“A single spear-phishing email carrying a slightly altered malware can bypass multi-million-dollar enterprise security solutions if an adversary deceives a cyber-hygienically apathetic employee into opening the attachment or clicking a malicious link and thereby compromising the entire network.”
― James Scott, Senior Fellow, Institute for Critical Infrastructure Technology
What convinces you to open an email and download an attachment? Do you give a second thought before clicking an attachment? Are you sure that an email that seems to come from a valid source is not a trap?
These are a few questions you need to ask yourself, to stay safe from the undercover phishing attacks. Businesses and individuals are often targeted by the hackers, who send malicious malware through emails, these emails might look very authentic on the surface but, once you click on them, the real attack begins.
Once you enter the email, you will be asked to click on a link, that looks very legit and will ask for your personal details. If you provide your info here, then you are trapped.
What is phishing?
Phishing is an attack where sensitive information of the user is stolen, using the medium of emails, social media, phone calls or any other communication methods.
What are the types of phishing attacks?
Phishing attacks can be of various types:
- Email Phishing -The most common medium of emails.
- Spear Phishing – This type of attack is directed towards a specific group or type of people. As the term suggests, this type of attack selects its victim with a spear. For example, if you receive an email from a brand, you recently shopped from then, you are bound to click on it, thinking it is a valid link. So, this type of selective technique is known as spear phishing.
- Whaling – Whaling as the name suggests, are big attacks that selectively target the big bulls of the business industry.
- Smishing – Here, the mode of attack is through text messages or SMS. A link is sent to the victim via an SMS, the moment you click on the link, your device is hijacked. For instance, you might receive an SMS from your bank, stating that your account has been blocked and you need to click on a link to raise a unblock request. The moment you click on the link, it will redirect you to a page that looks like your bank’s logging page, now if you go ahead and enter your credentials, you are in trouble.
Now that we know the types are cyber-attack, let’s see how we can bypass these attacks and remain safe.
1. The email is from a public email domain.
Let’s understand this with an example. Harry was applying for an offshore job opportunity; he receives a mail from an organisation with an attached offer letter. The company name was valid, the offer letter was sent on the company’s letterhead, the salary package offered was very handsome and it almost seemed like a dream come true opportunity.
The company requested harry to contact a visa company (mentioned in the letter) and pay the visa charges, which would be refunded on joining. Harry seemed convinced until he noticed that the email has arrived from a public email domain.
This is where Harry grew suspicious, he found the real email id of the company and wrote directly to them, attaching the offer letter with the mail. Within a few days, the company responded verifying that the offer letter was fake, and the offer was sent by cybercriminals who wanted to rob some easy money.
The moral of the story is – ‘Never respond directly to company emails, send from a public email domain.’
2. Misspelt company name
IBM and IBN can many times go unnoticed. So, check the domain name carefully, before taking any action. A misspelt company name or domain could be an indication of a phishing scam. Hackers can register domain names with very little modifications, a letter here and there and a new similar-looking domain is created. Thus, be aware of what you receive.
3. Badly written emails
Here, you need to read between the lines. The language of a brand is always sophisticated, clear and very attractive, but if you receive a mail from a company, then the first thing you must do is read the mail carefully.
Does it sound like a brand speaking, are there errors in grammar, spelling or sentence formation? Does it talk sense or is just wanting you to click on a link or download an attachment.
These fine clues are hidden within the email, you need to identify them and tell the hackers to go take a walk.
The Bottom line:
Hackers are smart but not attack till date was such that could not have been avoided. Behind every attack, there is a percentage of error that can defeat the attack. Thus, educate yourself and others about how we can identify the risk and stay alert. Precaution is better than cure when it comes to cyber-attack.