How to be Covi-PHISHed safe - Learn to avoid the PHISHing hooks
I have coined the term “Covi-PHISHed” because this pandemic has impacted us greatly, and any topic of discussion without the spice of COVID-19 just tastes bland :)
On a serious note, during this pandemic we are experiencing an unprecedented rise in phishing attacks (a 350% increase), especially affecting those who used to shy away from the internet and are now forced to do their daily chores online.
Ref: Phishing attacks increase 350% amid covid19 quarantine
Introduction to Phishing - What is Phishing?
In layman's terms, just think of the sport of angling as an analogy. In the ocean of cyberspace, there are a lot of scammers using different types of hooks "luring-emails, SMS, Phone Call, Promotional Offer, Service Update", to fish for our "passwords, personal or financial data".
The most vulnerable are usually those with little to no knowledge of this scam, and this blog is an effort to educate in a way that lets a common person identify and mitigate the phishing threat effectively.
Types of Phishing
Now let's imagine how the scammers think and what methods they use to initiate a phishing scam. In cyberspace, there are different types of phishing techniques employed by attackers, such as:
- Mass E-mail Campaign - Attackers hold vast lists of e-mail addresses, telephone numbers or social media identities and send the same lure to all of them
- Spear Phishing - The attacker disguises themselves as a known or trusted sender
- Whaling - Phishing aimed at high-value targets such as CEOs
- Pharming - An attack where a request for a website (usually an e-commerce site) is redirected to a fake site that resembles the original
- Vishing/Voice Phishing - A human-based attack where the attacker extracts information while speaking over the phone or via IP-based voice messaging services (VoIP)
- Smishing - A human-based attack where the attacker extracts information using text messages
Attacker’s Medium of Distribution
It is easy to identify the mediums through which an attacker can approach us; we just have to pay a little attention, as they are all around us, such as:
- Games
- News and Weather updates
- Social Media
- Ecommerce
- Sport Apps
- Messaging
- Dating sites
or any other activity we indulge in regularly. The attacker’s goal is clear: to reach us by “hook” or by crook.
Understand the severity of Phishing attack
Imagine the impact it can have on one's life if his/her social media, bank or credit card information is used by an unknown person sitting thousands of miles away in a remote location. Scary, isn't it!
Reputational Damage / Intellectual Property Loss
Whether we are a person or a corporate entity, we are all at risk of reputational damage if sensitive information is leaked. In the corporate world, brands are built on trust, and any embarrassing internal communication that becomes public through a successful phishing attack is enough to tarnish the brand.
Intellectual property such as trade secrets, costly research, customer lists, formulas and recipes can all be compromised by phishing and cost businesses millions of dollars in losses.
How to Dissect Phishing Attack
I will use two examples, which are very common methods employed by attackers.
1) E-mail
As e-mail is now part of our daily routine, we tend to overlook minute details that can not only cost us financially but also impact our reputation.
Below are the guidelines to follow when you receive an e-mail, to detect the RED FLAGS and mark it as a phishing e-mail. I have used a “COLES” phishing e-mail that lures the customer into clicking a malicious link in exchange for something valuable.
Similarly, scammers impersonate government agencies; the following are some examples, all of which are SCAM e-mails:
2) SMS
Just like scam e-mails, SMS scams are on the rise as well. The following are some classic examples that we can all relate to, as we have all received such a scam SMS at some point, if not recently:
Fake Economic Support Payment Text
Fake myGov Text
If you do not pay attention to these fake text messages, the links will take you to fake websites that look identical to the real website, where you enter your login credentials or personal information, which the scammers record in the background.
What should I do?
Don’t panic: avoiding these persistent attacks is tricky without a technical background, but not impossible. The following are a few actions you can take to avoid being scammed:
1) Do not open an attachment or click links if the e-mail is not relevant, no matter how tempting the e-mail subject or content is
2) Even if the e-mail subject suggests that it is from a known contact, double-check the sender's e-mail address and its domain
3) If you really want to open the e-mail because you cannot resist, then double-check and verify its legitimacy by copying the link you received in the e-mail and pasting it into the following online tools
4) Subscribe to government SCAM alerts to stay up to date on ongoing scams
5) Report scams on the government website
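As an added example (not part of the original post), here is a small Python checker that applies steps 2 and 3 to a raw e-mail: it compares the sender and Reply-To domains against the domains you genuinely expect the brand to use, and flags links whose visible text names one site while the href points to another, the same trick the fake SMS sites above rely on. The sample message, the domain names and the trusted-domain list are constructed for this demo.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real mail): brand name in the display name, but the address, Reply-To and link target point elsewhere.
SAMPLE_EMAIL = """\
From: "Coles Rewards" <rewards@coles-offers.example.net>
Reply-To: claim@freegift.example.org
To: you@example.com
Subject: You have won a $500 voucher
Content-Type: text/html

<p>Claim it at <a href="http://secure-login.example.org/coles">https://www.coles.com.au/rewards</a> within 24 hours.</p>
"""

TRUSTED_DOMAINS = {"coles.com.au"}  # domains you genuinely expect this brand to use (assumed for the demo)
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def is_trusted(host):
    # Exact match or subdomain of a trusted domain; "coles.com.au.evil.example" is rejected.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def host_of(url):
    # Lower-cased hostname of a URL-looking string, or "" if it has none.
    return (urlparse(url.strip()).hostname or "").lower()

def find_red_flags(raw):
    """Return human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    if not is_trusted(from_domain):
        flags.append(f"sender domain '{from_domain}' is not a trusted domain")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rsplit("@", 1)[-1].lower()
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain '{reply_domain}' differs from sender domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    for href, text in LINK_RE.findall(body.get_content() if body else ""):
        target, shown = host_of(href), host_of(text)
        if shown and shown != target:  # visible URL names one site, href goes to another
            flags.append(f"link text shows '{shown}' but points to '{target}'")
        if not is_trusted(target):
            flags.append(f"link target '{target}' is not a trusted domain")
    return flags

if __name__ == "__main__":
    print(*find_red_flags(SAMPLE_EMAIL), sep="\n")
```

The checker only covers the headers and links the post discusses; it does not replace pasting the link into a reputation service, and a mail that passes it can still be a scam.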
Summary
Scammers are going nowhere; we have to learn to co-exist with them, and the best way to protect yourself and your loved ones is to gain basic expertise, especially when we interact online daily without the option of remaining disconnected.
Further technical details, such as examining e-mail headers to identify more clues, could have been part of this article; however, they are beyond its scope and can be shared in my upcoming posts.
Stay tuned for more, Stay Safe and Safe Browsing!!!!
Note: This tutorial is for informational purposes only, and I take no responsibility if anyone uses it for any illegal purposes.