Phishing Attacks like Phishing mails, calls, websites are planned to steal money or personal information.
Users without awareness or sometimes due to urgency, click on spam links and provide their confidential information like credit card no, bank detail, etc… and become a victim of a phishing attack. However, there are some signs of phishing attacks that can help you to identify such Phishing emails or websites.
Facts about Phishing Attacks :
- According to a Verizon report, 22% of breaches were reported for phishing scams, whereas 75% of organizations have faced phishing attack in 2020 year.
- According to Symantec 2019 report, PDFs and MS office files mainly were used in phishing emails due to their universally trusted factor.
- According to Google’s report, Google has marked 2,145,013 websites as phishing sites in the 2021 year that was 27% higher than the previous year.
10+ Ways to know Phishing Attacks
Spelling and Bad Grammar:
You cannot expect a good writing skill from phishers or attackers. If users find any email with bad grammar or spelling mistakes, then it might be a phishing alarm until and unless users have an ideal about the email source. That is why users should avoid such mail. However, corporate or professional companies do not send email with bad grammar and spelling mistakes.
Pay Attention to Sender:
Many phishers falsified the sender’s address. They forged a display name and email address. However, both the displayed name and sender address has no relevance. Cybercriminals are now smart enough to make people victim to phishing fraud. They use the famous brand name with an email address like [email protected]. If a reader ignores xyz.com, a reader will believe that the email is from a legitimate source.
Email Links as Phishing Attacks:
some emails contain links http://pleasehack.com to spam web pages, once user click on such links the software download process will start automatically in background without awareness of users. If a user finds any suspicious link, then he should avoid it as it may contain malicious software to steal user personal data residing on server or PC.
Threats as Phishing Attacks:
Phishers are now using some threat messages that spread havoc among users.
- Your security is compromised or
- You must respond received email to avoid closure of your account etc.
Such threat emails are false, and planned to take advantage of user’s innocence; such mails are called phishing emails that are designed to steal user secret data.
Do not respond to “URGENTLY”:
Many emails you receive want you to act quickly with a single mouse click. Many phishing emails have only coded links and clicking on such links may redirect to a fake web page or download a virus on your system. Such email may ask for personal information or money transactions. Such emails create a sense of urgency or fear. Such emails carry subject lines like “Subscription Expired”, “Account Suspended”, “Urgent Payment Required”. KnowBe4 has reported the most common subject lines in a phishing email, showing in the below image.
Do not Click on Attachment:
It can be dangerous if you click on an unknown attachment received in an email. Many email service providers like Gmail now scan attachments for viruses or malware before downloading the attachment. A malicious download can steal a password, damage a computer system, or spy on the system without your awareness. Before downloading the attachment, you should hover a mouse to check the actual link. Once you download a malicious attachment, it can be a payload that current antivirus programs cannot detect.
Do not Click on Links:
Before you click on a link received in the email, hover over it to check its original destination. If the display text is not matching alt text, you should leave it without clicking. Such malicious links may redirect you to malware sites. If the link seems legitimate or pointing to a real domain name, you should type that domain name manually in the browser instead of clicking on it.
Request Personal Information:
Any unknown email asking for personal information should be avoided as cybercriminals could illegally use your personal information. Moreover, phone numbers, bank details, addresses are critical and personal details, if exposed, can damage your social reputation and financial status. In previous phishing incidents, phishers ask for credit card CVV, log-in details, social security number, and other private details to put a user in danger. After getting such details, Phishers can withdraw money from a credit card or bank account without your awareness.
Check Signature to prevent Phishing Attacks:
Legitimate businesses have correct contact details in their signature, while phishing emails lack proper signature and contact details. If you observe an incomplete signature, it may be a spam email. Moreover, a signature should include only specific information that an email will not put your email in the Spam folder. If your email duly signed goes into spam, it means you have exceedingly input details as per spam email standards and policy.
Spoofing as Phishing Attacks:
Cybercriminals use spoofing techniques to imitate legitimate website by applying graphics and design, but they bring you to fraud websites to steal money or details. Cybercriminals also use web addresses, which looks like the actual name of the website address but it slightly changed like:
Phishing website: www.banknamecityname.com
Real website: www.bankname.com
Here is an interesting phishing email example by Wikipedia where they explained how someone sent mass emails to users on behalf of Wikipedia. Find the whole story here at Wikipedia.
Valid organizations use their own domain name in the email address, for example, [email protected]. Cybercriminals alter the original name in email addresses like [email protected]. Users should check the sender’s email address before reading the email. However, it is not a failsafe method as many small companies use third-party email providers. So, do not rely on only the name displayed in the email.
Legitimate business always uses the first and last name of a customer in a salutation part. Phishing emails often use generic salutations like “Dear Sir/Madam” or “Respected customer”. A user should read it carefully and should not react to such phishing emails. In advertising emails, phishers do not use greetings and directly place an image of ads that do not give you a clue about phishing emails. In this case, you should directly check the company’s website.
To make phishing successful, a single mistake is only needed. There is no foolproof system that controls phishing scams. However, organizations should give proper training on phishing techniques to all levels of employees. A single untrained employee is enough to make phishing successful nowadays. Organizations should provide adequate attention to employee’s interaction with the internet world because a silly mistake can ruin an organization’s prestige.
I hope it is now clear to you that phishing is a serious crime prepared to steal the money of innocent users. It is in our interest not to respond to any email, message, or website without reviewing their ownership. The best way to identify the authenticity of a website is to check the SSL certificate.
Prevention is our first security shield.