NEWS | Oct. 13, 2021

Cybersecurity Awareness Month: gone phishing

By Staff Sgt. Cryston Williams 422nd Communications Squadron

The digital world has become an important part of our lives. We pay bills, we stay connected with our friends and family, we shop.

All of this adds up to vast amounts of data moving around the internet, leaving our personal and financial information vulnerable to cybercrimes.

Now in its 18th year, Cybersecurity Awareness Month — previously known as National Cybersecurity Awareness Month — continues to raise awareness about the importance of cybersecurity across our nation, ensuring that all Americans have the resources they need to be safer and more secure online.

Phishing is an example of a highly effective form of cybercrime that enables criminals to deceive users and steal important data (Alkhalil, Z. (2021). The purpose of this article is to expose the reader to the many different forms of phishing and how to better protect yourself from these attacks.

Phishers conduct their attacks by using psychological manipulation to scare or trick individuals into disclosing personal information. Much like the wide variety of predators lurking in the ocean, Phishing attacks come in many forms. We will be sticking with the more common exploits people will see such as phishing E-mails, spoofed websites, phone phishing/smishing, and social media attacks.

Email Phishing
The phishing emails are the most common of the listed attacks and follow the basic formula listed below:

1. The phisher sets up a fraudulent email containing a link or an attachment (planning phase).

2. The phisher executes the attack by sending a phishing email to the potential victim using an appropriate medium (attack conducting phase).

3. The link (if clicked) directs the user to a fraudulent website, or to download malware in case of clicking the attachment (interaction phase).

4. The malicious website prompts users to provide confidential information or credentials, which are then collected by the attacker and used for fraudulent activities. (Valuables acquisition phase). (Alkhalil, Z. (2021)

A good example is the email phishing attack that happened to Sony employees on Nov. 24, 2014. These hackers posed as Sony employees and sent out a malicious link. This link was then passed around the company enabling the hackers to make off with hundreds of terabytes of company data, including movie files, financial records, and even customer data.

Website spoofing
Website spoofing can be as simple as the following: pay.pal.com/us/home versus the actual website paypal.com/us/home.

Did you catch the difference? Another difference to look for is the secure connection status, HTTPS vs the unsecured HTTP, next to the URL. These minuscule changes are what make it so easy to make mistakes, especially when we’re in a hurry. The longer users interact with the website, the more susceptible they become to disclosing personal data. 

Two easy rules to for detecting phishing are to ask yourself: “Did this try to get me to do something I wouldn’t normally do based on an emotional response?” and “Is this too good to be true?” If they are, use a different method to verify they are legitimate messages.

Phone games
The last form of phishing, sometimes called Smishing, uses spoofed messages on your cell phone. This type of attack via messaging has become more prevalent, especially since COVID-19.

Users are receiving convincing alert messages from their banks, healthcare providers and even shopping vendors which ask the victim to input their login credentials. Sometimes these links can also steal contact information, allowing the attacker to find further victims. 

What can we do
Phishing is something that will continue to happen as we become more reliant on technology. However, we can do our best to identify them and not fall for these sorts of attacks. The first thing is to be skeptical of unsolicited links.

A little skepticism goes a long way when it comes to unknown links. If it looks funny, ask questions and, especially if you are at work, report it.

The next step is to have good antivirus which is up-to-date so you’ll have some backup, just in case you click that link that was sent to you via text or email. The antivirus software will help identify and stop malicious activity.

The last thing we can do is use an anti-phishing toolbar extension. That’s an extension of antivirus that actively looks for phishing-specific content and weeds it out.

Phishing remains one of the major threats to individual data today. Remember, phishing plays on our emotions and inattention so, don’t get sucked into the hackers’ trap. Keep calm and be skeptical.

References
Alkhalil, Z. (2021). Phishing Attacks: A Recent Comprehensive Study and a New Anatomy. Frontiers. https://www.frontiersin.org/articles/10.3389/fcomp.2021.563060/full#B98