Simple Steps to Avoid Being Phished

Phishing has become one of the most common risks of the internet, with even tech-savvy and cautious users falling victim. Being phished might lead to the theft of personal details like your social security number or banking passwords, and it can put your business at risk as well.

So how does phishing work? Most commonly, users receive a “spoofed” email that appears to come from a legitimate website they frequently have online dealings with, like their bank, credit card company, or ISP, or in some cases even their employer. The one thing these spoofed sites have in common is they require the user to have a personal ID or account. The phishing email informs the user their account is somehow at risk — that they may need a security update, or to reset their password.

The phishing email may also direct you to a spoofed website or pop-up window which looks exactly like the real site, but has been set up for the sole purpose of stealing personal information. Unaware that the site isn’t real, unsuspecting users are fooled into handing over credit card numbers, passwords, or other details.

According to the Anti-Phishing Working Group (APWG), the number of phishing attacks occurring every day is staggering. According to APWG’s most recent annual Global Phishing Survey, in 2014 there were 123,972 unique phishing attacks worldwide. Companies are under constant attack, receiving 1,000 or more phishing attempts per month. The time it takes to mitigate phishing attacks is up as well, which means they’re not being shut down during those critical first few hours of an attack.

Scam artists will use familiar brands, high-profile names, identifiable logos, and more to make their messages look legitimate, but there are a few ways to spot a phishing attempt. According to the U.S. Securities and Exchange Commission, common phishing tactics include:

  • Using the name of a real company, as well as the company’s signature look and feel
  • Making the email appear to come from an actual employee, using the names of real people working for the company
  • Using spoofed URLs that “look right”
  • Creating a sense of urgency to cause a fear reaction from the recipient

How to protect yourself

  • Never respond to emails that request personal financial information
    Banks or e-commerce companies generally personalize emails, while phishers do not. Phishers often include false but sensational messages (e.g., "Urgent - your account details may have been stolen") in order to get an immediate reaction. Reputable companies don't ask their customers for passwords or account details in an email. Even if you think the email may be legitimate, don't respond. Contact the company by phone or by visiting their website. Pick up the phone and speak to a real person, or type the URL in yourself by hand rather than clicking a link in a suspicious email.
  • Visit bank websites by typing the URL into the address bar
    Phishers often use links within emails to direct their victims to a spoofed site, usually to a similar address such as instead of When clicked on, the URL shown in the address bar may look genuine, but there are several ways it can be faked, taking you to the spoofed site. If you suspect an email from your bank or online company is false, do not follow any links embedded within it.
  • Be cautious about opening attachments and downloading files from emails, no matter who they are from
    Sophos uses Sender Policy Framework (SPF). This is an anti-forgery solution which involves publishing, in DNS, a list detailing which servers are allowed to send Sophos emails, so that a receiving mail server can check whether a message claiming to come from Sophos actually arrived from one of those servers and treat it with suspicion if it did not.
  • Keep a regular check on your accounts
    Regularly log into your online accounts and check your statements. If you see any suspicious transactions, report them to your bank or credit card provider.
  • Check the website you are visiting is secure
    Before submitting your bank details or other sensitive information, there are a couple of checks you can do to help ensure the site uses encryption to protect your personal data.

    • Check the web address in the address bar. If the website you are visiting is on a secure server it should start with "https://" ("s" for secure) rather than the usual "http://".
    • Also look for a lock icon on the browser's status bar. You can check the level of encryption, expressed in bits, by hovering over the icon with your cursor.
    • Note that the fact that the website is using encryption doesn't necessarily mean that the website is legitimate. It only tells you that data is being sent in encrypted form.
  • Be cautious with emails and personal data
    Most banks have a security page on their website with information on carrying out safe transactions, as well as the usual advice relating to personal data.
    • Never let anyone know your PINs or passwords
    • Do not write them down
    • Do not use the same password for all your online accounts
    Avoid opening or replying to spam emails, as this will give the sender confirmation they have reached a live address. Use common sense when reading emails. If something seems implausible or too good to be true, then it probably is.
  • Keep your computer secure
    Some phishing emails or other spam may contain software that can record information on your internet activities (spyware) or open a 'backdoor' to allow hackers access to your computer (Trojans). Installing antivirus software and keeping it up to date will help detect and disable malicious software, while using anti-spam software will stop phishing emails from reaching you.

    It is also important, particularly for users with a broadband connection, to install a firewall. This will help keep the information on your computer secure while blocking communication from unwanted sources. Make sure you keep up to date and download the latest security patches for your browser. If you don't have any patches installed, visit your browser's website, for example users of Internet Explorer should go to the Microsoft website.
  • Always report suspicious activity
    If you receive a “phishy” email, report it to the company right away. Also consider reporting it to the FBI Internet Fraud Complaint Center.

    If you think you’ve been the victim of identity theft, the FTC provides information on how you can limit the damage.
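The two link checks recommended above (an "https://" address, and a host that really belongs to your bank rather than one that merely "looks right") can be applied mechanically before you trust a link. The following is an added example, not code from the original article; the bank domain `bank.example` and the sample URLs are constructed values.

```python
import ipaddress
from urllib.parse import urlsplit


def url_risk_flags(url, expected_domain):
    """Return a list of reasons a link should NOT be trusted as expected_domain.

    An empty list means: the scheme is https and the host is expected_domain
    itself or a subdomain of it. Anything else is a reason to type the
    bank's address in by hand instead of clicking.
    """
    flags = []
    parts = urlsplit(url.strip())
    expected = expected_domain.lower()
    # urlsplit lowercases the host and drops any "user@" prefix for us.
    host = parts.hostname or ""

    if parts.scheme.lower() != "https":
        flags.append("link is not https")
    if "@" in parts.netloc:
        # "https://bank.example@evil.test/" shows the brand first but the
        # browser actually connects to whatever follows the "@".
        flags.append("userinfo before the host hides the real destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode (IDN) host; may use look-alike characters")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
    except ValueError:
        pass

    under_expected = host == expected or host.endswith("." + expected)
    brand = expected.split(".")[0]
    if not under_expected:
        flags.append(f"host {host!r} is not {expected!r} or a subdomain of it")
        if brand and brand in host:
            # e.g. "bank.example.evil.test" or "secure-bank.example.test":
            # the brand name is present but the registered domain differs.
            flags.append("brand name appears inside an unrelated domain")
    return flags


if __name__ == "__main__":
    # Constructed sample links: one genuine, three typical spoofs.
    for link in ["https://www.bank.example/login",
                 "http://bank.example.evil.test/login",
                 "https://bank.example@evil.test/",
                 "https://192.0.2.10/login"]:
        print(link, "->", url_risk_flags(link, "bank.example") or ["ok"])
```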
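The SPF check mentioned under the attachments advice works by having the receiving mail server compare the connecting server's IP address against the list the sending domain published in DNS. The following is an added example, not code from the original article or from Sophos: it evaluates a simplified SPF record (the `ip4`, `ip6`, `include` and `all` mechanisms) against a sender IP, using a constructed in-memory table in place of live DNS lookups.

```python
import ipaddress

# Constructed stand-in for DNS TXT records (example.com / example.net are
# documentation domains; these are not real SPF policies).
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_lookup(domain):
    """Stand-in for a DNS TXT query against the constructed table above."""
    return RECORDS.get(domain.lower())


def check_spf(domain, sender_ip, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none'
    or 'permerror') for a message from sender_ip claiming to be from domain.
    Only ip4/ip6/include/all are evaluated; a/mx/exists need live DNS."""
    if depth > 10:                      # RFC 7208 limits lookups; stop loops
        return "permerror"
    record = spf_lookup(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # mechanisms default to "pass" if matched
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                # v4 address vs v6 network (or vice versa) is simply no match
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed record
        elif name == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue                    # unsupported mechanism in this example
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # no mechanism matched and no "all"
```

A "fail" result is what lets the receiving server reject or quarantine a message that forges the sender domain, which is the anti-forgery effect the text describes.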