When hackers attempt to steal data from behind a well-structured cybersecurity system, they often start by stealing access credentials by manipulating the system's users.
Unlike computers, humans make mistakes quite often. Mistakes tend to happen when we are emotional, distracted, or especially nervous. An emergency situation can pressure us into making a decision without much thought, which can bring bad results.
Therefore, it is no surprise that some hackers consider us the biggest security hole. Fraudulent attacks that target humans in order to steal secure information through communication and manipulation are extremely common. These attacks are called phishing.
What is Phishing?
Phishing is a cyber-security term that describes a fraudulent practice of sending a message with the intention of stealing private data, such as username/password credentials, credit card numbers, and financial information.
The phisher engages the target with an urgent message in the form of an email, Short Message Service (SMS) text, instant message, or even voice message. The victim who receives the message is lured into the fraud by following its instructions.
Phishing Victims and Financial Statistics in 2019
- The average total financial cost caused by a data breach is $3.92 million (IBM).
- The average size of a data breach is 25,575 records.
- Phishing is involved in 32% of all data breaches.
- The number of phishing emails increased by 25% compared to the previous year.
- Credential compromise increased by more than 70% (Proofpoint).
- Phishing attempts increased by 400% (Webroot).
Phishing Target Characteristics
Phishing targets can be categorized into two types: individuals and corporations.
For individual phishing, the primary goal is to steal personal identity information in order to access financial accounts. An example of individual phishing is a caller claiming that your Social Security Number was involved in a crime and that verification is necessary before legal action can be taken.
The social engineer manipulates victims by introducing himself or herself under a fake identity and giving instructions that demand immediate action.
Corporation or group phishing utilizes many complex tactics to maximize the damage against a large number of people and systems. The initial phase is phishing a victim into installing malware on his or her device.
The malware then triggers the second phase by sending generated phishing emails to other workspace devices to expand the infection. The multiplied malware then seeks out confidential information and steals it by sending it to an external endpoint.
Types of Phishing Techniques
A phishing attack is performed in a variety of ways, chosen either for efficiency in reaching a larger number of targets or for known vulnerabilities that bring a higher success rate.
Email Phishing (Spray and Pray)
The traditional phishing technique uses a 'spray and pray' method, where attackers send millions of emails to as many people as possible. The email contains instructions that pressure the receiver into sending personal information by filling out and submitting a form.
The personal information is then used by the attackers for illegal activities. Most phishing emails attempt to alarm the reader by explaining that an urgent account update or credential verification is required to resolve the situation. In some cases, the email contains a website link that asks the reader to allow an unauthorized download, which can be harmful.
Spear Phishing
Opposite to the 'spray and pray' method, an attacker who uses the 'spear' method is after a specific individual or corporation, using the tactics they believe will be most effective against that target.
Therefore, prior research is usually performed to collect critical information that has a higher chance of gaining the victim's trust or tricking them. Attacks tend to recur in various forms because of the hacker's narrow focus.
SMS Phishing (SMiShing)
Smishing is a scam conducted over Short Message Service (SMS) or text message to lure the receiver into sending out secure information or installing malware. Smishing texts usually carry a link to a phishing website, in an attempt to make the reader click it.
Voice Phishing (Vishing)
Vishing is another technique that attacks phone users by calling them and asking them to dial a number. The number connects to a voice guidance line that presses the caller to give out personal information such as a Social Security Number and credit card details.
Vishing messages commonly use a generated robotic voice and try to convince the listener that the situation is urgent. For reference, listen to this example of vishing.
How to Avoid Getting Phished
What makes phishing scams so popular is the high success rate that keeps bringing profit to the hackers. The best way to avoid being tricked by such long-lived fraud methods is to understand how phishing works in detail and to be prepared to take proper action against unfamiliar events.
Here is a guide to help you recognize potential phishing scenarios and know how to act when you encounter one.
Know the Characteristics of Phishing
The primary reason phishing succeeds is that many people are not aware of the scamming mechanism. Knowing how phishing works and what types of methods exist can significantly increase your chance of recognizing fraud.
Be Informed with Latest Phishing Techniques
Technologies are constantly improving, and so are phishing techniques. Paying close attention to fraud trends helps you stay aware of new scam tactics. For more details, take a look at the Security Awareness Training.
Use Anti-Phishing Software
The best way to prevent getting phished is to block the message in the first place. Anti-phishing software is designed to scan and analyze every incoming message to detect potential attacks. This style of protection is most effective for a group of devices or a corporate environment, where a solution needs to cover multiple endpoints.
Use Latest and Updated Browser
Website phishing sometimes exploits known browser vulnerabilities and security loopholes. Although security patches are constantly released, it is the user's responsibility to keep an eye on updates to improve protection.
Always Secure Personal Information
A good practice for protecting yourself from fraud is to never give out personal information. Whenever an instruction applies urgency or pressure in connection with sensitive information, suspect that it could be a trick. Make sure to validate that the message comes from a legitimate source before taking any further action.
Check Referenced Link for SSL
Analyzing the website link referenced in the phishing message can reveal a lot about its security characteristics. Make sure the website's URL starts with 'https', which indicates that all communication with the site is encrypted by Secure Sockets Layer (SSL) technology.
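The link analysis described above, and the message-scanning idea from the anti-phishing software section, as an added Python example that is not part of the original article: it goes beyond the https check to the other structural warning signs a reviewer looks for in a URL (credentials before an '@', a bare IP host, punycode labels, deep subdomain chains, and a trusted brand name used outside its real domain). The trusted-domain set and the sample URLs are constructed for illustration.

```python
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Constructed sample: the legitimate domains of a hypothetical bank the user
# actually does business with. A real deployment would use an allow-list of
# the organisations the user expects messages from.
TRUSTED_DOMAINS = {"example-bank.com"}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _under_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyze_url(url: str) -> List[str]:
    """Return the phishing indicators found in a URL (empty list = none found).

    These are heuristics for a human reviewer, not proof of fraud: a URL with
    no findings can still be malicious, and https only means the connection is
    encrypted, not that the site behind it is legitimate.
    """
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        findings.append("not https: traffic to the site is not encrypted")
    if parts.username is not None:
        # In http://example-bank.com@evil.example/ the real host is evil.example
        findings.append("credentials before '@': real host is %r" % host)
    if _is_ip_literal(host):
        findings.append("host is a bare IP address, not a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: possible homograph domain")
    if host.count(".") >= 4:
        findings.append("unusually deep subdomain chain")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host and not _under_domain(host, trusted):
            findings.append("%r appears in host but host is not under %s" % (brand, trusted))
    return findings
```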
Poor Grammar and Sentence Structure
When it comes to scam messages, a lack of accuracy in grammar and sentence structure is quite common. A legitimate business pays dedicated attention to writing professional content. Misused punctuation, unnatural sentences, and misspelled words are a potential sign of unauthorized contact.
What to do if you think you got phished
Identity Theft - If personal information such as your phone number, home address, or Social Security Number was exposed by the phishing activity, file a fraud alert to protect your credit. Follow the instructions provided on the Federal Trade Commission's Identity Theft website to properly prevent further identity breaches.
Account Credentials - If you believe you revealed your account details, login username, or password to the phisher, quickly contact the service provider and explain the details of the fraud. Place a block on the account and request a new account using different credentials.
Organization Information - If organization-related information was involved in the fraud, report all the details of the theft incident to your organization's security division or network administrator. Further investigation and appropriate security actions will be handled by the professionals.