Much like real-life fishing, phishing scams don’t necessarily work best when they rely on advanced tactics, but social networks have motivated many new techniques. So what is phishing, and what should you be wary of?
The Basics of Phishing
According to Microsoft’s Safety & Security Center, phishing can be summed up as:
“A type of online identity theft. It uses email and fraudulent websites that are designed to steal your personal data or information such as credit card numbers, passwords, account data, or other information”.
In other words, phishers are the Loki of the Internet. They’re tricksters. Often, the techniques used by phishers have absolutely nothing to do with exploiting zero-day threats. Instead, they exploit human psychology.
There is one point on which I disagree with Microsoft, however, and that’s their description of phishing as “a type of online identity theft”. This isn’t always the case. As I’ll explain in some examples of recent scams, phishing tactics are often used to simply harvest data or to trick people into purchasing a product.
Traditional Phishing
In many cases, Microsoft is correct. Many phishing attacks are attempts to steal personal information. Often, they do so using link manipulation and website forgery. The traditional example is an email that seems to come from a legitimate source, like your bank. It claims that there’s been some problem, or perhaps offers you a lower interest rate on a credit card. All you need to do is log in via the link in the email, which appears legitimate.
But it’s not. The link has been manipulated to look correct, but it actually redirects you to a forged website. Once you enter your login information, the phisher has it, and can use it to log in and use your account. Sometimes, the attack will go further and request you to fill in personal information like your social security number, credit card number, address, and so on. Identity theft is just a hop, skip and a jump away from there.
Traditional phishing can be combated by refusing to follow links in such emails. If you receive something from your bank that claims you need to log into your account, simply go to your bank’s website by entering the URL manually and then log in. In fact, some banks and other organizations no longer even send links to users precisely because doing so makes phishing attacks more effective, as users become confused about what is and is not legitimate.
You can also combat phishing using an Internet Security suite with anti-phishing features. These monitor your browser and look for signs that a website is a forgery. Extensions like Web of Trust can also be effective.
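The link manipulation described above is mechanical enough to check for automatically, which is roughly what anti-phishing features do before a page is even fetched. The following is an added example, not code from the original article or from any security suite: it parses the anchors of an HTML email and flags an href whose real destination differs from the domain the visible link text suggests, along with two classic disguises (a bare IP address as the host, and user:info@ placed in front of the real host). The sample message and every domain ending in .example or .invalid are constructed values, and the two-label "registered domain" helper is a simplification that ignores public-suffix rules such as co.uk.

```python
"""Defensive check for link manipulation in an HTML email (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # None means "not inside an <a>"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# A hostname that appears in visible link text, with or without a scheme.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registered_domain(host):
    """Last two labels of a hostname. Assumption: no public-suffix list,
    so multi-label suffixes (co.uk) are not handled; fine for the demo."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def apparent_domain(text):
    """Domain a reader would infer from the visible link text, or None."""
    m = _HOST_IN_TEXT.search(text)
    return registered_domain(m.group(1)) if m else None


def analyze_link(href, text):
    """Return the reasons a link looks manipulated (empty list if none)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        reasons.append("not an absolute web link")
        return reasons
    if parts.username is not None:
        # Everything before '@' is ignored by the browser; the real host follows it.
        reasons.append("user-info before the real host: " + host)
    if _IPV4.fullmatch(host):
        reasons.append("destination is a bare IP address: " + host)
    shown = apparent_domain(text)
    actual = registered_domain(host)
    if shown and shown != actual:
        reasons.append(f"text shows {shown} but link goes to {actual}")
    return reasons


def scan_email(html):
    """Return [(href, text, reasons)] for every anchor in the message."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(h, t, analyze_link(h, t)) for h, t in collector.anchors]


# Constructed sample message; the domains are placeholders, not real sites.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account.</p>
<a href="http://203.0.113.10/login">https://www.bank.example/login</a><br>
<a href="https://www.bank.example@bank-verify.invalid/login">Log in</a><br>
<a href="https://bank.example.secure-login.invalid/">www.bank.example</a><br>
<a href="https://www.bank.example/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print("SUSPICIOUS" if reasons else "ok        ", href)
        for r in reasons:
            print("            -", r)
```

Run as a script it prints a verdict per link; only the last anchor, whose destination matches its text, passes. Real mail clients must also deal with shortened links and Unicode look-alike domains, which this check does not cover.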
Phone Phishing
Within the last few years, phone phishing has become a popular tactic. I myself received a phone call last month claiming to be from the Federal Credit Union Administration, which said my debit card had been locked due to potential identity theft. All I had to do to rectify the situation was give them my debit card information so my account could be verified. Of course, it’s a total scam, and one that’s been going on for years. If you enter your information, it can easily be used for fraudulent purchases.
There’s no software solution to this particular threat, so you simply have to be skeptical. If you receive a call from an organization that wants personal information, call them back at a publicly listed number, rather than the one provided for you in the voicemail. Phone phishing also tends to give itself away by being vague – usually, it won’t claim to actually be from your credit card company or bank specifically, but something more general, such as the “Federal Credit Union Administration” call I received.
Social Network Phishing
The rise of social networks has given phishing new life. After all, social networks are all about sharing. It’s not at all unusual for a friend to post a link to a nifty article, so users are less likely to be skeptical, and more likely to click on a phishing link.
That’s the bad news. The good news is that phishing on social networks usually isn’t as severe. Usually, the deception will be something like the lottery-winning scams, which are simply looking to harvest email addresses or send people to affiliate links. You might be annoyed by additional spam, but that’s it.
Still, some of these attacks can be fairly harmful. Banks have Twitter feeds and Facebook pages too, and fake ones can be used to try to lure users to forged websites, just like a bogus email. These accounts can be hacked, too. The Bank of Melbourne experienced this, although, as is often the case with phishers, the messages sent by the compromised account weren’t of high enough quality to fool many people.
Phishing on social networks can be combated the same way as phishing through email. Security software and extensions can help. You can also use a link preview extension to see if an abbreviated link is sending you where it claims.
Conclusion
Phishing will always exist, because there will always be ways to trick people. It’s easy to look down upon the victims as being stupid, but often the people who fall for the tricks simply lack proper education about computers, or are in a situation that compromises their judgment (don’t check your email while drunk, or excessively tired).
In this case, knowledge is power. With skepticism and a few security tools, you can avoid phishing threats and shut down one of the most common methods of identity theft. Have you been a victim of phishing?