In this article I want to explain what exactly “phishing” is and how you can recognize a phishing attempt. Even though this kind of attack is very old, it is still a big problem, as a lot of people still fall into the attackers' trap. I hope this article will help some of you, and maybe it will also open the eyes of some lazy people.
What Is Phishing?
Phishing is the act of attempting to acquire information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in fake emails or other electronic communications. The most common kinds of phishing mails are fake emails from banks, payment processors, social media sites or IT administrators.
Phishing mails often attempt to redirect users to fake websites which look like the real one and often have a similar domain name. There the user is asked to enter his login details and other personal data. The entered data is submitted to the attacker, who is then able to log into the real account of the victim.
There are several types of phishing attempts, not only the one mentioned above:
Phishing: Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
Spear Phishing: Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success.
Clone Phishing: A type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a re-send of the original or an updated version of the original. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.
Whaling: Several recent phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses, and the term whaling has been coined for these kinds of attacks.
How To Recognize A Phishing Attempt
Usually a phishing mail first tries to make the user panic or feel uncertain. To do this, the attacker uses topics like a blocked account or a required verification. Then he will most likely tell you that you have to act fast and click on some link, where you will be able to solve the problem after entering your login details.
The following advice is supposed to help you detect phishing attempts:
Check if the content of the message fits your situation. If a full mailbox is mentioned, check if it is actually full. If a blocked account is mentioned, check your account by entering the website address manually.
Check the website address. Sometimes the address looks very similar to the real one but contains misspellings. This is a clear indicator of a phishing attempt.
In the case of a payment processor or bank, check whether the site has extended validation and whether it displays the right data (the green bar in your browser). Of course not every website has this.
Check the text of the email for misspellings.
No bank or payment processor will ever address you as “dear customer”. If the mail does not contain your name, delete it!
No legitimate company will ever ask you for PIN codes or other personal data by email. If a mail does so, delete it!
In case you fell into the trap, it is still not too late. Change your account login details immediately; that way the attacker cannot get in, as he only has your old data.
Use an email address you do not use for anything else for all financial purposes.
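Several of the checks above (the lookalike domain, the generic greeting, the missing name, the urgency, the request for PIN codes) can be run automatically over an incoming mail. The following Python snippet is an added example, not code from the original article; the known-domain list and the sample mail are constructed for illustration.

```python
import re
from urllib.parse import urlparse
# Domains the recipient really does business with (constructed sample list).
KNOWN_DOMAINS = ["paypal.com", "example-bank.com"]

def edit_distance(a, b):
    # Levenshtein distance: the lookalike paypa1.com is 1 edit away from paypal.com.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domains(text):
    # Linked domains that are close to, but not identical with, a known domain.
    # The registrable domain is approximated by the last two hostname labels.
    hits = []
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = (urlparse(url).hostname or "").lower()
        dom = ".".join(host.split(".")[-2:])
        for known in KNOWN_DOMAINS:
            if dom != known and edit_distance(dom, known) <= 2:
                hits.append((dom, known))
    return hits

def phishing_indicators(subject, body, recipient_name):
    # Apply the article's checks; every check that fires adds one labelled indicator.
    text = subject + "\n" + body
    indicators = []
    if re.search(r"\bdear (customer|user|member|client)\b", body, re.I):
        indicators.append("generic greeting")
    if recipient_name.lower() not in body.lower():
        indicators.append("recipient name absent")
    if re.search(r"\b(urgent|immediately|within 24 hours|suspended|blocked|verify)\b", text, re.I):
        indicators.append("urgency or blocked-account pressure")
    if re.search(r"\b(pin|password|credit card|security code)\b", body, re.I):
        indicators.append("asks for PIN, password or card data")
    for dom, known in lookalike_domains(text):
        indicators.append(f"lookalike domain {dom} (looks like {known})")
    return indicators

# Constructed sample mail, not a real message.
SAMPLE_PHISH = {
    "subject": "Your account has been blocked",
    "body": "Dear customer, verify your PIN within 24 hours at http://www.paypa1.com/login.",
    "recipient_name": "Alice Smith",
}
```

Running `phishing_indicators(**SAMPLE_PHISH)` returns all five indicators for the sample; a mail that greets the recipient by name and links only to a known domain returns an empty list.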
Of course there is still a small number of attackers who are pretty clever and make perfect fakes which you may not be able to identify. But you should still be able to identify 95% of all phishing attempts by following this advice.