Phishing attacks are amongst the most common online attacks carried out by cybercriminals.
Despite the rising number of phishing attacks, many people still fall victim, and even really smart people aren’t left out. According to the Anti-Phishing Working Group (APWG), the number of phishing websites detected between July and September 2019 was 266,387, which is 46 per cent higher than what was recorded in the second quarter of 2019.
Understanding how phishing attacks work will help you identify a phishing attack so you can prevent an attack from happening to you or your loved ones.
This article is part of our series on security in the cryptocurrency space. Our intention is to share important tips and methods you can adopt to ensure your digital assets are safe and secure both on and off Quidax.
What Is Phishing?
Have you ever received an email that seemed like it was from your bank, except that it wasn’t?
This email probably asked you to verify some sensitive information or else your bank account would be frozen. This email also probably instructed you to click a link or reply to the email.
Thousands of people across the globe receive these types of emails. Oftentimes, the emails appear to be sent from a reliable source like your bank with a reputation spanning up to hundreds of years.
Phishing is a type of social engineering attack. Cybercriminals often use phishing to rob people of valuable information like login and ATM card details (PIN and security number, or CVV).
A phishing attack happens whenever an attacker pretends to be a trusted individual or organisation (like your bank) to trick targets into opening an email or message from them, or into clicking a malicious link that could cause malicious software to be installed automatically on the target’s device. Clicking through malicious links like these could also freeze the target’s system or lead the target to divulge sensitive information as part of the attack.
Types Of Phishing Techniques
Phishing attacks take a number of different forms. Understanding the various types of phishing attacks used by attackers would greatly help reduce the chances of becoming a victim of one. When you can see the patterns, you’re less likely to go ahead with the very action the attacker expects of you and this gives you the needed advantage.
Here’s a list of some of the most common techniques deployed by attackers.
Email Phishing
In this type of attack, attackers send out emails to as many as thousands of people in the hope that a number of them will fall for the scam. These attackers employ certain techniques to ensure that they have some success with their victims. Oftentimes they even pose as very reputable organisations in the emails they send, going as far as using the logos, typefaces and signatures of these organisations in order to make you believe that the message is authentic.
Spotting emails like these can be challenging at times. One red flag to look out for when you open your emails is grammatical errors. Emails sent by attackers often contain a few grammatical errors.
In addition to checking whether or not the email is free of grammatical error, confirm that the sender’s email is absolutely correct. Make sure that the email has been sent from someone within the organisation or with the organisation’s official email address.
For example, Quidax will never send you an email with a sender email address that doesn’t end with “@quidax.com”.
Email phishing attacks also come with a sense of urgency in many cases. The urgent undertone that is characteristic of such emails aims to spur victims to take immediate actions to their detriment before they are able to give careful consideration to what they’re about to do.
So, if you receive an email riddled with grammatical errors, sent from an address inconsistent with the email or website of the supposed organisation, and prompting you to act immediately or risk losing something, it’s definitely time to step back and assess the entire situation critically to avoid falling victim.
Spear Phishing
Unlike normal phishing activities, which are aimed at email users in general, spear phishing is a type of phishing attack that’s targeted at a specific individual or organisation. To execute the attack successfully, the attacker needs unique information about the target.
Spear phishing attacks have a much higher success rate because, in this situation, the attackers pay more attention to details and craft the information with a specific audience in mind. Attackers that deploy spear phishing target high-value victims.
The psychology behind this sort of attack is that instead of targeting so many different people who may end up having a comparatively lower value for the attacker, they’d instead focus their effort on a specific individual, organisation or business who has exactly what they’re looking for.
The major difference between normal phishing attacks and spear phishing is that spear-phishing attacks are more difficult to recognize. This is because the attacker is usually armed with enough information tailored to the victim.
Whaling
This is a phishing attack that’s aimed at the top-level management of an organisation. So, if you fall into this category, it’s imperative to pay extra attention to your security on the internet.
This type of phishing attack is done because the attackers believe that compared to a normal employee, a top-level management executive is in possession of information that’s of more value. Whaling attackers aim to steal money, employee information and crucial data.
Like spear phishing, whaling demands good research to execute successfully. The attacker would have to gather enough extra information like who the victim talks to and the types of conversations they have.
Clone Phishing
In this type of phishing attack, the attacker creates a message that’s very similar to an original message from a legitimate individual or organisation. Here, a message that’s been sent earlier from a legitimate organisation is cloned and resent from the attacker’s email. Usually, the only difference it’d have from the original email would be a malicious link within the body of the email.
People are more susceptible to this type of attack because they are less guarded in situations like this. When the attacker sends a cloned email, they often inform the receiver that they’re sending the email as an update to the earlier one or that a minor adjustment has been made in order to allay any fears or objections the victim may have.
Clone phishing also happens when an attacker creates a website that’s a clone of a legitimate one with a disguised domain to trick the target into falling for the scam.
Vishing
This type of phishing attack is quite common. In a vishing attack, the victim gets a phone call with a voice message that’s supposedly from a legitimate source like their bank. In situations like this, the victim is asked for delicate information like their PIN or password.
So, whenever you receive that phone call or voice message supposedly coming from your bank, think twice before divulging any information at all.
How to Protect Yourself from Phishing Attacks
Examine Link Destinations
Many emails we receive come with links. But simply because the link looks legit doesn’t mean the destination is. Inspect the destination of any link you click from your email before you proceed with any activity on the site.
Watch Out For Shortened Links
A Bit.ly or Linktree link is a typical short link. Phishing attackers use short links a lot. This is why you need to pay extra attention when you see a short link feature in your email before you click through.
Threats and Urgent Deadlines are Red Flags
Urgent deadlines are common characteristics of phishing attacks. The sense of urgency and threat is included to hasten the victim’s action and cloud their sense of judgement.
Is There an “s” after the “Http”?
Only browse secure websites to ensure that you are protected. Check that the address of every website you browse starts with “https” (with the secure “s” after “http”) and appears beside the secure padlock sign.
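The sender-address and link checks described in this article (sender domain, link destination, short links, https), put together as an added Python example; it is not Quidax's own code. The shortener hostnames and both sample messages are assumptions constructed for illustration, and the host comparison is a rough one that does not use a public-suffix list.

```python
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "quidax.com"        # sender domain the article names
SHORTENERS = {"bit.ly", "linktr.ee"}  # assumed hosts of the services named

class LinkCollector(HTMLParser):      # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self._text += data            # reset at each <a>, read only at </a>
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def same_site(a, b):  # equal hosts, or one is a subdomain of the other
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def triage(raw_email):
    msg, flags = email.message_from_string(raw_email), []
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if not sender.endswith("@" + EXPECTED_DOMAIN):
        flags.append(f"sender {sender} is not @{EXPECTED_DOMAIN}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme != "https":  # https alone does not prove legitimacy
            flags.append(f"{host}: link is not https")
        if host in SHORTENERS:
            flags.append(f"{host}: short link hides the destination")
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and not same_site(host, shown.group(0)):
            flags.append(f"{host}: link text shows {shown.group(0)}")
    return flags

# Constructed samples, not real mail (.example is a reserved TLD).
PHISH = ('From: "Quidax" <support@quidax.com.verify.example>\n\n'
         '<a href="http://login.verify.example/q">www.quidax.com/login</a>'
         '<a href="https://bit.ly/EXAMPLE">click here</a>')
LEGIT = ('From: Quidax <support@quidax.com>\n\n'
         '<a href="https://www.quidax.com/help">quidax.com/help</a>')
```

`triage(PHISH)` returns four flags (sender, non-https link, mismatched link text, short link) and `triage(LEGIT)` returns an empty list.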
Change Your Passwords Often
We’ve heard advice like using strong passwords so often that it’s become a cliche. Sounds familiar, right?
Phishing attackers leverage password hacks and mismanagement. Thus, it’s imperative to not use one password across different platforms and to always use strong passwords even though it may not be always convenient.
There are apps that have made this easier and more achievable. A few password management tools you can use are LastPass, KeePass, Dashlane and Keeper Security.
We recommend doing your own research before selecting the password management tool to use.
Enable Two-Factor Authentication
Enabling two-factor authentication is another step to take to safeguard your account. It reduces the chances of a third party accessing your account even if they have your password.
If you ever experience an attack where your password is compromised, the attacker would still be unable to access your account because they’d need to have your authentication code as well.
If you want to be a little extra cautious, you can add 2FA to your social media accounts because cyber attackers can use them as a funnel to reach your friends and family.
Remember that anyone can fall for a phishing attack irrespective of how smart they are. We recommend taking the steps above to protect yourself and those you care about from being attacked.