Hi there! So you would like to know more about phishing e-mail attacks, in other words fake e-mails? You are in the right place.
We at Well Home Loans are all about educating our customers: whether it is financial topics, mortgage terminology or Internet security, we are dedicated to informing our customers and adding value to the community.
What are Phishing Attacks?
Phishing attacks, in simple words, are e-mails targeted at individuals in order to gain access to their personal information. The information the attackers might be after can be usernames, passwords, or personal details such as date of birth, address and so on.
The most common method attackers use is to impersonate an actual legal body or company and either refer the victims to a fake website or, even worse, make them install malware on their computer.
Why can’t your Antivirus/Antimalware software alone protect you?
E-mail is one of the oldest Internet protocols out there, and some of the weaknesses available to cybercriminals are related to its age. It wasn’t designed with security in mind; however, the software we have today in both e-mail servers and clients is smart enough to filter out most maliciously intended messages.
Although we have these sophisticated security solutions in place, it’s not so easy to filter out phishing e-mails. One reason is that phishing e-mails can blend in with legitimate, benign e-mails due to the nature of how they work. They don’t carry a malicious payload that can be directly scanned by security software. Instead, they either embed the malicious payload in a regular attachment such as a document file, or they ask the victim to click a link that triggers the download of malware.
Don’t get me wrong, I fully advocate that everybody use an antimalware solution, especially one that scans your mailbox for phishing and other types of malicious e-mail. However, being an educated user is the most important aspect of keeping yourself safe from ‘social engineering’ attacks. That is why large organizations train their employees on a regular basis to protect their IT assets: they don’t trust their expensive security software alone when it comes to social engineering attacks, and neither should you.
What are some telltale signs of a Phishing E-mail?
Attackers don’t have to adhere to a certain structure; however, there are some common points you can check to see whether an e-mail was sent from a legitimate source.
- Sender Address: Always check the ‘From’ field of an e-mail. Although this can be spoofed, you might be able to catch some phishing e-mails just by evaluating the domain name (the part that comes after the @ sign) of the sender address.
- Spelling: The messages may contain spelling and/or grammar mistakes. This is due to them being generated by automated software rather than written by a person.
- Call to Action: It is common for these messages to invite the recipient to take some sort of action. This might be paying your bill, viewing your invoice, updating your password or something similar that creates a sense of urgency, aiming to get past the scepticism you might have about the content in front of you.
- Threats: The messages may contain a threat implying negative effects if you fail to comply with their call to action. The threat can be anything from account suspension to penalty fines and can vary depending on the type of message you have been sent.
- Hyperlinks: Hyperlink is the technical term for a piece of text with an action bound to it that takes you to a web page when clicked.
Most e-mail clients allow you to view the link target when you hover over the text.
It is best to analyse the linked URL to see:
- Whether the domain name matches the real domain name of the institution they claim to be. Be very careful, because attackers usually try to register a domain name that looks very close to the real one.
- Whether the link starts with ‘https://’. If you have been sent a request for something that requires privacy and security, that web page should be SSL encrypted and therefore should start with ‘https://’.
- However, having HTTPS alone is not enough to establish the authenticity of a website. Make sure the SSL certificate states the institution’s correct legal name. Certificate Authorities conduct a series of identification checks before issuing such SSL certificates, so an attacker can’t obtain one to use on their fake website.
- Attachments: Be careful about attachments. Companies and institutions will almost never send you private information such as invoices as a direct e-mail attachment. This would be a huge risk for them, because they would be trusting a party other than themselves to secure their data and, in practice, their customers’ data.
Common practice is to take you to their website and allow you to view the document once you authenticate, in other words prove your identity. Keep in mind that this is also how attackers might get access to your username and password, so it’s very important that you visually analyse the website they referred you to.
- Check its address and SSL certificate for authenticity. As a rule of thumb, do not trust any attachment you receive that claims to contain private information, especially executable files. Lately, cybercriminals have been able to inject malicious code inside regular Microsoft Office documents and PDF files, so you are never 100% safe unless you really trust the sender.
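To make the hyperlink checks above concrete, here is an added example (not code from the original article or from Well Home Loans) that scans the links in an e-mail body and flags the warning signs discussed: a target that does not use https, a domain that is not the institution’s real domain (including look-alike domains that merely contain the real name), and a link whose visible URL differs from its actual target. The trusted domain, the sample e-mail body and the IP address in it are constructed for illustration.

```python
# Added example (not from the original article): apply the hyperlink checks above to an e-mail body.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED_DOMAINS = {"example-lender.com.au"}  # constructed placeholder for the institution's real domain

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True for a trusted domain or a real subdomain; a look-alike that merely starts with it is rejected."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def check_links(html):
    """Return (href, visible text, reasons) for every link that fails one of the checks."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url, reasons = urlparse(href), []
        host = (url.hostname or "").lower()
        if url.scheme.lower() != "https":  # the link should start with https://
            reasons.append("not https")
        if not host_is_trusted(host):  # the domain must be the institution's real one
            reasons.append("untrusted domain")
        shown = re.search(r"https?://([^/\s]+)", text)  # hover check: URL shown vs. real target
        if shown and shown.group(1).lower() != host:
            reasons.append("displayed URL differs from link target")
        if reasons:
            findings.append((href, text, reasons))
    return findings
# Constructed sample e-mail body: one genuine link followed by two phishing-style links.
SAMPLE_EMAIL = (
    '<p>Your statement is ready: <a href="https://www.example-lender.com.au/statements">View statement</a></p>'
    '<p><a href="https://example-lender.com.au.verify.example/login">https://www.example-lender.com.au/login</a></p>'
    '<p><a href="http://203.0.113.5/invoice.pdf">Download your invoice</a></p>'
)
```

Running `check_links(SAMPLE_EMAIL)` reports only the second and third links; the first passes every check because `www.example-lender.com.au` is a genuine subdomain of the trusted domain.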
What further actions can you take to protect yourself from phishing attacks?
Unfortunately, there is no end-all, be-all solution to protect yourself from cybercriminals. They will always come up with new strategies, and we as online service providers and you as an online service consumer will always have to keep ourselves as up to date as possible in terms of knowledge.
However, there are dedicated Australian government websites that are regularly updated to inform Australians about such attacks and security outbreaks in various types of technologies. You may also join their e-mail alert lists to receive weekly digests and urgent notifications when a new attack type is detected.
ScamWatch – https://www.scamwatch.gov.au
Backed by the Australian Competition and Consumer Commission (ACCC), this website’s goal is to educate Australian businesses and consumers about scammers and provide guidance on securing themselves against such scams. Make sure you subscribe to their e-mail alerts to receive regular updates and stay ahead of the hackers.
Stay Smart Online – https://www.staysmartonline.gov.au
The Stay Smart Online program is similar to ScamWatch; however, it covers a broader range of attacks. On top of scammers, Stay Smart Online also sends you notifications on various types of IT security exploits that have been discovered. It is managed by the Cyber Crime and Security Branch of the Attorney-General’s Department and provides valuable information to Australians on digital security.
Here is a summary of the actions you should take in order to improve your chances against malicious e-mails:
1 – Have a reliable antimalware solution that receives regular updates and provides protection against phishing e-mails.
2 – Learn the common telltale signs of scam e-mails, so you are better prepared to identify them yourself.
3 – Subscribe to e-mail alert lists that provide up-to-date and reliable information on recent attack types and forms, so you are on alert for them.
It all comes down to experience and knowledge
Hopefully, after reading this article, you are now better informed about the evil minds behind phishing attacks, which are designed to get past our software security mechanisms and target our human nature via something security experts call ‘social engineering’.
As I’ve mentioned before, what you should aim for is to develop a sceptical mindset and an intuition for detecting malicious communication you may receive. How you build this depends on your knowledge and understanding of the Internet and the digital world in general: the more you know, the better prepared you are.