Phishing is a form of online fraud – phishing emails and phishing websites are used as bait to steal personal information and identities, usually following on from emptying bank computers or damaging businesses.

Online scams are not unknown to us. There is hardly anyone who has not received an email in our bad native language from an unknown victim who has a million dollars in his account and for some unknown reason cannot get to it, so he needs our selfless help and personal information to selflessly share his treasure with us later. The messages are varied and fanciful, but it is immediately clear that this is a scam, an online fraud attempt, criminal activity under a common name – phishing.

Just as the messages and the addresses they were sent from resemble some real-life situations and known addresses, the word phishing, when pronounced, sounds like “phishing,” which means “fishing” in English language. Fishing, angling, hunting in the mud, that’s exactly what phishing is at its core, and the methods are different and more sophisticated.

Phishing is a type of online fraud where identity theft occurs and the result is usually the theft of money.

Unlike fake bookings, where a fraudster uses a false identity to extort money from us, phishing attempts to obtain our personal information, based on which the fraudster can easily hack into our email or bank accounts.

History of Phishing

Phishing is just one of the techniques used to steal identities. It is a form of crime that has been around longer than the Internet itself. The term phishing comes from the English word “fishing,” which metaphorically describes the process by which unauthorized users trick Internet users into voluntarily giving up their confidential information.

The prefix “ph” is thought to come from the term phreaking, a now largely forgotten technique by which unauthorized users compromised phone systems. Combining these two expressions (fishing + phreaking) created a new coin called phishing.

Phishing campaigns are the biggest security risk in any organization and email itself is the primary vector for data theft, credentials, and overall compromise of an organization’s security.

Why phishing increases during a crisis?

The answer is quite simple: people are much more vulnerable in times of crisis. Lack of caution, a stressful environment and it is enough  to not pay attention to the details that can reveal a fraud.

How does phishing work?

The most commonly used phishing methods:
– a simple request from the user to send (in response) his sensitive data by email, the sender falsely pretends to be an administrator of a web service that needs this data to verify data, update the system, etc.

– fake links in emails (usually a fake or manipulated link in a message leads the user to a malicious website where they are asked to enter their username and password or other sensitive data);

– fake websites (a user may be tricked into clicking on a link that takes them to a web server that uses scripts, changes/overwrites the real URL of their website and sets a legitimate one, fooling a user into thinking they are on a legitimate website and thus collecting data as they enter it);

– fake (pop-up) windows on legitimate banking websites (“pop-up” windows with fields for entering confidential information. “Popup” window appears when visiting a legitimate web server).

– “Tabnabbing” – one of the newer methods that takes advantage of the fact that web browser users usually have multiple tabs open at the same time and one of the inactive tabs is updated, but with malicious content that mimics a legitimate web page (relies on the user’s inattention, i.e., they do not notice the new address);

Phishing emails usually look authentic and can be addresses from unknown senders or known addresses, such as those of the online advertiser we work with. Fishers are often used by addresses of Internet services such as Apple, Microsoft or Dropbox, and the messages are almost identical to those we receive in the form of various notifications from these organizations.

So, it seems that the message is coming from an organization we trust, and if we are not careful enough, we will fall for the bait. We need to check every message that asks us to enter personal information several times. Phishing emails usually contain a form or a request for data or links that lead to pages that are almost identical to the pages we normally use. These are known as phishing websites.

Phishing websites are fake websites that appear to be identical to the real sites and attempt to trick the visitor in various ways. In the case of a well-designed scam, it is almost impossible to tell a fake site from a real one.

The only way to protect yourself from phishing sites is to never sign up through links in the email, but to go directly to the service site we use. The online providers whose services we use have good security systems, and all the notifications concerning us are on their user interface. Thus, we can easily check if any unusual requests from known addresses arrive in our inbox.

In addition to the above methods, there is also a case of false inquiries. E.g. if some resident inquiries about the availability of off-peak season accommodations for a large group for more days. This sounds too good and our caution wears off as we all hope for such guests. However, after the initial, unsuspecting email communication, the potential “guest” immediately requests our personal information. This is when we need to be extra careful and find a way to make sure the request is not fake. It is desirable and permissible to Google the guest, their name and email address and continue the communication to ensure the request is true.

How to recognize phishing?

1.Who is the email intended for?

Many phishing emails use a generic greeting to the recipient (e.g. Dear Customer) before calling the recipient by their real name. This is especially important if you receive an email from an organization to which you have personally provided your information (e.g., PayPal). If you have provided your details to the organization, your name can be inserted into the name of the email using very simple technology.

So, if your name is missing from the email address, it is very likely that the “reward”, “gift” and “special occasion” is a big scam! Of course, this does not mean that every email that begins with Dear Customer is of dubious credibility – more often than not, phishing emails have other identifiable characteristics as well!

2.The credibility of the email address and domain

Sometimes messages received may appear to have been sent from a genuine address, but in reality, the message is unrelated to the original, real organization supposedly behind such a message. Reputable organizations, in most cases, use their own domains (or addresses) to associate with their websites.

You can check this feature by hovering over the address the message was sent from and verifying that it is real. Sometimes the differences are very small, in added numbers or letters to make it look as credible as possible. But again, keep in mind that the same organization can have different domains for different purposes.

3.Grammar and spelling of the message

This is one of the very old but useful tricks. Most reputable organizations will compose and send an email that is flawless in spelling and grammar and has the right “tone” and purpose. This type of writing is consistent across different messages. Despite the technological advantages and greater sophistication of phishing attacks, grammar and spelling errors are still common. Therefore, reading messages carefully can prevent the theft of personal information.

4.Requested information or actions by the recipient

“Real” companies will not email their users asking for personal information. If the email contains a link or attachment with instructions to collect sensitive information to accomplish something (e.g., a tax refund) or avoid something (e.g., close an online account), it is likely phishing.

In addition, domestic companies strive to communicate with their customers in a consistent manner. If their emails do not contain links and you now receive numerous links at once, this could be a sign that it’s a scam. This consistency also applies to the writing style of the messages as well as the reason the other person is contacting you.

Phishing emails sometimes try to get the user to do what they want by blackmailing them that undesirable consequences will occur if the request is not carried out. It is also possible for the attackers to first send an initial email asking the recipient to respond. If the recipient responds, a link or attachment intended for the scam will likely appear in the next email. This is how we try to play the “loyalty and consistency” card we have already pointed out.

5.Links

Most phishing emails tend to redirect users to websites where they are supposed to leave their private information. Genuine organizations can also send links, but links are extremely common in the phishing world, so it’s important to check them more closely. You can verify the authenticity of the link by comparing the link to the domain of the email. If the link does not match the domain of that domain’s regular website, it’s probably a scam! In addition, phishing emails may ask their recipients to take different actions that lead to different URLs. But if you look closer, all the links lead to the same place and are looking for the same data. Sometimes an entire email is sent as a link, and if the recipient clicks anywhere on it, the link takes them to a fake website.

6.Attached documents

If the email is unexpected and contains attachments, it is likely a scam or some other form of online violence. Of course, many credible organizations send attachments to their users and customers. Therefore, it is helpful to think about the style of the email written and its purpose before classifying it as a scam. Some attachments may contain malware that can harm your computer. Special care should be taken with attachments with the following extensions: .exe, .msi, .jar, .bat, .cmd, .js, .vb, .vbs, .scr, .psc1

Types of phishing attacks

Email scam
Phishing attacks, in their most common form, are emails that ask the recipient to do something, usually to achieve one of two goals:

• to deceive you and get you to divulge personal information
• to trick you into downloading malicious software

Once you have given them access, the hackers can access your bank account, steal your identity, or make purchases in your name.

In recent years, email scams have increased by more than 400%. The growth and success of email phishing has also led to limitations of this method.

SMiShing
As the name suggests, SMiShing is similar to email scams but scams users via text message. Many are familiar with email phishing, but fewer people distrust text messages, which increases the likelihood of falling for scams.

Spear phishing
Spear phishing uses the same methods as the above scams, but targets a specific person. You may receive a series of emails designed to trick you into taking a certain action. Spear phishing attacks can also target you across multiple messaging platforms.

Whaling
Similar to spear phishing, whaling also targets an individual or organization. However, it’s usually someone with a lot to lose, such as CEOs, celebrities, politicians, or wealthy families.

There are countless phishing scams, but they use a similar lure to fool their victims: Social media phish, Search engine phishing, Angler Phishing, Voice phishing, Internal phishing, Content Injection, CEO Fraud, Fake Websites, Clone Phishing, Pharming, Tabnabbing, Covert Redirect, Mobile Phishing, Session Hijacking, Evil Twin Wi-Fi, Pop-up phishing…

Tips to help prevent phishing attacks

In addition to the caution already recommended and checking senders of unknown email addresses, not opening attachments or clicking on links in unverified emails, there are a few other ways to protect yourself from phishing attacks:

Avoid pop-ups
A phishing attack may use pop-up banners that appear on known and verified websites. A pop-up may look like a sign-up form on a familiar site. We should never sign up on a pop-up site.

Use multi-factor authentication
Wherever possible, protect yourselves with multiple steps, such as a password and some other personal information, just as most banks now use a few steps to log in or confirm a money transaction. A token is one of the most secure ways to protect sensitive information.

HTTPS or HTTP?
All banks use https: // in the address of their websites because such websites are harder to hack. Please check the prefix of the address before entering personal data.

Use a VPN
A VPN is a virtual private network, the use of which creates an additional barrier between your computer and virtual networks. A VPN takes care of encrypting the data coming from our computer so that the Internet world sees us as part of the VPN network and cannot monitor the data to our computer. It is possible to connect to a VPN server through several servers. The most reliable of them are NordVPN, Pia, Express VPN and others.

Change your passwords more often
When was the last time you changed your email account password? Do that…

What to do if you have been a victim of a phishing attack?

– Report it! The police are always a good choice.
– Change your passwords.
– Scan your computer for viruses and malware.

5 ways that your company can do to increase its phishing awareness

1. Employee awareness training
2. Deploy email security solutions
3. Make use of endpoint monitoring and protection
4. Conduct phishing attack tests
5. Limit user access to high-value systems and data

Conclusion

Phishing teaches us that it is not enough to protect a website from hackers using only high-quality security tools such as Virusdie, but that we also need protection from other security threats. This protection lies mainly in our mutual responsibility and caution. The online world is great as long as you do not encounter scammers. Just like in the real world. Therefore, always be careful.

———

Article by Ivica Delic
founder of FreelancersTools,
exclusively for Virusdie.

Join our private Facebook group to get help from other security experts, and share your own web security experiences and expertise. Group members receive exclusive news and offers. They can also communicate directly with the Virusdie team. Join us on Facebook.