How Do They Work?
Phishing scams usually consist of sending bulk e-mails to a large number of unsuspecting users. These e-mails often use bait such as fake competition winnings, false promises of rewards or a warning that an account has been compromised, to lure the recipient into clicking a bad link or downloading an attachment. Doing so will either install malware on the computer or take you to a fake website that steals your data.
Regular phishing e-mails are both easy to spot and automatically blocked by e-mail services and security tools alike; however, there is a more dangerous version – the spear phishing attack. This is a targeted version of the scam and a more direct attack, in which tailored personal information is included in the message to improve the chances of tricking a particular victim. Unfortunately, these kinds of e-mails are a lot more difficult to spot and have a reasonably high success rate.
How Can I Protect Myself?
The first thing you need to do to make sure you’re protected is to be wary of any attachments and links contained within e-mails – even from a source you consider trusted. By hovering your mouse over a link before clicking it you will see the real URL appear; make sure that the link points to a reliable source. The best thing you can do is to avoid clicking anything at all and to manually type the proposed link into a search engine so that you know it is safe.
Using Twitter as an example, you will know that URLs can sometimes be shortened. Attackers also use this method to obscure the destination of their links. If you’re not sure where a shortened link leads, use a service such as www.getlinkinfo.com to expand it first.
A general rule of thumb is to be wary of any password reset sent to you by e-mail, even if it looks like it is from a trusted source such as Google. If you need to change a password, go to the website directly. As for attachments, it is best to be wary of them and to have antivirus software installed that can scan attachments before you open them. Most e-mail services already have these features and, if not, will be able to integrate with whatever antimalware solution you have installed on your computer. Be particularly aware of any password-protected .RAR archive, as the scanner cannot inspect its encrypted contents and it will therefore bypass the virus scanning software.
Below is an example of a spear-phishing scam. Note how, although it is signed off by Google, the e-mail address at the top is from a gmail account.
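The three tells described above (a link whose visible text does not match its real destination, a shortened link that hides where it goes, and a message signed off by a brand but sent from an unrelated domain) can be checked mechanically before anyone hovers or clicks. The following Python script is an added example written for this article, not part of the original post or of any product; the e-mail it inspects is a constructed sample, and the brand-to-domain table and shortener list are assumptions that a real deployment would maintain properly.

```python
"""Flag common spear-phishing tells in a raw e-mail: display-text/href mismatch,
URL shorteners, and a sender domain that does not belong to the brand the
message claims to be from. Added example; the sample message is constructed."""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: signed "Google" but sent from a gmail.com address, with
# one link whose visible text disagrees with its href and one shortened link.
SAMPLE_EMAIL = """\
From: Google Security <account-team@gmail.com>
To: you@example.com
Subject: Unusual sign-in detected
Content-Type: text/html

<html><body>
<p>We detected a sign-in from a new device. Reset your password now:</p>
<p><a href="http://accounts-google.example-login.net/reset">https://accounts.google.com/reset</a></p>
<p><a href="https://bit.ly/3xyz">View activity</a></p>
<p>Thanks, The Google Accounts Team</p>
</body></html>
"""

# Assumption for this example: domains a genuine message "from Google" is sent
# from. A real filter keeps a curated per-brand list.
BRAND_DOMAINS = {"google": {"google.com", "accounts.google.com"}}
# Assumption: a short list of well-known link shorteners.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Crude 'site' name: the last two labels (a public-suffix list would do better)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 822 e-mail."""
    msg = message_from_string(raw)
    findings = []
    sender = msg.get("From", "")
    # "Name <user@domain>" or bare "user@domain": take what follows the last "@".
    sender_domain = sender.rsplit("@", 1)[-1].rstrip(">").lower()
    body = msg.get_payload()

    # Tell 1: the body name-drops a brand, but the sender domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        brand_sites = {registrable(d) for d in domains}
        if brand in body.lower() and registrable(sender_domain) not in brand_sites:
            findings.append(f"claims to be {brand} but sent from {sender_domain}")

    parser = LinkExtractor()
    parser.feed(body)
    for text, href in parser.links:
        real = host_of(href)
        # Tell 2: link text shows one site, the href (what hovering reveals) another.
        if text.startswith(("http://", "https://")) and host_of(text) != real:
            findings.append(f"link text says {host_of(text)} but goes to {real}")
        # Tell 3: shortened link; expand it (e.g. via a link-info service) before trusting it.
        if real in SHORTENERS:
            findings.append(f"shortened link hides destination: {href}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

The display-text check is exactly what hovering over a link shows a human: the text says accounts.google.com, the destination is somewhere else. The sender check is the gmail-versus-Google mismatch from the screenshot. The shortener check only flags; expanding the link is left to a service such as the one mentioned above, since this script runs offline.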
Finally, the best way to protect your credentials from thieving hands is to set up two-factor authentication (2FA). This adds a second level of authentication to an account log-in. When you have to enter only your username and one password, that’s considered single-factor authentication. 2FA requires the user to present two of the three types of credentials before being able to access an account. The three types are:
- Something you know, such as a personal identification number (PIN), password or a pattern
- Something you have, such as a credit card, phone, or key fob
- Something you are, such as a biometric like a fingerprint or voice print.
By doing this, even if someone manages to get hold of your username and password, they will still need the second factor to have any chance of accessing your account.
In essence, the internet is full of phishers. Consider applying some of these tips to make sure you don’t fall victim. If you would like any advice or help with making sure that the online side of your business is secure then Increase the Wedge can help.