How to protect against phishing attacks

Nowadays, being hacked is one of the dangers that one can fall into while on the Internet. There are many ways someone can be a victim of hacking as it can come in many shapes and forms. However, there is one that stands out the most for users who are trying to protect their most valued accounts: Phishing

Phishing commonly tricks its victims into giving up their personal details or sensitive data using emails, telephone calls, or text messages resulting in identity theft or financial loss. In many cases, spoof emails are sent, pretending to come from large and recognized organizations or companies, as an excuse to gain private information putting the victim later on in difficult situations like ransomware or credit card fraud.

Phishing has its origin during the mid-’90s carrying its first attacks on AOL Inc, or America Online, an American web portal, and online service provider, which affected a lot of people turning it into what is now a big headache for internet users. The word has been changed and turned to phishing in relation to the group of people, known as “phreaks”, who first planned these scams. As its name suggests it compares internet users to fish as potential victims ready to fall for any traps or baits in the form of emails containing malicious attached files or links to fake websites.

Since its origins phishing has evolved and developed in so many ways to scam Internet users around the world. Before you can protect your accounts against phishing it is important to know how to identify phishing and its different kinds.

Here we have listed some of them:

• Spear phishing This plot typically uses spoof emails from a reliable source to get the victim’s details. The more research has been done on a specific individual the more it increases the chances of that person falling into the trap.
• Whaling Similar to spear phishing, it targets a senior-level or important individual from a company to steal information and in most cases ask them to transfer large sums of money.
• Smishing Also known as SMS phishing. Instead of using email to get personal data, phishers attack their victims on their mobile phones by sending text messages.
• Vishing Sometimes referred to as Voice Phishing, attackers use phone calls to manipulate and convince their victim to give up private information.

Real Case

Let’s imagine how would phishing work in a real situation. Let’s say you have been recently hired to be a community manager as part of the Public Relations Department of Facebook. After a certain time, one day you wake up not knowing that hackers targeted Facebook and breached its security system. In the process, hackers manage to stole almost the totality of Facebook’s employee’s credentials related to their work account and personal account. Unfortunately for you, you are one of these people.

In this case, hackers then now have the email address you use for your Instagram personal account. It is at this point that they decide to target you to get the missing information which is your Instagram account password. To do this, they send you an email posing as “Instagram” telling you that someone is trying to access your account without your permission, and must log in at once to change your personal details to prevent it.

Randomly, you open your mail at 1.00 a.m. while watching Stranger Things season 4 finale. So, more focused on what’s happening to Eleven and her friends you don’t pay enough attention to the content of the email, and immediately click on the link provided to change your details. Not aware that this link takes you to a fake Instagram website, you are then asked to type in your credentials (email and password) for your Instagram account. With no hesitation at all, you follow the instructions, voluntarily giving away your credentials, or more specifically your password for hackers to gain access to your Instagram account.

Obviously, it’s not easy for everyone to identify when an email is a scam or fake at first sight, or when a text message is a fraud. It makes it even more difficult if the person being attacked is caught off guard or under stress. But, what would have happened if you had put more attention to the email?

Surely, you would’ve seen some subtle signs enough to tell if a source is reliable or not. These are some red flags to watch out for in case you think you are being targeted:

• Sense of urgency The first and probably the most effective way to trigger someone to share private information. The email you might have received has been written in such ways to awaken emotions in you like a sense of fear, curiosity, or urgency making you act fast without thinking to manipulate you to click a link or open suspicious content.
• Unusual request and timing If you get an email from Instagram customer support at 3 a.m. in the morning announcing you have won 5,000 $ worth of purchases and should log in to your account immediately to claim it is a big red flag!
• Message style Take a closer look and check for any obvious spelling and grammar errors. Mails sent from relevant organizations will always ensure any emails sent out are free from spelling and grammar mistakes.
• Hyperlinks / Attachments Phishing emails posing as Google or Twitch will commonly contain a malicious link or a suspicious attachment. Links will take the victim to a fake domain to get their credentials such as their mail address and password while attachments could infect computers with malware to steal their credentials.

This last example about links and domains is the one you should be paying more attention to whenever you get this kind of suspicious email. If we take the same example I mentioned before the sender’s email address supposedly coming from Instagram won’t even match the one Instagram officially use to contact its users but instead will be something like: instagramnoreply@cbcscouting.com

More importantly, if you look closely at the masked link by hovering over it you will also notice that the domain is somehow strange. An example of it can be like the one you can see: http://xyz.instgrm.com/support (a is missing)

How to avoid Phishing?

If a phishing attack is not prevented in time, victims can be affected heavily. As a result, in case a target is a single person this can lead to a financial loss like fraudulent charges, loss of important files or other documents in their device, fake social media posts, and ransomware. Similarly, if an organization or a business has been compromised some of its consequences may be the exposure of personal information about staff and customers, future damage to the employer’s reputation, a company’s value decrease, and ransomware.

Avoiding these situations is important. At this point, many of you may be asking: but, how? To this, there is no easy answer, but surely you can take some precautions to avoid being scammed. You can start by using security technologies to fight fishing such as multi-factor authentication or two-factor authentication. 2FA will be an effective way in securing your device from phishing.

As we mentioned in our previous article, Two-Factor Authentication (2FA) provides your accounts with an extra security layer. What does that mean you say? Mind that, 2FA is a security system that requires a second piece of evidence or token before granting access to your account. This second piece of evidence or token may ask you about “something you know”, “something you have”( a phone), or “something you are” (Face ID or Touch ID). If you have enabled the 2FA feature in your accounts like Twitch or Crypto.com before logging out, the next time you log in, these accounts will ask you to enter your email and password, and once done will ask you to enter the second piece of evidence. Under any possible phishing attack, phishers will have it difficult to gain access to your account for a simple reason. Even if they have your email and password, and try to log in, they will quickly be facing a big challenge which is entering your 2FA token. Since 2FA is something that is unique and only belongs to you, phishers will be pulling their hair out before there’s a chance they can possibly get it.

Authenticator App is a great 2FA tool to secure your accounts. Not only it generates and keeps your codes, based on a Time-Based one Time password (TOTP), but also recently included another great feature. Authenticator possesses to its advantage the possibility of backing up, restoring, and synchronizing all your data with its “Sync & Backup” option that will come in handy whenever you lose or switch to a new device. As for the new feature, Authenticator has added a Browser Extension to minimize phishing attacks. The Browser’s auto-fill built alerts the user of suspicious domains when it’s completely different from the ones associated with your account.

To give you a practical example, once Browser Extension has been enabled you will see the Authenticator App icon in the top left or right corner of your Menu bar. Upon entering your credentials in your accounts like Facebook or Instagram, these will then ask you to enter your codes, at this point you can prompt Authenticator App to auto-fill your codes by just clicking on it! Et voilà! You’re back in! Worst case scenario, if the website is designed by phishing attackers whenever trying to auto-fill your code it will warn you that the domain is not the same, and so not to be relied on.

Final Thoughts

All in all, in situations in which you think your account is compromised, think before acting and avoid getting yourself in trouble. Remember that any renowned website will never ask easily for credentials or sensitive information online. Be sure to never let your guard down and always keep your accounts secured.

• Published: 05 Jun 2023

• Updated: 16 Mar 2024