We last reported on phishing scams in 2016. Since then, our daily lives have become even more intertwined with technology. Every service we use for television, games and work requires a personal account, and we place more information about ourselves online than ever before.
As our use of technology and the internet grows, so does the need for security online. Phishing attacks are among the most common and reliable ways for criminals to get into your digital accounts. However, according to security firm Proofpoint, nearly two-thirds of us now know what a phishing scam is; they explain further in their 2019 State of the Phish report. That means phishers have had to adapt their tactics as well.
In this updated post we’ll cover some of the new tricks phishers are using to fool users into handing over their information and money.
What is a phishing scam?
For those who fall into the one-third of people unaware of these attacks, phishing scams are malicious attempts to obtain your sensitive information such as usernames, passwords, and financial details.
Usually, phishing scams take the form of an email that appears to be a legitimate communication from a person or entity you know. Phishers are also using other formats like text messages and direct chat messages as well as promoted ads on social media. Some phishing attempts like tech support scams even combine an online and offline action where an email leads the user to call a number to solve a fake computer problem, then a real person pretends to offer support while stealing your information.
We call these “phishing” scams because attackers know the majority of users will recognize the deception and immediately delete the email or notify their security team. That means phishers have a limited window in which to trick a few unfortunate souls and take their information. The name is both an analogy to catching a few fish from a pond that contains many, and a nod to the original form of hacking, phone phreaking. Hence the “ph”.
What does a phishing email look like?
Phishing emails generally resemble a message you would receive from a trusted person or entity.
Key details you can look for to identify a malicious email are:
- A “from” address that resembles a name or company you’ve done business with but is misspelled or slightly different than it should be, or even an entity that would never normally contact you. Look at the actual address, not just the display name in front of it.
- The message almost always creates a sense of urgency or asks you to complete an action immediately.
- One or more links will be included that direct you to a site or page you have no reason to visit. Often the text won’t match the linked address.
- Warning of severe consequences if you don’t do what’s been asked.
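The four signs above can be checked mechanically. The script below is an added example written for this post (it is not code from the original article); it parses a raw email, compares the real sender and Reply-To domains against a hypothetical list of domains you deal with, looks for urgency wording, and flags links whose visible text points somewhere different from their real destination. Both messages are constructed for the demo and every name and domain in them is made up.

```python
"""Check a raw email for the phishing warning signs listed above.

Added example, not code from the original post. The two messages below are
constructed for the demo; every name and domain in them is made up.
"""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains you actually do business with (hypothetical).
TRUSTED_DOMAINS = {"acme.example", "www.acme.example"}
# Words and phrases that create artificial urgency or threaten consequences.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify")

# Constructed phish: lookalike sender domain, Reply-To pointing elsewhere,
# urgent wording, and a link whose visible text does not match its href.
PHISH_EMAIL = b"""\
From: "Acme Billing" <billing@acme-billing-support.example>
Reply-To: collections@mail-acme.example
To: you@yourcompany.example
Subject: URGENT: invoice overdue - account will be suspended
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended within 24 hours unless you verify
your payment details immediately.</p>
<p><a href="http://acme-billing-support.example/login">https://www.acme.example/billing</a></p>
"""
# Constructed legitimate message from the same vendor, for comparison.
CLEAN_EMAIL = b"""\
From: "Acme Billing" <billing@acme.example>
To: you@yourcompany.example
Subject: Your March invoice is available
Content-Type: text/html; charset=utf-8

<p>Your invoice is ready to view in your account.</p>
<p><a href="https://www.acme.example/billing">https://www.acme.example/billing</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL; link text like 'www.acme.example/x' gets a scheme added."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyse(raw: bytes, trusted=TRUSTED_DOMAINS) -> list:
    """Return human-readable findings; an empty list means no sign was found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    # Sign 1: judge the "From" line by its real domain, not the display name.
    sender_domain = msg["From"].addresses[0].domain.lower()
    if sender_domain not in trusted:
        findings.append(f"sender domain {sender_domain} is not one you deal with")
    # BEC-style trick: replies silently go to a different mailbox.
    if msg["Reply-To"] is not None:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender_domain:
            findings.append(f"Reply-To goes to {reply_domain}, not {sender_domain}")
    # Signs 2 and 4: urgency and threats in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    haystack = (str(msg["Subject"] or "") + " " + text).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    # Sign 3: links to unexpected hosts, or link text hiding the real destination.
    extractor = LinkExtractor()
    extractor.feed(text)
    for shown, href in extractor.links:
        if host_of(href) not in trusted:
            findings.append(f"link points to untrusted host {host_of(href)}")
        if "." in shown and host_of(shown) != host_of(href):
            findings.append(f"link text shows {host_of(shown)} but goes to {host_of(href)}")
    return findings
```

Running `analyse(PHISH_EMAIL)` reports all five problems (lookalike sender domain, mismatched Reply-To, urgency wording, an untrusted link host, and link text that hides the destination), while `analyse(CLEAN_EMAIL)` returns nothing. The display name is identical in both messages, which is exactly why the check ignores it.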
An example like this is a fairly easy-to-spot malicious email: the phisher hasn’t done a great job of covering their fake information. However, attackers are becoming more sophisticated and putting much more effort into tricking users with well-designed emails and web pages.
What are new phishing tricks?
Recently spotted phishing attacks are carefully constructed to look identical to real emails. For example, the message may display the real phone numbers, email addresses and postal addresses of a business, while the links or the “call us” number actually lead to the attacker.
Phishers are even making the added effort of designing login and payment pages to resemble big-name brands. One recent attempt was embedded in a fake promoted tweet carrying Netflix’s logo and branding, but it redirected users to a fake PayPal login that looked very similar to the real thing.
Previously, phishers sent the same message to a large number of recipients. Many have adopted “spear phishing”, a targeted approach aimed at a single individual or organization. One type of spear phishing is called Business Email Compromise, or BEC. Attackers spoof (copy) or take over the email address of an executive, such as the CEO or CFO, and use it to request payments or sensitive information from employees lower on the chain. The request looks legitimate because it appears to come from someone with authority. Check the actual sender address and any Reply-To address rather than the display name, and confirm unexpected payment requests by phone using a number you already have.
Attackers have taken the spear phishing approach to an all new level as well by creating sites mimicking corporate webmail. This allows them to compromise user accounts and engineer more malicious attacks that actually come from a real address within the company.
Clone phishing is another one to be aware of. Phishers copy, or clone, a legitimate email that a company has previously sent and swap in malicious links. Because the images and formatting come from a real message, the result doesn’t look fake.
Whaling is spear phishing aimed at people higher up in a company, who are pressured to respond to a complaint or a threat of legal action. These higher-ups will often comply to protect their companies and employees from large monetary and reputational losses.
How to protect yourself against phishing scams
Congratulations! You’ve already taken the first and most important step to protect yourself against phishing scams by reading the information above.
- Stay informed about phishing techniques. This is the reason we’ve written this post, so keep checking back for updates. As we’ve mentioned, new phishing scams and methods are being created all the time. Without being aware of these new tricks you could accidentally fall prey to an attacker.
- Think before you click. The moment an email, link or message seems out of the ordinary or like it shouldn’t be there – stop! Take a close look at the message and check for wrong information, statements that are too good to be true, and any urgent actions requested. When in doubt, go directly to the organization the email claims to be from, using a website address or phone number you already know, and find your information that way. If it seems phishy, it likely is.
- Check every link. Hover your mouse pointer over a link and its real destination URL appears in the bottom corner of your browser window (on a mobile device, long-press the link until a preview of the destination pops up). Then read the domain: it’s the part between the :// and the next / (example: www.ThisPartIsTheDomain.com), and it’s read from the right, so login.paypal.com.example.net belongs to example.net, not to PayPal. If the domain doesn’t exactly match what you already know (or what you’ve looked up yourself), don’t click it!
- Verify the link and the site. Before entering anything on a website, look at the address bar. An address beginning with https:// means your connection to the site is encrypted, so nobody on the network can read what you type; it does not mean the site belongs to who it claims to be. Phishing sites use https:// too, so treat the padlock as necessary but not sufficient, and still check the domain. If a page asking for a password or card details has no https:// at all, don’t enter anything. Thankfully, most browsers warn you when a site you’re visiting isn’t secure.
- Install anti-phishing toolbars, extensions, and plugins on your internet browser. Most browsers can be customized with extensions that check links against lists of known phishing sites and alert you if one is found. Many are free and easy to install. Give us a call or email us for recommended plugins and extensions.
- Check your accounts regularly. You probably visit your bank account far more often than some of your other accounts, and you’ll notice changes there more easily. Log in to all of your accounts regularly and look for any changes you didn’t make. Update your passwords at the same time. Every account should have its own unique password, long and made of a mix of uppercase and lowercase letters, numbers and symbols so that it can’t easily be guessed; a password manager makes this practical. Don’t use your birthday, or your spouse’s birthday. Where an account offers two-factor authentication, turn it on, so a phished password alone isn’t enough to get in. Check out our full password management guide.
- Never give out personal information. If a site or form is asking for your name, address, phone number, Social Security number, or any other information, don’t enter it unless you are absolutely sure it is safe and absolutely necessary.
- Consider using a VPN. A Virtual Private Network encrypts your connection, which improves your privacy on public Wi-Fi and hides your traffic from whoever runs the network. It won’t, however, stop you from typing your password into a fake login page, so it’s a complement to the steps above, not a substitute. Read more about when to use a VPN.
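To make the “check every link” and “verify the link and the site” advice concrete, here is an added example (written for this post, not code from the original article) that dissects a URL the way the advice describes: it pulls out the hostname, reduces it to the domain that actually owns the page, and reports the common tricks. The brand domain `paypal.example` and every sample URL are hypothetical; the two-label domain rule is a simplification that is good enough for .com-style names but not for country-code suffixes such as .co.uk.

```python
"""Dissect links as described in the checklist above.

Added example, not from the original post. KNOWN_DOMAIN stands in for the
real brand domain you already know; every URL below is made up.
"""
from urllib.parse import urlparse

KNOWN_DOMAIN = "paypal.example"  # hypothetical stand-in for the genuine site


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname. Good enough for .com-style names;
    suffixes like .co.uk need a public-suffix list, which this demo skips."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect(url: str) -> dict:
    """Return the parts of the URL a reader should look at, plus any issues."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    verdict = {"url": url, "https": p.scheme == "https", "hostname": host,
               "domain": registrable_domain(host), "issues": []}
    # Anything before an '@' is a username, not the site (urlparse strips it).
    if p.username is not None:
        verdict["issues"].append("text before '@' is a username, not the site")
    if verdict["domain"] != KNOWN_DOMAIN:
        verdict["issues"].append(f"domain is {verdict['domain']}, not {KNOWN_DOMAIN}")
    # The brand name appearing on the left does not make it the owner.
    if host.startswith(KNOWN_DOMAIN + ".") or (
            KNOWN_DOMAIN in host and verdict["domain"] != KNOWN_DOMAIN):
        verdict["issues"].append("known name appears only as a subdomain or substring")
    # https encrypts the connection; it says nothing about who runs the site.
    if verdict["https"] and verdict["issues"]:
        verdict["issues"].append("https only encrypts the connection; it does not make this site genuine")
    return verdict


# Constructed samples covering the cases discussed above.
SAMPLES = [
    "https://www.paypal.example/signin",                # genuine
    "https://paypal.example.account-verify.example/",   # brand used as a subdomain
    "https://www.paypa1.example/signin",                # lookalike character
    "https://paypal.example@secure-login.example/",     # username trick
    "http://www.paypal.example/signin",                 # real domain, no TLS
]

if __name__ == "__main__":
    for sample in SAMPLES:
        v = inspect(sample)
        print(v["url"], "->", v["hostname"], v["issues"] or ["looks like the known domain"])
```

Note the last two samples: the fourth uses https:// and still lands on `secure-login.example`, while the fifth is the real domain without encryption. The padlock tells you whether the connection is private, not whether you are on the right site; the domain tells you that.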
Phishing attacks are a serious problem – thankfully, the first line of defence is simple: when a surprise request for information lands in your inbox, just say “no.” If you’ve fallen victim to a phishing scam and your computers have been running slowly, they may have been infected with malware. Friendly PC are experts in computer repair and security. Give us a call at (402) 965-3300 or contact us online and we’ll help secure your information.