What is phishing and how to prevent it

There are hundreds of different attack strategies used by cybercriminals. One of these techniques is phishing. Although it is an older strategy, it is still used successfully by cybercriminals, with new variations being devised and deployed. But what is phishing, and how can you prevent it?

What is Phishing?

Phishing is a form of cybercrime in which the attacker contacts someone while claiming to be from a reputable company, with the aim of tricking the user into handing over sensitive, confidential and crucial personal and organizational data, or of deploying malicious software such as ransomware. Your bank details and your company access password are the pieces of information most sought after by cybercriminals.

What are the different types of phishing?

There are different types of phishing techniques used by scammers, and the list keeps growing as cybercriminals think of new ways to gain access to the information they need. As internet technology and services evolve, hackers look for new opportunities to exploit weaknesses in security systems and gain access to confidential information, which can lead to users being caught by more recent and less well-known types of phishing attack. We explore some of the different types of phishing scams below:

  • Deceptive phishing
  • Spear phishing
  • Whale phishing
  • Pharming
  • Smishing
  • Google apps
  • Fake invoices

What is deceptive phishing?

Deceptive phishing, or email phishing, is the most common type of phishing attack and has been used for decades. A fraudulent, well-crafted and manipulative message is sent that impersonates a legitimate organization. Usually there is only a slight variation in the sender’s email address, which can often go unnoticed by regular internet users. The email contains a link that leads to a fake webpage or installs malware on your device. These messages are not personalized or targeted at a specific individual and are also known as “bulk” phishing. The intention is to hack your data and gain access to your confidential or secret personal information.

What is Spear Phishing?

Spear phishing is a strategy aimed at people who work in a particular company or industry, with the aim of gaining access to the real target: the company itself. The emails are personalized and tend to use logos and email signatures, so they are presented as a corporate marketing campaign and leave very little room for the recipient to doubt their authenticity.

What is Whale Phishing?

Whale phishing is a highly targeted phishing attack aimed at the “big fish” in an organization – senior executives, including business owners, managers and key personnel. The attackers carry out intensive research beforehand and, to appear legitimate, the emails are personalized and mention essential details of the organization. The sender uses an email address similar to that of the tax department or another government agency and often requests crucial information or a money transfer. The overall impression of the email is very professional, but since it targets senior, well-informed staff, its success rate is quite low.

What is pharming?

Pharming is another phishing strategy in which fraudulent emails appear to come from genuine sources such as banks and social media sites. These emails ask you to perform an urgent action on your account, ranging from changing your password to taking security measures, and manipulatively redirect you to a fake webpage. Pharming not only involves fraudulent emails; it also manipulates the DNS cache. The fake site uses the same web address as the genuine one and looks exactly like the original site. It asks for your login details and hijacks your accounts.

What is Smishing?

Smishing is a type of phishing attack that uses SMS. You receive fake text messages that either ask for a direct response or contain a link to a phishing website, which often looks like a site you know well.

Can I be hacked through Google apps like Docs?

A large number of Internet users are dependent on Google applications, from the Play Store to Gmail. A Gmail account lets you access and use a wide range of Google services. Most people use Google Docs, Sheets, Drive and other Google apps to store documents and photos, as it seems very convenient and safe. This is why hacking Google passwords is one of the main goals of scammers. They design emails and send them to Gmail users, directing them to a fake Google login page. Once you enter your password, your account and all the files stored in it become accessible to the scammer.

Additionally, in early 2022 it was reported that Google Docs’ commenting feature was being exploited to send seemingly legitimate emails that convince targets to click on malicious links. The threat actor creates a Google Docs document and adds a comment containing the malicious link; the victim is mentioned via the “@” function, which triggers an email with a link to the Google Docs file. The email shows the full comment, including the bad links and any other text added by the attacker.

Can I be scammed from an invoice?

Yes. Fake invoicing is a type of phishing scam in which an invoice or bill is sent to a business or individual requesting payment for goods or services. It can take the form of a request for funds, a notice that the payment due date has passed, or a notification of a change in payment details.

How to prevent phishing

Phishing attacks are a growing concern for businesses. According to a recent IBM report, phishing is the second most common cause of data breaches, but it is also the costliest, costing businesses an average of $4.91 million. So what steps can your business take to prevent phishing attacks?

  • Check the content
  • Check all links
  • Secure your identity
  • Digitally signed emails

Check the content

Most scam emails have many flaws in their content. Although most phishing emails come straight to you and use personal information to trick you, they rarely get every detail right. If you carefully examine the subject and content of these emails, you can get an idea of their authenticity.

  • Beware of attachments – are you expecting them (e.g. an invoice or file upload)?
  • Be careful when giving out sensitive information such as login credentials, credit card details, phone numbers or bank details
  • Watch out for bad grammar and spelling mistakes


The main trick scammers play is creating a sense of urgency in their phishing emails. You only fall into the trap if you act hastily, so it is essential to stay calm, think before you click and act wisely.
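The content checks above (unexpected attachments, requests for credentials, urgency language, and a sender address that is not quite right) can be turned into an automated triage step for a mail gateway or a SOC analyst. The following Python script is an added example, not code from the original post or from GlobalSign; the two messages it parses are constructed samples, and the sender allow-list `TRUSTED_SENDER_DOMAINS`, the phrase lists and the finding codes are assumptions made for the illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample messages (not real phishing mail). They exercise the
# signals the "Check the content" section lists: an unexpected attachment,
# a request for credentials, and pressure to act quickly.
SUSPICIOUS_RAW = """\
From: "Acme Bank Security" <alerts@acme-bank-secure.example>
Reply-To: verify@mail-acme.example
To: jane@example.org
Subject: URGENT: your account will be suspended within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear customer,

We detected unusual activity. Verify your password now or your
account will be locked. Open the attached invoice for details.

--b1
Content-Type: application/octet-stream; name="invoice_4421.pdf.exe"
Content-Disposition: attachment; filename="invoice_4421.pdf.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

BENIGN_RAW = """\
From: "Acme Bank" <statements@acme-bank.example>
To: jane@example.org
Subject: Your March statement is available
Content-Type: text/plain; charset="utf-8"

Your statement for March is ready to view in online banking.
"""

# Assumed allow-list of sender domains the organization actually deals with.
TRUSTED_SENDER_DOMAINS = {"acme-bank.example"}

URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended",
                   "will be locked", "act now", "final notice")
CREDENTIAL_PHRASES = ("password", "login", "credit card", "bank details",
                      "verify your account")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".iso", ".lnk")


def address_domain(header_value: str) -> str:
    """Domain of the first address in a From:/Reply-To: header ('' if none)."""
    match = re.search(r"@([\w.-]+)", header_value or "")
    return match.group(1).lower() if match else ""


def triage(raw_message: str) -> list[str]:
    """Return a list of finding codes for one RFC 5322 message; [] means no flags."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = address_domain(msg["From"])
    reply_domain = address_domain(msg["Reply-To"])
    if from_domain not in TRUSTED_SENDER_DOMAINS:
        findings.append("from-domain-untrusted")
    # A Reply-To on a different domain routes the victim's answer elsewhere.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg['Subject'] or ''} {body}".lower()
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency-language")
    if any(p in text for p in CREDENTIAL_PHRASES):
        findings.append("credential-request")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        double_ext = name.count(".") >= 2          # e.g. invoice.pdf.exe
        if name.endswith(RISKY_EXTENSIONS) or double_ext:
            findings.append(f"risky-attachment:{name}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("benign", BENIGN_RAW)):
        print(label, triage(raw))
```

Each finding is a hint rather than a verdict: an unlisted sender domain is common for legitimate third parties, so in practice the codes are scored or combined with reputation data before a message is quarantined, and the phrase lists are tuned to the organization's own mail.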

Check all links

To avoid phishing, double-check email addresses and website links before clicking on any link. Fraudulent addresses are almost identical to the original addresses but not the same, often with a slight change in spelling or character usage.

  • If the link asks for login information, go directly to the site and not via the link in the email
  • If you’re on a computer, you can hover over a link before clicking to make sure it’s a trusted link
  • Look for HTTPS, i.e. a site with a TLS certificate, as a trust signal
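Hovering over a link is a manual version of a check that can also be scripted: compare where the visible text says a link goes with where the `href` actually points, and compare the destination against the domains you trust. The Python script below is an added example, not code from the original post or from GlobalSign. The HTML body is constructed, the `.example` hostnames are reserved names, the `xn--` label is only made to look like punycode, and the allow-list `TRUSTED_DOMAINS` and the finding codes are assumptions. One caveat on the last bullet above: a TLS certificate proves only that you are connected to the named host, not that the host is honest, and phishing pages routinely have valid certificates, so the script treats plain HTTP as a finding but does not treat HTTPS as proof of trust.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body (not a real phishing email). The hosts are reserved
# .example names; the "xn--" label is a made-up punycode-looking label.
SAMPLE_HTML = """
<p>Please <a href="http://acme-bank.example.login-check.example/verify">log in to acme-bank.example</a>.</p>
<p>Or visit <a href="https://acme-bank.example/help">https://acme-bank.example/help</a>.</p>
<p>Update your details at <a href="https://www.acrne-bank.example/account">our site</a>.</p>
<p>Secure portal: <a href="https://xn--acme-bank-abc.example/">acme-bank</a></p>
"""

# Assumed allow-list of domains the recipient legitimately deals with.
TRUSTED_DOMAINS = {"acme-bank.example"}
HOST_RE = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Real code should use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_links(html: str, trusted=TRUSTED_DOMAINS) -> list[tuple[str, list[str]]]:
    """Return [(href, findings)] for each link; an empty findings list means no flag."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reg = registrable_domain(host)
        findings = []
        # HTTPS proves only a connection to the named host, not that the host is
        # honest, so plain HTTP is a finding but HTTPS is not treated as proof.
        if url.scheme != "https":
            findings.append("not-https")
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append("idn-punycode")
        # Visible text names one site while the href goes to another.
        m = HOST_RE.search(text.lower())
        if m and registrable_domain(m.group(1)) != reg:
            findings.append("text-host-mismatch")
        for t in trusted:
            if reg == t:
                continue
            if t in host:                      # trusted name buried in a subdomain
                findings.append("trusted-name-in-subdomain")
            elif levenshtein(reg, t) <= 2:     # acrne-bank vs acme-bank
                findings.append(f"lookalike-domain:{t}")
        results.append((href, findings))
    return results


if __name__ == "__main__":
    for href, findings in inspect_links(SAMPLE_HTML):
        print(href, findings or "ok")
```

The `registrable_domain` helper is deliberately simplified to the last two labels; for a production filter, use the Public Suffix List so that names such as `example.co.uk` are handled correctly, and resolve any URL shorteners before inspecting the final destination.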

Secure your identity

A VPN, or Virtual Private Network, provides an encrypted tunnel for all of your online activities. It disguises your original identity and location and allows you to connect to the world through secure remote servers. This eliminates the risk of spying and snooping, and cybercriminals cannot access your information and identity. A powerful VPN also helps protect your connection from any attacking malware and makes your online existence safe and secure. The VPN is a secure barrier preventing phishing emails from reaching your device.

Digitally signed emails

Counter phishing attacks with digitally signed emails and strengthen your company’s email security with S/MIME certificates. Using two cryptographic functions, S/MIME can verify the origin of emails and the identity of the sender, and protect email communications in transit through mail servers with encryption. With the S/MIME protocol it is impossible to intercept and remove the digital signature of the email, and digitally signed emails are guaranteed valid and legitimate.



Editor’s note – this blog was originally published in 2019 and updated in 2022 by GlobalSign Chief Content Officer, Michelle Davidson
