Phishing. It could happen to anyone, not paying attention after a long day at the office, or perhaps the attack is just a little too plausible to raise a red flag even among the security conscious. Phishing is using some electronic means to lure a target into giving up sensitive information such as credit card information or account credentials, or opening a malicious file on a device.
Although any electronic medium can be used as a conduit for phishing attacks -- instant messaging programs such as IRC and AIM, or SMS (text messages) on your cell phone, for example -- the most common attack vector remains email. From targeted attacks on large companies to basic catchall attempts sent to a batch of gathered recipients, billions of phishing emails are sent every day.
Here is just one example of a phishing attack received recently by a colleague:
First of all, the recipient had not recently purchased a Bentley. This is a common phishing tactic, as the natural reaction is one of alarm. Someone else has compromised and used your information to buy something on your behalf. Perhaps your identity has been stolen, the worst nightmare of many in the digital age. Many such attacks are as simple as the one above, though more sophisticated attempts look like real receipts from stores such as Amazon complete with pictures of recommended products like the real Amazon receipts. Only further inspection would reveal that the email came from firstname.lastname@example.org or email@example.com, small matters that are easily missed, particularly when your heart is already racing from your potentially compromised credit card numbers.
Phishing attacks can either trick you into browsing to a dummy site that looks and feels like the original but instead sends your login to the attacker, or, as in the case above, prompt you to open a file. By hovering over the link in the email above (or holding down the link to see a pop-up with the full URL on a phone or tablet), you can see that it actually points to dropbox.com instead of bentleyclassic.com, as one would expect if this were a legitimate receipt from a vendor. File sharing sites are a common resting place for malicious files or malware. Don’t download a suspicious file without taking the necessary precautions for malware analysis; in some cases even just downloading the file is enough to infect your computer. You cannot rely solely on anti-virus software to protect you. While anti-virus is great at picking up threats it is familiar with, sophisticated malware is specifically crafted with bypassing anti-virus as a top priority. Generally speaking, though, the end user should just leave a link unclicked if there is any doubt about its authenticity.
Of course it is perfectly normal for me to send a Dropbox link to one of my friends in an email. Context comes into play with phishing attacks; perhaps that is why they are such a difficult problem to solve. Very sophisticated phishing attacks are practically indistinguishable from legitimate email, and it only takes one mistake to give attackers access to your accounts or your internal network. Here are some key points to avoid becoming a victim of a phishing attack:
- Keep calm if you receive a strange email, such as a receipt for goods you have not purchased. Rather than a sign that your details have been compromised, this is often a phishing attack.
- Check the sender address on your received emails. Even if the sender name is Georgia Weidman, make sure the address is one from which you have communicated with Georgia previously. If the sender is a business, make sure that the address for the domain is spelled correctly.
- Verify that links go where they say they do, and where you think they should. It is easy to make HTML links appear to point one place when they actually lead somewhere else entirely. Your email client should show you the actual link URL when you hover over it with a mouse or hold it down on a touch interface.
- If an email seems suspicious from someone you do know, follow up using a different medium (phone call, text message, instant message, etc.) to make sure the email is legitimate and not the result of your friend’s email account being compromised.
In these days when highly sophisticated attacks using unknown vulnerabilities are in high demand, it is sad that a simple attack that can be carried out for free and with little to no technical know-how is still so successful. Education is the best way to combat phishing scams, so make sure that end users know what to look for and how to react when they encounter this sort of attack.
This article is published as part of the IDG Contributor Network.