Online security: Phishing Prevention

By on Sat Feb 26 in Phishing, security


Introduction

In recent years we hear more and more about cyber attacks and scams carried out through the Internet. One of the main methods used by cybercriminals is phishing. To understand how to protect yourself from phishing, we must first understand exactly what phishing is.

What is phishing

Phishing is a type of attack, based on social engineering, whose ultimate goal is to steal user data, such as credit card numbers or bank access credentials. The attack is usually carried out by sending a message, either via email or via SMS (in which case it is called smishing), whose sender appears to be a trusted entity.

The attacker, disguised as that trusted entity, tricks the victim into opening an email, instant message, or text message and voluntarily entering sensitive personal data such as a PIN, credit card number, personal details, and so on.

A recent example of phishing from Italy

The Ministry of Health published a post via Facebook on January 28, 2022 warning people about fake emails that have started circulating, in which the sender pretended to be the Ministry of Health. Here is the link to the post: https://www.facebook.com/MinisteroSalute/posts/2033412060169940

Scary, isn’t it? So, let’s see how to protect yourself from phishing.

How to detect phishing emails

So, how to protect yourself from phishing? Until a few years ago, a phishing message was fairly easy to identify: the message was usually misspelled, vague, or just didn’t make sense; in addition, the sender was clearly unknown and couldn’t be who he or she claimed to be. Over time, however, cyber “scammers” have refined their techniques, and unfortunately these days it can be difficult to spot a phishing message. This means that we have to keep our eyes open and be even more vigilant compared to the past.

Let’s look at a few signs that, when present, let us instantly identify a phishing message.

Check the sender

One common example: if you receive a message on behalf of your bank asking you to confirm credentials for security reasons, simply don’t do it! It’s a scam. All banks have warnings on their websites about this technique. Also, if you are not 100% sure about the authenticity of the sender, always check the source email address: this is a good way to avoid hassle later on. The domain (the part of the email address after the @) must be exactly the same as that of the entity shown as the sender: even a single different character is a red flag! For example, [email protected] is different from [email protected] or [email protected] (did you notice the “k” and the “i”?). If you are using a mobile device, tap the sender’s displayed name to see the details.
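The sender check described above, as an added example that is not part of the original post: it takes the real address from a From header (ignoring the display name), compares its domain with the domain you expect, and flags near misses. The expected domain and the sample headers are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed placeholder for the brand you expect mail from (assumption).
EXPECTED_DOMAIN = "examplebank.com"

# Constructed sample From headers; none of these domains is real.
SAMPLE_HEADERS = [
    "Example Bank <alerts@examplebank.com>",
    "Example Bank <alerts@mail.examplebank.com>",             # legitimate subdomain
    "Example Bank <alerts@examplebamk.com>",                  # one letter changed
    "Example Bank <alerts@examplebank.com.evil-host.net>",    # expected name embedded
    "Example Bank <alerts@unrelated.example>",                # display name only
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character changes turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header: str) -> str:
    """Domain of the actual address, ignoring whatever display name is shown."""
    _, addr = parseaddr(header)
    return addr.rpartition("@")[2].lower()


def classify_sender(header: str, expected: str = EXPECTED_DOMAIN) -> str:
    """Compare the real sender domain with the expected one, character by character."""
    domain = sender_domain(header)
    if domain == expected:
        return "match"
    # A real subdomain ends with "." + the expected domain ...
    if domain.endswith("." + expected):
        return "match (subdomain)"
    # ... whereas a domain that merely contains it belongs to someone else.
    if expected in domain:
        return "lookalike (embedded)"
    # One or two edits away: the "single different character" red flag.
    if levenshtein(domain, expected) <= 2:
        return "lookalike (near miss)"
    return "different"
```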

Check the message

Often, phishing messages are not addressed to the actual recipient, but open with a generic greeting such as “Dear customer” or “Sir”. If you have subscribed to a newsletter, or are waiting for a package, real senders will certainly address you by name or username.

The urgency of the message

Often, in a phishing message, the recipient is asked to do something as soon as possible. I receive phishing daily: emails asking me to enter some kind of personal data because a phantom package I’m supposed to receive is waiting somewhere. Wait… but I am not waiting for any package!!! Another very typical request by scammers is to change your password as soon as possible because otherwise some account will be permanently suspended. What to do then? Simply ignore the message, and report it by marking it as phishing (a feature provided by major e-mail providers).

The language

The language used is not always entirely correct, although the authors are now much more careful than they used to be. The message is often questionable, and the reason given for the requested action can be a bit odd. If in doubt, do not respond to the suspicious message; instead, contact the real entity through their website or official contact channels and ask for verification.

Links

A link might seem legitimate, but it could lead to a malicious website. Before clicking on anything, always check where you are being directed to. On a desktop PC, most browsers (IE, Chrome, Firefox) and Outlook show the actual link target in the lower-left corner of the window when you hover over the link. On mobile it’s more difficult and risky: you need to carefully press and hold the link, then take further steps to see where it points. If you simply tap on it, it will redirect you immediately! So, the advice is to wait and verify such suspicious emails on a desktop.

Questions

Phishing emails often ask for personal details like passwords. Don’t fall for it! Legitimate companies will never, ever ask for sensitive information via email.


How to protect yourself from phishing, then?

Let’s figure out how to protect yourself from phishing. First, use common sense! Do you have an account with SoAndSo bank? If not, then the message is certainly phishing. Are you waiting for a parcel? No? Then it’s useless to even open the message: it’s surely phishing! In general, if you are unsure, contact the organization or company directly through their official contacts: you can simply use Google to find them.

Additionally, there are some tools and actions that can help you, such as:

  • Install a good antivirus and firewall on your computer, activate and update them regularly.
  • Do not use public networks or shared computers for financial transactions or for transferring other sensitive information.
  • Do not download software or files from questionable or unknown sources.
  • Never use public WiFi networks. Opt for a personal hotspot or a secure network instead. If you are not familiar with these options, you can ask your internet / phone provider to add and activate them on your device (usually these options are not expensive).
  • Set up a strict spam filter so as to dramatically decrease the number of unwanted emails.

Difference between spam and phishing

We have seen above what phishing is, now let’s see what spam is.

Spam consists of unsolicited emails, instant messages, or social media messages. These messages, usually unsolicited advertising sent to a very large number of users via email, can be harmful if you open or respond to them, but luckily they are fairly easy to spot. Think of the classic email advertising an online shop selling Viagra and Cialis. Spam clogs the usual communication channels and generates a considerable volume of traffic. In addition, spam can also be an instrument of fraud: it proposes improbable financial projects, or tries to make you believe in a fabulous money win or a big inheritance (for example, the famous “Nigerian” scam). Reporting a spam message to your mail provider helps them to block new incoming spam.

Password and brute force attack

Many cybercriminals use applications that generate thousands of passwords in a handful of seconds and try each one against a system (a website, an email account, and so on). These are referred to as brute-force attacks. The simpler your passwords are, the faster cybercriminals will get them. That’s why every password should be strong, which means it should meet the following requirements:

  • Must contain at least 8 characters.
  • Must not be predictable (do not use simple words or names).
  • It should mix several kinds of characters: upper and lower case letters, and numbers. The longer the password, the fewer special characters it needs.

A password like “password123” is far easier for cracking software to guess than a password like “j%T{1%PeXt<gIa-”, which contains lowercase letters, uppercase letters, digits, and symbols, all chosen at random.
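The requirements and the brute-force argument above, as an added example that is not part of the original post: a checker for the three listed requirements, plus the size of the search space a brute-force tool must cover, compared for the two passwords the post quotes. The tiny word list and the guessing rate are constructed assumptions.

```python
import math
import string

# Constructed stand-in for a real dictionary of common words and names (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "alice", "bob"}

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(pw: str) -> list:
    """Names of the character classes that actually occur in pw."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in pw)]


def keyspace_bits(pw: str) -> float:
    """log2 of the search space: (alphabet size of the classes used) ** length.
    Shows why extra length buys more than extra symbols do."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str) -> list:
    """Return the post's requirements that pw fails (an empty list means it passes)."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    # "password123" is still just "password" with digits bolted on.
    core = pw.lower().rstrip(string.digits + string.punctuation)
    if core in COMMON_WORDS:
        failures.append("built from a common word or name")
    if len(classes_used(pw)) < 3:
        failures.append("uses fewer than three character classes")
    return failures


def seconds_to_exhaust(pw: str, guesses_per_second: float = 1e4) -> float:
    """Worst-case time to try the whole keyspace; 10,000 guesses/second is an
    assumed rate standing in for the post's 'thousands in a handful of seconds'."""
    return 2 ** keyspace_bits(pw) / guesses_per_second
```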

The good news is that it takes very little to protect yourself and keep your account from being hacked. You can find very good password generators online, such as 1Password Generator. Are you afraid you won’t remember such long and complex passwords? No worries: you can combine the generator with a password manager in a few clicks. A password manager is an app that stores login details (web addresses, usernames, and passwords). It can be installed on PCs and smartphones, and as a browser extension. For example, Bitwarden is a free and open-source password management service that stores sensitive information in an encrypted vault, from which you log in to the desired website, app, or any other online service.

Two-factor authentication

In recent years, websites and apps have increasingly adopted a mechanism called two-factor authentication. This involves entering a second code or using your fingerprint to access a service, in addition to your username and password. There are many reliable apps you can use to enable two-factor authentication, such as Google Authenticator, Microsoft Authenticator, or Authy.

In conclusion: protect yourself!

So, how to protect yourself from phishing? To a large extent, digital security and privacy are in the hands of the users themselves. You can stay in control by staying vigilant, choosing passwords wisely, and always double-checking before clicking on any link or answering any email.

To recap:

  • Always be vigilant against phishing emails. Check the sender’s email address and never disclose personal information via email
  • Lock your digital door with strong, unique passwords
  • Use a password manager
  • Use two-factor authentication if possible
  • Instead of public Wi-Fi networks, use the cellular data network

Questions or concerns? Write to me through my contact page.