To Click or Not to Click: That is the Question
We are in the second week of the 18th Cybersecurity Awareness Month, October 2021.
The National Cyber Security Alliance and the U.S. Department of Homeland Security (DHS) launched Cybersecurity Awareness Month in October 2004. This annual drive is intended to educate the public about the importance of being cyber safe and cyber secure. In the last 17 years it has spread across the world and has become a global movement.
Last week’s focus was on general cyber hygiene to keep our information safe: own your role in cybersecurity by creating strong passwords with multi-factor authentication, backing up data, and updating software. Do Your Part. Be Cyber Smart!
Week 2 is about Fighting the Phish! Why phishing and not other types of cyber-attack? Because phishing attacks and scams have flourished during the pandemic and account for more than 80% of reported security incidents worldwide. The human urge to know the latest updates on everything related to COVID-19 became a bait that attackers exploited. Cyber criminals take advantage of national and global crises by creating scams that prey upon the generosity and confusion of the public. These scams aren’t just online; they also arrive over the phone, through mailers, in person, via email, text, and much more.
One thing is certain when it comes to cybercrime: email is the most effective way for criminals to deliver malware or scams to an unsuspecting victim. Text-based threats are also rising as more people do more on mobile devices.
This Cybersecurity Awareness Week stresses being watchful of emails, text messages or chat messages you receive from an unknown sender or from someone you were not expecting. Be cautious, think before you click on any suspicious email, link or attachment, and report any suspicious emails, messages or chats to the appropriate authorities if you can.
What is Phishing? Although there are multiple security measures to safeguard data in networked computers, there is still a weakest link: you, me, human beings. As users we fall prey to one offer or another and give away our valuable data, which is then used against us. Phishing is an attempt to trick a user into revealing their personal information. It is a cybercrime.
Phishing works like fishing: a bait is used to catch a fish. A phisher uses a tempting bait in emails, links or attachments. The moment the user clicks, the phisher gains access to the user’s private information. Mostly, emails with links or attachments are used in phishing, but a new trend has started: calling the user, placing a bait and gathering the required information. Phishers are targeting banking customers to collect internet banking credentials, mobile numbers and OTPs to carry out fraudulent transactions.
What are the different types of phishing attacks? To fight phishers, one must be aware of the different phishing techniques.
- Phishing Email: Phishing emails are intended to appear to come from a genuine source, like the customer support of an online shopping company, an insurance company, a bank, a payment wallet or any familiar company. Phishers hide their presence in small details such as their website address, an email attachment or a link.
- Vishing: Vishing is short for voice phishing. It is a fraudulent practice of making phone calls or leaving voice messages claiming to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.
- Smishing: It is a combination of phishing and SMS. It is a cyberattack that uses misleading text messages to deceive victims. The aim is to make you believe that a message has arrived from a trusted person or organization, and then to convince you to take an action that gives the attacker usable information, such as bank account login credentials or access to your mobile device.
- Website Link Manipulation: The message includes a link that appears to point to a popular website but takes victims to a faked version of it. Its design and looks are just like the real one. Once you are on the homepage of this fake site, it prompts you to confirm or update your account credentials.
- Malvertising: Malicious advertising is the use of online, malicious advertisements to spread malware and compromise systems. Generally this occurs through the injection of unwanted or malicious code into ads.
- Spear Phishing: When a phisher crafts a message to trick a specific individual, that’s called spear phishing. Phishers research their targets using information on various sites and use spoofed addresses to send emails that could reasonably look like they’re coming from co-workers. For example, the spear phisher targets someone in the accounts department and pretends to be the victim’s manager requesting a large bank transfer on short notice.
- Whaling: Whale phishing, or whaling, is like spear phishing that aims at a very big fish, such as CEOs or company board members. The phisher has to gather enough information to trick a CEO or board member, which may take time, but it can have an astonishingly high payoff.
- Clone Phishing: It is a type of phishing attack where the phisher copies a genuine email message sent from a trusted organization. The phisher then alters the email by replacing or adding a link that redirects to a malicious or fake website.
How do I Fight the Phish? If you are even a little bit suspicious of a text message or email, do not click. Delete it immediately.
Action Tips:
- VERIFY TO CLARIFY: If you receive an email or text message requesting you to confirm or submit financial information, your login information, or any other sensitive personal information by clicking a link, DON’T. Immediately contact the organization (not via the contact information contained in the email) to verify the request. You can also visit the company’s legitimate website and log into your account to see if you have any messages or action items.
- WHEN IN DOUBT, THROW IT OUT: Links in email, tweets, texts, posts, social media messages and online advertising are an easy way for cyber criminals to get to you. Be CAUTIOUS about clicking on links or downloading anything that comes from a stranger or that you were not expecting. Essentially, don’t trust links.
- STRANGER DANGER: Remember what you learned about not accepting candy from strangers? Apply that to the online world as well. Do not click links in emails, text messages, chat boxes, etc. from people you do not know, and be suspicious of links sent from those you know as well.
- READ THE EMAIL OR TEXT CRITICALLY: Is the sender asking you to do something they wouldn’t normally ask you to do, such as bypass your company policy? Does it seem weird the credit card company is asking you to verify your credit card number or OTP? Are there misspelled words or unusual phrases? Is there a sense of urgency i.e. requesting you click now or act immediately? These are often context clues in the body of the email or text hinting that something is not right.
- UNSUBSCRIBE MIGHT SUBSCRIBE YOU TO A HACK: Sometimes the call to action in an email can trick you, such as “unsubscribe” or “reply to stop receiving these messages.” It is better to just delete the email or mark it as spam if it is spam.
Action Tricks:
- IN YOUR EMAIL ACCOUNT, CONFIGURE THE SETTINGS SO THEY DISPLAY THE SENDER’S EMAIL ADDRESS AND NOT JUST THEIR DISPLAY NAME: This will help you verify that the sender’s email address is legitimate (for instance [email protected] (correct) vs. [email protected] (incorrect)). Did you notice that one simple change from an o to a 0?
- PLUG-IN ASSISTANCE: There are some plug-ins you can use in your internet browser that will display a URL’s true path. You might consider enabling that security feature in your internet browser’s security settings.
- HOVER TO DISCOVER: You can put your cursor on top of the link (be careful not to click!). When you do that, the true path will appear. Does the destination of the link align with what you would think? If it doesn’t look legitimate, do not click. Immediately delete the email.
- WHAT ARE YOU HIDING? Often, hackers will use shortened URLs to make a malicious link appear safe to click. If you receive a short URL, there are free online tools into which you can paste the short URL to expose the true path. Be careful with this, though: you don’t want to accidentally click the URL. If you are afraid of copying and pasting, just delete the email or text message with the shortened URL and go to the company’s main site itself to access whatever deal or event you’re trying to reach.
- HAVE ANTI-MALWARE AND ANTIVIRUS INSTALLED ON ALL OF YOUR DEVICES: You can even install it on your phone. This will add an extra layer of protection, though it won’t replace you needing to be cautious and vigilant.
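The three checks above (show the real address behind the display name, spot the one-character lookalike domain, and compare a link’s visible text with its true destination, flagging shortened URLs) can be done in a few lines of code. The script below is an added example written for this post; it is not code from the original article or from Star Certification. The trusted-domain list, the sample message and the lookalike address in it are constructed for the demonstration; the shortener domains are real public services.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the domains the reader actually does business with.
TRUSTED_DOMAINS = {"example-bank.com", "example-shop.com"}

# Popular URL shorteners; a short link hides its destination, which is
# exactly what the "WHAT ARE YOU HIDING?" tip warns about.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Digit-for-letter swaps commonly used to build a lookalike domain (o -> 0, l -> 1, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Lower-case the domain and undo the common digit-for-letter substitutions."""
    return domain.lower().translate(HOMOGLYPHS)


def check_sender(from_header: str) -> dict:
    """Split 'Display Name <address>' and classify the address's domain."""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        verdict = "trusted"
    elif normalize_domain(domain) in TRUSTED_DOMAINS:
        verdict = "lookalike"  # same name as a trusted domain once the swapped digits are undone
    else:
        verdict = "unknown"
    return {"display_name": name, "address": addr, "domain": domain, "verdict": verdict}


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_links(html_body: str) -> list:
    """'HOVER TO DISCOVER' in code: compare each link's text with its true href."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        flags = []
        # Link text that looks like a URL or domain but does not match the real host.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and shown.group(1) != real_host:
            flags.append("text/href mismatch")
        if real_host in SHORTENER_DOMAINS:
            flags.append("shortened URL")
        if real_host not in TRUSTED_DOMAINS and normalize_domain(real_host) in TRUSTED_DOMAINS:
            flags.append("lookalike domain")
        findings.append({"text": text, "href": href, "host": real_host, "flags": flags})
    return findings


def analyze(raw_message: str) -> dict:
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    return {"sender": check_sender(msg["From"] or ""),
            "links": check_links(body.get_content() if body else "")}


# Constructed sample: the display name says the shop, the address spells it with a zero.
SAMPLE = """\
From: Example Shop Support <support@example-sh0p.com>
To: customer@example.net
Subject: Confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your login within 24 hours.</p>
<a href="https://example-sh0p.com/login">https://example-shop.com/login</a>
<a href="https://bit.ly/abc123">View statement</a>
<a href="https://example-shop.com/help">Help centre</a>
</body></html>
"""

if __name__ == "__main__":
    report = analyze(SAMPLE)
    print("Sender:", report["sender"])
    for link in report["links"]:
        print("Link:", link)
```

Run it as a script and it prints the sender verdict ("lookalike") and one line per link: the first link is flagged for both a text/href mismatch and a lookalike domain, the second for being a shortened URL, and the help-centre link is clean. The homoglyph table only covers digit substitutions; extend it (or add an edit-distance check) if the domains you care about are commonly misspelled in other ways.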
To Click or Not to Click: I am sure that you have the ANSWER now!
Star Certification, a leading open-source and vendor neutral certification body, is proud to provide educational resources to help inform, educate, and empower individuals and organizations everywhere to own their role in protecting their part of cyberspace.
You may explore Star Cyber Secure User (SCSU), a global awareness certification that will help you acquire a fundamental understanding of various computer and network security threats such as malware, viruses and backdoors, identity theft, phishing, scams, hacking attacks, credit card fraud, and social engineering, and protect your information assets in the constantly changing security environment.
Sources: Starcertification