Phishing Safety Tips

A common, yet sometimes subtle, mistake is spelling errors. It might not be very obvious. It could just be one letter that one could easily overlook. For example, for a known brand like Netflix, an attacker could change it slightly by naming it Netlfix, which could easily be looked over, since it is "from" a trusted brand.

What to do: Ensure the accuracy of the brands you choose to follow. Make sure that spelling is the correct one from the established brand.

Urgency in tone is a common technique used in phishing. It means that the attacker will put pressure on a user by making the message sound urgent and that the user needed to take action right away. An example of this would be an attacker sending a message to a user that states that their account will be suspended soon if they don't take action immediately.

What to do: Ensure that the sender of the message really is from the stated company/organization and ensure whether there really is action that needs to be taken. It is also important to stay calm even though the message might sound urgent, as there is a high chance of being phished.

A form of phishing is sending inaccurate links. These links, once clicked, will lead to a clone website that looks very similar to the main website, but this will allow the attacker to trick the user into thinking this is the original website, making the actions that the user meant to take on the original source, taken on the clone source, revealing information (e.g. enter Password or Username to a financial establishment).

What to do: A good way to see whether a link really is from the original source is by hovering over the link and verifying the integrity of the link. For example, https://www.google.com/ (Original) vs https//wwm.google.co/ (Clone). An online resource that allows a user to check the integrity of a link is Bitdefender Link Checker which checks for malware and phishing. It is good to be suspicious of unknown links and attachments.

Phishing attempts often request information that is personal or sensitive. The attacker asks information like UserID, Password, SSN, Bank Information, etc. This allows the attacker to recieve personal information from the user, that can then be used for other technology (or non-technology) attacks, like Identity Theft.

What to do: The user should not reveal ANY personal or sensitive information that can be used to identify oneself, unless it is authentically verified. Organizations, Companies, and officials usually know not to ask for revealing information, therefore any attempt requesting your personal information should be verified with high importance, and possibly reported so that other users will not be phished.

Unexpected attachments is another technique that attackers use to gain access to information or a system. Once these attachments are clicked, it could allow the attacker to install malware to your system, which then could lead to other attacks like ransomware or Denial-of-Service attacks. For example, an email from an attacker who imitates a bank and has an attachment that is supposedly for a reward opportunity, but if clicked, installs malware into the users system.

What to do: Refrain from clicking any attachments that have not been verified to be from the true source. There are online resources available now for attachments and files to be run through, to detect malware and tampering like Jotti and VirusTotal.