‘Where do the fish keep their money? In a riverbank!’

Jokes aside, no matter how much you’re trying to protect your “riverbank,” there will always be someone trying to phish their way into it, and most of the time, without you even realizing it. 

Phishing attacks continue to be among the most effective ways to compromise an enterprise. In 2017, 76% of organizations experienced phishing attacks. According to Aviva, if your company is breached, 60% of your customers will think about moving to another vendor and 30% actually do. But what exactly is phishing and why is it important?

We will explain the term in a few moments, but first, it’s worth noting that as consumers become more savvy at identifying the most common phishing scams, attackers are finding new ways of scamming. Along with phishing, we will also explain other fancy terms such as smishing and vishing.

But first, let’s go phishing

Phishing is a form of fraud that uses both social engineering and subterfuge, and aims to steal personal identity data, financial account credentials or any other valuable data.

Although phishing emails and messages appear to be sent from a reliable source, they usually contain malicious links or attachments. Victims are prone to click on these malicious links or download attachments because they trust the source. The consequences can range from installing a fraudulent software to having login credentials or account information stolen.

To execute a successful phishing attack, an attacker may use link manipulation techniques, or URL hiding. By creating a malicious URL, which at first glance appears to be legitimate, attackers trick victims to click on the link and get bait on a hook.

Another phishing tactic is link shortening, using services such as Bitly and others in order to hide the link destination. To register malicious domains, attackers use different alphabet or numeric characters, which when read quickly appear to be look like the legitimate domain name. This technique is called homograph spoofing, where numbers 0 or 1 can be replaced by the letters O and I and can appear as, for example, mïcrosoft.com.

phish

How to spot a phishing email:

If the received email or message contains a link, don’t click on the link before checking where it might take you. Navigate your mouse over the link (or click and hold on your mobile device) to see whether the link’s destination is a valid one or not. Be especially cautious if the email appears to come from a financial institution. We advise you to go to the sender organization’s website and if you have an account there, login using your credentials and check whether you’ve received the same message in your Inbox. If the same message is there, then there is no reason to worry.

● Check if the email or message requests you to share personal information. If yes, don’t share any data by replying to the message.

● If you don’t know who the sender is, don’t click on any signature links identifying the source, but independently check the website and do a bit of research about the company.

Check if the email or message contains grammatical errors. It can be a good indicator that there’s something ‘fishy’ going on.

Now, off to smishing

Smishing is a form of phishing where a smisher sends malicious text and social media messages to obtain valuable information.

Smishing can often create more security risks than phishing as people tend to open text messages more often than emails. The global text message open rate is 94% compared to an average 30% email open rate.

The following tips can help identify a smishing attack and protect your from fraud:

● Don’t reply to people and contacts you don’t know.

● Do not click on links you get on your mobile phone, unless you are sure who the sender is. Additionally, it’s always better to double check with the sender to confirm they sent the link intentionally.

● Don’t install apps from text messages, even if you receive it from your friends. You should only install apps through the official App Store or Google Play store. Be aware, as only one text message can compromise your security and put your identity at greater risk.

Last but not least, vishing

Vishing is the telephone version of phishing, or a voice scam, designed to trick victims into sharing personal information, such as PIN numbers, social security numbers, credit card security codes, passwords and other personal data. The obtained information is then used to gain access to personal or financial accounts, or to compromise a brand reputation. Vishing calls often appear to be coming from an official source such as your bank or a government organisation. You should never provide your personal information or install software upon the request of a voice at the other end of the line. Vishing scammers can often use voice to text synthesizers or recorded messages to hide their identity. If you think that you received a vishing call, rush to say goodbye and hang up.

While education and awareness about phishing and its forms are crucially important when protecting your personal and business data, it’s not enough. That’s why at Fyde we focus on building phishing defense tools to protect your ‘riverbanks.’

Learn more about Fyde products here.

References:

  1. Tripwire
  2. Comparitech
  3. APWG
  4. Out-Law
  5. Esendex
  6. Smart Insights