Don't Take the Bait: Tips for Spotting and Avoiding Phishing Scams
What is Phishing? Phishing is a Social Engineering attack that usually utilizes messages designed to trick people into revealing confidential information or installing malicious software on their devices. In general, Social Engineering attacks target our social behavior and attempt to take advantage of our nature.
Why is it called Phishing? As in Fishing, an attacker throws the bait (e.g., you won $1,000) and awaits any unsuspecting victim to get hooked (e.g., click a link). Attackers send thousands of Phishing messages, mostly to random, and often computer-generated email addresses.
WRITTEN BY SAMER AOUDI
EDITED BY EZOZA SUPIKHODJAEVA
What are the types of Phishing? Phishing may be categorized by the targeting type or the message type. Here some examples:
Spear-Phishing: While Phishing is often untargeted, sometimes the attacker targets a specific organization (as in, they select the target); this is called Spear-Phishing.
Whaling: As the name suggests, in this type of Phishing the attacker aims for bigger targets such as celebrities, politicians, CEOs, etc.
Smishing (SMS Phishing): While Phishing is done mostly via email messages, recently, attackers started to use SMS, WhatsApp, Telegram, and other messaging services to launch Phishing attacks.
How does a Phishing message look like? The anatomy of a typical Phishing message is two parts: a message (e.g., your account will be closed) and a call for action (e.g., click here)
The Message: A Phishing message may utilize a variety of Social Engineering techniques such as: Urgency. Threats. Money.
Call for Action: The attacker would want us to do something based on the message. Actions include: Click a button or link. Open an attachment. Call a number.
How do we detect Phishing messages? With some awareness, Phishing messages are relatively easy to spot. Here are few tips:
Urgency: Attackers would urge us to act immediately.
Threats: If we don't act, something bad will happen (e.g. parcel will be returned; account will be closed; sensitive photos will be released).
Money: An attacker's favorite is preying on people's need for money. After all, who wouldn't want to believe they won a handsome sum? As a rule of thumb, if you haven't participated in something that would result in a winning (e.g. bought a lottery ticket), you will NOT win!
Unknown Senders: When you get an email from somebody you don't recognize, be suspicious.
Mismatched Email Domains: Check the email address of the sender. If the domain mismatches the claimed sender (e.g., your bank), there is almost 100% chance it's Phishing. Even a small organization can afford their own email domain (e.g., user@domain.com).
Bad Grammars: Attackers don't bother check the language for spelling and grammar mistakes. When the message is poorly written, be suspicious.
Generic Greetings: ttackers don't know you. You are simply a random email address or phone number they got somewhere. Thus, they use generic greetings such as: Dear Customer.
Links and Attachments: If you are not expecting a file or document, be suspicious. Always check the address of the link before you click. Better yet, enter the the website address yourself, or Google the organization (e.g., your bank) in case you don't know the address, to access their website.