Do you know? Sometimes we ourselves unknowingly hand over our account credentials to hackers.
It is popularly known as phishing. Fraudsters and cybercriminals send fake emails, a.k.a. baits, that look identical to the mails you get from employers, banks, insurance companies or your near and dear ones. They trick you into providing your username or password or both, with which they crack your account.
Here are ten ways hackers deploy phishing to steal your account details.
- Facebook phishing – Works by redirecting the victim to a fake page that resembles the Facebook login. Upon entry, the victim’s credentials are recorded by the hacker.
- Keylogging – A spyware program installed on the victim’s computer that records and relays all keystrokes back to the hacker’s server or system.
- Stealers – Stealing credentials from cookies left uncleared. Quitting websites without proper log outs can also lead to password and username stealing.
- Session Hijacking – Just like hijacking a plane, the hacker hijacks an insecure connection to gather information being exchanged.
- Sidejacking or Firesheep – Sidejacking is almost the same as session hijacking, the only difference being that it is more targeted towards users of insecure Wi-Fi.
- Mobile phone hacking – Apps from unknown sources, inherent security loopholes and user induced security weaknesses all lead to mobile phone hacking.
- USB hacking – USB devices or thumb drives carrying password and data extractor programs are inserted into unattended computers.
- Man In the Middle Attacks – The hacker silently listens to the data exchanged between server and client by placing himself between the two endpoints.
- Botnets – A collection of infected systems (or the malicious programs controlling them) that flood a server with HTTP requests, causing it to crash or compromising its security mechanisms.
- DNS Spoofing – Faking a website page and redirecting a user in the same network to the fake page to steal credentials.
How To Detect A Phishing Attack?
Detecting a phishing attack is easier said than done. A phishing quiz by Intel found that 97% of security experts fail at telling phishing mails from genuine ones. The struggle to distinguish a fake or phishing mail from a genuine one is real. And it is getting harder with every passing day, as hackers deploy advanced social engineering tactics that confuse users and convince them to part with sensitive information.
But there are certain characteristics you can observe to tell a phishing mail or website from the real one.
#1 A Misspelt Website
This is such a no-brainer, but we often fail to observe it. No genuine website will ever misspell its name. Even if there is a mistake, the domain will not work at all. A misspelt website can be guaranteed to be one that is set up for phishing.
Secondly, the URL could also be wrong, or a bogus one. Seeing the name of the website somewhere in the URL is simply not enough. You will also have to ensure that the URL begins with HTTPS (which is mostly seen when that website/webpage is secured with an SSL certificate, such as a Comodo SSL certificate). Anything else is probably fake and set up for phishing.
#2 Asks For Funds Transfer Or User Credentials
On December 12th 2017, Mount Pleasant – a major city in North Carolina – was hit by a phishing attack. It happened because an employee was tricked by a phishing mail into divulging sensitive information.
Thousands of such phishing attacks are launched on naive employees all around the world. These emails carry messages from their superiors, or are written as if by their superiors, asking to ‘immediately transfer’ a certain amount of money to a generic bank account. In some cases, the employees are asked to share the account details because the sender has supposedly lost them.
A wise way to dodge this threat is to ring up the sender directly and confirm whether such a mail asking for sensitive information was really sent.
#3 The Mail Carries Several Links
If you ever receive an email that carries several links, most of them without an ‘HTTPS’ prefix, be careful not to click them. Email is perhaps the most popular carrier of phishing attacks. Since nobody can go a day without checking their email, the spread and damage of phishing mails is also widespread.
If you receive the mail from a known person, cross-check that it is really from them by inspecting the sender’s email address. And if the email carries any URL, check whether it begins with HTTPS.
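The two checks from #1 and #3 (a misspelt or bogus domain, and links in a mail that lack HTTPS) can be automated. The script below is an added example, not part of the original article: it pulls every link out of a mail body, flags links that are not HTTPS, that only mention a known brand in a subdomain or path, or whose domain is an edit or two away from a domain you actually use. The allow-list and the sample mail are constructed for the demonstration; a missing HTTPS is treated as one signal among several, not as proof on its own.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the domains this reader genuinely does business with.
KNOWN_DOMAINS = {"facebook.com", "paypal.com", "example-bank.com"}


def registrable_domain(host: str) -> str:
    """Crude last-two-labels heuristic, good enough for .com-style names."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_url(url: str) -> list[str]:
    """Return the red flags for one URL; an empty list means nothing was flagged."""
    reasons = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        reasons.append("not https")
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        return reasons  # exact match on the real domain, only the scheme matters
    # Brand name present, but not as the registrable domain (facebook.com.evil.example)
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if brand in host or brand in parsed.path.lower():
            reasons.append(f"mentions {brand} but domain is {domain}")
    # Misspelt lookalike: the domain is a near-match for one we trust (faceb00k.com)
    close = difflib.get_close_matches(domain, KNOWN_DOMAINS, n=1, cutoff=0.8)
    if close:
        reasons.append(f"looks like {close[0]}")
    return reasons


class LinkExtractor(HTMLParser):
    """Collect every href from the <a> tags in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.append(href)


def audit_email_links(html_body: str) -> dict[str, list[str]]:
    """Map each flagged link in the mail to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return {u: r for u in parser.links if (r := check_url(u))}


# Constructed sample mail: two bait links and one genuine one.
SAMPLE_MAIL = """<p>Your account is locked. <a href="http://faceb00k.com/login">Log in</a>
to restore access, or <a href="https://facebook.com.evil.example/verify">verify</a> here.
Questions? <a href="https://facebook.com/help">Help Center</a></p>"""
```

Running `audit_email_links(SAMPLE_MAIL)` flags the two bait links and leaves the genuine Help Center link alone.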
#4 Skip Using Public Net
The lure of free Internet can be strong. But remember, it could lead you to losing all your data and your bank balance as well. Public Wi-Fi and other public networks are seldom secured. They are soft targets for hackers deploying sidejacking or Firesheep attacks.
It is exactly for this reason that security experts recommend not using public networks. Next time, skip the free Wi-Fi at the cafe, the metro station or anywhere else it could be unsafe.
#5 Install Anti-phishing Tools
There are tools available in the market, free and paid, that help prevent phishing attacks. The HTTPS Everywhere Chrome extension is one such tool; it automatically switches thousands of websites to encrypted mode. There are several such tools for Mozilla Firefox and other browsers that help you stay secure.
That brings us to the close of how to identify fake or phishing websites and how to protect yourself from them. While there are tools to help you, it is also advisable to take personal care not to share passwords, not to click on unsolicited mails and never to visit doubtful-looking websites. As the old adage goes, a stitch in time saves nine. Save yourself the trouble of being locked out of your data by putting these safety mechanisms in place.