Phishing Attack: How is It Engineered and How to Prevent It

  • Phishing is a form of cybercrime in which the scammer asks you to provide them with your personal information through email, telephone, or text message by pretending to be someone else.

  • Many phishing attempts can be spotted by keeping an eye out for poor spelling and grammar, sender addresses that don't match the organization the message claims to come from, and requests for information you should never provide over email.

  • Be suspicious if someone contacts you unexpectedly online and asks for your personal information. Only open emails and respond to text messages, voicemails, or calls from people or organizations you know, and even then be cautious if anything looks questionable.

What is phishing?

The term "phishing" is a variation of "fishing": the scammer casts a baited hook (the phishing email, text, or call) and hopes you bite.

Types of phishing

There are several forms of phishing attack, but they share a common objective. Each tries to get the victim to do one of two things:

  • Hand over sensitive information.

  • Download malware.

Scammers conducting a generic phishing attack may know nothing about you, which is why you may occasionally get an email asking you to reset your password for a bank or online service you don't even use. In "spear-phishing" attacks, by contrast, scammers use what they know about the target: they might have obtained a breached list of a website's users and email those users, posing as that site, to ask them for sensitive information.

Spear phishing can also be aimed at specific individuals, with custom emails that appear to come from co-workers, clients, or vendors and are designed to persuade you to give up passwords, account credentials, or other sensitive information.

You may also see other phishing-related terms, such as smishing or vishing. Smishing is phishing carried out over text messages. Vishing is phishing over the phone: scammers use a live call, an automated voice system, or voicemail to trick you into providing personal information while sounding like a legitimate business or government official.

Common phishing ploys

1. Government impostor scams:

  • Government impostor scams occur when a scammer pretends to be an employee of a government agency. A genuine government agency will not demand that you pay immediately or through an online transfer, and it will not ask you to provide personal details on the spot, such as bank account details, credit/debit card numbers, or passwords.

2. Fake person scams:

  • Fake person scams happen when a scammer hacks into someone's email account and sends fake emails to that person's friends and relatives, perhaps claiming that the real account owner is stranded abroad and needs your help to get home. If you receive such an email, contact the sender through another channel, such as a phone call, before sending any money.

3. Love scams:

  • Love scammers prey on people looking for romantic partners, often via dating websites, apps, or social media, by pretending to be prospective companions.

  • They play on emotional triggers to get victims to hand over money, gifts, or personal details. A love scam is not easy to detect because the perpetrators do not rush: they take their time to woo the victim and promise a great deal.

  • With so many people now using social media and online dating sites to find partners, it is difficult to distinguish a genuine person from a scammer.

4. Employment scams:

  • Secret/mystery employment scams involve fake advertisements for work-from-home jobs. As a supposed new employee, you might receive an official-looking cheque as a starting bonus, but you are then asked to pay the cost of "account activation" yourself.

  • If a job promises a high salary for little work, be wary; that is a common sign of a job scam. Other key signs of a fraudulent job advertisement include a request to remit money before any interview takes place or before a job offer is confirmed.

How to detect a phishing attack?

There are a number of steps you can take and habits you can adopt that will keep you from becoming a phishing victim, including:

  • Always check the spelling of the domain in email links before you click or enter sensitive information; look-alike domains often differ from the real one by only a character or two.

  • Watch out for URL redirects, where you are quietly sent to a different website that copies the design of the real one.

  • If you receive an email from a source you know but it seems suspicious, contact that source with a new email to an address you already have, rather than just hitting reply.

  • Don't post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media.

  • Before paying an online seller, check the bank account number or phone number through the "Semak Mule" service run by the police at https://ccid.rmp.gov.my/semakmule/ to see whether it has been reported as a scammer's account. This applies only in Malaysia.
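Three of the checks above can be automated: the sender check from the summary at the top (a Reply-To domain that does not match the From domain), the link check (visible link text that names one site while the href goes to another), and the look-alike domain check (typosquats, confusable characters, or a trusted name embedded in a domain the attacker controls). The script below is an added Python example and is not part of the original article. It assumes a single trusted domain, bank.example, a small table of confusable characters, and a constructed sample message; none of these come from the page.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the recipient only deals with this one domain.
TRUSTED_DOMAINS = {"bank.example"}
# Character swaps attackers use to make one domain name look like another.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "5": "s", "3": "e"}

# Constructed sample message (not a real capture): an "account suspended" lure.
SAMPLE_EMAIL = b"""From: Bank Example Alerts <alerts@bank.example>
Reply-To: helpdesk@mail-relay.example.net
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Log in at <a href="http://bank-example.com/login">https://bank.example/login</a>
within 24 hours, or <a href="https://bank.examp1e/verify">verify here</a>, or at <a href="https://bank.exmaple/confirm">this page</a>.</p>
<p>See our <a href="https://bank.example/help">help page</a> for details.</p>
</body></html>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def normalize(host):
    """Undo confusable substitutions so a look-alike compares equal to the real name."""
    h = host.lower()
    for fake, real in CONFUSABLES.items():
        h = h.replace(fake, real)
    return h

def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats such as bank.exmaple."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def lookalike_reason(host):
    """Explain why host resembles a trusted domain, or return None if it does not."""
    host = host.lower()
    if not host or is_trusted(host):
        return None
    norm = normalize(host)
    if norm != host and is_trusted(norm):
        return "confusable characters imitate a trusted domain"
    for d in TRUSTED_DOMAINS:
        if d in norm or d.replace(".", "-") in norm:
            return f"embeds the trusted name {d} in another domain"
        if edit_distance(norm, d) <= 2:
            return f"typosquat of {d}"
    return None

def triage(raw):
    """Return (indicator, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    reply_dom = parseaddr(str(msg.get("Reply-To", "")))[1].rsplit("@", 1)[-1].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"From {from_dom}, replies go to {reply_dom}"))
    body = msg.get_body(preferencelist=("html",))
    if body is None:  # plain-text mail: only the header check applies
        return findings
    parser = LinkExtractor()
    parser.feed(body.get_content())
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text).hostname or "").lower() if "://" in text else ""
        if text_host and text_host != href_host:
            findings.append(("link-text-mismatch", f"text shows {text_host}, link goes to {href_host}"))
        reason = lookalike_reason(href_host)
        if reason:
            findings.append(("lookalike-domain", f"{href_host}: {reason}"))
    return findings
```

Calling triage(SAMPLE_EMAIL) yields five findings: the Reply-To mismatch, one link whose text claims bank.example while the href goes to bank-example.com, and three look-alike domains (hyphenated embed, confusable "1" for "l", and a two-character typosquat); the genuine help-page link produces nothing. On real mail the trusted list would come from the organization's own domains and the Public Suffix List should replace the naive suffix handling; the edit-distance rule will also over-flag short trusted names, so treat these as triage signals rather than verdicts.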

What should you do about a phishing attack?

Never reply to a phishing email. If you get one, mark it as spam so your email program learns that it is not legitimate, or move it to your trash folder.

Within an organization, educate employees using examples captured in the wild, and reward good behaviour, for instance by showcasing a "catch of the day" when someone spots and reports a phishing email.
