All-in-One Guide to Phishing Scams & Ways to Prevent Them

According to recent research by a group of academics in Germany, there is not much that can be done to stop malware spreading through malicious links sent to users by email, the practice commonly referred to as phishing. Traditionally, phishing is a process in which a targeted business is contacted by email or by phone to lure users into providing sensitive information, such as bank details or passwords. That information can then be used to commit crimes such as identity theft and financial fraud or, just as serious for a business, Business Email Compromise. The people doing the phishing hide behind a mask of legitimacy by imitating a company’s website, an employee, a user or some other official contact, and will try to trick you into providing the information needed to withdraw money or impersonate you.

Today, phishing scams are far more prevalent, and the links can easily be sent as spam. For example, you could receive an email, or a message on your social media or business account, claiming to offer you a promotion; all you have to do is click the link. As soon as you click, malware could infect your computer or mobile device and collect sensitive information, often without you realising.

The Curiosity to Click on a Link Can Be Overwhelming for a User

An average business receives hundreds, if not thousands, of emails every day, and a large proportion of them will be spam or UCE (Unsolicited Commercial Email). The overwhelming reason people click a link is simple human curiosity, and there is very little that can be done about it aside from constant, ongoing education. To question every mail or link, staff have to develop a hyper-sensitive security mindset. Many victims assume it is safe to click a spammed link because their browser or antivirus software will protect them, while others genuinely do not realise the link is malicious. You can educate and alert your staff to avoid clicking on links that look suspicious, but is this a reliable approach on its own? The more suspicious your staff become, the more legitimate emails will go unanswered, and the number of false positives will grow. Digitally signing genuine emails (for example with S/MIME for individual senders, or DKIM at the domain level) gives staff a way to tell real mail from forgeries, so the real thing is less likely to be mistaken for a scam. Accepting that staff members will eventually make an error in judgement, and planning for that rather than blaming them, will also help you build a trusting relationship with your employees, which makes them far more likely to report a bad click quickly.

History and Evolution of Phishing

Phishing scams don’t have a long history. They were first reported in late 1995 and did not really become common until about ten years later. They have been a serious issue for businesses and individuals alike since day one. A basic knowledge of this type of fraud and its origins will help businesses and organisations to better arm themselves against these scams and the malware that accompanies them.

America Online Origins

AOL was one of the first mass-market sources of internet access in America, with millions of users logging on each day. Its growing popularity soon attracted scammers, who used the platform to communicate with other hackers around the world. Initially, these phishers used algorithms to generate random credit card numbers. Although only a few of these were lucky hits, they did enough financial damage to many individuals and companies. The stolen credit card details were then used to create new AOL accounts, which in turn were used to spam other users. In 1995, AOL introduced new security features that prevented the use of randomly generated credit card numbers.

The First Phishing Attack

After the random credit card number racket was shut down, phishers became more creative and looked for new scamming techniques. They used AOL’s instant messenger and email systems to send other users messages posing as AOL employees, instructing them to click a link to confirm their account and billing information. This was one of the first cyber crimes of its kind, and no one really suspected a thing until it was too late. Eventually, AOL was compelled to include a warning on its email and instant messenger clients that its staff would never ask users for their password or billing information.

Evolution of Phishing Attacks

The basis of phishing is still the same as it was in the days of AOL. Today, phishers have turned their attention to online payment systems, which are now a central part of everyday online life. After a failed attack on E-Gold in June 2001, phishers registered look-alike domains in late 2003 that duplicated legitimate sites such as PayPal and eBay, and sent forged emails to PayPal customers. These emails took customers to phony websites where they were asked to enter their credit card details. By late 2004, phishing attacks were at a new high, and phishers were now targeting banking sites and their customers.

Since 2004, phishers have deployed ever more sophisticated methods against online payment systems, and the basic model has proved durable for them because it keeps paying.

10 Most Common Phishing Techniques 

Having covered the history of phishing, it is essential for a business to know the most common methods used for scamming. As technology advances, phishing techniques evolve too, and you need to keep learning about these scams to stay one step ahead.

  1. Email Spam - Phishing by email is the most common form of phishing, and every day millions of spam emails are sent to businesses worldwide. Some carry an urgent note asking the business to update its credit card information or change account details, while others urge you to verify your account by clicking a link in the mail.
  2. “Man-in-the-Middle” Technique - The phisher positions themselves between the user and the legitimate website, relaying traffic in both directions and recording the details of the transaction without the user ever knowing. Because the user sees a working site, credentials, card details and even the authenticated session can be captured.
  3. Instant Messengers - Fake phishing websites are created, and links to them are distributed on instant messaging apps or sites. The phony websites closely resemble the originals, and the user is tricked into entering personal information on the page.
  4. Link Exploitation - Links that appear to belong to the original website are manipulated so that they lead to a phisher’s site instead. The visible text of the link, or the domain shown in it, is spelt exactly like the original, but the underlying address (the href) points somewhere else, or the genuine brand name is used as a subdomain of an unrelated domain.
  5. Trojan Hackers - These criminals infect your machine with trojan malware that harvests account credentials, which are then sold on to phishers.
  6. Reconfigure Settings - Phishers send a web address similar to that of a reliable site and tell the user they need to reconfigure settings on their computer.
  7. Session Sniffing - The phisher intercepts the session tokens (cookies) that a website uses to keep a user logged in, either on the wire or via a compromised web server, and uses them to act as that user without ever needing a password.
  8. Key Logger Malware - This type of malware records keystrokes, and the recording is then used by phishers to recover passwords and steal banking information.
  9. Content Manipulation - A hacker subtly alters the content of a legitimate website (content injection) so that visitors are sent outside the original site and tricked into providing personal information.
  10. Virus Attacks - A spam email contains a link that may host malware, which can download to your computer as soon as the link is clicked. Others carry Word or Excel documents that prompt you to enable active content (macros); once enabled, the malicious activity runs behind the scenes.
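
Forged senders (technique 1 above) are exactly what the digital signing of genuine mail mentioned earlier is meant to defeat. The following is an added example, not code from the original article: it reads the Authentication-Results header (RFC 8601) that a receiving mail server adds after checking SPF and DKIM, and re-derives the DMARC-style question that matters for phishing, namely whether SPF or DKIM passed for a domain that lines up with the domain the user actually sees in From:. The two sample messages, and every domain and address in them, are constructed for this example; the alignment rule is a simplification of DMARC's relaxed mode, as the comments note.

```python
"""Check an email's Authentication-Results header for a spoofed From: domain.

Added example (not from the original article). The sample messages and all
domains in them are constructed placeholders.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr


def parse_auth_results(header: str) -> dict:
    """Turn 'authserv; spf=pass smtp.mailfrom=a@b; dkim=fail header.d=c' into
    {'spf': {'result': 'pass', 'smtp.mailfrom': 'a@b'}, 'dkim': {...}}."""
    header = re.sub(r"\([^)]*\)", "", header)   # drop (comments) such as sender IP notes
    header = " ".join(header.split())            # collapse folded lines and extra spaces
    results = {}
    for clause in header.split(";")[1:]:         # clause [0] is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results[method.lower()] = {"result": result.lower(), **props}
    return results


def domains_aligned(d1: str, d2: str) -> bool:
    """Approximation of DMARC relaxed alignment: equal, or one is a subdomain of
    the other. Real DMARC compares organisational domains via the public suffix list."""
    d1, d2 = d1.lower().strip("."), d2.lower().strip(".")
    return bool(d1 and d2) and (d1 == d2 or d1.endswith("." + d2) or d2.endswith("." + d1))


def assess_message(raw: str) -> dict:
    """Report whether SPF or DKIM passed for a domain aligned with the visible From: domain."""
    msg = message_from_string(raw, policy=default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    ar = parse_auth_results(str(msg.get("Authentication-Results", "")))
    spf, dkim, dmarc = ar.get("spf", {}), ar.get("dkim", {}), ar.get("dmarc", {})
    # smtp.mailfrom may be a full address or just a domain; rpartition handles both.
    spf_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    spf_aligned = spf.get("result") == "pass" and domains_aligned(spf_domain, from_domain)
    dkim_aligned = dkim.get("result") == "pass" and domains_aligned(dkim.get("header.d", ""), from_domain)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": dmarc.get("result", "none"),   # what the gateway itself concluded
        "verdict": "authenticated" if (spf_aligned or dkim_aligned) else "suspect",
    }


# Constructed sample messages (not real mail; all domains are placeholders).
LEGITIMATE = """\
From: Billing <billing@bank.example>
To: user@corp.example
Subject: Your statement
Authentication-Results: mx.corp.example;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounces@bank.example;
 dkim=pass header.d=bank.example header.s=s1;
 dmarc=pass header.from=bank.example

Your statement is attached.
"""

# SPF and DKIM both pass here, but for the spammer's own domain, not the one shown in From:.
SPOOFED = """\
From: "Bank Security" <security@bank.example>
To: user@corp.example
Subject: Verify your account now
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=news@bulk-sender.example;
 dkim=pass header.d=bulk-sender.example header.s=k1;
 dmarc=fail header.from=bank.example

Click the link to confirm your billing details.
"""

if __name__ == "__main__":
    for name, raw in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED)):
        print(name, assess_message(raw))
```

The spoofed sample is the case that fools a naive "SPF passed" check: both SPF and DKIM pass, but for bulk-sender.example, not for the bank.example the recipient sees, so the message is marked suspect. A mail gateway that enforces DMARC makes this decision for you; the point of recomputing it is to see why a message was rejected or quarantined.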

How to Report a Phishing Attack

With awareness of phishing scams increasing, more and more businesses and users can now spot phishing emails, which often contain bad grammar or spelling mistakes. You should also doubt an email’s legitimacy if it asks for credit card information right at the start. If you are alert enough to call out a phony email instead of becoming its victim, the question remains: what should you do next? Here are the best courses of action once you have identified a phishing scam.

  • Report in the UK – ActionFraud - ActionFraud is the UK’s national fraud and cyber crime reporting centre.
    URL: https://www.actionfraud.police.uk/
  • Report on the U.S. Government Operated Website - Though there is often little you can do legally about a phishing attack, you can still report the links to the official U.S. government site, where the reports are collected and analysed.
    URL: https://www.us-cert.gov/nav/report_phishing.html
  • Report to the Anti-Phishing Working Group (APWG) - The APWG is a non-profit organisation dedicated to detecting and preventing phishing. Its site has a text box where you can paste the contents of any email you find suspicious, including the subject line, and its analysts will examine the links for inconsistencies.
    URL: https://antiphishing.org/report-phishing/

Browser Safety Options

If Chrome or Firefox (latest versions) is your primary browser, you already have a decent level of protection against phishing scams. Both include features such as Safe Browsing and download protection, which give you basic protection against phishers. You can also install browser add-ons such as ad blockers to safeguard your browsing even further.

You should never rely solely on anti-phishing software and be aware of what you’re clicking online, to stay one step ahead of these cyber criminals. 

Tried and Tested Ways to Avoid Becoming a Victim of a Phishing Scam

Nobody likes having their identity stolen or their bank account hacked, and in business terms this equates to a potential data breach. Check out the best ways to avoid a phishing scam:

  1. Stay Informed About Phishing Techniques - As the Internet evolves, phishers are modifying and improving their ways to scam users. Staying on top of these scams is essential for businesses to avoid falling into the phisher’s net. Keep reading the latest news and learn about their tricks, to beat these cyber criminals at their own game. Join our relevant groups to stay up to date - LinkedIn and Facebook
  2. Don’t Click Unknown Links - Curiosity often makes us victims of phishing scams; fight that tendency and avoid clicking random links and emails. Only use trusted, well-known websites, hover over a hyperlink to see where it really points, and only click once you are certain. Some upstream filtering providers offer a service that checks or rewrites every link - for example Mimecast.
  3. Install an Anti-Phishing Toolbar - Most browsers let you add toolbars or extensions that run quick checks on the sites you visit, block pop-ups and alert you when you stumble upon a known malicious site. In a business this usually has to be deployed by group policy or your IT department.
  4. Keep a Close Tab on Your Business Online Accounts - Even if you don’t need to visit your online accounts often, check them regularly for suspicious activity and act immediately if you find any. Use a different, complex password for each account, change it straight away if you suspect it has been exposed, and turn on multi-factor authentication wherever it is offered.
  5. Install the Latest Version of Your Browser - In a business this will usually be handled by your IT department. Browsers are updated constantly to protect against the latest threats. It is essential to keep yours updated: attackers look for out-of-date versions precisely because their vulnerabilities are already known and exploitable.
  6. Block Pop-Ups - Almost never trust information displayed in a pop-up; a large proportion of them are phishing lures or attempts to get malware onto your system. Most modern browsers can block pop-ups - make good use of it, and allow by exception only the sites that genuinely need them.
  7. Never Share Personal Information - Sharing personal information on the Internet is never a safe option. If you have doubts about a particular website’s legitimacy, research the site’s validity before committing.
  8. Install Antivirus Software - Basic, but a lot of systems still don’t have it. There are many reasons to use antivirus software, and phishing is one of the most important. It catches malicious attachments and downloads that a browser toolbar never sees, and may provide some protection against scams that have not yet been identified.
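
Tip 2 above, hovering over a link to see where it really goes, is the manual version of the check a mail filter performs against the tricks listed under technique 4, Link Exploitation. The following is an added example and not code from the original article or from any product it names: it extracts every link from an HTML email body and flags anchor text that names one host while the href points to another, punycode (xn--) hostnames that may hide look-alike characters, and a trusted brand name used as a label inside an unrelated domain. The HTML sample and the brand list are constructed for this example; the brands are the ones the article itself names as targets, and the "last two labels" domain rule is a deliberate simplification noted in the code.

```python
"""Find deceptive links in an HTML email body.

Added example (not from the original article). SAMPLE_HTML and
TRUSTED_BRANDS are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands users are likely to trust on sight (constructed list for the example).
TRUSTED_BRANDS = {"paypal.com", "ebay.com"}

# Anchor text that is itself a URL or bare hostname, e.g. www.paypal.com
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Lower-cased hostname; bare hostnames get a scheme so urlsplit parses them."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude organisational domain: the last two labels. Real code would use
    the public suffix list so that names like example.co.uk are handled."""
    return ".".join(host.split(".")[-2:])


def analyse_links(html: str) -> list:
    """Return one finding per suspicious link, with the reasons it was flagged."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        reasons = []
        # 1. Visible text claims one site, href goes to another (the hover check).
        if URL_LIKE.match(text):
            text_host = host_of(text)
            if registrable(text_host) != registrable(href_host):
                reasons.append(f"text shows {text_host} but link goes to {href_host}")
        # 2. Punycode label: may be a homograph such as a Cyrillic 'a' in a Latin name.
        if any(label.startswith("xn--") for label in href_host.split(".")):
            try:
                decoded = href_host.encode("ascii").decode("idna")
            except ValueError:
                decoded = "?"
            reasons.append(f"punycode hostname {href_host} (decodes to {decoded})")
        # 3. Brand name buried in a domain it does not own, e.g. paypal.com.evil.example
        for brand in TRUSTED_BRANDS:
            brand_label = brand.split(".")[0]
            if brand_label in href_host and registrable(href_host) != brand:
                reasons.append(f"'{brand_label}' appears in {href_host}, which is not {brand}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: one genuine link followed by three phishing-style ones.
SAMPLE_HTML = """
<p>Dear customer, please review your account.</p>
<a href="https://www.paypal.com/myaccount">www.paypal.com</a><br>
<a href="https://www.paypal.com.account-verify.example/login">https://www.paypal.com/login</a><br>
<a href="http://xn--pypal-4ve.com/signin">Click here to sign in</a><br>
<a href="https://secure-paypal-login.example/">Confirm your details</a>
"""

if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_HTML):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run as-is, the genuine first link is passed and the other three are reported: the second for both a text/href mismatch and a buried brand name, the third for its punycode host, the fourth for carrying "paypal" in a domain that is not paypal.com. All three heuristics produce false positives on real mail (affiliate redirectors, legitimate internationalised domains, partner sites), which is why a filter should present them as reasons for suspicion rather than block outright.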

A lot of the above comes down to consistent, continual, progressive education for your users and employees. There are, of course, products, services and solutions to assist with the protection of your business and Intellectual Property.

To discuss, comment in the box below or drop me an email directly at [email protected].

Join us @ The Security Intelligence Community

More articles by Neil Kemp