UPDATE: 04/03/20 Before you continue: attackers are using the coronavirus (COVID-19) as a lure for phishing emails, and emails claiming to come from the World Health Organisation are being circulated. Do not click on links in these suspicious emails, and follow the guidance on this page.
Ever been caught out by a phishing email, or want to increase your knowledge to protect yourself? Then you are in the right place.
Phishing is one of the most popular forms of attack used by malicious individuals, and for very good reason. Why?
“90% of data breaches are caused by human error!”
That’s right: with the majority of successful breaches coming from human error, it is no surprise that individuals are targeted so heavily with phishing attacks.
In addition, unless we increase our knowledge or use tools to protect ourselves, we are unfortunately going to be bombarded with phishing emails and may fall victim to the attackers.
To help you get to the right place if you are already familiar with phishing, here are the contents of this guide:
- What is phishing?
- Why do attackers use phishing?
- Should I worry about phishing in 2020?
- Different types of phishing
- Common examples of phishing
- What happens if you click on a phishing attempt or get phished?
- Top 5 things to spot a phishing attempt
- How to protect yourself from phishing attempts
What is phishing?
Phishing is a form of social engineering attack: a type of attack that exploits human behaviour in order to trick you into doing something that you don’t want to do. Often, social engineering is used to manipulate your emotions so that you give up sensitive data, such as passwords or personal details, or even make a payment.
In short, phishing is a specific type of social engineering in which an attacker uses email or other electronic communications, posing as a trustworthy entity, to obtain your sensitive information and passwords.
An easy way to think about phishing is to look at where the name comes from: it’s a play on ‘fishing’ – putting bait in front of a fish to tempt it to bite and get hooked.
Why do attackers use phishing?
Simply put, attackers use phishing because the statistics are compelling. Below are some of the key statistics that draw attackers to phishing:
90% of breaches are due to human error
In businesses, people are considered the weakest link in security, and the statistics show this. Phishing is used in huge volumes against individuals at work, and this also translates to you personally. At work you’re likely to receive training and awareness, e-learning and more protections; at home it’s unlikely that you will have the same protections in place, as most services you use, like email, are free and limited in functionality. At work, your employer picks up these additional costs.
It’s becoming easier for attackers to use legitimate looking sites
Attackers are becoming more sophisticated and able to use trusted sites and sources as part of their phishing attempts. This lets them bypass a lot of protections, increases their success rate significantly and allows them to spend more time making the email or contact method look legitimate. Unfortunately, one of the most common methods is an attacker taking over a legitimate site and using one of its pages to present a fake login screen – this can be difficult to combat.
Phishing has the highest success rate of attacks
Simply put, people fall for it. If no-one clicked a link or accepted a vishing call (more on vishing later), phishing wouldn’t be used. Attackers also look for the easiest way in and the highest return on investment. Unfortunately, humans are notoriously easy to manipulate, and emotions can be twisted in the attacker’s favour. It’s never been more important to have the right tools and skills to protect yourself.
Should I worry about phishing in 2020? 😨
Yes. Phishing is becoming more complex, better in quality and worryingly well timed. For example, if you’re self-employed, you may have had a perfectly timed email from HMRC or your country’s tax body asking for a payment or offering a refund seconds after you’ve submitted a return. Whether this is coincidence or not, it’s very easy to slip up, but that’s for another conversation.
In addition, we continue to focus on speed and convenience, which introduces further risk as people make instant decisions rather than taking the time to review and think.
Thankfully there are a number of things you can do to protect yourself, covered at the end of this guide. You can also check out our guide to staying safe online, which has some overlap and covers further topics.
Different types of phishing
Phishing and social engineering aren’t limited to email, although this is one of the most common routes. Throughout this guide we are going to cover the various forms of phishing to ensure that you know where you need to be more vigilant.
Email phishing
The most common form of phishing is via email – an attacker will try to convince you that you are receiving a legitimate email.
Things to look out for
- Link within the email
- Attachment within email
- Request to transfer funds
What is the attacker’s goal?
- Steal your credentials or data
- Put ransomware on your machine
- Steal your money
Example of email phishing
In this example, the content of the email has been written in a way to make you trust and believe that the sender is Amazon. This is because the attacker is trying to make the email appear to have the best intentions.
Tactics like this are typically the ones that trip you up, as the average phishing email is usually of poor quality.
Also, the subject line contained the amazon.com domain, but clicking on the email header showed that it in fact came from a domain that definitely wasn’t Amazon: “@amazon.com” / “[email protected]”
Unfortunately, this got through spam filters because the attacker had hacked a legitimate website and used one of its pages to host a fake login page. It was made riskier because it looked very similar to the Amazon login page, something that could easily trip someone up.
Vishing
Vishing is another common form of social engineering, this time carrying out the manipulation over the phone; the name derives from ‘voice phishing’.
Things to look out for
- Unexpected phone call
- Asking to remotely connect to you
- Urgent actions
What is the attacker’s goal?
- Catch you off guard
- Access your computer and hold hostage
- Convince you to make a decision
Example of Vishing
Smishing
By now you may have noticed that the names are self-explanatory and already have an idea of what smishing covers: smishing is phishing over SMS / text messages.
Smishing is not as common as email phishing but can be very easy to fall victim to. Usually pretending to be your bank or another service, smishing attacks send you a text message from a sender name similar to one that you’d expect.
Things to look out for
- Link to click on
- Trustworthy name
- Urgent actions
What is the attacker’s goal?
- Steal credentials and data
- Convince you it’s genuine
- Convince you to make a decision
Spear phishing
Spear phishing is one of the most dangerous attacks, but also one of the least common due to the increased effort required. If you are a person of influence, in a high-paying role or within a large organisation, you may be at higher risk.
This type of attack is a phishing attempt aimed at a specific individual, typically using in-depth information to trick you, as opposed to the standard poor-quality, high-volume phishing attempts. For CEOs and other high-net-worth individuals, it’s often referred to as whaling.
As the only distinguishing factor of this attack is its targeted nature, and there is overlap with email phishing, vishing and smishing, we won’t call out what to look for specifically; consider all of the aspects of this guide to help you become more vigilant. If you are in this high-risk category, it is worth using a tool to understand your risk and digital footprint further.
Common phishing examples
Fortunately, the majority of phishing attacks follow similar patterns. This allows us to build our knowledge around the riskier subjects and have a higher chance of detecting them; more importantly, it allows us to protect ourselves from phishing attacks. Whilst this is a good thing, the reason attackers persist with these methods is that they are ultimately successful: if they didn’t succeed, they wouldn’t waste their time.
Some of the most common phishing scenarios:
Suspicious activity on your account
Ironically, the most common lie used in phishing is that there is a security alert or suspicious activity on your account.
The psychology behind this is important, as it creates urgency and covers an area that people don’t tend to question. The attacker will suggest that you follow a link to reset your password, asking for your current password; typically the page will then fail.
The attacker now has your credentials for the account. Perhaps worse, they may have the credentials to all of your accounts if you reuse the same password.
You have an outstanding invoice or payment
Another common topic used to manipulate people is the outstanding invoice or payment, usually an overdue invoice that will supposedly result in some significant impact like a default or action from the bank.
Similar to suspicious activity, this plays on your emotions to convince you to make a quick decision.
The main difference with this scenario is that it usually has a file that needs downloading. Rather than stealing your credentials, this one is likely trying to install ransomware on your computer, which will hold you hostage until you pay the bitcoin fee.
Sextortion / threatening
Sextortion and other threatening phishing attempts can be extremely damaging emotionally. They are often used to force you into paying money to the attacker to stop them from revealing personal or sensitive details about you.
The typical sextortion attempt will email you with your IP address, often accompanied by your password 😨. Yes, it will often include a password, which really gets the emotions going, and is followed by a threat explaining that you have been visiting an adult site and that the attacker has images of you which they will release unless you pay a fee.
The attacker will get the password from a breach that you have been involved in and use it against you. Unfortunately, people aren’t usually aware that they have been involved in a breach, so may still be using the same password. Alternatively you may recognise it as an old password, or one with a slight variation if you follow bad password practice.
Attacks like these are the reason why it is so important to have a handle on your digital footprint and understand if you’ve been hacked.
Someone wants to share a document with you
A classic phishing attack used against professionals. Document sharing is a very common activity now, and most services follow similar email formats. This gives attackers a prime opportunity to replicate them and carry out malicious activities.
Typically appearing to come from services like Dropbox or OneDrive, the email will look very similar to the real thing, but will likely have a number of spelling mistakes or be unexpected.
The goal of the attacker here is to steal your credentials.
Tech support wanting to solve a problem for you
Another common topic, but more focused on vishing. This scenario involves an unexpected phone call from someone pretending to be a large organisation such as Apple or Microsoft, requesting to log on to your machine in order to carry out technical support.
They will often explain that you have a virus and that they need to clean your machine to prevent it from causing damage – another attempt at creating urgency.
If they succeed in getting access to your machine (usually using TeamViewer), they will proceed to install ransomware and hold you hostage until you pay the fee.
Request from your boss / CEO
Finally in our list of common phishing scenarios is another work-related attack, one in the spear phishing category.
The attacker will ‘spoof’ (pretend to be) or have access to a CEO’s or boss’s email address and send an email to a colleague who has the ability to make payments, often asking them to urgently transfer funds to a new payee.
As the email appears to come from the CEO’s email address, it is often fallen for – to get around this, always check with the person directly, rather than by replying to the email, before you make a payment.
What happens if you get phished?
Throughout this guide we have explained various aspects of phishing and some specific scenarios. One of the final parts to cover is what happens if you get phished and what you should do in response.
If you’ve clicked on a link and entered your credentials, you either have been hacked or will be soon after, so it’s important to take action now.
Change all of your passwords
Changing your passwords is one of the first things you should do as soon as you find out you have been hacked. This also means that your compromised password cannot be used to access other accounts, which isn’t much of an issue if you use separate passwords across accounts.
Revoke access to your accounts, especially any that have been hacked
Most accounts and services have the ability to revoke access, also referred to as ‘log out all sessions’ or ‘log out of all devices’. This means that if an attacker is in your account, you can kick them out (digitally). Provided you have changed your password, they will no longer have access.
Set up additional protections on your accounts, i.e. suspicious notifications
If your services can enable suspicious-activity notifications or an advanced security function, enable them. You will not realise how beneficial this is until it’s too late.
Enable Two-Factor Authentication
The use of two-factor authentication dramatically reduces your risk of compromise, and we can’t stress this enough. Two-factor authentication requires a text message or code in addition to your username and password, so if your password is stolen the attacker will still not be able to get access. Most services now offer this, and if they don’t – send them a note!
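To show why a phished password on its own is not enough once two-factor authentication is on, here is an added example (not code from the original guide or from mappd) implementing the time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226) that authenticator apps generate, together with a toy login that demands both the password and the code. The secret, user record and password are constructed demonstration values; the secret is the published RFC test-vector key, so the codes it produces match the RFC tables.

```python
import hmac
import struct
import time
from hashlib import sha1


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or the `window` steps either side (clock drift).
    hmac.compare_digest keeps the comparison constant-time, so timing does not leak partial matches."""
    counter = at_time // step
    return any(
        hmac.compare_digest(hotp(secret, c, len(code)), code)
        for c in range(counter - window, counter + window + 1)
    )


# Constructed demonstration values: the RFC 4226 / RFC 6238 test-vector key and a toy user record.
# A real service stores a password hash, never the password itself; the point here is the second factor.
DEMO_SECRET = b"12345678901234567890"
DEMO_USER = {"name": "alice", "password": "correct horse battery staple", "totp_secret": DEMO_SECRET}


def login(user: dict, password: str, code: str, at_time: int) -> bool:
    """Both factors must pass: an attacker holding only the phished password is rejected."""
    if not hmac.compare_digest(user["password"], password):
        return False
    return verify_totp(user["totp_secret"], code, at_time)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)  # what the authenticator app would display right now
    print("current code:", code)
    print("password + real code :", login(DEMO_USER, "correct horse battery staple", code, now))
    print("password + guessed code:", login(DEMO_USER, "correct horse battery staple", "123456", now))
```

The code changes every 30 seconds and is derived from a secret that never leaves the authenticator app and the service, which is why a password captured on a fake login page does not get the attacker in.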
Consider reviewing your security questions if you’ve been phished
Depending on what has been stolen, it may also include your security details, especially if you use personal information as security answers. When you check your breach in mappd, double-check whether your security information has been stolen too. If it has, change your security details across your accounts.
Reduce the number of places where your data is
So you’ve been hacked and don’t want it to happen again? You can start by reducing the number of places where your information is held. The fewer places your data is, the less likely it is to be stolen – this is basic digital hygiene. In your mappd app, request that your data be deleted from those companies that you don’t recognise or no longer want to share data with.
Sign up to mappd or another breach notification service
Signing up to mappd (some of our services are based on the Have I Been Pwned APIs) will ensure that you are alerted should you be involved in a breach. This allows you to work on making yourself more secure before the criminals get to you, which is an important part of protecting yourself from phishing attacks.
Phishing is a well-known way of obtaining personal information, and it is normally carried out via email. We all tend to call this spam email, and around 10% of those emails get through to you. Phishing is used to steal usernames, passwords and credit/debit card details.
Top 5 things to spot a phishing attempt
Many of the fake emails you receive are easy to spot. However, not all phishing emails are that easy, because attackers are practised at slipping attacks into your day-to-day processes when you least expect it. Because of this, it’s important that you consider the following when actioning emails.
What to look for:
Doesn’t contain your name or anything to identify you
Phishing attempts will often contain generic details, as they are sent to people at volume; terms like Sir or Madam will often be used. Legitimate businesses will often include your name, address or postcode as an identifier.
Contains spelling mistakes or poor grammar
Surprisingly, the majority of phishing emails contain poor grammar and spelling, making them relatively easy to spot. Some are significantly worse than others, but this is one of the most effective ways of identifying fakes.
Asks for sensitive information
The majority of legitimate businesses will not ask for sensitive information over email or other electronic communications, especially PINs and passwords. If in doubt, contact the company and double-check.
Unusual email address or website URL
When you receive an email that you think may be suspicious, you can click on the email header (screenshot below), which will expose the full email address and name. You will often find the information here to confirm that an email is fake, because the address doesn’t match the claimed sender.
Poor formatting and design
Phishing emails, messages and phone calls are all likely to have poor processes and formatting, so you may notice pixelated images, plain emails without graphics or incorrect logos. Attempts are constantly getting better, so remaining vigilant is important.
To sum up some of the ways to spot fakes: the email doesn’t contain your name, using words like Sir, Madam or Client instead; many emails have spelling mistakes; and they ask for very sensitive information like your PIN. No real, professional company will ask you for your PIN, so never give it out.
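The header check in the Amazon example above, the Reply-To trick behind the “request from your boss” scenario and the rest of the top 5 can all be checked mechanically. The following is an added example, not code from the original guide or from mappd: it parses a raw email with Python’s standard `email` module and reports the warning signs this section describes. The two messages, the brand-to-domain table and all addresses and domains in it are constructed for the demonstration; `registrable()` is a deliberately crude helper that keeps the last two labels of a hostname.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed brand-to-domain table for the demo; a real deployment keeps its own list
# of brands and the domains they genuinely send from.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "dropbox": {"dropbox.com"},
}
GENERIC_GREETINGS = ("dear customer", "dear sir", "dear madam", "dear client", "dear user")
SENSITIVE_RE = re.compile(r"\b(password|pin|security question)\b", re.IGNORECASE)
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
DOMAINISH_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def registrable(host: str) -> str:
    """Crude helper: www.amazon.com -> amazon.com. Real code would use the public suffix list."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_email(raw: str) -> list:
    """Return human-readable warnings for a raw RFC 5322 message with a single-part body."""
    msg = message_from_string(raw)
    findings = []

    # 1. Unusual email address: the display name claims a brand, but the real sender domain does not match.
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and registrable(from_dom) not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is {from_dom}")

    # 2. Replies would go somewhere other than the apparent sender (seen in boss / CEO payment requests).
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable(domain_of(reply)) != registrable(from_dom):
        findings.append(f"Reply-To domain {domain_of(reply)} differs from sender domain {from_dom}")

    body = msg.get_payload()  # single-part message assumed; multipart would need msg.walk()
    text = body.lower()

    # 3. Generic greeting instead of anything that identifies you.
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of your name")

    # 4. Asks for sensitive information.
    if SENSITIVE_RE.search(text):
        findings.append("asks for sensitive information (password / PIN / security question)")

    # 5. Link text shows one domain but the href really points to another.
    for href, label in LINK_RE.findall(body):
        label = label.strip()
        if not DOMAINISH_RE.fullmatch(label):
            continue  # plain link text such as "Verify now" cannot contradict the href
        shown = urlparse(label if "://" in label else "http://" + label).hostname or ""
        actual = urlparse(href).hostname or ""
        if registrable(shown) != registrable(actual):
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings


# Constructed sample messages (no real addresses or domains).
PHISHING_SAMPLE = """\
From: "Amazon Security" <alerts@amazon-account-verify.example>
Reply-To: support@mailbox-relay.example
To: alice@example.org
Subject: Suspicious activity on your amazon.com account
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>We detected unusual sign-in activity. Confirm your password within 24 hours
or your account will be suspended.</p>
<p><a href="http://login.amazon-account-verify.example/reset">https://www.amazon.com/account</a></p>
</body></html>
"""

LEGIT_SAMPLE = """\
From: "Amazon.com" <order-update@amazon.com>
To: alice@example.org
Subject: Your order has shipped
Content-Type: text/html

<html><body>
<p>Hi Alice,</p>
<p>Your order #123-4567 has shipped.</p>
<p><a href="https://www.amazon.com/orders">https://www.amazon.com/orders</a></p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(f"{label}:")
        for warning in check_email(sample) or ["no warnings"]:
            print("  -", warning)
```

Run it and the constructed phishing message trips all five checks while the constructed order confirmation trips none. The checks are heuristics, not proof: a message with no warnings can still be a phish, which is why the advice to contact the company or person directly still applies.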
How to protect yourself from phishing attacks
In addition to the section where we covered what to do if you have been successfully phished, there are a number of things you can do to prevent it from occurring in the first place.
Also, by getting this far through the guide, you’ve already taken yourself to a point where you have significantly reduced your risk through education for free 🎉.
Education is the most important factor when protecting yourself from phishing attacks as ultimately, it’s an attack on your human nature.
Finally, if you are interested in taking your protection further and getting one step ahead, you can sign up now for a free trial of mappd. Mappd shows you where your data is around the world and monitors your accounts for hacks and threats – we charge a small fee to allow us to build and support the technology to do this, but it’s less than the price of a coffee per month ✅