Why is phishing still the most common cyber-attack?
What is phishing?
Phishing.org defines phishing as “A cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.”
This is a very common and highly effective way of getting sensitive information. Emails containing links to malicious websites are the most common attack method. The email may contain links to what appear to be the correct websites but are really spoof sites that look similar, if not identical, to the real ones. Once you are on the site, it asks for your login and/or other personal information. Once that information is received by the spoof site, it is logged or forwarded for the attacker to use.
Why the name?
The term phishing is a homophone of fishing because the concept is similar to fishing in a lake or stream: the attacker dangles something in front of the end user in the hope that they take the bait.
So why is it still the most common?
The short answer is that it’s still a very effective method of cyber-attack. All the attacker needs to do is convince you that you are on the real website, safe and sound. It’s only afterward that you realize the error, if you ever do. A large number of accounts have been compromised by phishing attacks, ranging from social media to financial accounts. While things are getting better, with most people being more cautious of suspicious emails and websites, it’s still one of the most effective and common methods of cyber-attack.
Bleeping Computer has an article on this subject and the recent frequency of phishing. It goes on to say that Microsoft Office 365 accounts have lately been the most popular phishing targets. The reason given is that after gaining someone’s login, the attacker can launch further attacks on others in the organization.
How do you avoid phishing?
First, watch for illegitimate links. Pay special attention to the URL before clicking on it. If you position your mouse over a link and leave it there without moving for about a second, the full link will appear. If you are expecting to be led to facebook.com, make sure it shows something like https://www.facebook.com and not something like https://abc123.faceb00k.com. Another thing to watch for is slightly misspelled domains such as bankfoamerica.com; it might lead you to a site that appears to be totally on the level. A better alternative is to open your browser and go directly to the site, log in, and then, from there, check your account or the site for updates on the “issue”. More often than not, if the original email or message was legitimate, the notice will be easy to find on the site.
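The link checks described above (the real domain not matching the expected one, a brand name buried in a subdomain, digits swapped for look-alike letters as in faceb00k, and transposed characters as in bankfoamerica), as an added Python example written for this post rather than code from SandStorm IT. The confusable map, the sample links and the rule that the last two labels of a hostname identify its owner are constructed assumptions for the example; there is no public-suffix list, so domains such as example.co.uk are not handled.

```python
from urllib.parse import urlsplit

# Constructed for this example: digits commonly swapped for look-alike letters
# (faceb00k -> facebook). A real checker would use a fuller confusables table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(url: str) -> str:
    """Return the part of the hostname that actually identifies the owner.

    Assumption: the last two labels (e.g. 'faceb00k.com' for
    'https://abc123.faceb00k.com/login'). No public-suffix list is used,
    so multi-label suffixes such as .co.uk are not handled.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insert, delete, substitute or
    swap of two adjacent characters each costs one edit, so 'bankfoamerica'
    is one edit away from 'bankofamerica'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_link(url: str, expected_domain: str) -> str:
    """Compare the link's real domain with the one the reader expects.

    Returns 'ok' (right domain over https), 'insecure' (right domain but not
    https), 'lookalike' (a spoof that imitates the expected domain) or
    'unrelated' (some other domain entirely).
    """
    expected = expected_domain.lower()
    brand = expected.split(".")[0]
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    actual = registrable_domain(url)

    if actual == expected:
        return "ok" if urlsplit(url).scheme == "https" else "insecure"
    # Digit-for-letter substitution: abc123.faceb00k.com
    if actual.translate(CONFUSABLES) == expected:
        return "lookalike"
    # Brand name used as a subdomain of an unrelated site: facebook.com.example.net
    if brand in host.split("."):
        return "lookalike"
    # Small typo or transposition in the brand name: bankfoamerica.com
    if osa_distance(actual.split(".")[0], brand) <= 2:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links for the demonstration, not real phishing URLs.
    samples = [
        ("https://www.facebook.com/login", "facebook.com"),
        ("http://www.facebook.com/login", "facebook.com"),
        ("https://abc123.faceb00k.com/login", "facebook.com"),
        ("https://facebook.com.example.net/login", "facebook.com"),
        ("https://bankfoamerica.com/", "bankofamerica.com"),
        ("https://example.org/", "facebook.com"),
    ]
    for link, expected in samples:
        print(f"{classify_link(link, expected):10} {link}")
```

The check deliberately works on the registrable domain rather than the whole hostname, because that is the part a spoof site cannot borrow from the real one; everything to the left of it is under the attacker's control, which is exactly why abc123.faceb00k.com and facebook.com.example.net look convincing at a glance.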
Secondly, don’t get roped into a false sense of urgency. Many times the email or pop-up tries to scare you into logging in quickly, threatening consequences such as permanently locking you out or shutting you down if you don’t do so immediately! These tactics are there to force you into outrunning your common sense and handing over your information before your suspicion catches up. For a more in-depth post on how to avoid getting phished, check out our post “Don’t Get Phished!”.
Overall, nothing beats good common sense. If you feel something isn’t right, contact the institution and have your credentials changed. At SandStorm IT, our team has come across these schemes many times and knows how to deal with them. Still not sure about that email or pop-up message? Feel free to contact us. The last thing you want to do is compromise your personal information.