Phishing attacks are a common problem that poses a great risk to individuals and organizations.
Phishing emails are used in advanced attacks, according to Gartner, a global research and consulting firm that provides information, advice, and tools for leaders in IT, finance, HR, customer service and support, communications, legal and compliance, marketing, sales, and supply chain.
Phishing attacks are simple to carry out, and employees can be easily manipulated.
Below, we’ve listed 12 things employees should know about phishing attacks.
1. What Is a Phishing Attack?
Phishing is an attack vector that cybercriminals use mainly for information and identity theft: they aim to obtain personal and sensitive information by manipulating users. It is a kind of social engineering attack that is usually initiated by email. In many cases, cybercriminals send relevant users a message titled “Password Change” from a fake email address, redirect them to a fake website, and steal their information there.
Sometimes cybercriminals launch phishing attacks to gather information from a target organization through complex and convincing fake emails. Cybercriminals specifically target financial institutions, since the human element is the weakest link in the security chain: more than 75% of successful cyber-attacks are caused by human error.
2. Phishing E-mails Use Subject Lines Containing Urgency or Threats
Often, in order to make the e-mail appear to come from a reliable source and to persuade the target, the attacker presents the email as an important notification, critical update, deceptive topic, or urgent alert. The subject line may contain numeric characters or unusual letters to bypass spam filters.
Sometimes people are threatened that sexually explicit pictures or videos of them will be sent to family, friends, or social network contacts unless they pay.
Aggressive, threatening, or urgent emails that demand quick action should be treated as a possible scam.
Cybercriminals often obtain confidential information by exploiting the fear and panic of their targets.
Threats and urgent messages such as “change your password quickly” that appear to come from a legitimate company are often a sign of a phishing attack. This is why you should not respond to suspicious e-mails that request personal information, or that appear to come from a real source and ask you to act quickly.
We recommend that you do not open such e-mails. Cybercriminals can hack other people’s email accounts, send fake emails under their identity, and try to steal your personal information. Attackers will use every possible way to get you to respond.
Attackers send emails that look like emergencies to push targets into clicking the link embedded in the email.
Below are subject lines to be cautious of:
- Urgent Action Required
- Your account will be disabled
- Emergency Password Change
- Urgent Password Control Required
3. Attackers Send Email from Fake Addresses
When you receive an email, you see a sender’s name in the message, but this name may be fake. Criminals have been spoofing e-mail addresses for a long time, and these messages may appear to come from friends, trusted sources, or even from your own company.
Sending emails that appear to come from real email addresses is easy, because the tools needed to spoof email addresses are surprisingly easy to find on the internet. All an attacker needs is an SMTP server (a server that can send e-mail) and suitable e-mail software.
Identity fraud is most effective on mobile devices, because the sender’s email address is truncated and most mobile users do not open the sender’s name to examine the actual email address.
The most common type of identity fraud is display name fraud. For example, criminals use a real-looking display name, such as firstname.lastname@example.org, to deceive their target, while the actual email comes from email@example.com.
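A mail filter can catch the display name fraud described above automatically. The following is an added example, not code from the original article: it splits each From: header into display name and real address and flags a mismatch; the sample headers and the brand-to-domain table are constructed for illustration.

```python
# Added example (not part of the original article): flag "display name fraud",
# where the visible sender name looks like a trusted address or brand but the
# real address behind it belongs to a different domain.
import re
from email.utils import parseaddr

# Constructed sample From: headers, modelled on the article's example.
# RFC 5322 requires a display name containing '@' to be quoted, as below.
SAMPLE_FROM_HEADERS = [
    '"firstname.lastname@example.org" <email@example.com>',   # display name impersonates another domain
    "Jane Doe <jane.doe@example.org>",                        # ordinary, consistent sender
    "Example Bank Support <alerts@example-bank-login.net>",   # brand name with an unrelated domain
]

# Brands the organisation expects mail from and the domains they really use.
# Constructed for this example; a real deployment maintains its own table.
KNOWN_BRAND_DOMAINS = {"example bank": {"example-bank.com"}}

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_from_header(header: str) -> list:
    """Return a list of findings for one From: header (empty list = no red flag)."""
    display, real = parseaddr(header)
    real_domain = _domain(real)
    findings = []
    # Case 1: the display name is itself an e-mail address on another domain.
    embedded = re.search(r"[\w.+-]+@[\w.-]+\.\w+", display)
    if embedded and _domain(embedded.group()) != real_domain:
        findings.append(f"display name shows {embedded.group()} but mail is from {real}")
    # Case 2: the display name names a known brand whose real domains do not match.
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in display.lower() and real_domain not in domains:
            findings.append(f"display name claims '{brand}' but domain is {real_domain}")
    return findings

def scan(headers) -> dict:
    """Map each header to its findings so a gateway can quarantine or tag the mail."""
    return {h: check_from_header(h) for h in headers}

if __name__ == "__main__":
    for header, findings in scan(SAMPLE_FROM_HEADERS).items():
        print(header, "->", findings or "ok")
```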
4. Phishing Attacks Can Happen at Any Time
You can reduce the risk of phishing attacks by carefully checking your emails and looking for the signs of a phishing scam. It is also important to be careful while browsing the internet and to watch for the signs of these attacks.
Watch out for emails requesting confidential or login information. Legitimate institutions, such as financial institutions, never request sensitive information by email.
Never click on links, download files, or open attachments in an email, including on social media, even if they appear to come from a known, trusted source. Call the sender and verify the e-mail before doing anything with it.
Never click on links in an e-mail without making sure they are correct. If necessary, type the relevant URL into the browser’s address bar yourself and check that it is correct.
5. Browse Secure Web Addresses Only
Many web browsers today already contain security features to help you stay safe online. These browsers can block annoying pop-ups, send “Do Not Track” requests to websites, disable unsafe Flash content, stop malicious downloads, and control which sites may access your webcam, microphone, and so on.
Check your privacy settings in the following places:
- Chrome: Settings > Advanced > Privacy and Security
- Edge: Settings > Advanced Settings
- Firefox: Options > Privacy & Security
- Safari: Preferences > Security and Preferences > Privacy
Visit web addresses starting with HTTPS. HTTP (Hypertext Transfer Protocol) is the basic protocol for sending data between your web browser and the websites you visit, and HTTPS is simply its secure version (the “S” stands for “secure”). It is used for online banking and shopping because it encrypts your communication, preventing criminals from stealing sensitive information such as your credit card numbers and passwords.
Check for HTTPS and the green padlock icon in your browser’s address bar. If you do not see them, or the site you are on does not use a trusted SSL digital certificate, never send sensitive information such as credit card details.
In addition, never use a public Wi-Fi hotspot for important transactions such as banking, shopping, or entering personal information; use your mobile connection instead to avoid phishing attacks.
6. Pay Attention to Fake Emails
Cybercriminals often make mistakes when writing professional-looking emails. Phishing emails therefore often contain a large number of grammatical and spelling errors.
Read your e-mail carefully and examine the content for grammatical errors as a defense against phishing.
In addition, e-mail content may use attractive wording to engage the user and lead them to click the fake link in the e-mail. If you suspect the content, delete it.
7. Phishing Attacks Are Now More Personal
Customized or targeted phishing attacks (spear phishing) have proven to be more effective.
Cybercriminals follow and use social media posts to create customized emails that targets are more likely to open.
Sometimes they research their targets at length. They use social engineering techniques that combine technical and psychological factors.
With these techniques, cybercriminals targeting a particular individual can easily bypass spam detection systems.
8. Cyber Attackers Use Real Brands
Cybercriminals mimic the original website of a legitimate brand, using a similar domain or copying the web page design of the original site.
The link to the fake website is usually sent to targets by email, or sometimes by text message.
The e-mail may also contain the legitimate company’s logos. The fake website often contains a fake form to obtain users’ credentials, payment details, or other sensitive data.
9. Shortened Links
Cybercriminals often use shortened links to make you believe you are clicking on a legitimate, reliable link, when in fact you may be directed to a fake web address. To see whether you will really land on the right website, hover your mouse pointer over the link for a moment before clicking, so that the real URL is shown.
If you click on the fake link, you may be redirected to a fake website asking for your credentials, such as name, surname, email address, and passwords. You may also download malicious software from this page that can put your entire system into the hands of cybercriminals.
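The hover check above can be automated on the mail gateway. The following is an added example, not code from the original article: it parses the HTML body, and flags every link whose visible text names a different host than the real href, or whose href goes through a URL shortener. The HTML body and the list of shortener hosts are constructed for illustration.

```python
# Added example (not part of the original article): find links in an HTML e-mail
# whose visible text points somewhere other than the real href, or whose href
# goes through a URL shortener so the true destination is hidden.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Example shortener hosts; a real filter maintains its own, larger list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Constructed sample body, modelled on the tricks described in the article.
SAMPLE_HTML = """
<p>Your account will be disabled. <a href="http://bit.ly/3xample">Verify now</a></p>
<p>Or visit <a href="http://login.example-bank-secure.net/">https://www.example-bank.com/login</a></p>
<p>Help: <a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url: str) -> str:
    """Lower-cased host of a URL; text without a scheme is treated as http://text."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def suspicious_links(html: str) -> list:
    """Return (href, text, reason) for each link a reader should not trust blindly."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        if _host(href) in SHORTENER_HOSTS:
            out.append((href, text, "shortened link hides the destination"))
        # Visible text that looks like a URL or domain but leads to a different host.
        elif "." in text and " " not in text and _host(text) != _host(href):
            out.append((href, text, "visible URL differs from real destination"))
    return out
```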
10. Phishing URLs Can Be in a File Attachment
Phishing emails mostly contain a fake link, but to bypass email protection technologies, attackers can also send fake URLs inside a PDF or Word document. Pay attention to the links in such files as well.
11. Pop-up Notifications / Alerts
Attackers can trap you with a fake pop-up window on your computer screen that looks as if it comes from your operating system or your antivirus software.
They also use the logos of legitimate brands to make this fake window look real. With this method, they can fool you and steal your sensitive data.
12. Typographical Errors
Brands take their email very seriously. Legitimate messages usually contain no major spelling mistakes or poor language.
Read your e-mails carefully and report anything that seems suspicious to the responsible person or unit.