The most dangerous part of a phishing attack is the belief that it can’t happen to you. Getting scammed on the Internet always feels like something that will happen to someone else. Surely you’re not the type that would fall for the old trick about the son of the deposed king of Nigeria wanting to wire you $7 million but first he needs your credit card. Those scams are for the people who have never been on the Internet or who are senior citizens who mostly use a computer to email pictures of the grandkids to their friends.
The truth of the matter is that phishing is one of the most sophisticated forms of scams on the Internet and there are millions of attempts made every day. This blog will break down the anatomy of a phishing attack and how to be on the lookout for one so that you are not the next victim.
What is a Phishing Attack?
Phishing attacks occur when a message is sent to a potential victim disguised as something it’s not. There are four intentions for sending such a message: Click a link that will take the user to a malicious website; open a document that will be a cover-up for launching some sort of malware onto your computer; installing software onto your device; or entering your user name and password into a website made up to look like one that you trust.
Phishing attacks exist for the purpose of getting people to lower guard on letting malicious apps onto their devices or to give up personal information which will be used to abuse your financial capabilities.
Phishing for passwords is also called credential harvesting. They are often constructed to look like messages in your email from sites you trust such as your bank. When you click the link, you will be sent to a website that can be a clone of your bank’s website, but when you enter your account information, it is sent to the phishing attack’s host instead.
Spear-Phishing attempts to get people to follow a link usually promising something exciting like a video or scandalous photos at the other end. It might even look highly personalized, like a message from someone you know saying they’ve attached photos of their children and all you have to do is click the attached file.
The file is usually a cover for some sort of malware to be installed on your computer. When you click to open the file, it signals the malware to activate as well.
Protection Against Phishing Attacks
There are multiple best practices to stay safe against phishing attacks. Practicing these will help you avoid them.
First, use a password manager with auto-fill. Your computer won’t be fooled by phony websites wanting your bank username and password, and if it doesn’t auto-populate these fields on a site, you can deduce it’s a phony one.
Update: 31st July 2020: I’ve recently swapped from Keeper Password Manager to LastPass Password Manager as Keeper was a bit pricey for my needs and LastPass offers a free version with some great features.
Secondly, if you’re not using a password manager, make sure you generate secure passwords. You can use a service like an online random password generator which will generate truly random passwords – the problem with this is that you can’t really remember them which isn’t great if you need to set a master password on something. If you want a secure but memorable password, you can try a service such as Password Meter which allows you to generate strong passwords from easy to remember “words”.
Thirdly, verify any suspicious emails with their senders. If your boss has sent you an email claiming that this is the most crazy video game ever and the attachment is a PDF, best to call him and ask if it’s really from him. If not, it means his system is infested with some sort of malware.
Finally, always run a strong anti malware software such as Total AV to fight back against phishing attacks. Smart anti malware solutions will sniff out suspicious files, emails, and links, even if you accidentally click one without thinking. They’ll usually give you a warning sign that something is amiss and strongly urge you to back away from whatever it is to avoid having your system or information compromised.