can secure it if you pay a certain amount.
  • Have a good antivirus solution on your device.
  • Check the trust badge beside websites. Popular antivirus solutions display trust badges beside websites to indicate whether they are safe to access.
  • Delete suspicious mails identified by Google as spam.
  • Enable multi-factor authentication on your accounts and devices to protect sensitive information.
  • Never reveal personally identifiable information to anyone unless you are sure about the person/organization on the other side.
  • Report to the concerned authorities if you suspect or have become a victim of a phishing attack.

Wrapping Up

As attackers use sophisticated social engineering methods to launch phishing attacks, no one can be completely secure unless they are aware of the strategies attackers use. By following the security measures and tips above, we can avoid phishing attacks to a great extent. Awareness of new phishing techniques and the use of advanced technology are the keys to staying protected from phishing attacks.

3 thoughts on “How to Protect Against Phishing (No.1 Cyberattack) to Stay Secure?”

  1. This is very good blog information. thanks for sharing I am very impressed with your writing ability.

  2. Do you mind if I quote a couple of your articles as long as I provide credit and sources back to your website? My blog site is in the very same niche as yours and my users would certainly benefit from some of the information you present here. Please let me know if this is okay with you. Thanks!
