Tips and Tricks

The ABC of Cybersecurity: P is for Phishing

Your online accounts are part of your digital identity. They hold your conversations, your money, your search history or those cat pictures you bookmarked to enjoy later. They are precious not only to you, but also to the criminals trying to snatch them from under your nose.

In broad terms, phishing is a form of fraud in which an attacker tries to trick you into divulging sensitive information by impersonating a trustworthy entity. Phishing is usually carried out via e-mail or instant messaging applications, but phishing links can also be slipped into messages posted on social networks, bulletin boards and so on.

How does phishing work?

A classic phishing scam starts with an e-mail purportedly from your bank, your e-mail service provider or another entity you have signed up with. These messages usually demand that you follow a link to validate some personal information and warn that failure to comply will lead to account suspension or termination. To gain credibility, a phishing message usually includes logos and visual elements copied from the impersonated entity.

Instead of taking you to the bank’s webpage, though, the link points to the fraudster’s website. Anything you fill in is sent to the attacker and used to access the account illegally. Once the account is compromised, the attacker can abuse it in various ways, depending on the type of account. In the case of an e-banking website, the attacker could make payments or transfer money from the user’s account; an e-mail account can be used to read private conversations, to reset the passwords of other accounts registered to that address, or to send spam and further phishing to the victim’s contacts, and so on.

How to identify a phishing message just by visually inspecting it?

As you encounter more phishing messages, you will learn to spot them at a glance. They are often rife with spelling and grammar errors, frequently because the attacker is not a native speaker of the language the message is written in. The message is also impersonal: it typically opens with “Dear user” rather than your name or user name, which legitimate messages from the service provider usually include. The campaign is designed to trick every recipient, not just you; the attackers do not know who you are and simply hope you have an account with the impersonated service. Bear in mind that well-crafted or targeted messages may lack these cues, so their absence is not proof that a message is genuine.

The link you are asked to follow also differs from the address you normally type to reach the service. Often the URL starts with a raw IP address, or it uses a domain that merely contains the brand name (for example, the real domain as a subdomain of an unrelated one). Hover over the link, or long-press it on a phone, to reveal the real destination before you click: the visible link text can say anything, and the address it actually points to is what matters.
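The cues above (a raw IP address as the destination, a destination host outside the impersonated service’s domain, link text that shows one address while the link goes to another, and a generic “Dear user” greeting) can be checked mechanically. The following script is an added example, not code from the original article or from Bitdefender; it parses the links out of an HTML e-mail body with the Python standard library and flags each of those signals. The e-mail body, the trusted domain `examplebank.com` and the addresses in it are constructed for the demonstration. It is a simplified version of the kind of heuristic an anti-phishing module applies, not a replacement for one.

```python
"""Heuristic inspection of links in an HTML e-mail body (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: mimics a bank lure with a raw-IP link, a
# lookalike domain whose visible text shows the real bank address, and one
# genuine link. Not taken from any real campaign.
SAMPLE_EMAIL = """
<p>Dear user,</p>
<p>Your account will be suspended. Please
<a href="http://203.0.113.10/login">validate your details</a> or visit
<a href="https://examplebank.com.secure-login.example/">https://www.examplebank.com/secure</a>.</p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help page</a>.</p>
"""

GENERIC_GREETING = re.compile(
    r"\bdear\s+(valued\s+)?(user|customer|member|client|account\s+holder)\b", re.I
)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase host of a URL; tolerates link text without a scheme (e.g. 'www.x.com/y')."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def under_domain(host, domain):
    """True when host is the domain itself or a subdomain of it (not merely contains it)."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


def has_generic_greeting(html):
    return GENERIC_GREETING.search(html) is not None


def inspect_links(html, trusted_domain):
    """Return one finding per suspicious link: {'href', 'text', 'reasons'}."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if is_ip_literal(host):
            reasons.append("destination is a raw IP address, not a domain")
        elif not under_domain(host, trusted_domain):
            reasons.append(f"destination host {host!r} is not under {trusted_domain!r}")
        if looks_like_url(text) and host_of(text) != host:
            reasons.append(f"displayed URL host {host_of(text)!r} differs from real host {host!r}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("generic greeting:", has_generic_greeting(SAMPLE_EMAIL))
    for finding in inspect_links(SAMPLE_EMAIL, "examplebank.com"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed message, the raw-IP link is flagged once, the lookalike link twice (foreign host and text/destination mismatch) and the genuine help link not at all. The `under_domain` check is the important detail: `examplebank.com.secure-login.example` contains the brand name but is not under `examplebank.com`, which is exactly the trick the article describes.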

How do you protect yourself against phishing?

Anti-phishing defenses are layered. The first line of defense is the spam filter, a component that is usually integrated with your anti-virus product, or run by your e-mail provider, and that separates junk e-mail from legitimate messages. A good antispam filter blocks the phishing attempt at this early stage, so you never even see the lure.

A second layer of defense is the anti-phishing or anti-fraud module, another component of the anti-virus that analyzes the web page you land on and determines whether it has been designed to steal your data. Even if you have fallen for the scam and clicked the link in the phishing message, the anti-phishing module should block the page before you can fill in the form with your sensitive information (credit card number, expiration date, CVV or PIN, among others).

Last, but not least, setting up two-factor authentication for the accounts that support it means that, even if somebody obtains your login credentials, they cannot log in without a second factor: a one-time code sent to your mobile device, or generated by an authenticator app or hardware token. Keep in mind that a one-time code typed into a phishing page can be relayed to the real site by the attacker within its short validity window, so two-factor authentication raises the bar considerably but is not a reason to ignore the checks above. We have a great tutorial on how to set up two-factor authentication for the most popular web services here.

About the author


The meaning of Bitdefender’s mascot, the Dacian Draco, an ancient symbol that depicts a mythical animal with a wolf’s head and a dragon’s body, is “to watch” and to “guard with a sharp eye.” Like our mascot, we are committed to using Bitdefender Labs, our world-class research team, to vigilantly find and eradicate threats for our customers, and to use our platform for the larger good.

1 Comment

  • Phishing is one of the common attacks that take place every day. Almost everyone has been and still gets attacked by this. The most common way is through email; that’s one of the easiest ways for attackers to fool people. The worst thing is that people still become victims of these messages, and sometimes they even have to deal with the consequences, which are quite damaging financially as well as in other ways.

    Users mostly visit websites where they give out their personal details such as their email address, which leads to these types of things. As you discussed, it’s in our hands to avoid these types of scenarios, so only keeping an updated anti-virus won’t help. Users also have to learn the basics of online security and avoid clicking on any mail or link that can be pretty dangerous later on.

    Attackers are so smart that they send emails which look exactly legit. So, it’s better to look at whom the mail is from and to search for the email address that was used to send it. If it’s legit, there will be some trace of it on the internet that can be found. Lastly, the links given in the mail always differ a little bit, so it’s best not to give out any information about ourselves.