Quick guide to phishing
Phishing… it’s a scam where an Internet user is tricked (usually by a deceptive email message) into revealing personal or confidential information that can then be used illicitly by the scammer. It all starts with an email from something that appears to be from a trustworthy source designed to lure a victim. The message could look like a request from the bank, your Internet provider, or even the company you work for or follow. They usually contain a link to click or an attachment to download.
Phishing has been around for more than ten years; “Back then, because personal computers in the home combined with Internet usage were a fairly new experience, this method proved quite effective but was not observed with as much population as phishing is today.” (James 2005)
The first phishing attack against financial institutions was reported in 2003. Companies with all the expensive firewalls, SSL certificates, and IDS rules could not foresee the most critical threat of them all: the human element.
Anyone with an email address has probably received a phish, and most of them have clicked.
Why is Phishing so dangerous?
Because of the rise of COVID-19 cases, many companies have experienced changes in their working conditions, increasing remote work, and, therefore, the use of email.
Although phishing has been around for a long time, cybercriminals are taking advantage of the situation, knowing most people are working from home.
According to Infosecurity Magazine, email phishing attacks have spiked over 600% since the end of February 2020 due to the Coronavirus pandemic.
How to identify a Phishing email?
The first step is the easiest one, but sometimes the one we often forget: Take time to evaluate! Use these questions from Phishing expert Christopher Hadnagy² as a guide to identifying phishing.
- Does the email come from someone I know?
- Was I expecting this email?
- Are the requests being asked reasonable?
- Does this email employ the emotional content of fear, greed, or curiosity, or, most important, does it try to get me to take action?
Once you took your time to answer those questions, consider that phishing emails usually:
- Look identical to messages from a real reputable organization
- Sound urgent and try to create fear
- Claim to have important information or breaking news leading to an attachment or a link
How to stay protected against a Phishing attack
Use these steps from the European Union Agency for Cybersecurity to avoid taking the bait:
- Take time to reflect on a request for your personal information and whether the request is appropriate. Do not open any unsolicited email from people unfamiliar to you or click on suspicious attachments that you did not expect.
- Never supply any personal or financial information and passwords to anyone via email.
- Avoid emails that insist you act now. Phishing emails often try to create a sense of urgency or demand immediate action.
- Look for wording and terminology. Apart from phishing, cybercriminals could also trap a specific person via spear-phishing using the receiver’s full name. Check for terms and language that are normally expected in the type of email you receive.
- Check the sender details. Check the sender’s name, email address and whether the email domain matches the organization that the sender claims to be from. If not, it is probably a phishing attempt.
- Check the link before you click. See your emails in plain text to check for the hyperlinked address to see the real hyperlink. If it is not the same as what appears in the email, it is probably a phishing attempt.
- Keep an eye out for spelling and grammatical mistakes. If an email includes spelling, punctuation and/or grammar errors, it could be a phishing email.
- Be wary of third-party sources spreading information about COVID-19. Refer to the official websites for updates on COVID-19. Fraudulent emails can look like they come from a real organization, but legitimate government agencies will never call you or email you directly for this information.
- Protect your devices. Install anti-spam, anti-spyware, and anti-virus software and make sure they are always up to date.
- Visit websites by typing the domain name yourself. Most businesses use encryption and Secure Socket Layer (SSL) / Transport Layer Security (TLS). If you receive a certificate error while browsing, consider it as a warning sign that something is not right with the website.
- We recommend that you keep your private address secret and only use it for official transactions. For your other activities, use an email alias, that way, you can quickly end on-going phishing attempts without compromising your mail email address.
What to do if you become a victim of phishing
- If you have clicked on a link or opened an attachment that downloaded harmful software, update your computer’s security software and run a scan.
- If you entered login credentials to access information, change them immediately.
- If you have provided your bank details, contact your bank or credit card company.
Protecting ourselves against scams is both a feasible and essential step. If you receive a phishing email, you should:
- Report it to your IT department by compressing/zipping the email file and forwarding it as an attachment. (This prevents the message from being opened accidentally which could activate the scammers tracking pixels etc.)
- Delete it.
- Notify the organization being spoofed to prevent other people from being victimized.
James, Lance (2005) “Phishing Exposed.” (1st ed.) Syngress Publishing Inc.
Hadnagy, Christopher (2015) “Phishing Dark Waters.” (1st ed.) John Wiley & Sons, Incorporated.
European Union Agency for Cybersecurity. “Understanding and dealing with phishing during the COVID-19 pandemic.” May 6, 2020 from: www.enisa.europa.eu/news/enisa-news/understanding-and-dealing-with-phishing-during-the-covid-19-pandemic