What is phishing? How to prevent Phishing attacks effectively
Phishing is a widespread form of cyberattack that harms individuals, organizations and businesses alike. This article explains what a phishing attack is and how to recognize and defend against phishing carried out through fake emails and fake websites.
1. What is Phishing?
Phishing is a type of cyberattack in which the attacker impersonates a trusted organization to trick users into handing over personal information.
Typically the attacker poses as a bank, an online shopping site, an e-wallet or a credit card company and lures the victim into disclosing sensitive data such as usernames and passwords, transaction PINs, credit card numbers and other valuable information.
The attack is usually delivered by email or SMS. A user who opens the message and clicks the fraudulent link is taken to a page that asks them to log in; once the victim "takes the bait", the attacker receives the credentials immediately.
The technique was first described in 1987. The word "phishing" combines "fishing" (for information) with "phreaking", the older practice of hacking telephone systems; the "ph" spelling was borrowed from phreaking, and the name stuck because the attacker is angling for user information.
2. Phishing attack methods
Attackers use many techniques to carry out a phishing attack.
2.1 Fake email
One of the most basic phishing techniques is email spoofing. The attacker sends email in the name of a reputable company or organization, enticing the recipient to click a link to a fake website and "take the bait".
The fake emails closely resemble the genuine ones and differ only in small details, so many users are confused and fall victim to the attack.
To make the email look as authentic as possible, the attacker "disguises" it with several elements:
Insert the organization's official logo to increase credibility
Design pop-up windows that are identical to the originals (same colors, fonts, and so on)
Use link masking: the visible link text shows the legitimate domain (for example jayki.com.vn) while the underlying href points to a different site
Use the organization's brand imagery in the fake email to increase credibility.
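The link-masking trick above is mechanical, so it can be checked mechanically: an HTML email's anchor has a visible text and an href, and when the text itself looks like a URL or domain, its host should match the host the href actually goes to. The following is an added example, not code from the original article; it uses only the Python standard library, and the sample body (with login.example.net standing in for the attacker's host) is constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # text inside an open <a>, nested tags included
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that looks like a URL or bare domain, e.g. "https://jayki.com.vn/x" or "www.jayki.com.vn".
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def host_of(url_or_domain: str) -> str:
    """Lower-cased hostname of a URL or bare domain; '' if there is none."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return (urlparse(url_or_domain).hostname or "").lower()


def masked_links(html: str) -> list[dict]:
    """Return every link whose visible text names one host but whose href goes to another."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not DOMAIN_LIKE.match(text):
            continue                          # caption-style text: nothing to compare against
        shown, actual = host_of(text), host_of(href)
        same_site = actual == shown or actual.endswith("." + shown)
        if not same_site:
            findings.append({"shown": shown, "href": href, "actual": actual})
    return findings


# Constructed sample body; login.example.net stands in for the attacker's host.
SAMPLE_HTML = """
<p>Dear customer, please confirm your details:</p>
<p><a href="http://login.example.net/verify"><b>https://jayki.com.vn/account</b></a></p>
<p><a href="https://www.jayki.com.vn/help">www.jayki.com.vn</a></p>
<p><a href="http://login.example.net/verify">Verify your account</a></p>
"""

if __name__ == "__main__":
    for f in masked_links(SAMPLE_HTML):
        print(f"masked link: shows {f['shown']} but goes to {f['actual']} ({f['href']})")
```

Only the first link is reported: its text claims jayki.com.vn but the href leads to login.example.net. The second is consistent, and the third ("Verify your account") is skipped because a caption tells the check nothing about where the user expects to land; links like that need to be judged by the href alone, for instance with the lookalike-domain check in the next section.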
2.2 Fake the Website
In essence, the phishing website in a phishing attack is just a fake landing page, not a copy of the entire site. The fake page is usually a login page built to steal the victim's credentials. Website spoofing has the following characteristics:
Designed to be 99% identical to the original website
The URL differs from the real one by only a character or two, or wraps the real brand name inside a longer domain. For example: reddit.com (real) vs redit.com (fake); google.com vs gugle.com; microsoft.com vs mircosoft.com or verify-microsoft.com.
There is always a message (a call to action) urging the user to enter personal information into the page.
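The two URL tricks listed above (a one- or two-character near miss, and a real brand name embedded in an unrelated domain) can both be caught against a list of brands you care about. The following is an added example, not code from the original article; the brand list is constructed for the example, and the check assumes single-label top-level domains such as .com (suffixes like .co.uk would need a public suffix list).

```python
# Brands to watch and their legitimate registrable domains (a constructed list for this example).
BRANDS = {"reddit": "reddit.com", "google": "google.com", "microsoft": "microsoft.com"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions and swaps of
    two adjacent characters each cost 1, so "mircosoft" is 1 edit away from "microsoft"."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[-1][-1]


def classify_host(host: str):
    """Return None for a genuine brand domain (or a host that resembles no brand),
    ("lookalike", brand) for a near-miss label such as gugle, or
    ("brand-embedded", brand) when the brand name sits inside an unrelated domain
    such as verify-microsoft.com."""
    host = host.lower().rstrip(".")
    for legit in BRANDS.values():
        if host == legit or host.endswith("." + legit):
            return None                       # the real domain or one of its subdomains
    labels = host.split(".")[:-1]             # drop the TLD; assumes a single-label TLD such as .com
    for label in labels:
        for brand in BRANDS:
            if brand in label:
                return ("brand-embedded", brand)
            max_edits = 1 if len(brand) < 6 else 2   # allow two edits only for longer names
            if osa_distance(label, brand) <= max_edits:
                return ("lookalike", brand)
    return None


if __name__ == "__main__":
    for h in ["reddit.com", "redit.com", "gugle.com", "mircosoft.com",
              "verify-microsoft.com", "accounts.google.com", "example.org"]:
        print(f"{h:24} -> {classify_host(h)}")
```

The threshold is deliberately loose (gugle is two edits from google), so expect some false positives on short, common words; in practice this check is a triage signal that feeds a block list or a warning, not an automatic verdict.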
2.3 Pass the Phishing filters
Email providers such as Google and Microsoft run spam and phishing filters to protect their users. Many of these filters rely heavily on inspecting the text of a message for signs of phishing. Knowing this, attackers have adapted their campaigns: they deliver the fraudulent message as an image or a video instead of text, so there is little or nothing for a text-based filter to read. Users should be especially wary of messages whose content consists mostly of images.
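A message that carries its whole pitch in an image leaves a measurable trace: almost no readable text, an inline image, and often the image itself is the click target. The following is an added example, not code from the original article, showing how to measure that on a raw message with the Python standard library; both sample messages (and the placeholder image bytes) are constructed for the example, and login.example.net stands in for the attacker's host.

```python
import email
import re
from email import policy
from email.message import EmailMessage

TAG_RE = re.compile(r"<[^>]+>")
IMG_LINK_RE = re.compile(r"<a\b[^>]*>\s*<img\b", re.I)   # an image that is itself the link


def analyse_message(raw: str) -> dict:
    """Score a raw RFC 5322 message: how much readable text it carries versus
    how much of it is image, and whether an image is the click target."""
    msg = email.message_from_string(raw, policy=policy.default)
    text_words = image_parts = image_links = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text_words += len(part.get_content().split())
        elif ctype == "text/html":
            html = part.get_content()
            text_words += len(TAG_RE.sub(" ", html).split())   # words left once tags are removed
            image_links += len(IMG_LINK_RE.findall(html))
        elif part.get_content_maintype() == "image":
            image_parts += 1
    suspicious = image_parts > 0 and image_links > 0 and text_words < 10
    return {"text_words": text_words, "image_parts": image_parts,
            "image_links": image_links, "suspicious": suspicious}


def build_image_lure() -> str:
    """Constructed sample: the whole message is one clickable image with no text to filter."""
    msg = EmailMessage()
    msg["From"] = "Support <support@example.net>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Action required"
    msg.set_content('<html><body><a href="http://login.example.net/">'
                    '<img src="cid:lure"></a></body></html>', subtype="html")
    png_placeholder = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32   # not a real image, just bytes to attach
    msg.add_related(png_placeholder, "image", "png", cid="<lure>")
    return msg.as_string()


def build_plain_notice() -> str:
    """Constructed sample of an ordinary text message, for comparison."""
    msg = EmailMessage()
    msg["From"] = "Billing <billing@example.com>"
    msg["To"] = "customer@example.com"
    msg["Subject"] = "Your March statement"
    msg.set_content("Hello,\n\nYour March statement is now available in your account.\n"
                    "Log in from the address bar as usual to view it.\n\nBilling team")
    return msg.as_string()


if __name__ == "__main__":
    print("lure  :", analyse_message(build_image_lure()))
    print("notice:", analyse_message(build_plain_notice()))
```

The lure scores zero words, one image part and one image-as-link, and is flagged; the plain notice is not. The word threshold is a heuristic: legitimate marketing mail is also image-heavy, so in a real filter this signal should raise the score of a message rather than block it outright, and it says nothing about what the image shows (that needs OCR).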
3. How to prevent Phishing
3.1 For individuals
To avoid being scammed by a phishing attack that harvests your personal data and sensitive information, keep the following in mind:
Be wary of any email that prompts you to enter sensitive information. However appealing the offer, examine it carefully. For example: you have just shopped online and suddenly receive an email from "the bank" offering a refund if you just enter the card details you used to pay. Would you believe it?
Do not click any link sent by email unless you are 100% sure where it leads.
Never send confidential information by email.
Do not respond to fraudulent messages. Scammers often include a phone number for you to call "on business". They use Voice over IP (VoIP) services, which make the caller's real identity and location hard to trace.
Use a firewall and antivirus software, and always keep them updated to the latest version.
3.2 For organizations and businesses
Train employees to raise their awareness of safe internet use. Hold training sessions and simulated phishing drills regularly.
Use a business email service such as Google Workspace (formerly G Suite) on your own domain rather than free Gmail accounts: a company domain can be protected with sender authentication (SPF, DKIM and DMARC), whereas anyone can register a free address that looks like yours.
Deploy a spam filter to block spam and phishing email.
Keep software and applications up to date to close security holes an attacker could exploit.
Proactively protect sensitive and important information. See also: information security solutions for businesses.
4. How to identify a phishing email
Here are some common phrases that indicate an email or message is a scam:
"Verify your account" - Legitimate websites will never ask you to send your password, username or any other personal information by email.
"If you do not respond within 48 hours, your account will be deactivated." - This message manufactures urgency so that you respond immediately without thinking.
"Dear Valued Customer." - Phishing emails are sent in bulk and usually do not contain your first and last name.
"Click the link below to access your account." - HTML messages may contain links or forms you can fill in just as if the form were on a website. Such links may contain all or part of a real company's name and are often "masked", meaning the link you see does not take you to the website you expect but to a fraudulent one.
5. Useful tools that help prevent phishing:
SpoofGuard: a browser plugin for Microsoft Internet Explorer. SpoofGuard places a "warning light" on the browser toolbar that turns from green to red if you land on a phishing website. If you try to enter sensitive information into a form on a fake page, SpoofGuard records the attempt and alerts you. Internet Explorer is no longer supported, so this tool is now mainly of historical interest.
Anti-Phishing Domain Advisor: a browser toolbar that warns about phishing websites, based on data from Panda Security.
Netcraft Anti-Phishing Extension: Netcraft is a reputable provider of many security services; its anti-phishing browser extension is highly rated and offers many smart warning features.