Cybersecurity has gone mainstream, thanks in part to the hacking of the 2016 Presidential election. But how many of us know how the attackers in this case actually achieved their ends? The truth is that one of the oldest but most effective weapons in the cybercriminal’s arsenal, undoubtedly used in those attacks, is a threat still facing all of us today: phishing.
Phishing can be the first stage in a sophisticated information-stealing attack on a large organization. But the same techniques are used by cybercriminals the world over to steal your personal information for ID theft and to spread dangerous malware. With this in mind, Trend Micro has put together a handy two-part guide giving you the lowdown on phishing attacks—what they’re designed to do, what they look like, and how you can avoid getting caught by the hoax.
Why do cybercriminals phish?
Phishing is fundamentally a confidence trick. It’s an attempt by hackers to get their hands on your online log-ins, your financial information, or other sensitive details they can use to impersonate you for monetary gain. They do this by persuading you they’re someone else—typically a familiar organization you work with. They might want to steal your bank log-ins, your Apple ID, even your Uber account credentials. ID theft is particularly dangerous, since it can open up a world of credit or purchases for them. Or they might try to trick you into downloading ransomware, crypto-mining software, banking Trojans, adware or even info-stealing malware, to help them generate profits. Phishing represents a potential cornucopia of ill-gotten gain for them.
How do they phish?
The bad guys have a wealth of techniques at their disposal, but they mostly boil down to one thing: social engineering. Fundamentally, this is the art of persuasion. As mentioned, it could mean spoofing an email to appear as if it came from your bank, asking you to update your details with them. Or perhaps it’s a ‘security alert’ that appears to have been sent by Apple or Microsoft. Or maybe it’s a required software update from Adobe, typically around Adobe Flash. Or it might even be a too-good-to-miss offer or piece of outrageous gossip to click on social media.
It’s all about getting you to click on that malicious link, open that malware-laden attachment, or submit your log-ins and personal details. Sometimes you’re taken to a separate website to submit those details, also spoofed to appear legitimate. The idea is to first target the user, rather than attack the machine directly. That being the case, if you improve your awareness of the characteristics of phishing, you can minimize the effectiveness of the phishers.
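One of the simplest checks a mail filter or a cautious reader can apply to the “click that link” trick described above is to compare what a link says with where it actually goes. The following is an added example, not code from Trend Micro or the original post: it parses the HTML body of an email with Python’s standard library, collects every anchor, and flags those whose visible text looks like a URL but points at a different host. The email body and the domains in it are constructed for the demo.

```python
"""Flag HTML email links whose visible text is a URL on a different host.

Added example (not from the original post). Uses only the standard library.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible anchor text that a reader would take to be a web address.
URL_TEXT = re.compile(r"^(https?://|www\.)\S+$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like: str) -> str:
    """Lower-cased hostname of a URL; bare 'www.x.y' text is treated as http."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlsplit(url_like).hostname or "").lower()


def find_mismatched_links(html: str) -> list:
    """Return anchors whose URL-looking text names a different host than href.

    Hosts are compared exactly; comparing registrable domains (via the Public
    Suffix List) would reduce false positives such as www.x.com vs x.com.
    """
    parser = _LinkCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.links:
        if URL_TEXT.match(text) and host_of(text) != host_of(href):
            mismatches.append({"text": text, "href": href})
    return mismatches


# Constructed sample email body (domains are reserved example names).
SAMPLE_EMAIL = """
<p>Your account needs attention. Please verify at
<a href="http://login-yourbank.example.net/verify?id=123">https://www.yourbank.example/login</a>.</p>
<p>Need help? Visit <a href="https://www.example.com/help">https://www.example.com</a>
or <a href="https://www.example.com/contact">click here</a>.</p>
"""

if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL):
        print("suspicious link: text=%r href=%r" % (hit["text"], hit["href"]))
```

The plain “click here” link is not flagged because its text makes no claim about the destination; the value of this check is specifically in links whose text promises one site while the href delivers another.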
Here are a few common generic phishing attacks:
The scammers are getting smarter
The bad news is that the phishers are refining their tactics all the time. Mobile phishing attacks are increasingly popular because users on mobile devices tend to be distracted and are therefore more likely to click through links in malicious SMS messages. Phishers are also increasingly likely to use popular events in the news to trick you into clicking, such as a major data breach like Yahoo’s or Uber’s, which you may have been caught up in.
Another tactic designed to increase the chances of phishing success is to spoof the domains of legitimate sites by using internationalized domain name text. Then too, you need to beware of new “angler” attacks, which typically involve the creation of fake social media profiles resembling brands’ support accounts. Criminals search for users contacting those companies and hijack the conversation with phishing links.
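Internationalized domain name spoofing works because browsers and mail clients may display a host made of non-Latin letters (or its “xn--” punycode form) in a way that looks identical to a familiar brand. The following is an added example, not Trend Micro’s code: it decodes punycode labels, flags labels that mix scripts, and folds a small, deliberately incomplete set of Cyrillic look-alike letters to Latin so the host can be compared against a constructed list of domains the reader trusts. The allowlist, the look-alike host and the homoglyph table are all constructed for the demo; a real deployment would use the Unicode confusables data and the Public Suffix List.

```python
"""Flag URLs whose host uses internationalized domain name (IDN) look-alikes.

Added example (not from the original post). Standard library only.
"""
import unicodedata
from urllib.parse import urlsplit

# Illustrative, deliberately incomplete map of Cyrillic letters that render
# like Latin ones. Unicode UTS #39 confusables tables are far larger.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04cf": "l", "\u0501": "d",
}


def decode_punycode_host(host: str) -> str:
    """Turn 'xn--' labels back into Unicode; other labels pass through."""
    out = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                out.append(label[4:].encode("ascii").decode("punycode"))
            except UnicodeError:
                out.append(label)  # malformed label: keep it, still flagged below
        else:
            out.append(label)
    return ".".join(out)


def encode_punycode_host(unicode_host: str) -> str:
    """Inverse helper (for the demo): Unicode host -> 'xn--' form per label."""
    out = []
    for label in unicode_host.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def script_of(ch: str) -> str:
    """Crude script classifier: first word of the Unicode character name."""
    if ch in "0123456789-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def label_scripts(label: str) -> set:
    """Set of scripts used in one label, ignoring digits and hyphens."""
    return {script_of(ch) for ch in label} - {"COMMON"}


def fold_homoglyphs(text: str) -> str:
    """Replace known look-alike letters with the Latin letter they imitate."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in text)


def assess_url(url: str, trusted_domains: set) -> dict:
    """Return host, its Unicode form and a list of findings (empty = clean)."""
    host = urlsplit(url).hostname or ""
    unicode_host = decode_punycode_host(host)
    findings = []
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")
    if not unicode_host.isascii():
        findings.append("non-ascii-host")
    if any(len(label_scripts(label)) > 1 for label in unicode_host.split(".")):
        findings.append("mixed-script-label")
    folded = fold_homoglyphs(unicode_host)
    # Naive registrable-domain guess (last two labels); production code would
    # consult the Public Suffix List instead.
    registrable = ".".join(folded.split(".")[-2:])
    if registrable in trusted_domains and folded != unicode_host:
        findings.append("lookalike-of:" + registrable)
    return {"host": host, "unicode_host": unicode_host, "findings": findings}


if __name__ == "__main__":
    trusted = {"paypal.com", "apple.com"}        # constructed allowlist
    lookalike = "\u0440\u0430ypal.com"            # Cyrillic 'р','а' + Latin 'ypal'
    for u in ("https://www.paypal.com/signin",
              "https://" + lookalike + "/signin",
              "https://" + encode_punycode_host(lookalike) + "/signin"):
        print(u, "->", assess_url(u, trusted)["findings"])
```

A host written entirely in one non-Latin script (so not “mixed”) still trips the non-ASCII and look-alike checks when its folded form matches a trusted domain, which is the case that pure mixed-script detection misses.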
So what can you do to protect yourself from phishing attacks?
Stay tuned for Phishing, Part 2: Staying Safe, where we’ll brief you on ways to stay safe from phishing attacks.