Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers.
It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.
Phishing is the practice of sending fraudulent communications that appear to come from a reputable source, usually by email. The goal is to steal sensitive data such as credit card and login information, or to install malware on the victim’s machine.
Three Stages Of a Phishing Attack
Step 1: The Information (Bait)
The first of the three steps of a phishing attack is preparing the bait. This involves finding out details about the target, which can be as simple as knowing that they use a particular service or work at a particular business. If a service leaks even just a list of its users’ email addresses, criminals know that the owners of those addresses all use that service and can target them with emails that pretend to be from it.
In more sophisticated spear phishing attacks, cyber criminals can harvest details from your social media profiles to build a highly customized message that is very likely to convince you it is genuine.
Step 2: The Promise (Hook)
Once the attacker has acquired the necessary information to use as bait, they then need to lay out the hook. To actually make the target perform an action, the attacker needs to promise something or scare them into action.
In many scams, the hook involves making the target believe that one of their accounts has been compromised. This creates a sense of urgency and makes the target act quickly, perhaps without thinking. The attacker can then direct the target to follow a link to a page where they can harvest the victim’s details.
Step 3: The Attack (Catch)
The third phase of phishing is the actual attack. The cyber criminal sends out the email, and prepares for the prey to fall for the bait.
The attacker’s next action depends on the nature of the scam. For example, if they used a landing page to capture the victim’s email password, they can then log in to the victim’s email account to harvest more information and start sending further phishing emails to the victim’s contacts.
Ways to Prevent Phishing Attacks
Don’t give your information to an unsecured site
If the URL of the website doesn’t start with “https”, do not enter any sensitive information or download files.
Know what a phishing scam looks like
There are many sites online that will keep you informed of the latest phishing attacks and their key identifiers. The earlier you find out about the latest attack methods and share them with your users through regular security awareness training, the more likely you are to avoid a potential attack.
Firewalls are an effective way to prevent external attacks, acting as a shield between your computer and an attacker.
Don’t give out important information unless you must
As a general rule of thumb, unless you 100% trust the site you are on, you should not willingly give out your card information.
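As an added example (not part of the original article), the Python sketch below applies the "https" tip to a link and also checks that the link's host really belongs to the service the message claims to come from, since a phishing page can be served over HTTPS too. The domain names are constructed placeholders, and the names `check_link` and `triage` are hypothetical.

```python
from urllib.parse import urlsplit


def check_link(url, expected_domain):
    """Return a list of warnings for a link that claims to belong to expected_domain."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.lower()

    # Tip from the article: no "https" means no sensitive data and no downloads.
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    # "https://brand@other-host/" shows the brand name first, but the real
    # destination is whatever follows the "@".
    if parts.username is not None:
        warnings.append("userinfo-in-url")
    # Punycode labels can render as look-alike characters in some clients.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")
    # The host must be the expected domain itself or one of its subdomains;
    # a brand name placed further left in the host does not count.
    if not (host == expected or host.endswith("." + expected)):
        warnings.append("host-mismatch")
    return warnings


def triage(links, expected_domain):
    """Map each link to its warnings; an empty list means no warning was raised."""
    return {link: check_link(link, expected_domain) for link in links}


# Constructed sample links, as they might appear in a message claiming to be
# from the placeholder service "example-bank.test".
SAMPLE_LINKS = [
    "https://www.example-bank.test/login",
    "http://www.example-bank.test/login",
    "https://example-bank.test@login.example.net/",
    "https://example-bank.test.login.example.net/reset",
    "https://xn--exmple-bank-x9a.test/",
]

if __name__ == "__main__":
    for link, found in triage(SAMPLE_LINKS, "example-bank.test").items():
        print(link, "->", found or "no warnings")
```

An empty result only means none of these checks fired; it does not prove the site is trustworthy.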