Phishing: avoiding the bait

Phishing. Vishing. Smishing. As if the crimes aren’t bad enough, they’ve also given rise to some of the ugliest words English has had to put up with. But call them what you like, they’re big business and they’re on the rise. The methods are clever, devious and, unfortunately, they work. But you can protect yourself and, let’s face it, the best way to fight back is to avoid falling into their traps.

Phishing has changed the world. Literally. It's widely regarded as one of the reasons Donald Trump won the US Presidency. Why? Because the Chairman of Hillary Clinton's campaign was phished.

John Podesta received one of those emails you’ve probably seen. This one said someone had tried to log onto his Gmail account and provided a link to reset his password. To be fair to Mr Podesta, he didn’t click on it straight away but eventually someone did. 

That link led to a page that looked like Google's sign-in page but actually belonged to what is believed to be a group connected to the Russian government. Any credentials typed into it were delivered straight to the attackers.

The full story is truly tragic but the upshot was that the entire contents of Mr Podesta's Gmail account ended up on WikiLeaks. Even worse, if Julian Assange is to be believed, the attackers needn't even have bothered to go phishing because Mr Podesta's password was…password. And he had emailed himself passwords for other accounts, so access to his Gmail gave the attackers access to his iCloud storage and much else besides.

It's an object lesson in everything you should NOT do. But let's be honest, pretty much all of us have come close to falling for a phishing email and many of us will also have emailed a password to ourselves. So we shouldn't throw too many stones at Mr Podesta, not least because phishing emails are getting more and more devious and it's terribly easy to fall for them.

So what should you do? Well, the best thing is to get the basics right. Have a look at our cybersecurity and password guides. Above all, don’t reuse passwords so even if someone does attack you successfully, the damage will be limited to one account. And once you’ve done the basics, try to get into the heads of the criminals.

Phishing emails follow common patterns. The execution may change, but they have to get you to do something, so they'll try to make the email interesting or important; in marketing-speak, this is called a call to action. So the first defence is to do nothing. That includes not clicking on a photo that has been embedded in a message. (It's possible to be infected simply by opening an email, via a bug in the mail program, but this isn't common. What is common is that displaying an email's remote images tells the sender your address is live and being read, which is why many mail programs block remote images by default.)

Do be sceptical though, and stay up to date. Attackers are constantly improving their methods. One example is especially devious because it attacks you through your own contacts. In itself that isn't new, but this version is particularly clever. When it gets access to someone's Gmail, the first thing it does is find their contacts, take a real document from the account, make an image that looks like that document's attachment icon, and email it to you. It comes from someone you genuinely know, it shows a PDF icon, and even technology professionals have come close to being fooled. If you click on the icon, it opens what looks like the real Gmail sign-in page. In reality it's an offline page, carried inside the link itself rather than served by Google, so the address bar can contain the word google without you ever reaching Google. If you fill in your credentials, it sends them to the attacker, who then does the same to your contacts. And the cycle begins again.

So, if in doubt, don't click! That unpaid parking ticket, the tax rebate, the photo from your friend. Just ignore them. If you're concerned you might have a parking ticket, then look up a phone number yourself and give them a call. But don't use the number in the email, because it's either made up or it goes straight to the attackers.

What about links to webpages? Yup. They're also dangerous. If you want the details, we have a guide that explains exactly how these work and what they can do, but the bottom line for phishing emails is that you need to be cautious about them. Hover over them so you can see where the link actually wants to take you, and read the address from the end. The part that decides where you go is the host name: the text between the // and the next single /. A browser reads it from the right, so the last two parts (for example google.com; three for addresses ending in co.uk and the like) say who owns the site, and everything to the left of them is just a name that owner chose. A URL might begin http://signon.google.com, but that's irrelevant if there are more full stops after it: signon.google.com.example.net, say, is a page on example.net, not on Google. And be particularly cautious about shortened URLs like those from Bitly, which hide the destination until you click (that was what the attackers used against John Podesta).
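As an added example (this code is not part of the original article), the following Node.js script does the "read from the end" check described above mechanically, and also catches the case from the Gmail attack earlier on the page, where the link is not a web address at all but carries the fake page inside itself (a data: link). It uses the browser-standard URL class that ships with Node, so it sees the host name exactly as a browser would. The suffix, shortener and brand lists are assumptions kept deliberately short; a real tool would use the Public Suffix List. The sample links are constructed for the example and are not taken from any real phishing email.

```javascript
// Added example for the article, not code from it: a "read the link from the end"
// checker for Node.js (v14 or later; no packages needed). The built-in URL class
// parses links exactly the way a browser does, which is the whole point: we want to
// see the host the browser would connect to, not the text the email shows us.
//
// ASSUMPTIONS (illustrative, not real data): the three lists below are tiny
// stand-ins. A real tool would use the Public Suffix List for TWO_LEVEL_SUFFIXES.
const TWO_LEVEL_SUFFIXES = new Set(["co.uk", "org.uk", "ac.uk", "com.au", "co.jp"]);
const SHORTENERS = new Set(["bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"]);
const BRANDS = ["google", "paypal", "apple", "microsoft", "hmrc"];

// Walk the host name from the right. The last label is the top-level domain, the
// label before it (or the two before it for suffixes like co.uk) is what the site
// owner actually registered. Every label further left was chosen by that owner.
function registrableDomain(hostname) {
  const labels = hostname.split(".");
  if (labels.length < 2) return hostname;
  const lastTwo = labels.slice(-2).join(".");
  if (TWO_LEVEL_SUFFIXES.has(lastTwo) && labels.length >= 3) {
    return labels.slice(-3).join(".");
  }
  return lastTwo;
}

function inspectLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { ok: false, host: "", domain: "", reasons: ["not a valid absolute URL"] };
  }
  const reasons = [];

  // A data: or javascript: "link" carries its own page inside the link text. Nothing
  // is fetched from any server, so there is no host to judge; treat it as hostile.
  if (url.protocol === "data:" || url.protocol === "javascript:") {
    reasons.push(`${url.protocol} link: the page is embedded in the link itself, not hosted anywhere`);
    return { ok: false, host: "", domain: "", reasons };
  }

  const host = url.hostname; // already lower-cased and punycoded by the parser
  const isIp = /^(\d{1,3}\.){3}\d{1,3}$/.test(host) || host.startsWith("[");
  const domain = isIp ? host : registrableDomain(host);

  // http://accounts.google.com@evil.example/ parses with username
  // "accounts.google.com" and host "evil.example"; the browser goes to evil.example.
  if (url.username || url.password) {
    reasons.push(`text before @ is user-info, not the site; the real host is ${host}`);
  }
  if (url.protocol !== "https:") {
    reasons.push(`not https (${url.protocol})`);
  }
  if (SHORTENERS.has(domain)) {
    reasons.push(`shortened link via ${domain}; the real destination is hidden until you click`);
  }
  // Non-ASCII host labels come out of the parser as punycode ("xn--..."), which is
  // how a look-alike spelling using foreign letters reveals itself.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push(`internationalised host ${host}; check for look-alike letters`);
  }
  if (isIp) {
    reasons.push("raw IP address instead of a domain name");
  }
  // A brand name anywhere other than the registrable domain (in the user-info, in
  // the sub-domain labels, in the path or query) is decoration: the site belongs to
  // whoever owns `domain`.
  const decoration = (url.username + url.password + host.slice(0, host.length - domain.length) +
    url.pathname + url.search).toLowerCase();
  for (const brand of BRANDS) {
    if (decoration.includes(brand) && !domain.startsWith(brand + ".")) {
      reasons.push(`"${brand}" appears in the link but the site belongs to ${domain}`);
    }
  }
  return { ok: reasons.length === 0, host, domain, reasons };
}

// Constructed sample links for the demonstration; none is taken from a real email.
const SAMPLE_LINKS = [
  "https://accounts.google.com/signin",
  "http://signon.google.com.example-login.net/reset",
  "http://accounts.google.com@198.51.100.7/",
  "https://bit.ly/3xxxxxx",
  "https://g\u043e\u043egle.com/", // the two o's are Cyrillic letters
  "data:text/html,<h1>Sign-in</h1>",
];

for (const link of SAMPLE_LINKS) {
  const result = inspectLink(link);
  console.log(result.ok ? "OK " : "BAD", link, result.reasons.join("; "));
}
```

Run it with node and each sample link prints OK or BAD with the reasons. Only the first link passes: the second puts google in front of a domain somebody else owns, the third hides the real host behind an @, the fourth is a shortener, the fifth spells google with foreign letters, and the sixth is not a web address at all. The one thing the script deliberately does not do is follow a shortened link for you; if the destination is hidden, treat it as hostile.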

And vishing and smishing? Vishing is just phishing over the phone and smishing is phishing by SMS. They're both horribly effective, particularly fake text messages and service alerts. Again, be sceptical. If you receive one, the first thing to do is ignore it. The second thing is to look at what it says. If it contains a shortened link (bit.ly or the like), just delete it. If it's a service alert asking you to reply with a verification code, don't on any account do so: a genuine service sends you a code to type into its own sign-in page and never asks for it back by text, so a message asking for the code means someone is trying to get into your account right now and needs your code to finish the job.

All this might sound paranoid but these scams have ended up costing people life-changing amounts of money – and they've helped change the course of history. So being a little bit paranoid is probably a pretty good idea.

Address

124 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217