There was a time, not so long ago, when computers, smartphones, and social media did not exist. It seems crazy—but it’s true. Before the creation of the internet, it was not possible to reach someone through text or email. You had to pick up the phone and call them if you wanted to have a conversation. If you were stuck in a project, you had to search through manuals and encyclopedias. There were no websites, no learning games, and no pictures on screens—only books, magazines, and other written papers. Information was much, much harder to find before the internet came along. It might seem like life was harder back then, and maybe it was a little. But life was also a lot simpler because we only had to worry about real-life dangers.
Today, we still have to wear our seatbelts and look both ways before crossing the street, but we also have to be careful during our screen time. Why? Because we now live in two different worlds—the real one we can touch and the virtual one that lives on our screens. This virtual world is sometimes called cyberspace. And just like in the real world, there are dangers in cyberspace. To stay safe and not end up a victim, we need to understand more about cybersecurity. Cybersecurity is about protecting yourself from online danger and crime. And one of the biggest dangers on the internet right now is a scam called phishing.
What is a Phishing Attack?
Phishing is a social engineering attack used to steal sensitive data such as login credentials, credit card and banking details, and other personal information. A scammer or attacker impersonates a trusted site, organization, or person, often by mirroring the real one, to trick you into opening a malicious link or attachment delivered by email, instant message, or text message.
There are a lot of special words to remember when talking about cybersecurity and the types of phishing, but one of the most important is vulnerability. If you are vulnerable to something, it means you are open to being harmed. If you walk out into the middle of traffic, you make yourself vulnerable to injury. If you sit out in the hot sun, you become vulnerable to sunburn. And if you are not careful about what you do on the internet, you may be vulnerable to a cyber-attack. One of the most common cyber-attacks on the internet today is phishing, and its usual weapon is email.
Even in the “old days,” all human communications had a vulnerability. Smoke signals could be seen by anyone looking at the sky. Carrier pigeons with messages tied to their legs could become disoriented or lost. And secret codes created by the military could be “cracked” by clever mathematicians. Even the super-modern telephone had a vulnerability—you never knew who might be listening in on the wire. And today, attackers target the modern communication of email.
The Sneak Attack - Phishing Emails
So, who are these “attackers” or “scammers” anyway? The truth is you will probably never know. What you do need to know is their goal is to install malware and steal login credentials, sensitive data, and whatever else they can. And so, just like you watch out for strangers in the real world, you must also watch out for scammers and criminals on the internet. The most important word to remember is trust. Do not hand your trust out easily. It is something that should be earned by those around you, not casually given away. It doesn’t matter if it’s a sketchy email from a friend or a weird knock on the door—always think before giving anyone access. When it comes to the internet, think before you trust.
Phishing emails look like real, legitimate messages from someone you trust: your boss, a colleague from work, or maybe someone you don't know but who sounds believable. A scam email is worded in a way that tricks you into believing the message is real. And because it seems like you are communicating with someone trustworthy, you are likely to follow the directions in the message. You might think it is easy to tell the difference, but a good phishing attack can be hard to spot.
Think about it this way. What if you received an email from your mom telling you she is out at the store and has forgotten her debit card PIN, and she is hoping you can remind her? The message is short and to the point. It doesn't really sound like your mom, but it is hard to tell because it is only a few sentences. She did use your name, and she did know your email address, so it must be her, right? Maybe. But maybe not. It could be a clever phishing attack aimed at you, and when you email the PIN back to "mom", the attackers on the other side of the screen have what they want. You have just become the victim of a phishing scam.
Other times, phishing schemes actually use your own mind to trick you. It sounds crazy, but it’s a method of attack known as social engineering. As people, we all have certain natural personalities and behaviors—they make us unique. But there are also some characteristics we all share, like curiosity, excitement, or fear. If we see a child standing in the road, our first reaction is to pull them to safety. And if we see something shiny on the ground, we may not be able to resist picking it up. In this way, phishing scams use social engineering to predict what someone will do in a certain situation. If a scammer can make you feel curious enough or worried enough, they might get you to click that malicious link or offer up some private information—whatever it is they want. In other words, these attacks are only successful if you play your part.
Let’s look closer. Say you sit down and open your email. Your inbox has one message from a gaming site you love to use. You really, really love this site. Their games are fun, not too expensive, and your scores are getting better every day. It looks like the website has sent you a message about a contest. You read more and see you have won something for being such a good player. What? You’ve won a free game of your choice for one year? No way! All you have to do is click the link in the email to claim your prize. What happens next depends a lot on your personality. Do you click the link? Do you stop, take a deep breath, and think, “Hmm, maybe this is a scam?” Or do you click immediately, already planning which super fun game you will pick? Just remember—what you do next may have significant consequences, so choose wisely. Don't let this social engineering attack method choose for you.
NOTE: An HTTPS certificate, shown as the padlock icon beside the address bar, does not mean that a website is safe or that it is not a phishing site. It only means that your connection to that site is encrypted. Anyone who controls a domain, including a scammer who has just registered a lookalike name, can obtain a certificate for it easily and at no cost, so a padlock on irsss.com proves nothing about who is behind it.
Clicking a weird link in a silly phishing email may not seem like a problem, but it can be. The link may take you to a fake login page that captures whatever you type, or it may download malicious software, otherwise known as malware, onto your device. Malware is just a special word for harmful software: the kind that slows down your computer, eats up its memory, and steals your private information and passwords. Malware is not something you want on your personal device, but hackers and criminals love it because it gives them access to the most valuable thing on the internet, your data. That data can be your passwords, location, name, birthdate, even information about your family or your school. And cybercriminals can use it to build bigger and more convincing attacks in the future, because in the virtual world, information is like gold.
Recognizing Malicious URLs and Malicious Emails
Let's consider another scenario. What would you do if you received the email described below? Would you realize that it is a phishing email?
The email comes from a scammer posing as an IRS agent. The sender's address is at the domain irss.com, and when you hover over the hyperlink you see that it points to http://irsss.com/tax-refund/credit-card, a plain-HTTP link to a domain that only resembles irs.gov. The real IRS does not ask for your credit card details or bank account information by email.
Four Ways to Identify Phishing Emails and Sites
- Check the spelling of the domain. Phishing sites imitate real ones with near-identical names, the way irsss.com imitates irs.gov. Look closely at the part just before the top-level domain and at the top-level domain itself (.com instead of .gov).
- Stay away from pop-ups. They appear far more often on counterfeit sites than on legitimate ones. If one appears, close it with the X button rather than clicking anything inside it.
- If the domain does not look familiar, look it up with a WHOIS service such as https://www.whois.net/ and a web search to see whether it is legitimate.
- Advanced users can also weigh the registrar, creation date, and last-updated date from a WHOIS lookup: a domain registered a few days ago is a red flag for a site claiming to be a long-established organization. Be aware, though, that WHOIS details are often hidden behind privacy services and that most content is hosted on shared providers such as AWS or GoDaddy, so registration and hosting information alone rarely settle whether a domain is authentic.
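The IRS scenario and the domain checks above can be turned into a small script. The following is an added example, not code from the original article: it parses a constructed sample message modelled on the fake IRS refund email, extracts the sender, Reply-To, and every link in the body, and flags plain-HTTP links, lookalike domains (measured by edit distance against a trusted-domain list that is an assumption for the example), and replies routed to a different domain than the sender. The registered-domain helper is deliberately crude (last two labels); real tooling should use the Public Suffix List.

```python
"""Added example: flag lookalike domains and risky links in a suspicious email.
Not code from the original article; the sample message and the trusted-domain
list below are constructed for illustration."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample, modelled on the fake IRS refund email described above.
SAMPLE_EMAIL = """\
From: IRS Refunds <refunds@irss.com>
Reply-To: claims@irsss.com
To: you@example.com
Subject: Your tax refund is ready
Content-Type: text/plain; charset=utf-8

We owe you a refund. Confirm your card details within 24 hours:
http://irsss.com/tax-refund/credit-card
Privacy policy: https://www.irs.gov/privacy
"""

# The organisation the email claims to be from (assumption for the example).
TRUSTED_DOMAINS = {"irs.gov"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for irs.gov / irsss.com; a real
    tool should use the Public Suffix List so that e.g. example.co.uk works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain this domain imitates, or None. Only the
    second-level label is compared, so irsss.com is measured against irs.
    A distance of 2 on short names is loose; tune it for real use."""
    name = domain.split(".")[0]
    for t in trusted:
        if domain != t and edit_distance(name, t.split(".")[0]) <= max_distance:
            return t
    return None


def link_flags(url: str) -> list:
    """Reasons a single link deserves suspicion."""
    parsed = urlparse(url)
    domain = registered_domain(parsed.hostname or "")
    flags = []
    if parsed.scheme != "https":
        flags.append("plain-http")
    target = lookalike_of(domain)
    if target:
        flags.append(f"lookalike of {target}")
    elif domain not in TRUSTED_DOMAINS:
        flags.append("unknown domain")
    return flags


def analyse_email(raw: str) -> dict:
    """Check the sender, Reply-To and every link in the body; return findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0].domain.lower()
    reply_to = msg["Reply-To"].addresses[0].domain.lower() if msg["Reply-To"] else sender
    findings = []
    if sender not in TRUSTED_DOMAINS:
        target = lookalike_of(sender)
        findings.append(f"sender domain {sender} "
                        + (f"imitates {target}" if target else "is not trusted"))
    if reply_to != sender:
        findings.append(f"replies go to {reply_to}, not to the sender domain {sender}")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    links = []
    for url in URL_RE.findall(body):
        flags = link_flags(url)
        links.append({"url": url, "flags": flags})
        findings.extend(f"{url}: {f}" for f in flags)
    return {"sender_domain": sender, "reply_to_domain": reply_to, "links": links,
            "findings": findings, "verdict": "suspicious" if findings else "no findings"}


if __name__ == "__main__":
    for line in analyse_email(SAMPLE_EMAIL)["findings"]:
        print(line)
```

Run it as a script to print the findings for the sample, or call `analyse_email()` on a raw message of your own. The genuine https://www.irs.gov/privacy link in the sample produces no flags, which is the point: the script does not condemn an email for containing a trusted link, it condemns the lookalike sender, the mismatched Reply-To, and the plain-HTTP refund link.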
Four Ways to Protect Yourself From Many Types of Phishing Attacks
- Security Software Protection: Use up-to-date security and anti-virus software on all devices, including your phone, and set it to update automatically so it can recognize new threats.
- Use Multi-factor Authentication to Protect Accounts: If an account offers extra security by requiring two or more credentials to log in, take advantage of it. Multi-factor authentication forces scammers to do more than steal your password and reduces the chance of account takeover and identity theft.
- Back Up Your Data: Back up your data regularly to external drives or cloud storage, and keep the backup disconnected from your home network when it is not in use, so malware that arrives through a phishing email cannot reach it.
- Anti-phishing Solutions: Check whether a suspicious URL is a legitimate web page or a phishing site with Bolster's anti-phishing checker at https://checkphish.ai/.
Detection is the first step to preventing phishing attacks. Don't become a victim by falling for an impersonation or forgery of an organization or website.