As mentioned in Phishing Part 1: On the Lookout, phishing attacks have been around for years, but today’s cyber-criminals are adept at using them in an ever-increasing variety of ways to get what they want. According to the most recent FBI figures, phishing and its variants were the third most popular cybercrime type in 2017, representing nearly $30 million in victim losses.
The bad guys want your personal information to commit ID theft, or else they need you to click on a malicious link/open a malware-laden attachment to hijack your bank account, lock your PC with ransomware, bombard your screen with ads and more. So how do you fight back?
The answer lies in a combination of technology and user awareness. There are tools you can use to filter a great volume of phishing attempts, but a few will always sneak through, and it only takes one misplaced click to land yourself in trouble. That’s why the frontline in the war on phishing messages ultimately lies with improved user awareness.
Don’t get caught out
So, what should users look out for? As we’ve seen, phishing messages come in a variety of flavours, but here’s a typical email scam Trend Micro has highlighted in its News Center, in this case purporting to come from the IRS:
Tell-tale signs of a scam:
1) From field: is the ‘sender’s’ email address familiar? Does it look made up? Is it consistent with the purported sender of the email? Does it appear different if you hover over it with your cursor? All of these could indicate a phishing attempt.
2) To field: If the sender addresses you generically as ‘user’ or ‘customer’ (or, as in this case, ‘recipients’), this should be a warning sign.
3) Date and time: Was it sent at an unusual time; that is, not during normal ‘business’ hours?
4) Subject line: Phishing emails often try to create a sense of urgency to hurry you into making a rash decision. Words like “urgent,” “immediate” and “important” are not uncommon.
5) Body: The content of the message often contains spelling and grammatical mistakes and continues with the sense of urgency to get you to click without thinking.
6) Link/attachment: Phishing emails will try to trick you into clicking on one of these, as with ‘Update Now,’ either to begin a covert malware download or to take you to a legitimate-looking phishing site to fill in your details.
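For readers who triage reported messages, the checklist above can be turned into a rough automated first pass. The Python sketch below is an added example, not Trend Micro code: it scores one message against signs 1 to 4 and 6 (sign 5 would need a spell checker). The sample email, the placeholder domains, the 08:00 to 18:00 business-hours window and the function names are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlsplit

URGENT = ("urgent", "immediate", "important")  # words quoted in sign 4
GENERIC = r"dear\s+(user|customer|recipients?)\b"  # greetings from sign 2

# Constructed sample, not the email shown in the article; domains are placeholders.
SAMPLE = '''\
From: "Tax Agency Refunds" <refunds@tax-agency-refund.invalid>
To: recipients
Date: Sun, 04 Mar 2018 03:12:00 +0000
Subject: URGENT: update your tax record
Content-Type: text/html

<p>Dear customer, you must act immediatly.</p>
<a href="http://login.refund.invalid/update">Update Now</a>
'''

def in_domain(host, expected):
    """True if host is the expected domain or one of its subdomains."""
    host = (host or "").lower()
    return host == expected or host.endswith("." + expected)

def phishing_signs(raw, expected_domain, business_hours=(8, 18)):
    """Return the article's sign numbers (1-4 and 6) that fire for one message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    signs = []
    # Sign 1: From address inconsistent with the purported sender.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not in_domain(sender_domain, expected_domain):
        signs.append(1)
    # Sign 2: no personal address in To, or a generic greeting in the body.
    if "@" not in msg.get("To", "") or re.search(GENERIC, body, re.I):
        signs.append(2)
    # Sign 3: sent outside business hours (hour read in the Date header's own zone).
    hour = parsedate_to_datetime(msg["Date"]).hour
    if not business_hours[0] <= hour < business_hours[1]:
        signs.append(3)
    # Sign 4: urgency words in the subject line.
    if any(word in msg.get("Subject", "").lower() for word in URGENT):
        signs.append(4)
    # Sign 6: a link that leads somewhere other than the purported sender's site.
    hosts = [urlsplit(h).hostname for h in re.findall(r'href="([^"]+)"', body, re.I)]
    if any(not in_domain(h, expected_domain) for h in hosts):
        signs.append(6)
    return signs

if __name__ == "__main__":
    print(phishing_signs(SAMPLE, "tax-agency.example"))
```

A message that trips none of these checks is not proven safe; the output is a prompt for closer inspection, in line with the article's point that some phishing always gets past filters.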
How do I stay safe?
Bearing the above in mind, here are a few things you can do to avoid being scammed:
- Learn to recognize all the tell-tale signs of a phishing message. Avoid clicking on any links or opening attachments from unsolicited emails.
- If you need to double-check, contact the company that supposedly ‘sent’ you the email to see if it’s genuine or not, or go directly to the website (e.g., online banking) to log in. Again, do not use the links provided to go there.
- Your default attitude when you’re online should be “suspicious.”
- To learn more about phishing, you can also go to Phishing.org. The site provides a wealth of information on the types of phishing you may encounter and what you can do to prevent being taken in, and includes further resources for study.
What anti-phishing tools can you use?
As mentioned, security technology is also your friend when it comes to fighting the phishers. Here are some options:
- Trend Micro’s Fraud Buster is a free tool that you can use to submit suspicious emails and text messages for us to check. Using advanced machine learning systems and Trend Micro’s extensive database, Fraud Buster gives definitive ratings to questionable messages.
- Trend Micro Security and Mobile Security help to protect users from phishing attacks. They offer protection against spam emails, malicious links and files, ransomware, banking Trojans, coin-mining malware, and much more — all the kinds of threats associated with phishing. In a four-part series previously posted here on Simply Security, we’ve also provided more information on how to customise your settings for enhanced phishing protection in Trend Micro Security.
We’re all exposed to phishing attacks on a near-daily basis, whether at work, out and about, or at home. But armed with an understanding of what to look out for and the right tools in place, you can keep your data under lock and key, and your identity and finances safe from harm.