If something online seems too good to be true, it usually isn’t.
Phishing is one of those things that masquerade as legit and trustworthy to get a hold of your money, the kind of play-pretend I would call “phisy.” The bigger the company, the more complicated the consequences may get.
More often than it should, “phishy” isn’t “phishy” enough to stop one’s itchy finger from clicking on that temptatious link and from giving their sensitive information, thus compromising their entire company.
But just how “phishy” is Phishing actually? Keep reading to make sure you and your organization steer clear from it and its nasty consequences.
What is Phishing?
This form of online fraud uses subtle and cunning social engineering tricks that enable cybercriminals who push just the right psychological button to steal the victim’s sensitive data, which is far easier than breaking through a computer’s or a network’s security system.
Phishing is a type of cyberattack in which the attacker poses as a reputable entity or person, using diverse ways of online communication to distribute malicious links or attachments that can perform a variety of functions, but to one single end: stealing the victim’s data and money.
How does it work?
Usually, this sneaky but in plain sight attack will be carried out via email, but it can also target its victims via direct messages or SMS, also known as smishing.
Sometimes, phishers can access public sources of information to gather background data about the victim’s personal and professional history, interests, and activities, topically through social networks such as LinkedIn, Facebook, and Twitter.
All the information gathered can help craft a believable email, increasing the likelihood of the attack succeeding.
Other times, the attack isn’t specifically directed at someone or a certain organization. It is sent in bulk, and it only takes the unfortunate combination of unlucky and unprepared for you to become a victim.
Typically, the victim receives a message that seems to have been sent by a known contact or organization. The attack is then launched either via a malicious file attachment or through a link directing to a malicious website. Either way, the goal is to install malware on the targetted device or direct the victim to an illicit website, usually a fake login page asking for credentials and financial data.
Although some cybercriminals might get lazy from time to time and send out poorly written phishing emails that scream “scam” in your face, you shouldn’t breathe a sigh of relief just yet. The phishing trickery is getting increasingly sophisticated, leveraging the same techniques professional marketers use to identify the most effective types of messages.
How do you spot Phishing?
Successful phishing messages are difficult to distinguish from real ones. They often appear to be from well-known companies, including details such as corporate logos and other specific characteristics.
However, here are 8 red flags that may indicate you are being subjected to a phishing attempt:
- The recipient uses a Gmail or other public email address instead of a corporate email address.
- The message uses subdomains, misspelled or suspicious URLs.
- The tone of the message invokes fear or urgency.
- The message includes a request to verify personal information.
- You are offered coupons.
- The message includes a fake invoice.
- You are required to click on a link to make a payment.
- The message says they’ve noticed suspicious activity or login attempts.
How do you prevent Phishing?
Experts recommend layering security controls to prevent phishing messages from reaching users, which include:
- choosing a reliable antivirus software;
- enabling both desktop and network firewalls;
- installing antispyware programs;
- installing an antiphishing toolbar in web browsers;
- gateway email filter;
- web security gateway;
- a spam filter;
- phishing filters from trusted vendors, such as Microsoft.
All these security measures are even more recommended for enterprises. Mail servers should make use of at least one email authentication standard to verify inbound emails and block all messages except for those that have been cryptographically signed.
Although software tweaks can prove to be helpful in preventing phishing, phishers prey on human interaction, deeming the psychological factor as the prime target, which is why Cybersecurity Awareness Training is highly recommended.
Everything said, what degree of “phishy” makes you click away instantly from a phishing attempt?