Certainly, each of us has encountered this term more than once. Some time ago, I asked my team what they would like to read about. Phishing was the most frequently mentioned topic, which did not surprise me, as it occurs so often. Its effectiveness is surely underestimated, and it is dangerous. Kevin Mitnick, aka Condor, one of the most famous hackers, used this method with great success. During his court trial, even the US government stated that, if he wanted to, he could launch a nuclear weapon just by whistling into a pay phone. Although that claim was most likely the product of a carried-away imagination, Mitnick is a world-class practitioner of social engineering attacks, so who knows.
The origin of the word “phishing” is simple. The phishing process is similar to real fishing. You prepare a bait to deceive your victim, then you cast it and wait for the victim to take it.
The term emerged in the 1990s in the context of obtaining information through deception. The general idea of phishing is that the message received makes an individual unknowingly reveal their confidential data. By using the same font, email footer, or company logo, such a message imitates common emails. Phishing can take many forms; however, the one mentioned above is the most popular.
We can distinguish the following types of phishing attacks:
- Phishing is about using emails.
- Vishing is obtaining confidential information by a phone call. This method is well-known thanks to Kevin Mitnick.
- Smishing uses text messages or instant messaging. An example of such an attack is a text message that looks as if it was sent by a bank or another trustworthy institution.
- Pharming is very similar to smishing, but by tampering with the local DNS (Domain Name System) cache it redirects a user to fraudulent websites to make them enter their personal information.
- Spear phishing is an attack aimed at a specific target, such as the company’s system administrators. Let’s imagine a situation where an administrator gets an email impersonating a company they cooperate with, and in the message, there is a link to a release note.
- Whaling is a type of spear phishing, but the targets of the attacks are those at the highest level of the organization.
How to prevent phishing attacks?
There is no one completely effective solution, sadly. But knowing the threats and how hackers can attack us is the first step to successful phishing attack prevention. You should always act with common sense and be vigilant. What should raise your suspicions?
- a message that contains linguistic and grammatical errors
- a message that urges the recipient to act immediately, for example by threatening unpleasant consequences such as blocking the account or debt collection
- a sender domain that looks different from usual
- a message that contains links outside the domain of the given company or institution
- a message claiming, for example, that “your account has been blocked” or “your account requires verification”
- a phone call from a person who claims to be from your bank and asks for your details (it is recommended that you hang up and call your bank yourself)
- a message whose source does not match the claimed sender
- a message consisting of one big graphic that imitates a real company’s branding
- subject lines that blackmail, ask for help, or offer support
It is extremely important that you apply all these rules together. First and foremost, avoid acting on your emotions. Personally, I have received numerous messages claiming that I had won a lottery or that some sheikh wanted to share his wealth with me.
A fake website can be built quickly and easily. That is why you should first look at the website address: it may contain a name confusingly similar to the original, but with a spelling mistake or a different domain name. You can also check whether the SSL certificate is issued to the right company.
As far as the received links are concerned, the best method to verify them is to hover the cursor over them to see the displayed address that the links lead to.
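The checks above can be turned into a small script. The following is an added example, not code from the original post: it runs a few of the listed red flags over a constructed sample message (lookalike sender domain, urgency wording, links outside the company's domain, and link text that shows a different address than the one the link actually points to, which is what hovering reveals). The expected domain, the sample message and the urgency word list are assumptions.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample showing the red flags above (a fake message, not a real one).
SAMPLE_EML = """From: "Example Bank" <security@examp1e-bank.com>
Subject: URGENT: your account has been blocked
Content-Type: text/html

<p>Your account requires verification within 24 hours or it will be blocked.</p>
<p><a href="http://example-bank.com.login-verify.net/reset">https://example-bank.com/login</a></p>
<p><a href="https://example-bank.com/help">Help centre</a></p>
"""
URGENCY = ("urgent", "immediately", "blocked", "requires verification")  # assumed word list

def edit_distance(a, b):
    # Levenshtein distance, used to spot one-character lookalikes such as examp1e vs example.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, expected):
    # None if host is under the expected domain, else 'lookalike' or 'foreign'
    # (last-two-labels heuristic; production code should use a public-suffix list).
    reg = ".".join(host.lower().rstrip(".").split(".")[-2:])
    if reg == expected:
        return None
    return "lookalike" if edit_distance(reg, expected) <= 2 else "foreign"

def analyse(raw, expected_domain):
    """Return the red flags found in a raw RFC 5322 message, as a list of strings."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0].domain if msg["From"] else ""
    flags = [f"{kind} sender domain {sender!r}"] if (kind := classify(sender, expected_domain)) else []
    body = (msg.get_body(preferencelist=("html", "plain")) or msg).get_content()
    lowered = f"{msg['Subject'] or ''} {body}".lower()
    flags += [f"urgency wording {w!r}" for w in URGENCY if w in lowered]
    # Compare each link's real host with the text shown to the reader (the "hover" check).
    for href, label in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = urlparse(href).hostname or ""
        if kind := classify(host, expected_domain):
            flags.append(f"{kind} link host {host!r}")
        if (shown := urlparse(label.strip()).hostname) and shown != host:
            flags.append(f"link text shows {shown!r} but points to {host!r}")
    return flags
```

Running analyse(SAMPLE_EML, "example-bank.com") reports the lookalike sender, three urgency phrases, the foreign link host and the mismatched link text, while a message from the real domain with matching links produces no flags.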
What to do when you suspect phishing?
You can simply ignore the suspicious messages. But it is worth reporting them, which is extremely easy to do. Go to the CERT Poland incident-related website. After filling out the form, attach the message and send the report.
My piece of advice
Humans are always the weakest link, so it is important to raise employees’ awareness of security issues. For this reason, running phishing campaigns within a company is a good idea. Just remember that such awareness raising should not turn into stress testing, as that may end badly.
Google has prepared a quiz page to learn to recognize an attempted scam. Check yourself!
Author
- Senior software tester
Tester associated with the industry for almost 5 years. At that time, he implemented projects in the e-commerce sector. Always eager for new projects, as he combines work with passion. Security enthusiast who privately deals with Viking historical reconstruction and traditional archery.