Online Scams and Phishing Attacks

The Trusting User Vs Phishing Attacks


One of the issues we may face when browsing online is related to the element of trust. Can we really be sure that people are who they say they are?

Phishing attacks have surged with COVID-19 related scams. Cyber criminals are sending emails that encourage you to donate to a cause or claim to have found a ‘cure’ for the virus, tempting you to find out more. Ultimately, they are attempting to trick individuals into providing sensitive information such as credit card details and login credentials.

What exactly is a phishing attack?

The word phishing comes from the idea of trying to ‘fish’ information out of you. Think of it as a scam that can occur over telephone, text message or email. For the purpose of this blog, I will focus on email scenarios. They usually start with a hacker pretending to be a trusted entity (such as your bank) and sending you an email, which will also include an attachment or a link.

Scenario: An email from your ‘bank’ states that your account has been compromised and that you are required to log in to verify your identity. On top of this, a link is provided to log in and ‘change your password’.

What happens if I click on the link?

You could be taken to a fake page that imitates the legitimate website. You might think that this is the correct website, but in actual fact it is a malicious page created by the hacker.

A form is then provided which requires you to enter your old and new password. Upon entering these details, the hacker obtains this sensitive information (and, with it, potentially full control of your account on the real website).

Ways to respond if you’ve already clicked / submitted details

First of all, do not panic! There is a lot you can do to limit the harm done. I will discuss some of these techniques below:

Changing the password – As obvious as this sounds, if you’ve already provided sensitive information such as your password, the first thing you need to do is change it immediately. This could also force the hacker out of your account.

Contacting the organisation & reporting the crime – For instance, if you’ve been tricked into providing banking details, contact your bank and let them know. When contacting the legitimate organisation, it’s important to call them directly and not use the contact details that were provided in the email.

Notifying your contacts – We are all human and we all make mistakes. What is important is to learn from your mistake and try not to repeat it. At this point inform your contacts, friends or followers to help prevent them from potentially falling for the same scam and ultimately getting hacked.

Antivirus (AV) scan – If you have an AV, run a full scan. When you navigate to the malicious website, an attachment (such as a document or an executable file) could potentially be downloaded; it could also be included within the phishing email itself. It is important not to open or run such files. Antivirus software could help identify and remove the potential virus from your device. Do not worry if you’ve never heard of the term ‘antivirus’; I’ll explain more about this in one of my next blogs.

Main traits in phishing emails

Phishing Email Example

Email address [1] – It is important to identify the ‘From’ email address and verify that there are no odd alterations (such as added numbers or letters). In the example above, one can clearly see that there is no reference to an Apple email domain (I have only shown a snippet of the email). This is not a foolproof method, as there could be scenarios where organisations use unique or different domains to send an email. However, it still serves as a good indication.

Hover over the URL link [2] – Phishing emails will usually include a clickable link which might appear to be legitimate. When you hover over a link with your mouse, a small pop-up appears towards the bottom of your screen identifying where you will be redirected to. It is important to simply hover over and not click on the link. On a mobile device, hold down on the link until a pop-up appears which identifies the true location. As can be seen above, hovering over the ‘appleid’ link on my computer shows where you will be redirected to, towards the bottom left of the screen (I have only shown a snippet of the link). Once again, this makes no reference to an Apple website.

Sense of urgency [3] – By not allowing you to process what is happening, you are less likely to realise that something may be ‘off’, such as a misspelling or an incorrect logo. This could be done by stating that “your password is going to expire” or “your account is going to be deleted”.

In the phishing example above, notice how it warns you that you must verify your identity within 24 hours or your account will be disabled permanently. This urgent and threatening message will probably panic you into acting faster and making mistakes. The link within the email might also seem legitimate even though it won’t be. As already discussed, clicking on it is not the best of ideas.

Misspelled words in the URL link / email – Poor grammar and spelling are potential signs that an email is a scam. There are different opinions on why this might be the case. From the hacker’s perspective, sending out a bunch of malicious emails is the easy part; getting a response with sensitive information is the struggle. Therefore, it can be beneficial to send a badly drafted email on the basis that people who respond anyway are more likely to ignore these clues and be phished. This acts as a filtering system to target the most gullible. Whatever the view, any grammatical errors or spelling mistakes are possible indicators that this might be a phishing email.
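As an added illustration (not code from the original post), the following Python script checks a constructed phishing email for traits [1] to [3] the way a reader would by eye: the sender's domain, the difference between a link's visible text and its real destination (what hovering reveals), and urgency phrases. The brand domain `apple.com` is the assumed legitimate one; the sender and link hosts under `example.net` are placeholders I made up for the sample.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the Apple-themed message above (attacker hosts are example.net placeholders).
SAMPLE_EMAIL = """\
From: Apple Support <support@appleid-verify.example.net>
Content-Type: text/html

<p>We could not verify your identity. Verify within 24 hours or your
account will be disabled permanently.</p>
<p><a href="http://appleid.example.net/login">https://appleid.apple.com/</a></p>
"""

URGENCY = ("within 24 hours", "disabled permanently",
           "password is going to expire", "account is going to be deleted")

class LinkParser(HTMLParser):  # collects (href, visible text): what hovering reveals
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href is not None:
            self.links.append((self._href, data.strip()))
            self._href = None

def registered_domain(host):  # last two labels of a hostname: crude, but enough here
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw, claimed_domain):
    """Return human-readable warnings for traits [1] to [3] from the post."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0].domain                # trait [1]: From domain
    if registered_domain(sender) != claimed_domain:
        flags.append(f"sender domain {sender} is not {claimed_domain}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    parser = LinkParser()                                   # trait [2]: link text vs href
    parser.feed(body)
    for href, text in parser.links:
        dest = registered_domain(urlparse(href).hostname or "")
        if dest != claimed_domain:
            flags.append(f"link shows '{text}' but goes to {dest}")
    for phrase in URGENCY:                                  # trait [3]: urgency wording
        if phrase in body.lower():
            flags.append(f"urgency: '{phrase}'")
    return flags
```

Running `phishing_indicators(SAMPLE_EMAIL, "apple.com")` flags all three traits for the sample; a message whose sender and links really belong to the claimed domain and that contains no urgency phrases returns an empty list.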

If there is something else that you would like to discuss further, please feel free to reach out!

One Reply to “Online Scams and Phishing Attacks”

1. Very well done Kurt! Your site looks great and the phishing article is very interesting. I got a phishing email last week supposedly coming from Microsoft, but you could tell it was fake. It was poorly laid out and the address read @micr0soft.com.
   Well done again and keep it up! Lars
