Social Engineering: What is Phishing?
Phishing (pronounced “fishing”) is a kind of identity theft that is growing in popularity amongst hackers. By using fraudulent websites and false emails, fake phone calls, and whatnot – perpetrators attempt to steal your personal data – most commonly passwords and credit card information. In this blogpost you will learn what is phishing and how to protect yourself against it.
Cyber perpetrators do this through the use of social engineering or deception – usually by sending you links to sites that look like sites you trust, such as your online banking provider or social networks, and are able to steal your data as you enter it. These spoofed sites most most regularly include social media, email services, financial institutions other sites that people generally creates an account on to use the offered service.
This knowledge base article will tell you what to do when you receive a phishing email.
HOW TO RECOGNIZE A PHISHING MESSAGE
Phishing scams are among the most prevalent forms of cybercrime. Although phishing is widespread, it is beatable. Apart from ensuring you install security software, the best way to combat phishing scams is to identify as you see them and following points will outline some practical ways that will help you to do so.
- Spelling and bad grammar – Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have a staff of copy editors that will not allow a mass email like this to go out to its users. If you notice mistakes in an email, it might be a scam.
- Beware of links in email – If you see a link in a suspicious email message, don’t click on it. Rest your mouse (but don’t click) on the link to see if the address matches the link that was typed in the message. In the example below the link reveals the real web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company’s web address.
Also do check mismatched URL’s (or misleading domain names) – they can also lead you to .exe files. These kinds of files are known to spread malicious software.
- Threats – Have you ever received a threat that your account would be closed if you didn’t respond to an email message? The email message shown above is an example of the same trick. Cybercriminals often use threats that your security has been compromised. For more information, see Watch out for fake alerts.
- Spoofing popular websites or companies – Scam artists often use pop-up windows. For more information, see Social Engineering attacks.
- Other important indications – Asking for personal information – The offer seems too good to be true – You have to receive/send money – You didn’t initiate the action – Or anything which just doesn’t look right!
Apart from traditional phishing emails coming from or targeting different companies, it may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as
- natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
- epidemics and health scares (e.g., H1N1)
- economic concerns (e.g., IRS scams)
- major political elections
How to protect yourself against phishing
- Be wary of emails asking for confidential information – especially information of a financial nature. Legitimate organizations will never request such information via email, phone calls or by any other means. Instead, always pay attention to the sender’s email address. It may imitate a legitimate business with only few characters altered or omitted.
- Never opens a suspicious attachment, as it is a common delivery mechanism for malware. Phishers like to use scare tactics, and may threaten to disable an account or delay services until you update certain information. Be sure to contact the merchant directly to confirm the authenticity of their request.
- Watch out for generic-looking requests for information. Fraudulent emails are often not personalized, while authentic emails from your bank often reference an account you have with them. Many phishing emails begin with “Dear Sir/Madam” or other generic greetings/signature, and some come from a bank with which you don’t even have an account.
- Don’t get pressured into providing sensitive information and never submit them via embedded forms within email messages – a very common phishing practice and widely pushed onto your junks/spams folders on daily basis.
- Never use links in an email to connect to a website as they could be spoofed hyperlinks. The links not matching the text that appears when hovering over them should raise a red flag. This also include the use of URL shortening services. Instead, open a new browser window and type the URL directly into the address bar (or check where that short link leads to e.g. see links below). Often a phishing website will look identical to the original e.g., https://wwwpaypal.com/ is different from https://www.paypal.com/. Similarly https://www.paypaI.com/ (with a capital letter “i” instead of a lowercase “L”) is different from https://www.paypal.com/ – look at the address bar to make sure that this is the case (and the connection is secure – such as https://).
Even more tips to protect yourself
- Make sure you maintain an effective environment to combat phishing (via any third-party anti-viruses) and reputed browsers and keeping all your software up-to-date. Use encrypted services such as Mailfence to communicate and further safeguard your privacy.
- Use Password managers that auto-fill passwords to keep track of which sites those passwords belong to. If the password manager refuses to auto-fill a password, you should hesitate and double-check the site you’re on. See this blog post, to avoid bad password habits.
- Always be suspicious – Phishing emails try to freak you out with warnings of stolen information (or worse) often with poor grammar and sentence structure, misspellings, and inconsistent formatting. Then offer an easy fix if you just “click here!” (The flipside: “You’ve won a prize! Click here to claim it!”) When in doubt, don’t click. Instead, open your browser, go to the company’s website, and then sign in normally to see if there are any signs of strange activity. If you’re concerned, change your password.
Types of Phishing attacks
- Spear Phishing: A phishing attack that targets organizations and specific individuals instead of sending bulk emails
- Smishing: Phishing attack that instead of emails uses SMS text. Hence the combination of words SMS+phishing
- Vishing: This attack involves the perpetrator actually uses voice to trick you into completing an action.
- Whaling: An attack that targets “whales” such as senior & executive members of an organization. The term whaling comes from the idea that if a senior employee completes an action like transfer it could lead to tremendous results for the attacker.
If you have fallen victim of a phishing attack, check out our blogpost on hacked emails.
You also check test a particular link before opening it on where it leads to:
- Where Goes, Redirect Detective, Internet Officer Redirect Check, Redirect Check, URL2PNG, Browser Shots, Shrink The Web, Browserling
Further, you can also report the phishing attempts at:
Most of all, rely on common sense. You can’t win a contest you didn’t enter. Your bank won’t contact you using an email address you never registered. Know the warning signs, think before you click, and never, ever give out your password or financial info unless you’re properly signed into your account.
Mailfence is an encrypted email suite, and only uses following email addresses for official or legitimate communication.
firstname.lastname@example.org – For all kind of reporting, support and payment related queries.
email@example.com – For new message notification, account activation and password reset links.
firstname.lastname@example.org – For all kind of marketing related queries.
email@example.com – For all kind of press related queries.
In some cases, e.g. for billing/payment:
firstname.lastname@example.org – For payment and related queries
Any email claiming to be from us but is not sent from one of the above mentioned addresses, should be regarded as suspicious and immediately reported to support[at]mailfence[dot]com
– Mailfence Team