Everything you Need to Know about Phishing
Considering we now spend more and more time online, it’s only natural that we’ve digitised almost every aspect of our daily lives. But in doing so, we may have opened ourselves up to a new and dangerous form of attack.
Ever since we began using the internet, we have faced the risk of malicious activity. Fortunately, we’ve developed powerful tools to combat cyber-attacks and advanced email security services. Sophisticated anti-virus and firewall software is continually developed and improved to ensure that it is becoming more difficult for malicious entities to compromise private and public computer systems. But there is one form of attack that is difficult to spot – the technique known as ‘phishing’.
What is phishing?
Phishing can be used to steal data and otherwise compromise a system by exploiting the weakest element in that system; the user. It is known as a ‘social engineering’ attack and relies on the susceptibility of an end-user to compromise their security or that of their organisation. Rather than investing time and resources in traditional hacking, it is far more effective to gain access to a system through the activity or access privileges of an authorised user.
Predominantly, phishing occurs when an authorised user is tricked or coerced into opening an infected file or is duped into entering their security information into a form or web page disguised to look like it’s from a legitimate entity. Once the security information has been captured it can be used to compromise a system or may be sold to a third party.
Email is one of the most predominant avenues through which phishing scams operate. Scam emails, designed to appear as if they are from banks, financial services or other businesses, are mass-distributed in order to target as many people as possible. These phishing emails will often suggest that a user’s security information needs to be updated or that there is an issue with their account that requires immediate login. Links within the email will then direct a user to a fake page designed to capture their information. Alternatively, the email may direct the user to the real website but use malicious script to capture their information.
What is ‘spear phishing’?
Email phishing scams cast a wide net by targeting huge numbers of people, relying on the pure weight of numbers to guarantee success. Spear phishing, by comparison, is highly targeted to a specific person or business. An attacker may research employees of a specific business, requesting that they log into a spoofed (false) version of a familiar internal site or shared area. This login information is then captured, giving the attacker access to secure parts of the organisation’s network.
Why is phishing dangerous?
Phishing is dangerous because it is able to bypass many of our other ways of protecting against malicious attacks by tricking users into providing their information freely by deception. Like all cyber-attacks, it is able to cause huge financial damage to both individuals and businesses.
One of the key tools in the fight against phishing is two-factor authentication or 2FA. 2FA requires all logins to a system to be confirmed by an additional layer of verification, usually via a separate authentication app on a smartphone or via text message. These are much harder to compromise as they require a separate device that an attacker would not have access to.
There are two ways to protect against phishing. One is technological, the other is educational. By adhering to strict password management policies, we can reduce the impact of attacks. Perhaps most important of all, we must train ourselves to recognise the techniques used by phishing attacks so that we are much less likely to be compromised in the first place.