There is a constant tug of war on the internet over your security, with developers creating security software, and cybercriminals finding ways around it. And while security software and browser features can protect you from many dangers, it is crucial to remember that software cannot always protect you from attacks aimed at exploiting the human rather than the machine. The most important thing is to be aware of threats, and know how to protect your computer and data. Foremost among the threats you face online is phishing.
What is phishing?
The term phishing sounds like fishing for a reason – cybercriminals, like anglers, use bait to catch victims. It’s a form of social engineering designed to steal sensitive information from unaware users. The most common form of phishing is a fake email or text that purports to be from a well-known bank, for example. Such a message often states that you should make an overdue payment immediately or must perform some other urgent action, and tells you to click on a link.
The link usually leads to an infected page or a form used to collect your sensitive information: not only your name and login credentials but also your credit card information – allowing them to steal funds from your account or use your card online. Phishers impersonate more companies each day, and their messages are becoming more and more creative, but the goal remains the same: to convince you to click on a link.
Why does phishing work?
Phishing messages are created to look like real messages from your bank or service provider, like a postal company to confirm your delivery address. While there is no shortage of messages that look suspicious at first glance, most are designed to look very professional and gain your trust.
Hackers impersonate companies that you are likely to have some connection with. The messages are designed to look trustworthy, but at the same time, they contain a nagging message designed to force you not to think too long about the actions you take.
- Your account has been compromised. Click our link to retain your account access.
- You are $0.74 in arrears, click here to make your payment.
- The courier has your package, click here to set the delivery time and address.
The link you click may take you to a site where your data will be phished, it may start downloading malware, or it might perform some other harmful action.
How can you distinguish a real link from phishing? There is no easy answer to this question because links can be manipulated. Even if a link claims to lead to https://www.opera.com, its destination address may be different, because text editors in messages allow the creation of hyperlinks leading to other pages. The link above actually leads to the Opera site, but in this case (https://www.opera.com), the link leads to the Google.com page. To check this, you can right-click on the link and then select Copy Link Address. When you paste the link into a text editor, you will see where the link really directs. Attackers may also use similar-looking letters from other alphabets to make fake links look authentic. If you suspect an email, it is worth typing the link out yourself.
However, this doesn’t protect you 100% from a cyber attack. Companies also use software to shorten links for social media (where character-limits matter). If you see a shortened link in an email or text message, for example via bit.ly – you should scrutinise the message itself.
Phishing imitates companies you know
Hackers don’t send fake offers or reminders from fictional companies. And sometimes the attack is preceded by research that identifies companies the victim does business with. For example, there was a case in which phishers impersonated Opera employees by sending emails to YouTubers offering collaboration with Opera GX. They initially built trust by sending a message that (apart from the suspicious email address) did not contain anything dangerous. It was later, after the user expressed interest in the offer, that the scammers sent a PDF file that contained a link potentially leading to malware.
Interestingly, these types of emails were sent to people that could be interested in collaborating with Opera GX. This type of carefully calculated activity is called spear-phishing because it is tailored to the actions and interests of a specific user in order to build trust faster. Therefore, even if you use the services of the company, or are planning to use their services in the near future, always check if the email actually comes from that company.
Now you are aware of what phishing is and how to distinguish it online. This is one of the steps to browsing the web safely. If you want to know more, be sure to check out our next article (Phishing – How to stay safe?) on how to effectively defend yourself from phishing online – not just by being vigilant yourself.