The word “phishing” is known even to people who rarely use the Internet: phishing attacks have done so much harm that they are regularly covered on TV and radio and written up in newspapers. Yet if you have so far been spared this danger, you may not know what a phishing attack actually is.
In this post, we will talk about what phishing attacks are, their main features and goals, what techniques hackers use during such attacks, and we will advise on how not to become a victim of phishing.
What are phishing attacks?
As the name suggests, phishing has something in common with what fishermen do. It is true! A phishing attack lures, or one might say fishes, sensitive data out of unsuspecting users. Phishing is interesting because it is an attack in which the exploited vulnerability is not a flaw in the targeted system but its user’s inattention. Attackers can often do without malicious programs at all, limiting themselves to social engineering. At bottom, phishing is just a scam, but since it is carried out in a modern information technology environment, it also counts as a cyber threat. The potential harm from phishing attacks is enormous.
How does it work?
So, first of all, phishing attacks are always impersonation and deception. Posing as someone the victim trusts, attackers lull users into revealing sensitive data: passwords, for example, or credit card details.
A phishing attack is most often carried out by email, as email looks the most official and gives the attacker more room for manoeuvre than, say, instant messengers.
A typical example is a message from a large company, such as Facebook, saying that all users have to change their passwords; to do so, follow this link, the message says. The linked page, just like the real service would, asks you to enter your old password first. A trusting user types in their password and then invents a new one. But all the victim has really done at that point is send their actual password to the thieves.
Why does the user even believe that the letter is from Facebook in the first place, you might ask? And this is where spoofing comes into play.
Spoofing is the part of a phishing attack that concerns the appearance of the fraudulent scheme: counterfeit signs that you are dealing with a reliable counterpart. For example, you receive a message saying that a parcel addressed to you has arrived through FedEx. To make you take the bait, the message carries a convincing FedEx logo, the sender’s email address closely resembles the real service’s address in spelling or meaning, and so does the website the link points to.
You can hardly imagine phishing without spoofing. Fortunately, some things can easily give a spoof away. First of all, these are the sender’s email address and the addresses of the websites the links lead to. Compare the registrable domain of the site you are about to be sent to with the legitimate one: that is the name just before the top-level domain, together with the top-level domain itself. Facebook customer support might be on help.facebook.com (“com” is the top-level domain, “facebook” the second-level domain, so the site belongs to facebook.com), but certainly not on help-facebook.com, and not on facebook.com.example.net either, where “facebook.com” is merely a subdomain of someone else’s site.
In addition, a fake site that uses plain HTTP instead of HTTPS is an obvious red flag; it is easy to check by looking at the very beginning of the address. The reverse does not hold, though: certificates are free today, so most phishing sites also use HTTPS. The padlock means only that the connection is encrypted, not that the site belongs to who it claims.
Also look for errors, both accidental typos in the message text and deliberate distortions. The latter make website or email addresses look similar to the original ones: “rn” in place of “m”, a zero for the letter “o”, a hyphen where the real name has a dot, or letters from another alphabet that look identical.
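The sender-address, link-domain and HTTPS checks described above, as an added example that is not part of the original post. It uses only the Python standard library; the email message, the trusted-domain list and the short suffix table are constructed for illustration and are assumptions, not real data.

```python
"""Sender and link checks for a suspicious email (added example, not the
post's own code). The sample message, TRUSTED_DOMAINS and the suffix table
are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Registrable domains we expect to see (assumption: a small sample allowlist).
TRUSTED_DOMAINS = {"facebook.com", "fedex.com"}
# Suffixes where the registrable name is one label deeper (e.g. bank.co.uk).
# The real public suffix list is far longer; this is a constructed sample.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed sample message showing the tricks discussed in the text.
SAMPLE = """From: Facebook Security <security@facebook-support.example>
Reply-To: helpdesk@evil.example
To: victim@example.org
Subject: Password reset required
Content-Type: text/html; charset=utf-8

<html><body><p>All users must reset their passwords.</p>
<a href="http://help-facebook.com/reset">https://help.facebook.com/reset</a>
<a href="https://facebook.com.evil.example/login">Log in</a>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, or three when the suffix has two labels."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_url(url: str) -> list:
    """Warnings for a single link; an empty list means nothing looked off."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        warnings.append(f"not HTTPS: {url}")
    if parts.username is not None:
        # https://facebook.com@evil.example/ actually goes to evil.example
        warnings.append(f"userinfo before host hides real host {host!r}")
    if "xn--" in host or not host.isascii():
        warnings.append(f"internationalised (possible look-alike) host {host!r}")
    reg = registrable_domain(host)
    if reg not in TRUSTED_DOMAINS:
        # Catches help-facebook.com and facebook.com.evil.example alike
        warnings.append(f"link goes to {reg!r}, not a trusted domain")
    return warnings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_message(raw: str) -> list:
    """Run the sender and link checks over a raw RFC 822 message."""
    msg = message_from_string(raw)
    warnings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    from_dom = registrable_domain(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""
    if from_dom not in TRUSTED_DOMAINS:
        warnings.append(f"From address domain {from_dom!r} is not trusted")
    if "@" in reply_to and registrable_domain(reply_to.rsplit("@", 1)[-1]) != from_dom:
        warnings.append(f"Reply-To {reply_to!r} differs from From domain")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        warnings.extend(check_url(href))
        # Link text that looks like a URL but points somewhere else is a classic trick
        if re.match(r"https?://", text) and registrable_domain(
                urlsplit(text).hostname or "") != registrable_domain(urlsplit(href).hostname or ""):
            warnings.append(f"link text {text!r} does not match target {href!r}")
    return warnings


if __name__ == "__main__":
    for line in analyse_message(SAMPLE):
        print(line)
```

Run against the sample, it flags the untrusted From domain, the mismatched Reply-To, the plain-HTTP link, the hyphenated look-alike domain, the “facebook.com” that is really a subdomain of evil.example, and the link whose visible text differs from its target. A mail client does essentially the same when it shows the real address behind a link on hover.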
Still, the phisher’s main weapon is social engineering. A phishing attack relies on you not having doubts; if the victim starts to doubt, the attack has failed. The whole point is to create an illusion that does not even raise questions. Often, phishing is a targeted campaign, not a random spam mailing but a spear-phishing attack on a specific victim. Oddly enough, this is where attackers are on shakier ground: by impersonating someone you know, or at least someone you expect to hear from, they have to get the details right. So pay attention to the nuances. If something about a friend’s or colleague’s request seems strange, check whether you are dealing with a phishing attack. The best way to do this is to contact the sender through a different channel, such as a phone call to a number you already have.
Motivation for Phishing
- Withdrawal of funds
If the victim has handed the scammers their credit card, bank account or e-wallet details by entering them into a payment form they took to be legitimate, the perpetrators’ next step is easy to predict.
- Identity theft
If, as a result of a phishing attack, the villains obtain the victim’s password for a social network account, everything is ready for identity theft. Before the victim realizes that something is wrong, and before they can warn everyone they know that the account has been hijacked, the attackers will do a great deal under the stolen identity. Most likely, this will be an attempt at financial fraud or at infecting the victim’s contacts with malware.
The greatest danger is phishers getting the password to the user’s email account, since it can unlock many other accounts through the “Forgot password” function. Protecting against such a disaster requires two-factor authentication. Bear in mind, though, that one-time codes sent by SMS or generated by an app can themselves be phished in real time by a fake login page that relays them to the real site; hardware security keys and passkeys (FIDO2/WebAuthn) tie the login to the genuine domain and resist that trick.
- Infection with malware
Malicious programs have become a thoroughly commercial phenomenon. Ransomware, crypto miners, enrolment in a botnet, spyware, adware: all of these can befall a phishing victim and their contacts. Moreover, infection can be either the primary goal of the initial attack or a secondary, opportunistic one.
How not to become a victim of a phishing attack?
- First of all, be vigilant! It is the golden rule for any Internet user. No matter how tempting the subject lines in your inbox are, don’t even open suspicious emails. If you have already opened a message and realize that you do not recognize the sender, or do not immediately understand how the message relates to you, do not download or open the attached files or follow the links it contains. The same goes for messages from unfamiliar senders on social media and messaging apps.
- Remember that a phishing attack can be aimed at you personally, so any oddity in an otherwise ordinary email should also put you on guard. Check the sender’s address and the website a link actually points to (hover over the link rather than clicking it); double-check everything that can be checked.
- Remember that no company will ask you for your password by email. It is as unthinkable as a bank teller asking you for your card’s PIN over the phone. Your passwords, your card’s PIN and your card details are meant solely for your interaction with automated systems, and even among those, only the ones you can trust.
- Install an effective antivirus system. No, it will not save you from phishing scams; there is no protection against those except your own vigilance. But it will reliably protect you against the malicious programs that scammers may try to install on your computer. Loaris Trojan Remover is a multifunctional program that will quickly clean your device of any known harmful program. In addition, Loaris TR Internet Security will warn you if a link tries to redirect you to an unsafe website.