Jamf Blog
October 11, 2021 by Liarna La Porta

Back to security basics: phishing

As part of National Cybersecurity Awareness Month, we are going back to basics to raise awareness around the various threats that affect mobile devices.

Chances are, your mobile device doesn’t have the same security defenses as your work laptop or desktop computer. That’s why it’s important that you, the end user, do all you can to protect yourself from cyber threats. This article will focus on phishing – how to recognize if you’ve been phished, how it happens, and what to do about it.

What is a phishing attack?

Phishing is a type of social engineering attack hackers use to steal user data, including login credentials and credit card numbers. It occurs when an attacker masquerades as a trusted entity to dupe a victim into opening a message and clicking on a link. Once the link has directed the victim to a fraudulent website, the victim is then duped into entering their login credentials or financial information, which is funneled through to the hacker.

Phishing is a simple yet effective attack technique, which can provide the perpetrators with a wealth of personal, financial and corporate information. The aim and precise mechanics of the attack can vary, but they are usually centered around soliciting personal data from the victim or getting them to install malicious software that can inflict damage upon their device.

Phishing is not only common; it is also the most damaging and high-profile cybersecurity threat facing enterprises today.

What are the signs to look out for?

Hopefully, you’ll spot some signs you’re being targeted by phishing before you get to the point of handing over your valuable information. Look for:

  • Suspicious messages, emails and social posts containing shortened links
  • Web pages that ask for login credentials
  • Suspicious emails with uncharacteristic language
  • Web pages with suspicious or copycat URLs

If you’ve been phished and handed over your information, there are some telltale signs that can help you figure out if you’ve taken the bait. Phishing attacks vary, and because they are often packaged with other threats, for example as a way of delivering malware, the symptoms can be very broad. Here are some signs that a basic phishing attack has been successful:

  • Identity theft
  • Unfamiliar transactions
  • Locked accounts
  • Unprompted password reset requests
  • Spam email coming from your account

How does phishing work?

Phishing usually begins with a form of communication to an unsuspecting victim: a text, an email or in-app communication. The message is engineered to encourage user interaction with an enticing call to action. Perhaps the chance to win a new iPhone, a voucher for a free holiday or, more simply, the opportunity to gain access to a service like social media, bank accounts or work email.

To solicit personal information from the victim, the attacker will often lull them into a false sense of security by sending them to a legitimate-looking webpage to fill in their details. This intel could either be used immediately to gain access to the service via the official site, or the data could be harvested and sold on to others on the Dark Web.

If you’ve been phished, chances are the attack was delivered in one of these ways:

  • Text messages (smishing)
  • WhatsApp (whishing)
  • Personal email
  • Corporate email
  • Highly personalized email (spear phishing)
  • Email targeted at CEOs (whaling)
  • Social media posts and direct messages

What to do if you think you’ve been phished

So you’ve been phished, what now?

  1. Change the passwords for all accounts that have been compromised, as well as for accounts that use the same or similar passwords to those that have been captured by the hacker.
  2. If you entered your credit card information in the phishing page, cancel your card.
  3. Take your computer offline or delete your email account to avoid spreading phishing links to your contact lists.
  4. Contact the company or person that the phishing attack impersonated, if any – it might be your CEO, it might be a friend or it could be a major company or bank.
  5. Scan your device for viruses; clicking malicious links can instigate silent downloads of malware that corrupt devices without your knowledge.
  6. Watch out for warnings of identity theft and put a fraud alert on your credit account.

Proactive steps you can take to protect yourself

The best remedy is prevention. Stay safe from phishing by following this guidance:

  • Don’t click on suspicious links
  • Don’t enter your credit card information into unknown or untrusted services
  • If a link directs you to your banking website, open up your banking site in a separate window by typing the name in manually
  • Don’t fall for more obvious scams that claim you’ve won a prize
  • Check the address bar for suspicious or copycat URLs like my.apple.pay.com
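
The copycat-URL and shortened-link signs listed in this article can be checked mechanically. The sketch below is an added example, not Jamf code: a hostname is read from the right, so my.apple.pay.com belongs to whoever registered pay.com, not to Apple. The brand list, shortener list and two-label suffix set are small constructed assumptions standing in for real data such as the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: tiny constructed stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}
# Assumption: brands of interest mapped to the domains they really use.
BRAND_DOMAINS = {"apple": {"apple.com", "icloud.com"}, "paypal": {"paypal.com"}}
# Assumption: short sample of link-shortener domains.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}


def registrable_domain(host):
    """Return the part of the hostname that was actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_url(url):
    """Return warning strings for one URL; an empty list means no flags."""
    if "://" not in url:
        url = "http://" + url  # accept bare hosts as they appear in messages
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    warnings = []
    if reg in SHORTENERS:
        warnings.append("shortened-link")
    # A brand name in the hostname is only trustworthy when the registrable
    # domain is one the brand owns; subdomains and hyphens are free to fake.
    tokens = set(host.replace("-", ".").split("."))
    for brand, real_domains in sorted(BRAND_DOMAINS.items()):
        if brand in tokens and reg not in real_domains:
            warnings.append(f"copycat:{brand}->{reg}")
    return warnings


# Constructed sample URLs; the first host is the article's own example.
SAMPLES = [
    "my.apple.pay.com",
    "https://www.apple.com/shop",
    "https://bit.ly/3abcd",
    "http://paypal.co.uk.example.co.uk/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_url(sample) or "no flags")
```

A flag from this check is a reason to look closer, not a verdict, and a shortened link has to be expanded before its real destination can be judged.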