Why Phishing Attacks are So Dangerous

There are various factors that contribute to the risks associated with phishing attacks. One of the biggest is the very low barrier to entry: a phishing scam demands almost no technical skill of the person conducting it.

Picture a hacker for a moment. What do you see?

If you’re anything like the average user, your mind jumps to the imagery that pop culture has cultivated. A dark room, awash in a pale blue-white glow from an array of monitors, with someone hunched over a keyboard, fingers elegantly typing with the confidence of a concert pianist. While this picture has long been accepted by audiences as the way that a hacker looks, it is largely a fabrication.

A lot of real-life hacking has pivoted to rely on psychology more than on computer science and programming. Instead of manipulating code, a hacker focuses on manipulating the user. Why pick a lock if you can fool someone into handing over their keys?

Unfortunately, phishing attacks are as effective as they are simple. Most users just don’t know what to look for to tell a legitimate email or website from a fraudulent one. Most aren’t even anticipating that they’ll be targeted at all.

As a result, the scenario plays out like this: a hacker sends out an email that looks as though it is from a popular bank. To the untrained eye, it seems to be legitimate, and it may have even fooled the filters the user has set up to organize their emails. This is precisely how phishing attacks work—by getting the user to believe that the email is legitimate and having them play right into the attacker’s hands as a result.

Whether a phishing email links to a malicious website or carries a malicious attachment, it is not to be taken lightly.

How to Spot a Phishing Attempt

While we aren’t trying to inspire paranoia, any email you receive could be a phishing email, which means you need to evaluate each one before acting on it. Make sure you follow the next few steps to prevent yourself from being taken advantage of.

Check the tone. Is the email you’ve received trying to elicit an extreme emotion from you? Is it blatantly urgent, asking for information about an account of yours without any reason to, or simply making a truly unbelievable offer? Attackers deliberately shape their phishing messages to provoke an emotional response, because a rushed reader doesn’t check details. Stay rational.

Check any links before clicking. It is startling how much trust people will put in a link. The visible text of a link can say anything at all; the real destination is the address underneath it, which you can see by hovering over the link (or long-pressing it on a phone). Attackers have numerous ways to disguise that destination, and many of the tricks leave telltale signs, although you need to know what to look for. Let’s consider PayPal for a moment.

A legitimate PayPal link would direct to paypal-dot-com. The part of the address that decides where you actually end up is the host name: the text between “https://” and the first forward slash (/). For the link to be PayPal’s, “paypal” immediately followed by “dot-com” must be the very end of that host name. Add anything between “paypal” and “dot-com”, or anything after “dot-com” and before the first slash, and the link goes to a completely different site, no matter how many times “paypal” appears in it. Keep in mind, too, that attackers register look-alike names of their own (“paypal-secure” dot com, “paypa1” dot com with a digit one), which pass the dot test, so read the whole host name character by character.

Here’s a brief list of safe examples, and some unsafe and suspicious examples:

  • paypal.com - Safe
  • paypal.com/activatecard - Safe
  • business.paypal.com - Safe
  • business.paypal.com/retail - Safe
  • paypal.com.activatecard.net - Suspicious! (See the dot immediately after “paypal.com”? The host name ends in activatecard.net, so that is where the link goes.)
  • paypal.com.activatecard.net/secure - Suspicious! (Same trick; the “/secure” path doesn’t change the host.)
  • paypal.com/activatecard/tinyurl.com/retail - Suspicious! (The host is paypal.com, so the link does land there, but a legitimate site’s address that carries another domain name after the first slash is a sign of a redirect page being used to bounce you somewhere else. Treat any other domain after the host as a red flag.)

Check the sender’s address in the header. The top of the email shows who it was sent from, which can give you a few hints as to how legitimate the email is. Be aware that the name displayed there is chosen freely by the sender; what counts is the actual address, and in particular the domain after the “@”, so expand or click the sender to see it in full. Think about it: it isn’t likely that PayPal’s email address would be paypal@gmail-dot-com, is it? Just to be safe, do a quick online search for any addresses you’re unsure about.
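The link rules and the sender check above can be written down as code. The following is an added example, not code from SRS Networks or from any mail product; it assumes paypal.com as the expected domain, uses only Python’s standard urllib.parse and email.utils, and every sample link and From: header in it is constructed for the demonstration. It goes one step beyond the list above in two ways: it also catches the “user@host” trick, where “paypal.com” sits before an “@” and is merely a user name, and it separates a From: header’s display name (which the sender chooses freely) from the actual address.

```python
"""Link and sender checks for a phishing email, written as small functions.

Added example, not code from SRS Networks.  The expected domain
(paypal.com), the sample links and the sample From: headers are all
constructed for the demonstration.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Coarse pattern for "something.tld" inside a path or query string.
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a host: 'business.paypal.com' -> 'paypal.com'.

    Assumption: two labels identify the owner, which holds for .com/.net.
    Production code should use the Public Suffix List so that
    'example.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_host(url: str) -> str:
    """The host a link really goes to: the text after 'scheme://' and before
    the first '/', with any 'user@' prefix and ':port' removed.
    A bare 'paypal.com/...' is treated as if it had a scheme."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def foreign_domains_in_path(url: str, expected: str) -> list[str]:
    """Other domains mentioned after the first slash.  They do not change the
    host, but a legitimate site's redirect page can bounce you to them, so
    they deserve a second look.  Heuristic only: 'report.pdf' also matches."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    tail = parts.path + "?" + parts.query
    found = {m.lower() for m in DOMAIN_RE.findall(tail)}
    return sorted(d for d in found if registrable_domain(d) != expected)


def classify_link(url: str, expected: str = "paypal.com") -> str:
    """Return 'ok' or a 'suspicious: ...' reason for a link."""
    host = link_host(url)
    if not host:
        return "suspicious: no host name in link"
    if registrable_domain(host) != expected:
        return f"suspicious: goes to {host}, not {expected}"
    foreign = foreign_domains_in_path(url, expected)
    if foreign:
        return f"suspicious: on {expected} but path mentions {', '.join(foreign)}"
    return "ok"


def classify_sender(from_header: str, expected: str = "paypal.com") -> str:
    """Judge a From: header by its address, never by its display name.
    Only the part after '@' says which domain the mail claims to come from."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if registrable_domain(domain) != expected:
        shown = name or addr
        return f"suspicious: shown as {shown!r}, sent from {domain or '(no address)'}"
    return "ok"


if __name__ == "__main__":
    # Constructed sample links, including the ones listed above.
    for link in [
        "paypal.com/activatecard",
        "business.paypal.com/retail",
        "paypal.com.activatecard.net/secure",
        "https://paypal.com@login-check.example/secure",  # 'paypal.com' is a user name here
        "paypal.com/activatecard/tinyurl.com/retail",
    ]:
        print(f"{link:48} {classify_link(link)}")
    # Constructed sample From: headers (the last one spoofs the display name).
    for hdr in [
        "service@paypal.com",
        "PayPal <paypal@gmail.com>",
        '"service@paypal.com" <alerts@mail-paypal-secure.net>',
    ]:
        print(f"{hdr:48} {classify_sender(hdr)}")
```

Run it as a script to see each sample classified. Two caveats: the From: address itself can be forged, so this catches lazy spoofs, while the receiving mail server’s SPF, DKIM and DMARC checks are what actually verify the sender; and the two-label rule in registrable_domain is an assumption that breaks on suffixes such as .co.uk, which real tools handle by consulting the Public Suffix List.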

Check any attachments. Or, more accurately, ask yourself if there should be an attachment in the email, or any links, for that matter. It is very common for email-based threats to come in as an infected attachment, or as a link to a website that automatically installs whatever the attackers want. Don’t click it if you can help it.

Check password alerts for legitimacy. One common use for phishing emails is to steal a user’s credentials. Posing as a password alert, the email provides a link for the user to reset their password; the link leads to a fake reset page, and whatever the user types there goes straight to the attacker. Navigate to the account yourself, by typing the address or using a bookmark, rather than using the link, just to be safe.

If this makes it sound like you can’t really trust any of the emails you receive, it’s because you can’t, to a point. For email (and any other form of communication, for that matter) to remain useful to businesses, it must be used securely. A good spam-blocker doesn’t hurt, either.

Our IT professionals have considerable experience in attending to your business’ security, including that of your emails. To learn more about what we have to offer, give SRS Networks a call at 831-758-3636.
