What are Phishing Attacks? A How-To Guide on Phishing Protection with Examples

Hacker

Keeping our credentials and bank details safe is cyber security 101, we hear so many experts barking on about how important it is to keep our details private and secure. But what if you were fooled into believing a reputable organisation’s email, or call to action? What if you were a victim of phishing?

If you’re trying to avoid a phishing attack, or have recently been subject to a malicious attack on your online data, perhaps by means of text message, much like the COVID-19 Certificate scam that recently hit Malta, or perhaps a seemingly verified email that turned out to be totally dodgy, read this 4Sight blog to learn more how to prevent this from happening again.

What is a Phishing Attack?

Phishing is a means by which hackers gain personal data for malicious purposes. This social engineering attack steals login credentials, credit card numbers and all the other shiny bits that might be of some sort of value for further fraudulent activity online.

But the way phishing attacks take place aren’t in the form of rather obvious pop ups that promise to make your life better with their get rich quick or lose weight fast scams! Rather, they take on the appearance of a reputable entity, a trusted name that tricks its victims into sharing details. This can be done via email, instant message, text message or other creative ways, tricking you into sharing valuable information or clicking on a malicious link.

When this takes place, malware takes over your device, using ransomware attacks to reveal sensitive data for purchase of illegal products, use on dark web websites, identity theft and so on. Phishing experts will use your images, details and information to trick others into going through with the same dupes, as they masquerade as company officials and such like.

On a personal level, this could be detrimental – leaving all victims with a negative sum in their bank account, having to endure quite a steep uphill climb back to stability and security. But when phishers target companies, such as corporate or governmental organisations in larger attacks referred to as advanced persistent threats, they find a way to infiltrate the organisation. They bypass security perimeters, distribute malware and gain access to secured data.

As a result, this sort of loss can result in a deduction of huge amounts of money, as well as the company, for example bank, university or public service organisation’s reputation and consumer trust. Some phishing attacks also reveal certain disclosed information to the public, in turn destroying a company and its status.

Examples of Phishing Attacks

Urgency, fear and embarrassment are often motives for phishing attacks to take place.

Email phishing attacks

A phishing attack can come directly from your employer or educator, telling you that your email, profile or access password needs renewal in the next 24hrs. This sort of information will generally be followed by a direct link that will seemingly save you time and sort out your issues immediately.

But one the contrary, what this link is set to do is actually skim your device for all the beneficial information it can find – stealing your data in the process. They will do this by reading your old password from the false link, and using it to access the original “Renew Password Page” that you are trying to update.

Alternatively, the hijacker will send you to the original, authentic page and run a malicious script, taking over the user’s session cookie – this is a reflected XSS attack that will allow the hacker into the organisation’s network.

What to look out for:

  • Typos
  • Repetition of language
  • Overly urgent language
  • Broken English
  • Lack of an email signature
  • Spammy subject line
  • Lack of logos

What should you do when you think you’ve opened a spammy email:

  • Do not click on any links
  • Take all images to Google Images to find source
  • Report the email to Gmail/Outlook/Firefox
  • Inform the actual organisation that you’ve received such content

Text Message Phishing attacks

The same can be done via medical information where passport or identity details are requested, used and abused for malicious practice. In recent weeks here in Malta, an SMS made the rounds, asking users to click on a link to activate their COVID-19 certificate. With the urgency of travel, returning to normal and general curiosity as to what this ‘new document’ will look like, many were fooled into believing that the contents of this SMS were sent from the health authorities. Tricking tonnes of innocent locals in the process.

How to Protect yourself from a Phishing Attack

Protecting yourself from phishing attacks might be easier said than done, especially when spear phishing takes place. Spear phishing is a practice that hackers use to target specific individuals or companies – it’s a sort of direct vendetta that is either based on malicious intent or malicious gain.

If you’re trying to keep safe in the climate of online hacks and attacks, your best bet is to be vigilant. Those subtle mistakes in an email will allow you to catch the crooks and send the email straight into your spam folder. Look out for domain names, urls as well as the above mentioned criteria.

You can prevent phishing attacks with Two-factor authentication for all your log-ins, enforced with a strong password practice and educational campaigns to keep your staff, students and family knowledgeable about the risks they could endure.

If you’re worried about phishing attacks affecting your studies, business or family’s protection, get in touch with 4Sight for more information and guidance on how to limit your risks and be more mindful of your online actions.