FireLight IT Solutions

View Original

A Guide to Phishing

How to Spot a Phishing Attack

Fraudsters use email, text messages or phone calls to try and trick you into handing over your personal information. This could be your password, bank account details or national insurance number. If you've ever received an unexpected email, text message or phone call asking you to provide information in return for something, then you may have been targeted in a type of fraud called "phishing".

The methods used by scammers are updated regularly but there are some tell-tale signs that should alert you to the fact that there's something suspicious going on.

A company that you know or trust sends you an email or text message.

This could be from a bank, online payment site or any online service that you use. They tell you there is a problem or something unusual, for example:

  • there's a problem with your account or payment information.

  • you've won something.

  • you're being offered a voucher.

  • your subscription payment failed.

  • they've noticed some suspicious activity or logins on your account.

  • you have quarantined messages.

  • you're due a tax rebate or owe tax that you didn't know about.

And that:

  • they need you to confirm your personal information, such as email address, password, address, bank details etc.

  • you need to click on a link to make a payment or update your payment details.

  • you should view the attached invoice.

  • you should click on a link to confirm the problem that they've noted above.

  • you need to rectify the problem they've alerted you to urgently or face the consequences.

The email or text message looks legitimate so you open the attachment or click the link and provide them with the requested information.

The message however was fake and sent by a scammer, and providing this information could leave you open to identity theft and clicking on the links or opening the attachments opens you up to the installation of malware.

A Colleague Sends You an Urgent Email

Another common tactic is where a colleague, trusted contact or friend sends you a message asking for help.

You receive an email, phone call or text message from someone that you work with asking for some confidential company information that they need to provide to the company owner urgently.

Again, this message is fake and if you provide the information the scammer would gain access to confidential company information. Among many consequences these targeted attacks can end up with the target authorising payments to the scammers thinking that the request is genuine.

Example

Let’s take a look at an example of a phishing email, see if you can spot any of the giveaway signs. For the purpose of this example, your name is Joe Bloggs and you work for ABC Company.

Looks legitimate right? Now let’s go through some of the tell-tale signs that indicate that this message is a scam.

  1. Looks like it’s come from your company (abc-company.com), but look at the actual email address that it’s been sent from in angled brackets (webmaster@xyz-123.net) - this is clearly not the correct email address.

  2. The subject is marked as important to instil a sense of urgency and impel you to act. Your email address is also shown in an attempt to make the message look more legitimate.

  3. Looks as if the email has been addressed to you personally but all the scammer has done is used the first part of your email address.

  4. More attempts to instil a sense of urgency/panic by stating that your account will be restricted if you don’t act.

  5. They’ve attempted to make the email look authentic by signing it off as your support team.

Now we’ll test the link that the button will take you to without clicking it. Hover your mouse over the button and you should be shown the address of the link like below.

As you can see the link shown is to an address that looks very suspicious.

This is clearly a phishing email and if you receive a message like this do not click any of the links or open any attachments. Delete it, or if you’re in any doubt forward it to your IT provider to check for you.

How to Protect Yourself from Phishing

  1. Protect sensitive information.

  2. Don't send sensitive information such as bank details via email. If this is unavoidable send the information as a new message rather that replying to a message sent to you using an email address for the recipient that you know is correct. If possible encrypt or password protect the information and send the password separately via text message.

  3. Double-check the address. Look into who sent the email. Things to check:

  4. - does the format look right and are there any spelling mistakes?

  5. - is the address made up of random numbers and letters?

  6. If you know the person sending the email and it looks suspicious, call them directly on the phone to check that they actually sent it to you.

  7. Never click on links without checking them out first.

  8. Instead hover your mouse over the link and check that the destination looks correct. If in doubt search for the correct address instead of clicking it.

  9. Be wary of attachments.

  10. If you weren't expecting an email with an attachment don't open it. If in doubt forward it to your IT provider to check if it's safe.

If you're ever in doubt, check with your IT provider.

Security Best Practices to Help Protect Yourself

  • Security software.

  • Install a reputable anti-malware solution on your computer and ensure that it is kept up to date. Monitor it regularly to check for any detected attacks.

  • Restrict privileges.

  • Keep your user profile separate from the “Admin” profile on your computer. The user profile is used for day-to-day work and isn’t able to install software. If you need to install software switch to your Admin account which has those permissions. This will help stop unwanted software from accidentally being installed on your computer. See these links for how to do this on a Mac or PC.

  • Update Applications and the Operating System.

  • Always keep your system up to date, enable auto-update where available. Many of the malicious attachments and links used in phishing emails rely on your system being out of date in order to install malware without your knowledge.

  • Enable Multi-Factor Authentication.

  • If it’s available for your app or service, always enable MFA. With this enabled, whenever you try to log into the service with your password you will be sent a code to your phone which you then use to prove that you are who you say you are. If your password is compromised the hacker will still require that code in order to log into your account.

  • Don’t Re-Use Passwords.

  • One method that hackers use to log into your account is by "credential stuffing", This is where they attempt to log in using credentials already leaked online in older data breaches.  So never use the same password for more than one service, and ideally store them all in a secure password manager.

  • Back Up Your Data.

  • If the worst happens and your computer is compromised, and you lose access to your data, you should ensure that you have a number of full backups of any important files. These backups should be tested regularly to make sure they’re working correctly. A good rule of thumb for backups is the 3-2-1 policy, whereby you would have three copies of your data, two of which are stored locally on different devices, and one is stored offsite.

Featured Image Source