The ABC of Cybersecurity: P is for Phishing

Your online accounts are part of your digital identity. They”re used to store your conversations, money, search history or those cat pictures you bookmarked to enjoy later. They are precious not only to you, but also to the bad guys trying to snatch them from under your feet keys.

In broad terms, phishing is a form of fraud in which a third party attempts to trick you into divulging sensitive information by impersonating a trustworthy entity. Usually, phishing is carried out via e-mail or instant messaging applications, but phishing links can be snuck into messages posted on social networks, bulletin boards and so on.

How does phishing work?

A classic phishing scam starts with an e-mail purportedly from your bank, your e-mail service provider or another entity you have signed up with. These messages usually require that you follow a link to validate some personal information; failure to comply will lead to account suspension or termination. To gain credibility, a phishing message usually includes logos and visual identities ripped off from the impersonated entity.

Instead of taking you to the bank”s webpage, though, he link points to the fraudster”s website. Anything you fill in will be sent to the attacker and used to illegally access the account. Once the account is compromised, the attacker can abuse it in various ways, depending on what type of account that is. In the case of an e-banking website, a hacker could make payments or transfer money from the user”s account; an e-mail account can be used to gain access to private conversations or to send spam to other users and so on.

How to identify a phishing message just by visually inspecting it?

As you encounter more and more phishing messages, you will learn to identify them with just a quick look. Usually, these messages are rife with spelling errors. This mostly happens because the attacker is not a native English speaker. The message is also impersonal. It often starts with “Dear user” rather than your username or full name. Unlike legit messages from the service provider, phishing messages don”t mention your full name or user name. They are designed to trick every recipient, not just you and the attackers do not know who you are – they just hope you have an account on the respective service.

The link you are supposed to follow is also different from the URL you enter in your browser when you access the respective service. Often the URL starts with an IP address.

How do you protect yourself against phishing?

Anti-phishing defenses are layered mechanisms. The first line of defense is the spam filter – a solution that is usually integrated with your anti-virus product and that filters junk e-mail from legit messages. A good antispam filter blocks the phishing attempt in its early stage, so you don’t even see the lure that is being thrown at you.

A second layer of defense is the anti-phishing or anti-fraud module – another component of the anti-virus that analyzes the web page you land on and determines whether it has been designed to steal your data. Even if you have fallen for the scam and opened the phishing message, the anti-phishing module should prevent you from filling in the form with your sensitive information (credit card number, expiration date, CVV or PIN number, among others).

Last, but not least, setting up two-factor authentication for the accounts that support it ensures that, even if somebody gets your login credentials, they couldn”t log in without a secondary password sent by the service on your mobile device or token. We have a great tutorial on how to set up two-factor authentication for the most popular web services here.