Phishing is one of the most common forms of cybercrime, yet many people are still unaware of the risks and how to protect themselves. This blog focuses on how to protect against Phishing attacks using best practice advice and real life stories.
Phishing can be described as an adversary or fraudster attempting to trick someone into doing something to their own detriment, such as clicking a bad link within an email or SMS (text message) that downloads malware or directs them to a malicious website, disclosing personal information, or making an unsolicited payment.
This article focuses on the techniques used by fraudsters and provides information that will help you stay protected from scammers using phishing techniques. However you may wish to jump directly to the 9 best ways to protect from a phishing attack.
Knowing how to recognise phishing attempts and avoid them is essential for remaining safe from fraudsters and scammers. One of the best ways to protect against phishing attacks and scams is to be wary of emails or SMS messages that appear suspicious, or that purport to come from a trusted source but require you to take an action involving the disclosure of personal or financial information, or a payment or transfer of funds.
Phishing emails or SMS messages can reach millions of targets in one campaign with minimal effort from the fraudster, and hide amongst the huge number of benign emails that people receive on a daily basis. It is easy to become “email content blind” due to the endless stream of spam messages within your inbox, so you may inadvertently click on a link or download a file through routine.
How to spot phishing emails
To protect against phishing attacks it is important to understand the most common methods used by scammers. As email is considered the number one communication medium, you need to understand how to spot a potentially fraudulent email.
If an email address or sender name looks unfamiliar, or the request is unexpected or unusual, it’s best to avoid clicking any links or downloading any attachments in case they contain malicious code.
It’s also important to be aware of any phishing scams using similar brand names or logos as trusted companies.
Phishing emails can target individuals or businesses of any size and sector. You might form part of a mass Phishing campaign, where the fraudsters are seeking to collect login credentials or are simply on the lookout for easy cash. A Phishing email could also form part of a targeted attack against you or your organisation, where the aim could be something much more specific, such as the extraction of personal or even sensitive data.
In a targeted Phishing campaign, the fraudsters may use information about a company and its employees, that they extracted from sites such as LinkedIn or even company websites. These types of more directed, or targeted attacks are commonly referred to as spear phishing.
One of the most common forms of directed Phishing attack is one that attempts to fool you into believing the email has been sent from a senior trusted employee (such as a CEO, CFO, Head of IT or Head of HR) within an organisation, or perhaps from a trusted 3rd Party.
Whilst an attacker is not able to use an internal email address john.smith-CFO@company.com they may be able to purchase a similar domain, and send an email from email@example.com.
Whilst both addresses appear the same, under close scrutiny the domain of the second email replaces the ‘o’ in company.com with a ‘0’ (zero), making the second email address appear the same yet be completely different.
This technique is being used to great effect to trick unsuspecting targets that an email from their CFO requesting a payment is legitimately from that individual.
Other examples of this are substituting a ‘5’ (five) for an ‘S’, or ‘rn’ (r and n) for an ‘m’.
So john.smith-CFO@company.com becomes john.smith-CFO@cornpany.com.
As there are so many permutations of a company name, most businesses can’t purchase all of these variants, so there are many combinations that can be used to target the employees or clients of these businesses.
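The same substitutions can be used defensively: reduce every sender domain to a canonical “skeleton” and flag any that collides with a domain you trust but is spelled differently. The following is an added example, not code from the original post; the confusable pairs are the ones described above (o/0, S/5, m/rn) plus a few other well-known ones, and the trusted-domain list and sample senders are constructed.

```python
"""Flag sender domains that are confusable look-alikes of trusted domains.
Added example, not code from the original post: the confusable pairs are the
ones the article describes (o/0, S/5, m/rn) plus a few well-known extras;
the trusted-domain list and sample senders are constructed."""

# Two-character look-alikes first ("rn" -> "m"), then single characters, so
# every substitution lands on the same canonical form.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("5", "s"), ("1", "l")]


def skeleton(domain: str) -> str:
    """Reduce a domain to a canonical 'skeleton' so similar spellings collide."""
    canon = domain.strip().lower().rstrip(".")
    for lookalike, canonical in CONFUSABLES:
        canon = canon.replace(lookalike, canonical)
    return canon


def sender_domain(address: str) -> str:
    """Domain part of an email address (text after the last '@')."""
    return address.strip().rsplit("@", 1)[-1].lower()


def check_sender(address: str, trusted_domains) -> str:
    """'trusted' = exact domain match; 'lookalike' = same skeleton as a trusted
    domain but a different spelling; 'unknown' = unrelated domain."""
    domain = sender_domain(address)
    if domain in trusted_domains:
        return "trusted"
    if skeleton(domain) in {skeleton(t) for t in trusted_domains}:
        return "lookalike"
    return "unknown"


def flag_lookalikes(addresses, trusted_domains):
    """Return the (address, verdict) pairs that deserve a second look."""
    verdicts = [(a, check_sender(a, trusted_domains)) for a in addresses]
    return [(a, v) for a, v in verdicts if v == "lookalike"]


if __name__ == "__main__":
    trusted = ["company.com"]  # constructed: your own and your suppliers' domains
    samples = [  # constructed sample senders
        "john.smith-CFO@company.com",
        "john.smith-CFO@c0mpany.com",
        "john.smith-CFO@cornpany.com",
        "newsletter@example.org",
    ]
    for addr, verdict in flag_lookalikes(samples, trusted):
        print(f"{verdict}: {addr}")
```

A lookalike verdict is a prompt to verify out-of-band, not proof of fraud; unrelated domains still need the usual scrutiny.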
Real world example of a targeted Phishing attack
Let’s provide an example of how this technique can be applied by a fraudster to attack an unsuspecting client of a financial institution.
A client (target) regularly receives email communications from their trusted Wealth Manager regarding their investments or pension. The client uses a well known cloud based email solution such as Gmail or Hotmail, but utilises a weak password and hasn’t switched on 2-FA (2-Factor Authentication). The email account uses a password that is similar to, or in some cases the same as, their other online accounts, as they find it difficult to remember all the passwords for different machines and accounts.
Alas, one of the online accounts the target used was compromised (but not their email account) and the password was subsequently stolen from that account. The stored password was encrypted (hashed), but as the target had chosen a simple weak password that was easy to remember, it was easily cracked (recovered by the cybercriminals that compromised/hacked the online service).
The victim’s password was based on the name of their granddaughter Jennifer and the year of her birth: Jenny2014!. They believed they were safe as they had added a ‘!’ at the end.
In reality this password was cracked in a few seconds by an experienced cybercriminal gang. As the compromised account was associated with a username that was also the target’s email address, the criminal gang had the email address firstname.lastname@example.org and a decrypted password Vicky2014!. This information was then bundled together with other compromised accounts and credentials and sold on the Dark Web.
Fraudsters often crawl the Dark Web looking to purchase compromised online accounts so they can leverage them for malicious purposes. The target’s email address and password was purchased and subsequently found to provide access to the target’s primary email account.
It didn’t take the fraudsters long to determine that the target had some interesting contacts and warranted their attention. Contrary to popular belief many fraudsters play a long game and will patiently wait until an opportunity arises.
They identified an email stream with a wealth manager email@example.com. They studied the way the individual wrote emails, how they signed off, including any signature email graphics etc.
The fraudster then purchased a similar domain name to company.com, replacing the ‘o’ with a ‘0’ (zero) as described previously. Posing as the wealth manager firstname.lastname@example.org, the fraudster sent a Phishing email to the target purporting to be from the wealth manager, stating that the wealth manager’s bank account had changed and that all future payments should be directed into a new account.
This email was then followed up by a phone call to the victim from someone claiming to work for the wealth manager. The fraudsters used a simple technique (caller ID spoofing) to disguise their actual telephone number, so the number appearing on the client’s phone appeared to be the legitimate wealth manager telephone number.
The email combined with the telephone call reinforced the legitimacy of the fraud. The target soon became another victim of cybercrime.
How to prevent a Phishing attack
There are a multitude of things you can do to significantly reduce the risk of becoming a victim of a Phishing attack.
In the real world example, using separate strong passwords was critical and could have prevented the victim becoming a target of the fraudsters in the first place.
In the example provided the victim also didn’t independently verify the communication: the email was sent to them and the call was made directly to the victim by the fraudsters.
Traditional defences against phishing often rely on education, with the emphasis on individuals being able to spot phishing emails. Whilst this is an important element (knowledge empowers), a multi-layered approach is often more effective.
You should enhance your defences to include more technical measures. This will improve your resilience against phishing attacks without disrupting your life. You must also accept that no control is infallible and some Phishing attacks will get through your defences, but accepting this fact will help you plan for these incidents and minimise the damage they may cause.
You can equip yourself with some good anti-virus software, which scans your computer or mobile device for malicious viruses and trojans which may have been sent by a scammer. Most good anti-virus software also has built-in protections against Phishing attacks so you can stay protected while browsing the web.
It is essential to be cautious when sharing personal information online, such as bank details or passwords. Employ a traffic light system for you and your family, if you receive an unexpected email and it doesn’t look or feel right, ask a member of your family or a trusted friend to check the email. Sometimes a second pair of eyes can bring context and guidance. This would be considered an amber warning. If however you receive an email, SMS or call requesting personal or financial information, especially if this is unexpected, this should be considered a red warning and you should definitely seek advice and independently verify before you disclose any information or make any payments.
Scammers and fraudsters will often express urgency when requesting information or forcing you to take an action. This is designed to prevent you analysing the request in any detail or applying any scrutiny. This is enforced through the act of fear that ‘if you don’t do this immediately something bad will happen’.
One of the main reasons Phishing attacks are successful is that humans have a tendency to trust if they believe the email or message appears to be from a legitimate body. Most people do not realise that email is based on technology that is more than 50 years old and was never conceived with security in mind. Email can be easily manipulated to appear to be from anyone. The same applies to SMS and even telephone calls; combine the three and it’s difficult to determine the legitimacy of the communication.
Phishing emails can look very authentic because the information within the message may contain personal details that may convince you the sender has some form of authority. The scammers rely on this as most people don’t realise this information is available on the Internet for anyone to find and use.
Take a look at the information you are freely sharing on Facebook, Instagram or even LinkedIn. You would be amazed how a skilled individual could leverage this data to create an incredibly detailed dossier that can be used to attack and scam you.
The use of Artificial Intelligence to produce convincing Phishing emails
There has been a huge amount of media attention relating to Artificial Intelligence (AI) recently, describing how it can be used by malicious individuals. As with any new technology, it is likely AI will be used for both good and bad purposes.
On the one hand, AI can be used to automate processes, identify patterns, and make decisions in a way that can help people do their jobs more effectively and save time or money.
On the other hand, AI can also be used to commit malicious acts such as crafting phishing emails and cyber attacks. It is therefore important that everyone is extra observant when scrutinising emails that can look very realistic.
AI-based tools will allow fraudsters to incorporate natural language processing (NLP) to automatically generate text that appears to come from a legitimate source and is tailored to the target person or group of people.
For example, an AI-based tool could analyse past emails sent by the intended recipient and use their writing style to create a convincing, yet malicious email. Additionally, AI-based algorithms can analyse large amounts of data quickly in order to identify patterns and trends that may be used for constructing more realistic phishing emails.
9 best ways to protect against phishing
- Never share personal information in response to an email, SMS message or social media post unless you are absolutely sure about who is asking for it and why.
- Make yourself more resistant to Phishing by ensuring that all important email or SMS requests are verified using a second type of communication that you instigate. Call the person back on a number you know and that wasn’t provided by the individual sending the communication.
- Protect yourself from malware, which is often hidden in Phishing emails, or in websites that they link to. Employing good computer (and smart phone) defences can stop malware installing, even if the email is clicked.
- Ensure your computer and/or smart phone has all the latest software patches to ensure malware can’t infect your computer because you have failed to install the latest Microsoft or Mac updates or your anti-virus software isn’t up-to-date.
- Don’t use the same password across multiple accounts; accept that most websites will be compromised by hackers, so limit the damage inflicted if one username and password is exposed.
- Ensure you use a truly strong password: follow the three word process and my good practice guide.
- Use a good Password Manager (Vault) to easily save and remember your complex passwords.
- Whenever possible use 2-FA security to logon to an online account.
- Trust but verify (independently), never be forced into making a quick decision, no matter how much pressure you are placed under.
Phishing attacks are becoming more and more sophisticated, making it difficult to distinguish legitimate emails or other forms of communication from fake ones.
As a result, it is important to be aware of the tell-tale signs of a phishing attack. Was the request unsolicited? Is the sender applying pressure to disclose information, click on a link or download a file urgently? Is there poor grammar or incorrect spelling (although this is much rarer today)? Is the message requiring you to disclose any personal or financial information, and are you able to independently verify the request?
It is imperative you always exercise caution when clicking on links or opening any attachments. Never become a victim of email blindness and accidentally click on a link or open a file through routine. Separate those emails that contain attachments, taking extra care before opening them.
Additionally, it is important to keep your computer’s security software up-to-date and to create strong passwords that are difficult to guess.
Phishing attacks can be prevented and adopting good cyber hygiene will help protect yourself from becoming a victim of Phishing and cybercrime. Small steps can make a huge difference in ensuring your online safety whilst reducing the risk of financial loss.
With more than 35 years’ experience in the IT industry, Jon has held a variety of senior IT positions since starting his career in mainframe computer systems in the 1980s.
Jon is a highly respected technical leader and security specialist. Passionate about IT security, he holds numerous globally recognised cyber security certifications including CISSP, CISM, C|CISO, CEH, CHFI and MBCI. In 2016 he returned to academia and obtained a Masters Degree (Distinction) in Cyber Security.
Jon is an experienced Information Security professional with a proven ability to independently master complex products and technologies. He is a regular speaker at global cyber security events, working with a plethora of cyber security visionaries.
With over three decades of experience in the heart of London’s financial sector, I have dedicated my career to the pursuit of robust cybersecurity practices and IT leadership. As a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Chief Information Security Officer (C|CISO), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI), I bring a wealth of knowledge and expertise to the table.
My journey in the field of cybersecurity has not only been about personal growth but also about sharing my insights with others. As an international speaker, I have had the privilege of addressing audiences worldwide, discussing the importance of cybersecurity in today’s digital age. My passion for knowledge sharing extends to my work as an author and blogger, where I delve into the complexities of cybersecurity, offering practical advice and thought leadership.
In my role as a CISO and Head of IT, I have overseen the development and implementation of comprehensive information security and IT strategies. My focus has always been on creating resilient systems capable of withstanding the evolving landscape of cyber threats.
My Master’s degree in Cybersecurity has provided a solid academic foundation, which, when combined with my practical experience, allows me to approach cybersecurity from a holistic perspective.
I am always open to connecting with other professionals in the field, sharing knowledge, and exploring new opportunities. Let’s secure the digital world together.