Security Awareness

Recognizing a phishing attack - A phishing awareness training resource

How to recognize phishing emails - The following resource can be used in phishing security awareness training. Help everyone recognize phishing!

We have all received those unfamiliar, “too-good-to-be-true” email messages urging us to open a link that will supposedly confirm a free ticket or a lottery win. Most of us already know the term “phishing”: a fraudulent technique in which a cyber-criminal tries to trick a person into handing over sensitive information online. The aim of these scams is to collect account passwords, credit card numbers, other financial data, or personal details such as name, address or date of birth that can be used for identity theft. Even though awareness of phishing has grown in recent years, it remains a very successful way of scamming people, because cybercriminals keep developing new and clever ways to get individuals to take the bait. However, most phishing emails share some distinctive characteristics that, once recognized, help us identify them.


1. Don’t Click on Unfamiliar Links
Link manipulation is one of the most commonly used techniques in phishing scams: the user is persuaded, by convincing means, to click a link that leads to a fraudulent or forged website. Because many users now know not to click suspicious links, attackers use increasingly manipulative ways to get them clicking. They typically try to get the user to enter their username and password so that they can take over the user's online accounts, steal data, withdraw money from bank accounts, use credit cards online, or even lock the user out of their own account.

For this purpose they often use embedded URLs that look normal at first glance, but if you hover the cursor over the link you can see the actual URL it will take you to once clicked. This is why links such as “Click Here” or “Subscribe” should also be checked for a phishing attempt before being clicked.

Another way to manipulate links is the use of sub-domains. People who are not aware of how sub-domains work fall for this trick very easily. For example, a user supposedly gets an email from their “abc bank” asking them to click a link whose host name begins with “abcbank.” but whose actual (registered) domain is “clickandwin”. The cybercriminal has used the name of the legitimate “abcbank” bank as a subdomain to trick the user into believing that the email really comes from “abcbank”. This link will take the user to the “abcbank” part of the “clickandwin” domain, not to any part of the “abcbank” domain. Read a host name from right to left: the label immediately before the top-level domain is the one that says who owns the site; anything to the left of it can be chosen freely by that owner. It is always good practice to study the URL carefully before clicking and to avoid clicking any suspicious one.
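The hover check and the subdomain trick described above can be automated. The following Python script is an added example written for this article (it is not part of the original page or of any Mindsett product): it pulls every link out of an HTML email, compares the domain that the link text shows with the domain the href actually goes to, flags a `user@` prefix that hides the real host, and flags a protected brand name that appears only as a subdomain of an unrelated domain. The `PROTECTED_DOMAINS` list and the sample email are constructed for the example (the `.example` top-level domain is reserved and never resolves), and the `registered_domain` helper is a two-label approximation of what a real deployment would take from the Public Suffix List.

```python
"""Hover-check for links in an HTML email: compare where a link *says* it goes
with where it *actually* goes, and flag brand names smuggled into subdomains.
Added example for this article; brand list and sample email are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: domains the organisation legitimately uses. A real deployment
# would load this list from configuration.
PROTECTED_DOMAINS = {"abcbank.com"}


def registered_domain(host):
    """Registrable part of a host name, taken as the last two labels.
    Adequate for .com/.example; production code should use the Public
    Suffix List so that 'abcbank.co.uk' is not split into 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Host the browser will actually contact for a URL or bare host name.
    urlparse drops any 'user@' prefix, so 'https://abcbank.com@evil.example/'
    yields 'evil.example', exactly as the browser treats it."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_link(href, text):
    """Return a list of human-readable findings for one <a href=...>text</a>."""
    findings = []
    parsed = urlparse(href if "://" in href else "http://" + href)
    actual_host = host_of(href)
    actual_domain = registered_domain(actual_host)

    # 1. The visible text is itself a URL or host name, but the href goes elsewhere.
    shown = text.strip()
    if "." in shown and " " not in shown:
        shown_domain = registered_domain(host_of(shown))
        if shown_domain != actual_domain:
            findings.append(
                f"display/href mismatch: shows {shown_domain}, goes to {actual_domain}")

    # 2. A 'user@' part in the URL: everything before '@' is ignored by the browser.
    if parsed.username is not None:
        findings.append(f"'user@' prefix hides the real host {actual_host}")

    # 3. A protected brand name appears only as a subdomain of an unrelated domain.
    sub_labels = actual_host.split(".")[:-2]
    for brand in PROTECTED_DOMAINS:
        brand_label = brand.split(".")[0]
        if actual_domain != brand and any(brand_label in lab for lab in sub_labels):
            findings.append(f"brand '{brand_label}' used as subdomain of {actual_domain}")
    return findings


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def scan_email(html):
    """Map each suspicious href in an HTML email to its list of findings."""
    parser = LinkCollector()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed sample email: three manipulated links and one legitimate one.
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<p>Your account will be closed. Please
<a href="http://abcbank.clickandwin.example/login">click here</a> to verify.</p>
<p>Or go to <a href="https://abcbank.com.secure-verify.example/">https://www.abcbank.com/</a></p>
<p>Help desk: <a href="https://abcbank.com@evil.example/">https://abcbank.com/</a></p>
<p>Legitimate: <a href="https://www.abcbank.com/help">https://www.abcbank.com/help</a></p>
"""

if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for finding in findings:
            print("  -", finding)
```

Run as a script it reports the three manipulated links and stays silent on the legitimate one. The two-label `registered_domain` is the weak spot: it is right for `clickandwin.example` and `abcbank.com` but would misjudge country-code domains such as `abcbank.co.uk`, which is why mail gateways use the Public Suffix List for this step.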

2. Beware of Disguises
Some of the most successful phishing attacks are those in which the attacker disguises themselves as someone the employee is familiar with. This makes a phishing email look more personalized and believable. Before you open any attachment, use your common sense and stay vigilant. Were you actually expecting that sudden email from your boss? Did you order anything online that needs a confirmation? Is the friend asking for a money transfer over email actually in need of money? If not, it is most probably a phishing attempt. You can always call the individual or department concerned and cross-check the legitimacy of the email.

3. Pay Close Attention to Grammar and Spelling
A legitimate email from a corporate department is normally professional and free of erroneous words and sentences, having gone through rounds of proofreading and editing. If you receive an email supposedly from a professional department or individual that is full of grammatical and spelling mistakes, it is probably a phishing scam. Also be skeptical of generic salutations like “Dear Member” or “Dear Customer”: an organization you have an account with normally addresses you by name.

4. Be wary of pop-up messages
Pop-up messages are an easy way to carry out phishing attacks successfully. Attackers use pop-up messages to send users to forged websites where they enter their login details, ultimately handing over their information. “In-session phishing” is a related technique in which a user who is already logged into a banking website gets a pop-up window asking them to enter their bank login details “again”. Avoid responding to pop-up messages that appear on their own without any link being clicked. It is also good practice to block pop-ups in your browser and to log out of sensitive accounts as soon as you are finished.

5. Don’t Fall for Intimidation Tactics
Messages such as “Your Account will be Closed” or “Urgent Action is Required” exploit your immediate worry that the threat may come true if you do not act as asked; the urgency is there to stop you from checking. Always call your bank or the other entity concerned, using a number you already have rather than one given in the message, to confirm if something does not feel right.

2. What can an Attacker do through Phishing?
Phishing serves cyber-criminals in a number of ways: some attempt to gain your financial information, such as credit card and bank account details, while others work to steal your business secrets. Every phishing scam comes with its own motive. Some of the ways in which successful phishing helps an attacker are:

  • Making transactions with the victim’s credit card, or withdrawing and transferring money from their bank account.
  • Misusing the victim’s data to sign up for fake accounts and carry out illegal transactions in their name.
  • Using a foothold on the targeted computer to harvest employee credentials and other organizational secrets.
  • Installing malware on the victim’s computer and using it to send further phishing emails to the people in their contact lists.

Now let us look at some of these scenarios in detail:

2.1. Getting your Financial Details
With phishing attacks, cybercriminals aim to fraudulently obtain your personal financial information, such as bank account details and credit card numbers. Once they have it, they can carry out transactions online or empty your bank account. They can also use your accounts for illegal transactions in your name, for their own benefit, without you being aware of it.

2.2. Causing Reputational Damage
It takes businesses a lot of persistent hard work and customer satisfaction to build and maintain a brand image. Trust in a brand takes years to develop, but a single incident can do lasting damage to a brand’s reputation. This is why successful phishing attacks can also be used by competitors of your business, or by anyone else who wants to harm it, to damage your organization’s reputation.

2.3. Installing Ransomware
Ransomware is like any other malware, with the major difference that its sole intent is to extort money from the victim. Phishing is an easy and successful means of getting ransomware onto a target’s computer system. Ransomware works by locking an individual victim, or the users of an organization, out of their workstations, servers, mobile devices and other IT systems, typically by encrypting the data on them, until a ransom is paid. Though it may seem unlikely to happen to you, ransomware has become a rapidly growing threat in recent years. Here again, the criminals’ motive is financial gain.

2.4. Causing Financial Losses to Business through DDoS Attacks
Phishing can also lead to DDoS attacks that cause financial loss to a business; online businesses are the main targets, particularly in the holiday season. A DDoS attack on a business can start from something as small as an employee clicking a link in a phishing email: the malware installed that way can enroll the machine in a botnet used for such attacks, or give the attacker the foothold from which the attack is launched. Apart from revenue losses, a DDoS attack resulting from a phishing scam also brings costs of investigation, customer support, lawsuit settlements, and so on.