
How to Avoid Getting Hacked | Watch for These Common Phishing Tactics

Phishing is the practice of sending fraudulent communications, most often email, that appear to come from a trusted organization.

The sender addresses used by the bad actors typically look legitimate if read hastily. Their ultimate goal is to steal your credit card details, log-in information and passwords.

Identity theft, financial loss and months or years of cleanup can follow.

What are the most common Phishing techniques?

As an example, you receive an email saying that your bank account has been temporarily disabled.

As an account holder, your initial reaction is shock. You want to act immediately so your bill payments don't bounce and your credit rating stays intact.

The action you take is based solely on the instructions the bad actor wrote in the email.

This is where the phishing starts.

Your first instinct, on getting an alarming message from what looks like a trusted sender, is to click the link you are told to click.

That link could be as simple as "Fix this issue now - click here". If you hover over it, you will see that the actual website address is not what you would expect. In the moment, though, it's an easy mistake to make.

A slightly more sophisticated method is to mimic the sending company's website address. Instead of http://verifiedtechnologies.com it might be http://www.verifiedtechnnologies.com, with an extra letter that is easy to miss.

Again, it’s designed to pass a cursory look while the impact of the message – account suspension in the case of our example – is still in play.

After clicking on the hyperlink, you will then be redirected outside of the email platform to a landing page.

In the case of a bank it could look exactly like a real page on the bank’s website.

It's a simple process to copy a financial institution's logo, color scheme and fonts to give the page the appearance of being legitimate.

Even the things that banks and other institutions warn you about, like “we will never ask you for your social security number” or “Only log in to our portal directly” are easily ignored because this is already the 3rd step in the attack:

  1. Shock value email
  2. Realistic looking or hidden links
  3. Perfect replica landing page

And once you type your credentials into those fields, you are officially the victim of a phishing attack.

How to Spot Phishing Attacks

Don't open email from strangers. Or rather, don't open an email from a company or individual you don't recognize.

If you're not part of a fantasy football league, for example, don't open that "great draft pick" email from someone you don't know.

When you HAVE opened an email just out of routine, you can often identify a phishing attempt by the writing alone: spelling mistakes, odd grammar and generic greetings that a legitimate sender would not use. Many phishing campaigns targeting the United States are run from abroad, and the language often gives them away.

A spoofed email address is one that is VERY similar to one you trust, or even exactly that address (the From address in an email can be forged outright, so a matching address is not proof of legitimacy on its own).

This is where stopping and reading the text of the email carefully may be the only thing that prevents the disastrous click.

Here’s an example of a spoofed email address:

The original email address is:

customerservice@usbank.com

But the spoofed address is:

customerservice@vsbank.com


How to avoid phishing attacks

Using our common example of a "banking emergency," here are the right steps to take if you get an email that's believable but suspicious.

1. Call the bank or the person the email claims to be from, using a phone number from your card, your statement or the official website, never one given in the email. Confirm the details by reading them everything that was written in the email.

2. Read the sender's email address CAREFULLY. Make it a habit to read the sender's address letter for letter and word for word, just to be 100% sure. If you don't, you might be the next victim of a phishing attack by way of a spoofed email address.

3. Activate two-factor authentication (2FA) and practice strict password management. These are among the most effective measures against phishing: even when your credentials have been compromised, a second factor means the password alone is not enough to gain entry. One caveat: a phishing page that relays your login to the real site in real time can also relay an SMS or app-generated code, so where your bank offers it, prefer a hardware security key or passkey, which only works on the genuine site's address.

4. Read the landing URL or website address CAREFULLY. Bad actors will often build a website that looks the same as the bank's official website. If you HAVE clicked an emailed link, check the URL of the landing page carefully before going further.

For example:

The official URL of a bank is:

https://capitalone.xyz

But the URL of the phishing website will look like this:

https://capitol1-online.xyz
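The three checks above (the hover check on a link, the letter-for-letter read of the sender address, and the letter-for-letter read of the landing URL) can be automated for an email you have saved to disk. The script below is an added example written for this article, not code from Verified Technologies. It parses a raw email with the Python standard library, compares the sender domain and every link host against an assumed list of trusted domains, flags hosts that are within a couple of character edits of a trusted domain (the usbank.com / vsbank.com and verifiedtechnologies.com / verifiedtechnnologies.com cases), and flags links whose visible text names one domain while the href points to another. TRUSTED_DOMAINS, the sample message and the edit-distance threshold are assumptions chosen for illustration; the sample reuses the look-alike names from this article.

```python
"""Flag phishing indicators in a raw email: look-alike sender domains,
links to untrusted hosts, and link text that names a different domain
than the href it hides.

Added example, not code from Verified Technologies. TRUSTED_DOMAINS,
SAMPLE_EMAIL and the edit-distance threshold are assumptions for
illustration. Standard library only.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the organizations this mailbox owner actually deals with.
TRUSTED_DOMAINS = {"usbank.com", "capitalone.xyz", "verifiedtechnologies.com"}

# Constructed sample message (not a real capture); reuses the article's examples.
SAMPLE_EMAIL = """\
From: Customer Service <customerservice@vsbank.com>
To: you@example.com
Subject: Your account has been temporarily disabled
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account is suspended until you verify your details.</p>
<p><a href="https://capitol1-online.xyz/login">Fix this issue now - click here</a></p>
<p><a href="http://www.verifiedtechnnologies.com/help">verifiedtechnologies.com</a></p>
</body></html>
"""

# Something that looks like a domain name inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lower-case and drop a leading 'www.' so www.x.com compares equal to x.com.
    Assumption: plain second-level domains; real code would use a public-suffix
    list to find the registrable part."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def lookalike(host: str, max_edits: int = 2):
    """Return the trusted domain that `host` imitates (within max_edits
    character changes), or None if it is trusted or not close to any."""
    host = normalize(host)
    if host in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(host, trusted) <= max_edits:
            return trusted
    return None


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze(raw: str) -> list:
    """Return findings as dicts with keys kind, domain, imitates, text."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Step 2 of the article: read the sender's domain letter for letter.
    sender = normalize(msg["from"].addresses[0].domain)
    imitates = lookalike(sender)
    if imitates:
        findings.append({"kind": "sender-lookalike", "domain": sender, "imitates": imitates, "text": ""})
    elif sender not in TRUSTED_DOMAINS:
        findings.append({"kind": "sender-untrusted", "domain": sender, "imitates": None, "text": ""})

    # Step 4 and the hover check: where does each link really go?
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    extractor = LinkExtractor()
    extractor.feed(body.get_content())
    for text, href in extractor.links:
        host = normalize(urlparse(href).hostname or "")
        if host in TRUSTED_DOMAINS:
            continue
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and normalize(shown.group(0)) != host:
            kind = "link-text-mismatch"  # text names one site, href goes to another
        else:
            kind = "link-untrusted"
        findings.append({"kind": kind, "domain": host, "imitates": lookalike(host), "text": text})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EMAIL):
        print(f"{f['kind']:20} {f['domain']:28} imitates={f['imitates']} text={f['text']!r}")
```

Run against the sample, the script reports the sender vsbank.com as imitating usbank.com, the "click here" link as pointing at the untrusted host capitol1-online.xyz, and the last link as showing verifiedtechnologies.com while actually going to verifiedtechnnologies.com. Note what the edit-distance check does and does not do: capitol1-online.xyz is far too different from capitalone.xyz to be matched, which is why the deciding rule is "not on the trusted list" and the look-alike match only labels which brand is being imitated.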

Phishing, Hacking and the Reality of Recovery

Dealing with the consequences of a phishing attack is not only tedious but expensive.

A careless click can compromise your entire business network or your personal finances.

That's why, if you are responsible for a company network in particular, you should talk about education and phishing recovery plans with the team at Verified Technologies here.


Verified Technologies does NOT provide cyber security, cyber monitoring or hacking detection services in our regular managed services agreements unless they are specifically defined in a separate statement of work. Please contact us with any questions.