What is Phishing?

So what is phishing? and why should you be bothered?

Phishing is the tactic used by hackers to get you to take a piece of bait. Once you take that tiny bit of bait, your open up your world to them. Next steps are generally raiding your online bank accounts, or encrypting all your data and holding you to ransom.

How does phishing work?

There are two main ways

Scenario 1

  1. The hacker sends you an email.
  2. The email is crafted to look like it has come from a legitimate company (let’s say, your bank)
  3. It contains a link that it wants you to click, and lots of urgent and really important statements about why you should click it (e.g. “Account suspension: in order to ensure your account is not deactivated click here and follow out instructions
  4. You click the link
  5. It takes you to a website which looks and feels like the real site (e.g. you bank) – but it’s not, it is owned by the hacker
  6. It presents you with a logon page
  7. You enter your user id, password, and potentially a whole bunch of other security related information.
  8. The website displays some kind of thank you message and asks you to log back in. The fake website then redirects you to the real website, where you can log in as normal, and everything appears as it should.

Step 7 is where the fraudster has captured your logon details. He is now free to log into your online banking and try to steal your money. Banks set up additional controls to mitigate this, such as delivering a one time passcode to your telephone, or using a card reader that you need to enter a number into. Hackers are really clever, and can still get around those controls in some cases. So save yourself the hassle and DON’T CLICK LINKS IN EMAILS!

Scenario 2

1. You receive an email that has an attachment (e.g. an invoice that needs paying, a speeding ticket, a court order, or something else worrying)
2. You open the attachment to find out what it is
3. Game over.

Game over? but all you did was open the attachment.

Well, sometimes that is all you need to do. These attachments contain malicious code which is designed to exploit weaknesses in your computer. Every bit of software has some kind of security flaw, and once you work out how to manipulate it, you can take over someone’s PC. I mean, literally remote control it from the other side of the world, or watch exactly what you are doing online at this very moment. Every mouse movement, every key stroke.

From this point, the hacker can take full advantage of your PC and your online life,

so, DON’T OPEN ATTACHMENTS IN EMAILS!

But my friends and family send me links and attachments?

OK, so it isn’t quite black and white, you really have to apply some logic to assess the risk, but stop and think.

  • Do you know the sender?
  • Are you expecting the email?
  • Where is the link taking you? Type the web address of your bank in manually, rather than clicking a spoofed link.
  • Does the email appear “URGENT!”
  • Does it have a strange subject?
  • Does it have legitimate contact details?
  • Is the email addressed “Dear Customer” or some other generic salutation?

 

Leave a Reply

Your email address will not be published. Required fields are marked *