As part of National Cybersecurity Awareness Month, we want to make sure employees understand the various threats attacking their mobile devices. This article will focus on phishing – how to know if you’ve been phished, how it happens, and what to do about it.
What is a phishing attack?
Phishing is a type of social engineering attack hackers use to steal user data, including login credentials and credit card numbers. It occurs when an attacker masquerades as a trusted entity to dupe a victim into opening a message and clicking on a link. Once the link has directed the victim to a fraudulent website, the victim is then duped into entering the prized credentials or financial information, which are funneled through to the hacker.
Phishing is a simple yet effective attack technique, which can provide the perpetrators with a wealth of personal and corporate information. The aim and precise mechanics of the attack can vary, but they usually center around soliciting personal data from the victim or getting them to install malicious software that can inflict damage upon their device.
Phishing is not only common; it is also the most damaging and high-profile cybersecurity threat facing enterprises today, as supported by research from Google, Black Hat, and US Homeland Security.
What are the symptoms?
You might spot some signs you’re being targeted by phishing before you get to the point of handing over your valuable information.
- Suspicious messages, emails and social posts containing shortened links
- Pages that ask for login credentials
- Suspicious emails with uncharacteristic language
- Web pages with suspicious or copycat URLs
If you’ve been phished and handed over your information, there are some telltale signs that can help you figure out if you’ve been scammed. Phishing attacks vary, and because they are often packaged with other threats (as a way of delivering malware, for example), the symptoms can be very broad. Here are some signs a basic phishing attack has been successful.
- Identity theft
- Unfamiliar transactions
- Locked accounts
- Spam email coming from your account
What are the causes?
Phishing usually begins with a form of communication to an unsuspecting victim: a text, an email, or an in-app communication. The message is engineered to encourage user interaction with an enticing call to action. Perhaps it is the chance to win a new iPhone, a voucher for a free holiday or, more simply, the opportunity to gain access to a service like PayPal or Facebook.
In order to solicit personal information from the victim, the phisher will often lull them into a false sense of security by sending them to a legitimate-looking webpage to fill in their details. This intel could either be used immediately to gain access to the service via the official site, or the data could be harvested and sold on to others on the Dark Web.
If you’ve been phished, chances are the attack was delivered in one of these ways:
- Text messages (smishing)
- WhatsApp (whishing)
- Personal email
- Corporate email
- Highly personalized email (spear phishing)
- Email targeted at CEOs (whaling)
- Social media posts and direct messages
What is the treatment?
So you’ve been phished, what now?
- Change all your passwords for the accounts that have been compromised as well as the accounts that use the same or similar passwords to those that have been captured by the hacker.
- If you entered your credit card information in the phishing page, cancel your card.
- Take your computer offline or delete your email account to avoid spreading phishing links to your contact lists.
- Contact the company or person that was spoofed – it might be your CEO or it might be a friend or it could be a major company or bank.
- Scan your device for viruses – clicking malicious links can instigate silent downloads of malware that go to work corrupting devices without your knowledge.
- Watch out for warnings of identity theft and put a fraud alert on your credit account.
The best remedy is prevention. Stay safe from phishing by following this guidance:
- Don’t click on suspicious links
- Don’t enter your credit card information into unknown or untrusted services
- If a link directs you to your banking website, open up your banking site in a separate window by typing the name in manually
- Don’t fall for obvious scams that claim you’ve won a prize
- Check the address bar for suspicious or copycat URLs, for example, my.apple.pay.com
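As an added example (not part of the original article), here is a small Python check for the copycat-URL pattern in the last point above: it flags a URL when a trusted brand name appears in the hostname but the registrable domain is not one the brand actually owns, so my.apple.pay.com is caught because it is served from pay.com. The brand allowlist and the "last two DNS labels" approximation of the registrable domain are assumptions made for this example; a production check should consult the Public Suffix List instead.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption for this example): brand name -> domains the brand really uses.
TRUSTED_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "paypal": {"paypal.com"},
}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two DNS labels.

    This is a simplification: a real implementation should use the Public Suffix List
    so that hosts under e.g. .co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def copycat_check(url: str) -> dict:
    """Flag URLs whose host mentions a trusted brand but is not served from that brand's domain."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    base = registrable_domain(host)
    result = {"host": host, "registrable_domain": base, "brand": None,
              "suspicious": False, "reason": ""}
    reasons = []

    # Look for the brand anywhere in the netloc, including userinfo and hyphenated labels,
    # so that "my.apple.pay.com", "pay-pal.example" and "apple.com@evil.example" are all examined.
    haystack = parts.netloc.lower().replace("-", "")
    for brand, domains in TRUSTED_DOMAINS.items():
        if brand in haystack:
            result["brand"] = brand
            if base not in domains:
                reasons.append(f"mentions '{brand}' but is served from {base}")
            break

    # Credentials before '@' push the real host to the right of what a casual reader sees.
    if "@" in parts.netloc:
        reasons.append("userinfo before host")

    result["suspicious"] = bool(reasons)
    result["reason"] = "; ".join(reasons)
    return result
```

Running copycat_check over each link in a message gives a quick triage list: anything marked suspicious deserves a manual look before it is clicked.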
No matter how hard you try to educate yourself and your team, it’s inevitable that some attempts will slip through the net. To stay ahead of the attacker it’s imperative to have a security solution in place which is able to intercept traffic to phishing sites, stopping the threat at its source. For more information, download our Employee Protection Pack here.