Following on from Dave Moore’s meticulously assembled winners’ map last week, we’ve got a guest blog from Dominic Canty, otherwise known as Metrosey. We’ve all received phishing emails, whether we’ve realised it or not. Dominic’s wise words will help you identify them and avoid getting fooled. Thanks Dominic!
With cyber-attacks ever increasing, and more people and businesses falling victim to them, I’d like to provide some quick cybersecurity tips to fellow users. The easiest and most common attack a cyber-criminal will attempt at this time of year is known as social engineering. This is where the cyber-criminal disguises themselves as a trusted source, say a bank, business, friend or family member, to carry out their malicious intent. It includes phishing (by e-mail), vishing (by voice call), smishing (by SMS text) and so on. I’ll provide a quick summary of each throughout the week in the comments section(s), but I’ll focus on phishing in this article.
Phishing is an attack delivered by e-mail: the disguised cyber-criminal sends out thousands of messages to potential victims. They get e-mail addresses from database leaks, business security breaches, marketplaces where user data is bought and sold, and by guessing simple addresses like ‘Richard146@hotmail.com’. The criminal then makes the e-mail look as if it comes from a trusted source, for example by sending from ‘xyz@rnicrosoft,com’ (note the ‘rn’ standing in for ‘m’ and the comma in place of the dot). Now, some of you may think “well, I’ll notice that, it’s easy”, but this isn’t always the case (I could provide reasons why if requested).
What do they want from me?
It varies depending on how the attack is set up. Examples include money, your personal data, installing malware or backdoors (a backdoor is a hidden way back into your computer that makes it easier to infect again later), damaging a reputation, reducing productivity, stealing company information, extortion, etc.
One quick figure: the FBI’s Internet Crime Complaint Center (IC3) 2018 Internet Crime Report recorded 26,379 victims of phishing/vishing/smishing/pharming in 2018, accounting for $48,241,748 in losses.
What can I do?
Whenever you get an E-Mail, click on the sender’s name and view the actual E-Mail address (the one with the @ sign, not just the contact’s display name). Make sure the whole address is correct and not suspicious. A genuine address looks like (these are examples only) ‘firstname.lastname@example.org’ or ‘email@example.com’, where the part after the @ is the organisation’s own domain, whereas a malicious one could look like ‘customerservice@nätionwide,co,uk’: an accented letter in place of a plain one, and commas where the dots should be. Using a look-alike or forged sender address like this is dubbed spoofing. Other examples can be even harder to distinguish, especially if there is dirt on the screen or the screen is not bright enough. Following on from this, the domain (everything after the @ sign, e.g. ‘example.com’ in ‘email@example.com’) should be the organisation’s official website name or something clearly related to it. If the domain is a consumer webmail service, as in ‘HSBC@gmail.com’, the message is fake: no reputable, high-value business sends from an ‘@hotmail’, ‘@gmail’, etc. address. One caveat: the sender address you see can itself be forged, so a correct-looking address is a necessary check, not proof that the message is genuine, and the checks below still apply.
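Putting the sender-address checks above into code, as an added example that is not part of Dominic’s post: the Python script below flags the look-alike tricks the text describes (‘rnicrosoft,com’, ‘nätionwide,co,uk’, a brand name on a ‘@gmail.com’ address). The trusted-domain list, brand list and sample From: headers are constructed for illustration and should be replaced with the organisations you actually deal with.

```python
"""Heuristic sender-address checks for the look-alike tricks the article
describes ('rnicrosoft,com', 'nätionwide,co,uk', 'HSBC@gmail.com').

Added example, not code from the original post. The trusted-domain list,
brand list and sample headers are constructed for illustration.
"""
import unicodedata

# Constructed list of domains the reader genuinely does business with.
TRUSTED_DOMAINS = {"microsoft.com", "nationwide.co.uk", "hsbc.co.uk"}

# Consumer webmail providers: a bank or large business does not send from these.
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com", "live.com"}

# Brand names that should only appear together with their own domain (constructed).
BRANDS = {"microsoft", "nationwide", "hsbc"}

# Digit-for-letter swaps that are easy to miss. Crude: a genuine zero in a
# legitimate domain would be folded too, so the folded form is only compared.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def split_header(from_header: str) -> tuple[str, str]:
    """Split 'Display Name <addr>' into (display_name, addr) with a plain
    string split, so that oddities such as commas in the domain survive
    (email.utils.parseaddr stops parsing the domain at a comma)."""
    header = from_header.strip()
    if header.endswith(">") and "<" in header:
        name, _, addr = header.rpartition("<")
        return name.strip().strip('"'), addr[:-1].strip()
    return "", header


def normalise_domain(domain: str) -> str:
    """Fold a domain so that look-alikes collapse onto the genuine name:
    strip accents (ä -> a), lower-case, commas -> dots, 'rn' -> 'm', and the
    digit swaps above. 'rn' -> 'm' is a heuristic ('modern.com' would fold to
    'modem.com'), so the result is only ever compared, never trusted."""
    decomposed = unicodedata.normalize("NFKD", domain)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = ascii_only.lower().replace(",", ".").replace("rn", "m")
    return folded.translate(CONFUSABLES)


def check_sender(from_header: str) -> list[str]:
    """Return warnings for a raw From: header value. An empty list means none
    of these tricks was spotted, not that the message is genuine: the From:
    header is not authenticated unless SPF/DKIM/DMARC checks passed."""
    display_name, address = split_header(from_header)
    if address.count("@") != 1:
        return ["no single usable address in From: header"]
    local_part, raw_domain = address.split("@")
    warnings = []
    if "," in raw_domain:
        warnings.append(f"comma in domain '{raw_domain}' (mimics a dot)")
    if not raw_domain.isascii():
        warnings.append(f"non-ASCII characters in domain '{raw_domain}'")
    domain = normalise_domain(raw_domain)
    if domain in TRUSTED_DOMAINS and domain != raw_domain.lower():
        warnings.append(f"'{raw_domain}' imitates trusted domain '{domain}'")
    claims = f"{display_name} {local_part}".lower()
    if domain in FREEMAIL_DOMAINS and any(brand in claims for brand in BRANDS):
        warnings.append(f"brand name combined with consumer webmail domain '{raw_domain}'")
    if "@" in display_name and display_name.lower() != address.lower():
        warnings.append(f"display name '{display_name}' is an address that differs from the real sender")
    return warnings


# Constructed sample headers (not real messages).
SAMPLES = [
    "Nationwide <customerservice@nationwide.co.uk>",
    "Microsoft Account Team <xyz@rnicrosoft,com>",
    "customerservice@nätionwide,co,uk",
    "HSBC Online Banking <HSBC@gmail.com>",
    "security@hsbc.co.uk <alerts@example.org>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = check_sender(sample) or ["no look-alike tricks spotted"]
        print(f"{sample!r}\n  " + "\n  ".join(result))
```

Running the script prints the warnings for each sample; only the genuine Nationwide address comes back clean. A clean result means none of these particular tricks was found, which is why the remaining checks in the article (what the message asks you to do, and how you verify it) still matter.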
Next, make sure what they are asking for is not suspicious. Perhaps the E-Mail wants you to download something, reset your password, change personal details, or “reset your account due to a recent security breach”. All of these are ways to trick the potential victim into clicking a link or opening an attachment they provide. So whenever you receive such an E-Mail, ask yourself “did I request this?”. If you did not, either delete it or contact the business (find their contact details through their official website, typed in yourself rather than reached through a link in the E-Mail) and ask whether they sent out E-Mails regarding the specific situation.
Thirdly, read the E-Mail carefully: spelling or grammar mistakes are another key sign that it’s malicious, although a well-crafted phishing E-Mail may have none.
Fourthly, there are dedicated anti-phishing packages that help, but these are mainly aimed at businesses (largely due to cost). However, anti-virus packages normally include some form of anti-phishing protection, and some E-Mail providers have stronger built-in phishing protection than others. Just remember, though, that no matter the protection there is always some risk, and where there is risk, there is an opportunity for an attacker.
Lastly, the cyber-criminal could use an E-Mail address similar to a friend’s or family member’s, pleading for help (money, private information, etc.) and/or sending you so-called holiday pictures as an attachment. Whenever you are suspicious of this, delete the E-Mail and/or contact the person by the phone number in your contacts list or via social media. Do not reply to the same E-Mail address. Moreover, the cyber-criminal may have gained access to a friend’s or family member’s real E-Mail account, so the address can be genuine and the message still fake. In that event, take the same steps (delete the E-Mail and/or contact them another way).
That’s it for now; again, I can provide more information if required in the comments. Any feedback would be great and will be noted for further information guides. When I have the time, I’ll do other (shorter) guides in the future, such as the top security methods to stay safe online. Thank you for reading and have a wonderful week.