Staying secure
So you would like to know more about phishing e-mail attacks in other words fake e-mails, you are in the right place.
What is a Phishing Attack?
Phishing attacks, in simple words, are e-mails targeted to individuals in order to gain access to their personal information. The information the attackers might be after can be, usernames, passwords, personal information such as date of birth, address and etc.
The most common methodology attackers use for these attacks are to impersonate an actual legal body or a company and either refer the victims to their fake website or even worse make them install a malware on their computer.
Why your Antivirus/Antimalware software alone can’t protect you?
E-mail is one of the oldest Internet protocols out there and some of the exploitations available to cybercriminals are related to its age. It wasn’t designed having security in mind however, software we have today in both e-mails servers and clients are smart enough to filter out most of the maliciously intended messages.
Although we have these sophisticated security solutions in place, it’s not so easy to filter out phishing e-mails. One of the reasons for this is, phishing e-mails can blend in as a legitimate, benign e-mails due to the nature of how they work. They don’t carry a malicious payload that can be directly scanned by security software. Instead they either inject the malicious payload into a regular attachment such as a document file or they will ask the victim to click to a link that will trigger the download of malware.
Don’t get me wrong, I’m fully advocating for everybody to use an antimalware solution, especially one that is scanning your mailbox against phishing and other type of malicious e-mails, however being an educated user is the most important aspect in order to keep yourself safe from ‘social engineering’ attacks. That is why large organizations train their employees on a regular basis in order to protect their IT assets, they don’t even trust on their expensive security software alone when it comes to social engineering attacks and you shouldn’t as well.
What are some tell signs of a Phishing E-mail?
Sender Address
Spelling
Call to Action
Threats
Hyperlinks
- If the domain name matches the real domain name of the institution they claim to be. Be real careful because attackers usually try to get a real close domain name to the actual one.
- If the link starts with a ‘HTTPS://’. If you have been sent a request for something that requires privacy and security that web page should be SSL encrypted therefore should start with ‘HTTPS://’
- However having HTTPS in front of it alone is not enough to identify authenticity of a website. Make sure the SSL certificate can state the institution’s correct legal name. Certificate Authorities conduct series of identification challenges before processing these SSL certificate requests, hence an attacker can’t obtain this certificate to use on their fake website.
Attachments
Be careful about is attachments. Companies and institutions almost never will send you private information such as invoices as a direct e-mail attachment. This would be a huge risk for them because they would be trusting another party other than their own to secure their and practically their customer’s data.
Common practice would be to take you to their website and allow you to view the document once you can authenticate in other words prove your identity. Keep in mind that, this is also how attackers might get access to your username and password, so it’s very important that you visually analyze the website they referred you to.
Check its address and SSL certificate for authenticity
As a rule of thumb, do not trust any attachment you receive that claims to have private information. Especially executable files, however lately cyber criminals was able to inject malicious code inside regular Microsoft office documents and PDF files so you are never %100 safe unless you really trust the sender.
Further actions you can take to protect yourself for phishing attacks?
ScamWatch – https://www.scamwatch.gov.au
Backed by Australian Competition and Consumer Commission (ACCC) this websites goal is to educate Australian businesses and consumers against scammers and provide guidance on securing themselves against such scams. Make sure you subscribe to their e-mail alerts for receiving regular updates and stay ahead of the hackers.
Stay Smart Online – https://www.staysmartonline.gov.au
Stay Smart Online program is similar to ScamWatch however its covering a broader range of attacks. On top of scammers, stay smart would also send you notifications on various types of IT security exploits that have been discovered. It’s being managed by Cyber Crime and Security Branch, Attorney-General’s Department and provides valuable information to Australian people in terms of the digital security.
Here is a summary of actions you have to take in order to increase your chances against malicious e-mails:
1 – Have a reliable antimalware solution that receives regular updates and provides security against phishing e-mails.
2 – Learn common tell signs of scam e-mails, so you are better prepared to identify them yourself.
3 – Subscribe to e-mail alert lists that can provide you up-to-date and reliable information on recent attack types and forms, you are on alert for those.
It all comes down to experience and knowledge
Hopefully, after reading this article you are now better informed of the evil minds behind the phishing attacks that are designed to get pass our software security mechanisms and targeting our human nature via something security experts calls ‘social engineering’.
As I’ve mentioned before, what you should aim is to develop a sceptical mindset and an intuition to detect malicious communication you may receive. How you build this is related to your knowledge and understanding of Internet and digital world in general, the more you know better you are prepared.