How to protect against phishing attacks


What is Phishing

Phishing is one of the most common forms of cybercrime, yet many people are still unaware of the risks and how to protect themselves. This blog focuses on how to protect against Phishing attacks using best practice advice and real life stories.

Phishing can be described as an adversary or fraudster attempting to trick someone into doing something to their own detriment, such as clicking a bad link within an email or SMS (text message) that will download malware or direct the target to a malicious website, disclosing personal information, or making an unsolicited payment.

Knowing how to recognise phishing attempts and avoid them is essential for remaining safe from fraudsters and scammers. One of the best ways to protect yourself from phishing scams is to be wary of emails or SMS messages that appear suspicious or purport to come from a trusted source but require you to take an action that involves the disclosure of personal or financial information, or requires a payment or transfer of funds.

Phishing emails or SMS messages can reach millions of targets in one campaign, with minimal effort from the fraudster, and hide amongst the huge number of benign emails that people receive on a daily basis. It is easy to become email content blind due to the endless stream of spam messages within your inbox, so you may inadvertently click on a link or download a file through routine.

How to spot phishing emails

If an email address or sender name looks unfamiliar, or the request is unexpected or unusual, it’s best to avoid clicking any links or downloading any attachments in case they contain malicious code.

It’s also important to be aware of any phishing scams using similar brand names or logos as trusted companies.

Phishing emails can target individuals or businesses of any size and sector. You might form part of a mass Phishing campaign, where the fraudsters are seeking to collect login credentials or are simply on the lookout for easy cash. A Phishing email could also form part of a targeted attack against you or your organisation, where the aim could be something much more specific, such as the extraction of personal or even sensitive data.


In a targeted Phishing campaign, the fraudsters may use information about a company and its employees that they extracted from sites such as LinkedIn or even company websites. These more directed, or targeted, attacks are commonly referred to as spear phishing.

One of the most common forms of directed Phishing attack is one that attempts to fool you into believing the email has been sent from a senior trusted employee (such as a CEO, CFO, Head of IT or Head of HR) within an organisation, or perhaps from a trusted 3rd Party.

Whilst an attacker is not able to use an internal email address such as john.smith-CFO@company.com, they may be able to purchase a similar domain and send an email from john.smith@c0mpany.com.

Whilst both addresses appear the same, under close scrutiny the domain in the second address replaces the ‘o’ in company.com with a ‘0’ (zero), making the second email address look identical yet be completely different.


This technique is being used to great effect to trick unsuspecting targets into believing that an email from their CFO requesting a payment is legitimately from that individual.

Other examples of this are substituting a ‘5’ (five) for an ‘S’, or ‘rn’ (r and n) for an ‘m’.

So john.smith-CFO@company.com becomes john.smith-CFO@cornpany.com.

As there are so many permutations of a company name, most businesses can’t purchase all of these variants, so there are many combinations that can be used to target employees or clients of these businesses.
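The look-alike substitutions above (‘0’ for ‘o’, ‘5’ for ‘s’, ‘rn’ for ‘m’) can be checked mechanically. The script below is an added example, not code from this post or from any product it mentions: it folds those confusable characters in the sender’s domain and flags any address that only matches one of your trusted domains after folding. The trusted domain company.com and the From: headers are constructed samples built from the addresses used in the post, and the generalisation to all three substitutions at once is my own.

```python
from email.utils import parseaddr

# Look-alike substitutions described in the post (fake -> genuine).
# Multi-character pairs come first so 'rn' is folded to 'm' before single characters are checked.
CONFUSABLES = [("rn", "m"), ("0", "o"), ("5", "s")]


def normalise_domain(domain: str) -> str:
    """Fold look-alike characters so c0mpany.com and cornpany.com both read as company.com."""
    folded = domain.lower().strip()
    for fake, genuine in CONFUSABLES:
        folded = folded.replace(fake, genuine)
    return folded


def classify_sender(from_header: str, trusted_domains) -> str:
    """Classify the domain in a From: header against the domains you actually deal with.

    Returns one of:
      'trusted'   - exact match with a trusted domain
      'lookalike' - differs from a trusted domain only by confusable characters (a red warning)
      'unknown'   - some other domain
      'invalid'   - no parsable address
    """
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "invalid"
    domain = address.rsplit("@", 1)[1].lower()
    trusted = {d.lower() for d in trusted_domains}
    if domain in trusted:
        return "trusted"
    # Fold both sides: a trusted domain that genuinely contains 'rn' or '0' is folded the same way,
    # so only senders that collapse onto a trusted domain are flagged.
    if normalise_domain(domain) in {normalise_domain(d) for d in trusted}:
        return "lookalike"
    return "unknown"


# Constructed sample headers (hypothetical), using the example addresses from the post.
SAMPLE_HEADERS = (
    "Joe Brown <joe.brown@company.com>",
    "Joe Brown <joe.brown@c0mpany.com>",
    "John Smith <john.smith-CFO@cornpany.com>",
    "Newsletter <news@example.net>",
    "not an address",
)


def triage(headers=SAMPLE_HEADERS, trusted_domains=frozenset({"company.com"})):
    """Return {header: verdict}; a mail rule could quarantine the 'lookalike' results for manual review."""
    return {h: classify_sender(h, trusted_domains) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:9s} {header}")
```

The point of folding both sides is that the check stays precise: a sender is only a ‘lookalike’ when it collapses onto a domain you already trust, so unrelated domains that happen to contain a ‘0’ or an ‘rn’ are left alone as ‘unknown’ rather than generating noise.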

Real world example of a targeted Phishing attack

Let’s look at an example of how this technique can be applied by a fraudster to attack an unsuspecting client of a financial institution.

A client (the target) regularly receives email communications from their trusted Wealth Manager regarding their investments or pension. The client uses a well known cloud based email solution such as Gmail or Hotmail but uses a weak password and hasn’t switched on 2-FA (2-Factor Authentication). The email account uses a password that is similar to, or in some cases the same as, their other online accounts, as they find it difficult to remember all the passwords for their different machines and accounts.

See my article on How to Create a Good Password

Alas, one of the online accounts the target used was compromised (but not their email account) and the password subsequently stolen from that account. The password for the compromised account was encrypted, but as the target chose a simple weak password that was easy to remember, it was easily cracked (decrypted) by the cybercriminals that compromised the online service.

The victim’s password was based on the name of their granddaughter Jennifer and the year of her birth: Jenny2014!. They believed they were safe as they had added a ‘!’ at the end.

In reality this password was cracked in a few seconds by an experienced cybercriminal gang. As the compromised account was associated with a username that was also the target’s email address, the criminal gang now had the email address jane.doe@hotmail.com and a decrypted password Vicky2014!. This information was then bundled together with other compromised accounts and credentials and sold on the Dark Web.

Read my article on the 7 Best Password Managers

Fraudsters often crawl the Dark Web looking to purchase compromised online accounts so they can leverage them for malicious purposes. The target’s email address and password were purchased and subsequently found to provide access to the target’s primary email account.

It didn’t take the fraudsters long to determine that the target had some interesting contacts and warranted their attention. Contrary to popular belief many fraudsters play a long game and will patiently wait until an opportunity arises.

They identified an email thread with a wealth manager, joe.brown@company.com. They studied the way the individual wrote emails and how they signed off, including any signature graphics.

The fraudster then purchased a domain name similar to company.com, replacing the ‘o’ with a ‘0’ (zero) as described previously. Posing as the wealth manager, joe.brown@c0mpany.com, the fraudster sent a Phishing email to the target purporting to be from the wealth manager, stating that the wealth manager’s bank account had changed and that all future payments should be directed to a new account.


This email was then followed up by a phone call to the victim from someone claiming to work for the wealth manager. The fraudsters used a simple technique to disguise their actual telephone number, so the number appearing on the client’s phone appeared to be the legitimate wealth manager’s telephone number.

The email combined with the telephone call reinforced the legitimacy of the fraud. The target soon became another victim of cybercrime.

How to prevent a Phishing attack

There are a multitude of things you can do to significantly reduce the risk of becoming a victim of a Phishing attack.

In the real world example, using separate strong passwords was critical and could have prevented the client from becoming a target of the fraudsters in the first place.

In the example provided the victim didn’t independently verify the communication: the email was sent to them and the call was made directly to the victim by the fraudsters.

Traditional defences against phishing often rely on education, with the emphasis on individuals being able to spot phishing emails. Whilst this is an important element, and knowledge empowers, a multi-layered approach is often more effective.

You should enhance your defences to include more technical measures. This will improve your resilience against phishing attacks without disrupting your life. You must also accept that no control is infallible and some Phishing attacks will get through your defences, but accepting this fact will help you plan for these incidents and minimise the damage they may cause.

You can equip yourself with some good anti-virus software, which scans your computer or mobile device for malicious viruses and trojans which may have been sent by a scammer. Most good anti-virus software also has built-in protections against Phishing attacks so you can stay protected while browsing the web.

See my article on the 9 Best Antivirus Products

It is essential to be cautious when sharing personal information online, such as bank details or passwords. Employ a traffic light system for you and your family. If you receive an unexpected email and it doesn’t look or feel right, ask a member of your family or a trusted friend to check the email; sometimes a second pair of eyes can bring context and guidance. This would be considered an amber warning. If, however, you receive an email, SMS or call requesting personal or financial information, especially if this is unexpected, this should be considered a red warning and you should definitely seek advice and independently verify before you disclose any information or make any payments.

Scammers and fraudsters will often express urgency when requesting information or forcing you to take an action. This is designed to prevent you analysing the request in any detail or applying any scrutiny. It is reinforced through fear: ‘if you don’t do this immediately something bad will happen’.


One of the main reasons Phishing attacks are successful is that humans have a tendency to trust if they believe the email or message appears to be from a legitimate body. Most people do not understand that email is based on technology that is more than 50 years old and was never conceived with security in mind. Email can be easily manipulated to appear to be from anyone. The same applies to SMS and even telephone calls; combine the three and it’s difficult to determine the legitimacy of the communication.

Phishing emails can look very authentic because the information within the message may contain personal details that may convince you the sender has some form of authority. The scammers rely on this as most people don’t realise this information is available on the Internet for anyone to find and use.

Take a look at the information you are freely sharing on Facebook, Instagram or even LinkedIn. You would be amazed how a skilled individual could leverage this data to create an incredibly detailed dossier that can be used to attack and scam you.

Best practice to stay safe from scammers and fraudsters

  • Never share personal information in response to an email, SMS message or social media post unless you are absolutely sure about who is asking for it and why.

  • Make yourself more resistant to Phishing by ensuring that all important email or SMS requests are verified using a second type of communication that you instigate. Call the person back on a number you know and that wasn’t provided by the individual sending the communication.

  • Protect yourself from malware, which is often hidden in Phishing emails, or in websites that they link to. Employing good computer (and smart phone) defences can stop malware installing, even if the email is clicked.

  • Ensure your computer and/or smart phone has all the latest software patches, so that malware can’t infect your device simply because you failed to install the latest Microsoft or Mac updates or your anti-virus software isn’t up-to-date.

  • Don’t use the same password across multiple accounts. Accept that any website may be compromised by hackers, and limit the damage inflicted if one username and password is exposed.

  • Ensure you use a truly strong password: follow the three word process and follow my good practice guide.

  • Use a good Password Manager (Vault) to easily save and remember your complex passwords.

  • Whenever possible use 2-FA security to logon to an online account.

  • Trust but verify (independently), never be forced into making a quick decision, no matter how much pressure you are placed under.

Conclusion

Phishing attacks are becoming more and more sophisticated, making it difficult to distinguish legitimate emails or other forms of communication from fake ones.

As a result, it is important to be aware of the tell-tale signs of a phishing attack. Was the request unsolicited? Is the sender applying pressure to disclose information, click on a link or download a file urgently? Is there poor grammar or incorrect spelling (although this is much rarer today)? Is the message requiring you to disclose any personal or financial information, and are you able to independently verify the request?

It is imperative that you always exercise caution when clicking on links or opening any attachments. Never become a victim of email blindness and accidentally click on a link or open a file through routine. Separate out those emails that contain attachments, taking extra care before opening them.

Additionally, it is important to keep your computer’s security software up-to-date and to create strong passwords that are difficult to guess.

Phishing attacks can be prevented and adopting good cyber hygiene will help protect yourself from becoming a victim of Phishing and cybercrime. Small steps can make a huge difference in ensuring your online safety whilst reducing the risk of financial loss.

For more information on Phishing please visit the National Cyber Security Centre

About the author

Jon Cosson MSc.

With more than 35 years’ experience in the IT industry, Jon has held a variety of senior IT positions since starting his career in mainframe computer systems in the 1980s.

Jon is a highly respected technical leader and security specialist. Passionate about IT security, he holds numerous globally recognised cyber security certifications including CISSP, CISM, C|CISO, CEH, CHFI and MBCI. In 2016 he returned to academia and obtained a Masters Degree (Distinction) in Cyber Security.

Jon is an experienced Information Security professional with a proven ability to independently master complex products and technologies. He is a regular speaker at global cyber security events, working with a plethora of cyber security visionaries.