Fingers dancing over a keyboard, racing against the clock. The pallid glow of the monitor, illuminating a tense but confident face in the darkness of the server room. A dozen monitors, a tangle of wires, the endless flickering of activity LEDs, and the telltale scrolling text output indicating something important is happening.
Hacking in the movies is often portrayed as a solo affair held almost exclusively behind a powerful rig, fighting through firewalls and breaking into remote systems.
However, the reality is far more mundane. A lot of hacking actually takes place through social connections, often through email or over the phone. This form of hacking is called social engineering, and it involves exploiting the greatest weakness of any secure computer system—the fallible, gullible human.
Social engineering aims to deceive unsuspecting humans, who have access to a target system, and manipulate them into revealing sensitive information.
One of the principal forms of social engineering is phishing, a technique that has been around since practically the dawn of the Internet.
What Is Phishing?
Phishing is the use of fake emails, texts, websites, and other electronic communications that are disguised as being legitimate and official, in order to get sensitive information.
A user who comes across a phishing attack, for example, a fake website, may think that they’re at the official website of a service provider, and may enter their username and password into a login field. These fields won’t direct information to the provider, but rather to the hacker.
Phishing has been around since the 90s, famously on the AOL community, but similar attacks had been carried out in the 80s. This article aims to answer the questions: How does phishing work, and how can you avoid it?
What Are The Types Of Phishing?
There are several methods employed by hackers to get target information. Let’s look at some phishing examples.
The phishing email is one of the most common examples you’ll encounter. Email phishing involves sending mass emails that look like automated messages from an official source.
One of the most popular phishing email examples is the “Password reset” email, which implores the target to change their password for a certain account, and directs them to a link for doing that. The link, of course, leads to a fraudulent website, and entering one’s password there will compromise it.
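To show what a mail filter or a careful reader can check in such a message, here is an added example in Python that is not part of the original article. It parses a constructed password-reset lure and flags the header traits that typically give one away: a display name that claims a brand the sending domain does not belong to, a Reply-To that redirects answers to yet another domain, and urgency language in the subject. Every address and domain in the sample, and the expected_domain argument, are assumptions made up for the example.

```python
"""Heuristic header checks on a suspected password-reset phishing email.

Added example (not from the original article). The messages below are
constructed for illustration; every address and domain in them is made up.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed lure: the display name claims a bank, but the sending domain
# and the Reply-To address both point elsewhere.
SAMPLE_EMAIL = b"""From: "ExampleBank Security" <alerts@examplebank-support.net>
Reply-To: helpdesk@mail-verify.example
To: customer@example.org
Subject: Action required: reset your password within 24 hours
Content-Type: text/plain; charset=utf-8

We detected unusual activity. Reset your password now:
http://examplebank-support.net/reset
"""

# Constructed benign message from the brand's real domain, for contrast.
LEGIT_EMAIL = b"""From: "ExampleBank" <no-reply@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/plain; charset=utf-8

Log in from your bookmarks to view it.
"""


def check_headers(raw: bytes, expected_domain: str) -> list[str]:
    """Return a list of warnings for a raw RFC 5322 message.

    expected_domain is the domain of the brand the message claims to come
    from (caller-supplied assumption, e.g. 'examplebank.com').
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    warnings = []
    expected_domain = expected_domain.lower()
    brand = expected_domain.split(".")[0]

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display name names the brand, but the address is not on its domain
    #    (or a subdomain of it).
    on_brand_domain = from_domain == expected_domain or from_domain.endswith(
        "." + expected_domain
    )
    if brand in display_name.lower() and not on_brand_domain:
        warnings.append(
            f"display name mentions '{brand}' but sender domain is {from_domain}"
        )

    # 2. Reply-To sends answers to a different domain than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        warnings.append(
            f"Reply-To domain {reply_domain} differs from sender domain {from_domain}"
        )

    # 3. Urgency cues common in password-reset lures.
    subject = str(msg.get("Subject", "")).lower()
    cues = ("action required", "within 24 hours", "suspended", "verify")
    if any(cue in subject for cue in cues):
        warnings.append(f"urgency cue in subject: {str(msg.get('Subject'))!r}")

    return warnings


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, check_headers(raw, "examplebank.com"))
```

None of these checks is proof on its own; a real filter would also consult SPF/DKIM/DMARC results, but the three header mismatches above are what a reader can see without any tooling.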
Spear phishing attacks are highly targeted, centered on an individual or an organization. These attacks often use the target’s personal information to lull them into a false sense of security, making the phishing message appear to come from a trusted source.
For example, you might receive an email that presumably comes from your aunt. The aunt says that her two children (who are named correctly in the email) need help with a class project and she sends you a link to complete a survey for them. You oblige, but when you click on the link, you’re faced with a Facebook login screen. You input your login details, and…just like that, the hacker has your information.
In reality, your aunt’s name, the names of her children, her email address and even her style of writing can all be taken from publicly available social media information. Spear phishers can exploit this and deceive users quite easily.
One of the most basic tools in the phishing arsenal, link manipulation involves using fraudulent links that are either similar to a real domain, or have been disguised to mask the real link destination.
Some kinds of link manipulation involve creating anchor text that looks like a URL, but actually leads somewhere else. For example, a link whose visible text reads https://www.google.com can actually point somewhere else entirely, because the text of a link and its destination address are set independently.
Another form of link manipulation uses typos of the real URL, or versions with different top-level domains.
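The following is an added example, not code from the original article, showing how the forms of link manipulation just described can be detected in an HTML email body with Python: anchor text that looks like a URL but points at a different host, a typo of the trusted name, and the same name under a different top-level domain. It goes one step beyond the text by also catching the trusted domain used as a subdomain of an unrelated one. The sample HTML and every domain in it are constructed; the registrable-domain helper is a deliberate simplification (it takes the last two labels rather than consulting the public suffix list), and the trusted_domain argument is an assumption supplied by the caller.

```python
"""Flag manipulated links in an HTML email body.

Added example (not from the original article). The HTML below is constructed;
all domains in it are made up or reserved example names.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed body: four manipulated links and one genuine one.
SAMPLE_HTML = """
<p>Sign in at <a href="http://login.evil-host.example/">https://www.example.com</a></p>
<p>Reset here: <a href="https://examp1e.com/reset">reset password</a></p>
<p>Or use <a href="https://example.co/login">our secure portal</a></p>
<p>Support: <a href="https://example.com.verify-login.net/help">help center</a></p>
<p>Docs: <a href="https://docs.example.com/">https://docs.example.com/</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host, e.g. 'example.com'. Simplification: a real
    implementation would use the public suffix list (co.uk, etc.)."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats like examp1e vs example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_suspicious_links(html: str, trusted_domain: str) -> list[tuple[str, str, str]]:
    """Return (reason, anchor_text, href) for each link that looks manipulated."""
    parser = LinkCollector()
    parser.feed(html)
    trusted_domain = trusted_domain.lower()
    trusted_label = trusted_domain.split(".")[0]
    findings = []
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reg = registrable(host)
        # 1. Anchor text that is itself a URL but whose host differs from the href.
        if text.startswith(("http://", "https://")):
            text_host = urlparse(text).hostname or ""
            if registrable(text_host) != reg:
                findings.append(("anchor text URL differs from href", text, href))
                continue
        if reg == trusted_domain:
            continue  # genuinely on the trusted domain or one of its subdomains
        label = reg.partition(".")[0]
        # 2. Same name under a different top-level domain (example.co).
        if label == trusted_label:
            findings.append(("same name, different TLD", text, href))
        # 3. Small typo of the trusted name (examp1e).
        elif edit_distance(label, trusted_label) <= 2:
            findings.append(("typosquat of trusted domain", text, href))
        # 4. Trusted domain used as a subdomain of an unrelated domain.
        elif host.startswith(trusted_domain + "."):
            findings.append(("trusted domain used as subdomain", text, href))
    return findings


if __name__ == "__main__":
    for reason, text, href in find_suspicious_links(SAMPLE_HTML, "example.com"):
        print(f"{reason}: '{text}' -> {href}")
```

The same registrable-domain comparison is what a reader does by eye when hovering over a link: ignore the anchor text and the path, find the part of the hostname immediately before the top-level domain, and ask whether that is the name you trust.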
How To Prevent Phishing
Phishing exploits a target’s inattention to detail and their susceptibility to an illusion of safety. Safeguarding yourself against phishing attacks means stepping up your caution.
Always Check On Links You’re Clicking
Before you enter a password into a presumably safe login screen, always check the URL and whether the connection is secured via HTTPS with an SSL/TLS certificate; many browsers indicate this with a padlock icon in the address bar. Keep in mind that HTTPS only shows the connection is encrypted, not that the site is who it claims to be, since phishing sites can obtain certificates too, so read the domain name itself carefully. This way you can avoid phishing websites.
Verify Contact Information
If you’re asked to contact a company via email or phone, always double-check the number and address provided. Look for a company’s official site or social media page and use what’s listed there.
Be warned that hackers are now exploiting SEO techniques to push fraudulent contact information to the top of search engine results pages.
Never Download Attachments From Unknown Sources
This advice has been thrown around ever since email became popular, and it still holds true today. Avoid opening attachments if you don’t know where they came from, and scan every attachment you receive with an antivirus tool, even if you know the source. You should learn from our Facebook phishing email example and be vigilant about any attachments.
Turn On Two-Factor Authentication
Even if hackers manage to obtain your password, they won’t be able to do anything with it if you have a secure 2FA method like a phone app or a trusted hardware key. Make sure all of your accounts use two-factor authentication whenever possible.
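To make concrete why a phished password alone is not enough, here is an added example in Python, not from the original article, of how a phone-app second factor works: it implements the standard time-based one-time password (TOTP, RFC 6238) with the standard library and a login check that requires both the password and a valid code. The user record, its password hash, the salt and the fixed time values are constructed for the example; the TOTP secret and the expected codes are the published RFC 6238 test vectors.

```python
"""How a phone-app (TOTP) second factor is generated and verified.

Added example (not from the original article). Implements RFC 6238 TOTP over
HMAC-SHA1 using only the standard library. The user record is constructed.
"""
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def totp(secret: bytes, for_time: int, digits: int = 8) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = for_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` adjacent steps
    (tolerates clock skew), comparing in constant time."""
    return any(
        hmac.compare_digest(totp(secret, now + k * STEP), code)
        for k in range(-window, window + 1)
    )


# Constructed user record. The TOTP secret is the RFC 6238 test key; the
# password, salt and hash are made up for this example.
SALT = b"constructed-fixed-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 200_000)


USER = {
    "password_hash": hash_password("correct horse battery staple"),
    "totp_secret": b"12345678901234567890",
}


def login(password: str, code: str, now: int) -> bool:
    """Both factors must pass: a phished password without the code fails."""
    password_ok = hmac.compare_digest(hash_password(password), USER["password_hash"])
    # Evaluate the second factor regardless, so timing does not reveal which
    # factor was wrong.
    code_ok = verify_totp(USER["totp_secret"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    current = totp(USER["totp_secret"], now)
    print("current code:", current)
    print("password + code:", login("correct horse battery staple", current, now))
    print("password only:", login("correct horse battery staple", "00000000", now))
```

The window parameter is the usual trade-off: accepting one step on either side absorbs a phone clock that is a few seconds off, while keeping the window small limits how long a code that was shoulder-surfed or phished in real time remains usable.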
Phishing can happen to anyone, whether through a mass email designed to cast a wide net and hope some schmuck takes the bait, or a targeted approach that exploits knowledge about a specific individual.
The best way to avoid phishing is through constant vigilance when it comes to any form of electronic communication. Keeping this up will ensure that your finances, identity, and communications are safe from the many malicious attackers out there!