In February 2016, an apparently politically-motivated hacker accessed the personal information of 20,000 FBI employees and 9,000 Department of Homeland Security employees in a phishing attack. Nobody is immune from the phishing epidemic, and as it relies on human fallibility as much as technical wizardry, there’s no reason to believe it’s a problem that will go away. So what does phishing involve? And how can we defend ourselves?
‘Phishing’ is a method of fraud that involves tricking the victim into volunteering information such as account names and passwords to their online accounts – be they email, social, or banking accounts. Usually, phishing takes the form of a spoof email or website to which the victim unwittingly submits their log-in details. Money or data is then illegally extracted – but insurance companies are unwilling to stump up when the leak can be traced to a mistake made by the victim themselves.
How to Identify Phishing Scams and Protect Yourself
Thankfully, as phishing relies on human error to succeed, vigilance and common sense form a key part of a strong defense. There are different types of phishing scam floating around, so it pays to be aware of when you may be at risk – and how best to navigate a suspected threat.
- Deceptive Phishing
The most common phishing technique that hackers will use is to send a message purporting to be from one of your genuine service providers, and asking you to re-send personal information or log-in through a different portal. Often, the emails will come with a sense of urgency – warning either of potential charges or benefits that may be at stake. To identify such an email, look out for generic greetings or links within the email. Legitimate companies will not ask for your personal data in this way – neither will they expect you to click on a link within an email that takes you to a log-in page.
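The indicators above can also be checked mechanically when triaging a reported message. The following Python sketch is an added example, not part of the original article: `triage`, `host_of` and `LinkCollector` are hypothetical names, the word lists are illustrative, and the sample message and its domains are constructed. It goes one step beyond the article by also comparing the host a link displays with the host it actually points to.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TEXT_RULES = {  # applied to subject + raw body; the word lists are illustrative
    "generic-greeting": re.compile(r"\b(dear|hello|hi)\s+(valued\s+)?(customer|user|member|client)\b", re.I),
    "urgency": re.compile(r"\b(urgent|immediately|within \d+ hours?|suspended|final notice)\b", re.I),
    "login-link": re.compile(r"<a\b[^>]*\bhref=[^>]*(log-?in|sign-?in)", re.I),
}
CONSTRUCTED_SAMPLE = """\
Subject: Urgent: your account will be suspended
Content-Type: text/html

<p>Dear Customer, confirm your details within 24 hours.</p>
<a href="http://examplebank.example.login-check.test/signin">www.examplebank.example/login</a>"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False  # links holds [href, visible text]
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([(dict(attrs).get("href") or "").strip(), ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def host_of(value):
    """Host of a URL, or of link text written like a URL or domain; else None."""
    try:
        host = urlparse(value if "://" in value else "//" + value).hostname or ""
    except ValueError:  # malformed value, e.g. an unbalanced "["
        return None
    return host.removeprefix("www.") if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host) else None

def triage(raw_message):
    """Return the indicators found in one message (heuristics, not a verdict)."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    findings = [name for name, rx in TEXT_RULES.items() if rx.search(f"{msg['Subject']} {body}")]
    collector = LinkCollector()
    collector.feed(body)
    hosts = [(host_of(text.strip()), host_of(href)) for href, text in collector.links]
    return findings + [f"link-text-mismatch:{s}->{a}" for s, a in hosts if s and a and s != a]
```

Calling `triage(CONSTRUCTED_SAMPLE)` reports all four indicators; a personalised message whose links display the host they really lead to returns an empty list.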
- Spear Phishing
It’s one thing to identify a generic email as a fake, but when phishers use existing information about you (often gleaned from social media) it takes a sharp eye to spot an imposter.
Look out for alarming threats that are designed to make you panic and respond instinctively. You can also reduce the chances of becoming a victim by being careful what you post on social media, and ensuring that your social media privacy settings exclude the general public. Use a different password for every site, so if one gets compromised, the others remain safe.
- CEO Fraud
Despite the name, CEO fraud is targeted at anyone within a company who has the power to enact payments or provide vital information. As we’ve seen from several high-profile cases, fraudsters assume the identity of an authority figure within a company and make a request to the accountant of the business to action a payment.
Be sure to double-check any ‘fishy’ sounding requests, and remember the boss will be more annoyed by a million-dollar scam than an extra phone call here and there. Companies are also encouraged to employ two-step or two-factor authentication as best practice to defend against such trickery.
- Pharming
Beyond dodgy emails, phishing also stretches to dodgy websites, where it is known as ‘pharming’. Scammers hijack a website’s domain name, and set it up to direct you to a fraudulent site where you will be asked for sensitive information.
You can check the certificate of a website on most common browsers by going to File -> Properties -> Certificates. Alternatively, some internet security products will automatically block suspicious websites, drawing your attention to potential traps.
- Dropbox Phishing
File-sharing giant Dropbox seems to be something of a magnet for phishers. Separate scammers have sent Dropbox-style emails to internet users, asking them either to validate their account (thus compromising their security details) or download a shared document (which turned out to be malware).
Again, two-step verification is the best way to stay secure – and Dropbox are happy to support this, for example if you want to use a USB key or receive a secure code on your phone.
- Google Docs Phishing
In this particularly sophisticated scam, the victim is invited to check out a document on Google Docs – and the fraudster’s fake page is indeed hosted on Google Drive, so everything seems legit.
Go for two-step verification to make your system as secure as possible, but also look out for little clues such as errors in the text of the page or the drop-down language menu.
The pace of life is pretty fast in the digital age, and it’s easy to make a mistake when you’re scanning your emails in a hurry. If you want to stay secure, however, try to take time to honor the four-step anti-phishing mantra: QUESTION the provenance of each email; CHECK they are what they say they are; REFUSE to provide sensitive information by email or to click on log-in links from your inbox; and REPORT anything suspicious to the owner of the service that is being spoofed.