What Is Phishing And How To Avoid It
Phishing – an explanation
Phishing is not new; in fact, it predates computers. Before the widespread use of the PC, it was called social engineering, and crackers used the phone to extract sensitive information from their unsuspecting victims. Only the delivery system has changed: fake web pages and spam have replaced the phone.
Types of phishing scams
Phishing attacks vary according to the attacker’s objective, and the complexity of the fraud and the quality of the forgery vary considerably. Targeting specific individuals (spear phishing) or C-level executives (whaling) is also popular. A common type is deceptive phishing, in which fraudsters impersonate a legitimate company and attempt to steal personal information and login credentials, using scare tactics and a sense of urgency to pressure users into complying with the email. A more devious attack is pharming, which poisons the domain name system (DNS) cache so that a correctly typed address resolves to the attacker’s site.
Spear phishing is a form of attack targeting specific individuals, roles or organisations. Attackers do in-depth research on the person or organisation they target, making the attack more believable and increasing its chance of success.
“Whaling” describes spear phishing attacks directed at executive officers or other high-level targets in business or government. The goal is to trick the target into disclosing sensitive corporate or governmental information through social engineering, email spoofing and content spoofing efforts. Sending your executive team on security awareness training helps prevent successful “Whaling” expeditions.
Deceptive phishing is the most common type of phishing scam. The intention is to impersonate a legitimate company’s official correspondence convincingly. To protect yourself from this kind of attack:
- Always check the URLs for redirections to unknown websites
- Look for generic salutations
- Check for grammar and spelling errors scattered throughout the email
Pharming is a scamming practice that installs malicious code onto a PC or server and redirects the user to fraudulent websites without their knowledge or consent. Pharming is often called “phishing without a lure”.
Phishing scam techniques
Some of the more popular phishing techniques are:
- Embedding a link in an email that redirects you to a scam website
- Installing a Trojan via an email attachment that allows the intruder to obtain sensitive information
- Changing (spoofing) the sender address in an email so that it appears to come from a reputable source, then requesting confidential information
- Requesting confidential company information over the phone by impersonating an employee
There are both human and technological aspects to consider in preventing the organisation from falling victim to phishing attacks.
Do not respond to emails requesting financial or personal information:
For security reasons, banks and reputable organisations never send emails requesting confirmation of account numbers, PINs or any other personal information. Phishers often use scare tactics when requesting personal and financial information (e.g. “Urgent – your account details may have been stolen”) to get an immediate response from the recipient.
Do not click on embedded links in suspicious emails:
Phishing emails often contain embedded URLs that redirect you to a fictitious site asking you to enter your financial or personal information. Instead, type the URL into your browser yourself to see where it takes you. Never click the link, as the visible link text and the address it actually points to can differ, taking you to a site other than the one shown.
Protection through software
The combined use of anti-malware and anti-spyware software and a correctly configured firewall can help prevent phishing attacks. Also, ensure that all software is kept up to date.
Phishing is a form of fraud in which the attacker attempts to steal personal information, such as your computer username and password or your banking details, to gain access to your accounts. Educating end-users about these threats and implementing anti-malware and anti-spyware solutions will reduce the phisher’s success rate.