How to protect yourself from Phishing

In a week-long series on cyber security, expert JOHN-ROSS HUNT shares his advice on everything from password security and internet safety for children, to working from home. He starts by looking at phishing.

ARE you sure that message from your bank was really from your bank or that phone call about an investment opportunity was from a genuine company?

The reality is that you have probably been targeted with one of the various forms of phishing attacks that have become commonplace in recent times.

Our headlines have been dominated by the hacking of large organisations like the HSE or Facebook, where the associated costs can run into the millions.

We hear less about the attacks against the general public. A Cork woman was recently conned out of €14,000 after receiving a message claiming to be from her bank and inadvertently handed over her most sensitive banking details to cyber criminals. She is not alone as fraudsters find more and more imaginative ways to exploit people.

Cybercriminals prey on a general lack of awareness of how these attacks work.

However, with the right know-how you can be armed with the knowledge to protect yourself against these scams.

What is Phishing?

Phishing is a technique used by cyber criminals to trick you into doing something that they want.

They will lure you with a bait that could be anything from a mystery prize that you have won, a package for collection or an urgent message from a financial institution you are familiar with. Once you are hooked, the attackers will usually try to acquire some important data from you like your username and password or your banking or credit card details.

Phishing takes place over email, but you can also be targeted with text message/SMS phishing (Smishing) or phone call based voice phishing (Vishing). The medium may differ, but the goal is always the same: to steal from you or the organisation you work for.

John-Ross Hunt is a Product Manager with Cyber Security leaders Trend Micro.

There are many examples of these attacks. Criminals will usually try to use popular banks, asking you to urgently update your details to prevent a loss of service, or you may get an email claiming to be from a platform like Netflix asking you to update your credit card payment information.

How to identify a phishing attack

There are common traits that you can look out for to help you distinguish between scams and genuine attempts to contact you.

1. Is the contact expected or is it coming out of the blue? You may be asked to do something that is unusual like log in because your account is frozen or to verify a recent credit card transaction.

2. Is there some urgency associated with the request? Will your account get locked, or will your computer be damaged by a virus unless you take immediate action?

3. Where is this message coming from? Is it a known email address or phone number? Check the sender details and verify it is coming from a trustworthy source. Closely inspect the web address: is it coming from Netflix.com or Netf1ix.com? Attackers are good at purchasing web addresses that look very similar to the real thing.

4. Is the grammar correct and is the tone of the message what you would expect? If the language seems awkward or has some obvious mistakes this should be an immediate red flag.

5. Are you being asked to click on a link or download an attachment? If the request comes by email, hover your mouse over the link or, if you are checking the email on your phone, press down on the link to see where it is really going to take you. If the link is in a text message, inspect it to see whether it is really going to a website that you know and trust.

6. If the message has brought you to a website and you have been asked to enter your username and password, you should closely inspect the website address and if you have any doubt do not log in.
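The checks in points 3 and 5 can also be automated. The following is an added example, not part of the original article: it lists each link in an HTML email, flags destinations that imitate a trusted site, and flags link text that shows one site while pointing to another. The trusted list, `examplebank.ie` and the sample email are constructed, and taking the last two labels of the host name is a simplification.

```python
from difflib import get_close_matches
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"netflix.com", "examplebank.ie"}  # constructed allow-list of sites you use
CONFUSABLE = str.maketrans("1053", "loes")   # digits commonly swapped in for letters
SAMPLE = ('<a href="https://www.netf1ix.com/login">Update payment</a>'  # constructed
          '<a href="http://billing.example.net/x">www.netflix.com</a>'
          '<a href="https://www.netflix.com/help">Help</a>')

def site(url):
    """Last two host labels (naive; production code should use the Public Suffix List)."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def lookalike_of(domain):
    """Return the trusted site that `domain` imitates, or None."""
    skeletons = {g.translate(CONFUSABLE): g for g in TRUSTED}
    skel = domain.translate(CONFUSABLE)
    close = get_close_matches(skel, sorted(skeletons), n=1, cutoff=0.9)
    return skeletons[close[0]] if close and domain not in TRUSTED else None

class LinkAudit(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(html):
    """Return (href, reason) for each link that fails either check."""
    parser = LinkAudit()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        dest, fake = site(href), lookalike_of(site(href))
        if fake:
            findings.append((href, f"{dest} imitates {fake}"))
        elif "." in text and " " not in text and site(text) != dest:
            findings.append((href, f"text shows {site(text)}, goes to {dest}"))
    return findings
```

Calling `audit(SAMPLE)` reports the first two links and passes the third, which goes to a trusted site.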

How can I confirm if the message is legitimate?

There are several ways you can verify if the message is real.

1. Go direct. If the message is claiming to be from your bank or another service, log on using the website you always use, do not use the link in the message you received.

2. Pick up the phone and verify the details of the message using a phone number you know and trust. Do not use the contact details contained in the message.

3. Phishing is usually a shot in the dark from the cyber criminals, where they will send thousands of messages in the hope that someone will take the bait. However, they can also use targeted “Spear Phishing” attacks where the attackers will use some personal information they have gathered on you. If you believe they have some of your sensitive personal information, you should contact the institution they are masquerading as and the Gardaí.

4. If you are confident the message is a phishing attempt, you can mark it as spam or junk if it is an email, or block the sender’s or caller’s number if you received a text or call.

5. If you believe you may have already entered your credentials as a result of a phishing attack you should change your password immediately and notify the service that may have been impacted.

Cyber criminals are always looking for new ways to target people and it is impossible to predict what they will do next. With attack techniques getting more convincing, you should always carry a healthy level of scepticism with you, knowing that you will probably be targeted at some point in the future. Remember: if in doubt, check it out!

ABOUT THE AUTHOR

John-Ross Hunt is a Product Manager with Cyber Security leaders Trend Micro. He specializes in the area of enterprise security awareness training with the product Phish Insight.

Tomorrow: How strong is your password?
