Detecting and guarding against phishing attempts

Jeff Hurmuses, Area Vice President and Managing Director, APAC, Malwarebytes | Oct. 30, 2017
Here are some ways to better detect and prevent oneself from being a victim of phishing attacks.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

detecting phishing attempts
Credit: Storyblocks 

Long gone are the days where phishing attacks were blatantly obvious fakes pretending to be from Nigerian princes. Modern-day phishing campaigns are decidedly more sophisticated, incorporating stealthy techniques that trick their targets into believing that phishing emails are wholly legitimate.  

Phishing attacks aim to collect personal data-including login credentials, credit card numbers, social security numbers and bank account numbers-for fraudulent purposes. In Singapore, there has been recent phishing scams purporting to be from enterprises such as Singapore Post and Singapore Airlines. But while phishing attacks are most commonly delivered as an email communication that spoofs a known enterprise, it can also appear to come from individuals, including bosses and acquaintances.

These emails always contain a link that sends users to a decent impersonation of a valid website where credentials will be collected and sent to the attacker, instead of the supposedly trusted source. From there, the attacker can exploit credentials to commit crimes such as identity theft, draining bank accounts, or selling personal information on the black market.

While the phishing email is the most basic and common phishing attack, there are other attack forms that are directed towards a more targeted group. For instance, spear phishing involves crafting a believable email to extort information (or money) from a specific person or organisation. Whaling, a specific form of spear phishing, is directed towards executives or other high-profile targets within a government or business such as a CEO, senator, or someone who has access to financial assets. Meanwhile, smishing or SMS phishing involves SMS text messaging on mobile devices. A similar technique, vishing, is voice phishing conducted over the phone.

There truly are a lot of "phish" in the sea. Phishers today are also known to create malicious websites with attractive offers, which are indexed by search engines. Known as search engine phishing, this form of phishing attack extorts the personal information of those who have stumbled across malicious sites through their online searches.

On the other hand, content-injection phishing, a form of content spoofing, involves inserting malicious code or misleading content into legitimate websites that instruct users to enter their credentials or personal information.

Some common phishing attacks can easily escape users' notice, too. Phishers sometimes position themselves between people and websites such as social networking sites or online banks, to extract information as it's being entered by the users. Man-in-the-middle phishing, as this attack is more commonly known, is more difficult to detect as attackers continue to pass on users' information (after collecting it) to avoid disrupting transactions. Users should also guard against pharming, or DNS-based phishing, which involves modifying or tampering a system's host files or domain name system to redirect requests for URLs to a fake site. As a result, users have no idea that the website they are entering their personal details into is fake.

For all its sophistication, phishing relies on one of the most basic human foibles: trust. Hence, it is important to remain skeptical upon receiving any form of digital communication, whether email, text, or even social media messages.

Here are some ways to better detect and prevent oneself from being a victim of phishing attacks.


Spotting malicious websites

Users should check the website design and formatting. Malicious sites typically have pixelated logos, buttons that differ from the company's usual colors, weird paragraph breaks, or extra spaces between words.

Filing out forms with personal information on websites without SSL certificates renders users vulnerable to cybercriminals, too. Hence, users should always check if the URL in the address bar contains the "https" abbreviation and a lock icon before giving their personal data.


Detecting email scams

Phishing emails usually sound desperate: They coerce people into clicking links or downloading attachments immediately by instilling fear. These emails sometimes claim that the subject in question risks having his account closed or compromised.

When in doubt, hover over the URL found in the email: If the URL displayed differs from what is shown in the email, there is a good chance that the user will be redirected to a malicious site.

Users should also be wary of emails containing attachments from unknown and unexpected sources. It is better not to open these attachments as they might contain malware that could easily infect one's system.

One can sometimes easily spot an email scam by carefully observing the message header. More often than not, the sender's email address looks pretty dubious: It imitates a legitimate email address, especially one from a business, but with slight variations.


Sloppy content

Malicious emails or sites often have badly written and amateur content. There are a lot of grammatical errors and awkward sentence structures that seemingly sound as if a computer program or someone whose second language is English wrote them.


Filling forms

One should be wary of emails, text content, or voicemails that requests him to update or fill in personal information. He should be extra cautious, especially if the digital communication came from a bank or statutory board such as the IRAS. One should also be skeptical of communication requesting for his credentials.


Taking other precautions

One should install and regularly update firewalls and anti-malware software on their computer. He should also refrain from using public computers, especially when making online banking transactions and regularly update one's passwords.

When in doubt, contact the organisation in question to check if the suspicious communication is from them. One should also check his bank statements regularly for unauthorised transactions.


Reporting attacks

Although instinctively ignoring or deleting suspicious emails seems like the easy way out, employees working for organisations should report them to the IT team: After all, the IT team could better advise employees on the next steps. Employees should likewise report suspected phishing attempts to the person or organisation being imitated. They should then delete the suspected emails and empty their trash bin immediately after reporting the suspected phishing activity.

By following these simple tips, one won't have to worry about falling for phishing attacks hook, line and sinker.