Phishing is a form of social engineering attack. It is usually low-tech compared with attacks that break into security systems or crack passwords: instead of exploiting software, it uses psychological manipulation to lead users into divulging sensitive information or unknowingly granting access. The most common form of social engineering is email phishing.
Steps perpetrators use:
1. Casting a wide net – The phisher scours publicly available sources for every scrap of information, sends out millions of emails and waits for an unwitting victim to respond. Once a victim is hooked, they move on to the next step.
2. Baiting and manipulating potential victims, then initiating interaction – The phisher presents an engaging story or hook that is hard for the target to resist. Diligent scammers research a victim's background, likes, hobbies and habits to make the offer more convincing, and the offer keeps getting better as the conversation continues.
3. Steering the conversation towards disclosure of sensitive information – The goal at this point is information that is not publicly known: bank account details and passwords, credit card numbers, or corporate access credentials.
4. Executing the attack and continuing to siphon information – With the initial sensitive information in hand, the phisher gains access to even more data. They use it for goals such as transferring funds or installing malicious code on the victims' machines, and may go on to target the network those machines are connected to.
5. Covering tracks and deleting all traces of malware – Like a cat burglar, the phisher meticulously removes evidence of their activity. Victims may not discover they were scammed until long after the phisher has moved on.
Be aware of the common types of social engineering
Email from a friend – A perpetrator may take over a friend's email account, often because the friend reuses one password across all online accounts. They then send an email containing a link to malware or an infected download.
Email from a reputable source, commonly a bank – A request to verify your identity by clicking on a link, usually accompanied by a warning that you must act quickly, e.g. that the account has been suspended. The criminals exploit victims' trust and their tendency to act before they think. Top tip: always verify with the bank directly before clicking.
Email about winning a prize – E.g. a lottery, a contest or an inheritance from a deceased relative. The email describes how to claim a huge award from a lottery or contest you never entered, or a previously unknown relative bestows a large inheritance through a fake lawyer.
Posing as a company employee or contractor – The email asks for information about projects or business activities.
Charity donations – An urgent appeal for donations to a cause, usually citing a current hot topic such as a natural disaster, political emergency or humanitarian crisis. The email contains links and instructions for transferring funds to the purported charity.
Do the following to Avoid The Hook
Do not act hastily. No matter how urgent or compelling the story, slow down and check the facts. Examine the sender's email address for suspicious parts, such as a domain that only resembles the organisation's real one (a misspelling, an extra word, or a different top-level domain).
Never let the urgency of an email pull the wool over your eyes.
Do not click on links in the email. Instead, navigate to the organisation's website yourself by typing the address you already know. In most mail clients you can see a link's actual destination by hovering over it; if it does not match the link text or the organisation's domain, treat the email as suspect.
Even if the sender is a trusted person, be wary of unsolicited attachments and links, because email hijacking is common: once a trusted contact's account is taken over, everyone in their contact list may receive malicious email from it. Check with your friend or colleague through another channel. If they did not send the email, advise them to change their email password and to report it to the company's IT manager if possible.
Unsolicited offers of money are fake. Immediately delete any email about a lottery win, money from a distant relative, or a request to help transfer funds for a Nigerian prince.
Ignore requests for personal information or passwords. Reputable companies will not ask you to send passwords or personal details by email in order to verify your identity.
Set your email filter to a high level, but remember to check your spam folder periodically for legitimate emails that land there by mistake.
Keep your devices updated. Check that your antivirus definitions are current and that periodic automatic scans are enabled. This catches the most common malware that gets past your email filter and firewall, or that is downloaded by an accidental click on a malicious link.
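Two of the tips above, checking the sender's address against the organisation's real domain and checking where a link actually points before clicking, can be done mechanically. The following Python script is an added example written for this page, not code from the original article; it uses only the standard library. The message it analyses is constructed, the domains in it (examplebank.com as the real bank, examp1e-bank-verify.net and mail-examplebank.co as lookalikes) are hypothetical, and TRUSTED_DOMAINS is an assumed allow-list that in practice must come from outside the email (a statement, the back of a card), never from the email itself.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's real domain, known from outside the email.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample message with hypothetical domains (not a real phish).
# Tells: a display name claiming to be the bank while the From and Reply-To
# domains only resemble the real one, and a link whose visible text shows the
# real site but whose href goes to the lookalike.
SAMPLE_RAW = """\
From: "Example Bank Security" <alerts@examp1e-bank-verify.net>
Reply-To: support@mail-examplebank.co
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Verify your identity within 24 hours or your account will be suspended.</p>
<p><a href="http://examp1e-bank-verify.net/login">https://www.examplebank.com/login</a></p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
</body></html>
"""


def in_trusted(host, trusted):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def address_domain(header_value):
    """Domain part of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url):
    """Hostname of a URL, lower-cased, or '' if it cannot be parsed."""
    try:
        return (urlparse(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


class LinkCollector(HTMLParser):
    """Collect [href, visible text] pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def header_findings(msg, trusted):
    """Sender checks: From outside the trusted domain, Reply-To pointing elsewhere."""
    findings = []
    from_dom = address_domain(msg["From"])
    reply_dom = address_domain(msg["Reply-To"])
    if from_dom and not in_trusted(from_dom, trusted):
        findings.append(f"From domain {from_dom} is not a trusted domain")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings


def link_findings(links, trusted):
    """The 'hover over the link' check done mechanically: text vs. real href."""
    findings = []
    for href, text in links:
        href_host = host_of(href)
        text_host = host_of(text) if "://" in text else ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        elif href_host and not in_trusted(href_host, trusted):
            findings.append(f"link to untrusted host {href_host}")
    return findings


def analyse(raw, trusted=TRUSTED_DOMAINS):
    """Parse a raw message and return a list of phishing indicators (empty = none found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = header_findings(msg, trusted)
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    findings.extend(link_findings(collector.links, trusted))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_RAW):
        print("SUSPICIOUS:", finding)
```

Run against the sample, the script reports the lookalike From domain, the mismatched Reply-To, and the link whose text shows the bank's site but whose target is the lookalike host; the genuine "Help centre" link passes. An empty result is not proof that a message is safe: the checks only flag what the email itself reveals, so a lookalike domain that is not in your allow-list is still caught, but a compromised trusted account (the "email from a friend" case above) is not, which is why the advice to confirm through another channel still applies.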