A Guide To Avoiding Phishing Attacks

One of the most common types of cyberattack is phishing. This kind of attack occurs when a cybercriminal sends you an email that looks like it comes from a legitimate source but is actually malicious in nature. Phishing attacks come in many forms, but in general they are trying to trick you into one of the following:

  • Clicking on a link.
  • Opening a document.
  • Installing some software on your computer.
  • Entering your credentials into a fake website posing as a real website.

Typically, phishing attacks will try to lure you into entering your password for an online service, like your bank or even your Netflix account. The attackers will then use these credentials to steal your account, access your employer’s IT infrastructure, or empty your bank account. Phishing attacks can also trick you into installing malware that seizes control of your computer to steal information or spy on you.

This guide intends to help you first spot a phishing attack and equip you with some effective means to defend against them when they occur.

Different Kinds Of Phishing Attacks

Credential Harvesting

Sneaky phishers trick you into giving them your username and password by sending you a link that looks familiar and legitimate but is actually a link to their fake service. These are sometimes hard to spot, as phishers conceal their fake links using clever combinations of letters that are slightly off the real URL, usually replacing a letter or two. For example, netflix.com becomes netllix.com, and if you only scan the URL without looking, you can miss the subtle difference.

When you click on the fake link, it directs you to a webpage that looks like the real Netflix login page, but isn’t. If you aren’t paying attention, you can very easily enter your credentials on that fake page. Some of these fake login screens look very authentic, and it can be tough to tell the difference from the real ones unless you spot small things. If you do try to log in through them, the attackers will have your credentials.

Before you type any passwords in online services (especially ones that somebody sends you a link to), it is always best to check the address bar and inspect the URL, which will always show the real domain name. Remember, just because a page looks like the real thing, it doesn’t mean that it is.

Those fake URLs can be tricky; lots of phishers use domains that look just like the real ones to try to trick you. For example, https://wwwgmail.com is not the same domain as https://www.gmail.com, even though at a glance they look almost identical. Another common tactic is to use URL shorteners, which are great at making long URLs easier to type or read, but are equally good at hiding the real URL.

It’s also really easy to fake email addresses that look like they come from a legitimate domain. Even checking the address of the email is sometimes not enough to confirm the email was sent to you by the actual organization you think it is. Always remember to check the URL in the address bar carefully!
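The address-bar check the guide describes, as an added example that is not part of the original article: a short Python checker that extracts the real host from a link and flags the two tricks mentioned above, typo lookalikes such as netllix.com and wwwgmail.com, and URL shorteners. The known-site list, the shortener list and every sample link are constructed for illustration.

```python
"""Added example, not part of the original guide: read the real host the way
the text advises for the address bar, then flag the two tricks it describes
(typo lookalikes and URL shorteners). All lists and links are constructed."""
from urllib.parse import urlsplit

KNOWN_SITES = ("netflix.com", "www.gmail.com", "gmail.com")
SHORTENERS = ("bit.ly", "t.co", "tinyurl.com")  # illustrative, not exhaustive

def hostname_of(url: str) -> str:
    """Host the browser would connect to, lower-cased; the path is ignored."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").rstrip(".")

def is_same_site(host: str, expected: str) -> bool:
    """Exact host or a real subdomain: 'www.gmail.com' matches 'gmail.com',
    but 'wwwgmail.com' does not, because there is no dot before 'gmail'."""
    return host == expected or host.endswith("." + expected)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 means the name is a letter or two off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url: str) -> str:
    """Return 'ok', or a short reason to stop and verify before clicking."""
    host = hostname_of(url)
    if host in SHORTENERS:
        return "shortened link: expand it to see the real destination"
    if any(is_same_site(host, k) for k in KNOWN_SITES):
        return "ok"
    for k in KNOWN_SITES:  # a letter or two off the real name
        if edit_distance(host, k) <= 2:
            return f"lookalike of {k}"
    for k in KNOWN_SITES:  # real brand name buried in someone else's domain
        if k in host:
            return f"{k} embedded in an unrelated domain"
    return "unknown site: verify before entering credentials"

if __name__ == "__main__":
    for link in ("https://www.gmail.com/mail", "https://wwwgmail.com/login",
                 "https://netllix.com/account", "https://netflix.com.evil.example/",
                 "https://bit.ly/constructed"):
        print(f"{link:45} -> {classify_link(link)}")
```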

Sometimes these kinds of phishing emails are sent to tens of thousands of people, and rather than try to trick you into visiting a fake URL, they want you to click on an attachment. They may pretend that you have an invoice due or that a payment has been made to you.

It takes a lot of discipline not to click on a PDF attachment of a payment you supposedly received, especially if you were expecting a payment from somewhere. Always remember, if a stranger sends you an invoice or a payment confirmation, it's probably a phishing attack!

Phishing With Spears

Sometimes spearphishing attacks are based on something unique to you, something that the criminals know about you personally. This is where the term ‘spearphishing’ comes from, and here’s how it works.

Let’s say you get an email from a female coworker, one that you have been publicly flirting with on Twitter (which was noticed by the phisher). The email subject line says NAKED SELFIE OF ME and it looks like it’s from that coworker’s email address. What do you do? You open it, of course. Many have already been spearphished this way.

The email contains a PDF called selfies.pdf, so you click on it. There may very well be some sort of naked pictures in that PDF, but there is also a kind of malware that quietly installs itself on your computer. This malware can be used to spy on you: it can record everything you type and even switch on your webcam and microphone.

The best way to prevent this from happening to you is to NEVER click on any links or attachments in emails. However, this is not realistic advice. So let’s talk about the sensible ways you can defend yourself from these attacks.

How To Protect Yourself Against Phishing

Always Verify A Strange Email

A quick and easy way to check the authenticity of an email is to call the person who sent it to you and ask them if they sent it. So if that pretty coworker you like sends you what appears to be some photos, quickly check with her that she emailed you before opening them.

If your bank sends you something with an attachment by email, don’t open it until your bank has confirmed that they sent it. Your bank will rarely email you asking for your credentials or send you an attachment, but it’s still best practice to verify before trusting a strange email.

Always Use A Password Manager

The great thing about password managers is that while a fake URL could fool you, your password manager will never be fooled by a fake URL, because it matches the saved login against the site’s actual domain rather than against how the page looks. It will simply refuse to auto-fill the login page with your credentials. If a password manager doesn’t auto-fill, then you know you need to double-check. If you are on the right URL, your password manager will work correctly and fill in the login.

Open Suspicious Attachments With Google Docs

If you receive a strange attachment in an email, you can probably open it in Google Docs without actually opening it on your personal computer. Google Docs will open Word, Excel, and PowerPoint files in a way that does not open the file locally.

Open Google Docs, import the file into Sheets, Docs, or Slides, and the file will safely open in the Google cloud so that you can read it.

Make Sure Your Apps and OS Are Up To Date

Most of the malware used in phishing attacks depends upon you having out-of-date software, such as Adobe Acrobat or Microsoft Word. The malware depends on this because it takes advantage of bugs in that software to infect your computer.

While the software makers usually fix these bugs as soon as they are discovered, this doesn’t help you if you haven’t updated.

Use U2F

U2F is short for ‘Universal Second Factor’, which is not to be confused with two-factor authentication. In short, some websites let you use a hardware token (a U2F token) that is able to foil phishing attempts. The token works together with your browser, which tells it the real address of the site you are on, so the token only responds to the site it was registered with.

You log in as you normally would, but then have to connect the key to your personal computer and then press the button on the token to log in. If you are on a fake website pretending to be a legitimate login page, the browser will refuse to log you in, so even if you are fooled into entering your credentials, the phishers will not be able to access your account.
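A simplified model of the origin binding described above, added here and not part of the original guide: the browser reports the site’s real origin to the token, the token only answers for origins it was registered on, and the site only accepts a response bound to its own origin. HMAC stands in for the token’s real public-key signature, and all origins, usernames and passwords are constructed.

```python
"""Added example, not code from the guide: a simplified model of an origin-bound
token (U2F-style). Real U2F/WebAuthn use public-key signatures and key handles;
HMAC stands in for the signature here. Every origin and password is constructed."""
import hmac, hashlib, secrets
from typing import Optional

class Token:
    """One secret per registered origin; the browser, not the page, names the origin."""
    def __init__(self):
        self._keys: dict[str, bytes] = {}
    def register(self, origin: str) -> bytes:
        self._keys[origin] = secrets.token_bytes(32)
        return self._keys[origin]            # stand-in for the public key the site keeps
    def sign(self, origin: str, challenge: bytes) -> Optional[bytes]:
        key = self._keys.get(origin)
        if key is None:                       # never registered here: the button does nothing
            return None
        return hmac.new(key, origin.encode() + challenge, hashlib.sha256).digest()

class Site:
    """The legitimate service: password check, then origin-bound token check."""
    def __init__(self, origin: str):
        self.origin, self.users = origin, {}
    def enrol(self, user: str, password: str, token: Token) -> None:
        self.users[user] = (password, token.register(self.origin))
    def login(self, user: str, password: str, browser_origin: str, token: Optional[Token]) -> str:
        stored = self.users.get(user)
        if stored is None or stored[0] != password:
            return "wrong password"
        if token is None:
            return "password correct but no token"          # a stolen password alone fails
        challenge = secrets.token_bytes(16)
        sig = token.sign(browser_origin, challenge)
        if sig is None:
            return "token refused: unknown origin"
        # The site binds the response to ITS origin, so one signed for any other address fails.
        expected = hmac.new(stored[1], self.origin.encode() + challenge, hashlib.sha256).digest()
        return "logged in" if hmac.compare_digest(sig, expected) else "rejected: origin mismatch"

def demo() -> dict:
    token, site = Token(), Site("https://bank.example")
    site.enrol("alice", "correct horse", token)
    token.register("https://bank-examp1e.com")           # user was tricked into enrolling here too
    return {
        "real site": site.login("alice", "correct horse", "https://bank.example", token),
        "unknown lookalike": site.login("alice", "correct horse", "https://bank.exarnple.com", token),
        "enrolled lookalike": site.login("alice", "correct horse", "https://bank-examp1e.com", token),
        "stolen password, no token": site.login("alice", "correct horse", "https://bank.example", None),
    }
```

Only the first case logs in: the lookalike origins fail at the token or at the site’s origin check, and a password stolen through a fake page is useless without the token.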

Be Wary of Instructional Emails

Sometimes, a phisher will send you an email pretending to be from the technical support department, asking you to let one of their technical support staff remotely access your computer. They may also ask you to turn off a security feature or request your password so that they can ‘fix’ your computer. Sometimes they pretend that your computer has been hacked, that your email is full, or some other excuse to get you to do something that will compromise your security.

The general rule is to never give anyone any technical information about your computer. Never let anyone log in remotely unless you called up the Geek Squad or requested technical support from your employer. Even then, verify before you trust them!

Remember, if you ever get a strange email with a suspicious link, attachment, or instructions, verify before clicking. It's the only real way to be safe in the face of the increasingly crafty and cunning phishers. If you need technology, people, or processes to help defend against phishing attacks at your organization, get in touch today. The experienced professionals at Digital Hands specialize in cyberattack solutions and are always happy to discuss improving your cybersecurity.