Phishing: All You Need To Know
It’s cybersecurity awareness month again and this time I’ll make it a series of some sort. I will be answering all the questions I got asked on the last radio show I was invited to speak on cybersecurity. I hope you enjoy it!
What is cybersecurity?
Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users via ransomware; or interrupting normal business processes.
A. Can you please explain to us what phishing is, what the most common signs of a phishing email or link are, and how can individuals differentiate them from legitimate ones?
Phishing is the most popular example of social engineering attacks. It is the practice of sending fraudulent communications that appear to come from a legitimate and reputable source, usually through email and text messaging. The attacker’s goal is to steal money, gain access to sensitive data and login information, or to install malware on the victim’s device.
Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes, and it can lead to identity theft.
How to identify fake emails
Phishing emails and messages often:
- Say they’ve noticed suspicious activity or log-in attempts on your account
- Claim there’s a problem with your account or payment information
- Say you need to confirm or update personal information urgently
- Include a fake invoice
- Ask you to click on a link to make a payment
- Claim you’re eligible for a government refund, or that you have won a trip or a huge sum of money, even though you know you never applied for any such thing. This applies to job offers too.
Practical tips on recognizing and avoiding email scams (phishing)
- Always hover your cursor over a link to see where it will redirect you before you click. It’s wise not to click untrusted links at all; instead, copy the link and check it on VirusTotal, urlscan.io, ANY.RUN, Hybrid Analysis, etc.
- Don’t be in a hurry to respond to such emails, because they are always written with a sense of urgency that pushes you to do what they want without thinking. Always take a moment to think before taking any action.
- Look closely at the sender’s email address, as it usually uses a fake or lookalike domain.
- There are usually many grammatical errors and spelling mistakes.
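The tips above (check where a link really goes, look at the sender domain, notice the pressure to act now) can also be automated on the receiving side. The following Python script is an added example, not code from the original post; it uses only the standard library and runs over a constructed sample message imitating a made-up bank, "paybank.example". It flags a display name that claims a trusted brand while the address domain differs, a Reply-To that diverges from the From domain, links whose visible text names a different domain than the href (what hovering reveals), lookalike hosts that embed the brand name, and urgency phrasing. The sample message, the trusted-domain list, the keyword list and the two-label "registrable domain" shortcut are all assumptions for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing-style message imitating the made-up bank "paybank.example".
PHISH = """\
From: "PayBank Security" <alerts@paybank-verify.example>
Reply-To: support@mail-relay.example
To: customer@example.org
Subject: Urgent: unusual log-in attempt on your account
Content-Type: text/html; charset=utf-8

<p>We noticed suspicious activity. Verify your account immediately or it will be suspended.</p>
<p>Go to <a href="http://paybank.example.verify-login.example/reset">paybank.example</a> within 24 hours.</p>
"""

# Pressure phrases typical of the "act now" tone described in the tips (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags: what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    """Lower-cased hostname of a URL or bare domain string; '' if none."""
    s = s.strip() if "://" in s else "http://" + s.strip()
    try:
        return (urlparse(s).hostname or "").lower()
    except ValueError:
        return ""

def registrable(host):
    """Crude registrable domain (last two labels); a real tool would use the public-suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def _body_text(msg):
    """Concatenate the text/plain and text/html parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def analyze_email(raw, trusted_domains):
    """Return findings (strings) for a raw RFC 5322 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    brands = [d.split(".")[0] for d in trusted_domains]
    # Tip "look closely at sender emails": display name claims a brand, address domain does not match.
    for brand, domain in zip(brands, trusted_domains):
        if brand in name.lower() and registrable(from_domain) != domain:
            findings.append(f"display name '{name}' but sender domain '{from_domain}'")
    # Replies silently routed to a third domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rsplit("@", 1)[-1].lower() if "@" in reply else ""
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")
    # Tip "hover over the link": visible text names one domain, href points at another.
    body = _body_text(msg)
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = _host(href)
        text_host = _host(text) if "." in text and " " not in text else ""
        if text_host and registrable(text_host) != registrable(href_host):
            findings.append(f"link text '{text}' but target host '{href_host}'")
        if href_host and any(b in href_host for b in brands) and registrable(href_host) not in trusted_domains:
            findings.append(f"lookalike host '{href_host}' embeds a trusted brand name")
    # Tip "don't be in a hurry": pressure language in the body.
    lowered = body.lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings

if __name__ == "__main__":
    print(analyze_email(PHISH, ["paybank.example"]))
```

On the constructed sample every check fires, giving five findings; a routine notice sent from the genuine domain with a link whose text and href agree produces an empty list. The "registrable domain" helper is deliberately naive (it would misjudge hosts under suffixes such as co.uk), which is exactly why production mail filters rely on the public-suffix list and on authentication records (SPF, DKIM, DMARC) rather than string comparison alone.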
B. How have phishing tactics evolved over the years, and what emerging threats should we be wary of?
Phishing tactics have evolved significantly over the years, becoming more sophisticated and diversified to better deceive and compromise targets. Some of the key developments in phishing tactics include:
- Spear Phishing: Instead of sending generic phishing emails to a wide audience, attackers now conduct extensive research to craft highly personalized messages. These messages often appear to come from trusted sources and exploit personal information about the target to increase the likelihood of success. This information is easily found on Twitter (X app), where people answer questions that could be your security question: for example, your mother’s maiden name, your first pet, your favourite food, or the first country you visited. Refrain from answering these personal questions, especially on the internet.
- Whaling: Whaling attacks target high-profile individuals within an organization, such as CEOs and executives. Attackers aim to deceive these individuals into revealing sensitive information or performing actions that can compromise the entire organization.
- Clone Phishing: Attackers create near-identical replicas of legitimate emails, then replace links or attachments with malicious content. This tactic capitalizes on trust in previously received emails.
- Vishing (Voice Phishing): While email-based phishing remains prevalent, attackers have extended their reach to phone calls. They use social engineering to manipulate victims into revealing sensitive information over the phone, often by impersonating trusted entities or government agencies and even relatives.
- Credential Harvesting: Phishing attacks have increasingly focused on stealing login credentials. Attackers create fake login pages for popular websites, often banking or email platforms, to harvest usernames and passwords.
Emerging threats to be wary of in the evolving landscape of phishing include:
- Deepfake Technology: With the advancement of deepfake technology, attackers can create highly convincing audio or video recordings of individuals, making it more challenging to identify fake communications. Examples include the Obama and Morgan Freeman impersonations. If you’re a K-drama fan, watch Celebrity.
- Credential Stuffing: Attackers leverage large databases of stolen usernames and passwords to gain unauthorized access to various online accounts, banking on the fact that many people reuse the same credentials across multiple services. This is why you’re strongly advised to not reuse previous passwords across your accounts.
- AI-Generated Phishing Content: AI can be used to generate phishing emails and messages at scale, making it easier for attackers to launch widespread campaigns with highly convincing content.
- Zero-Click Attacks: These attacks can exploit vulnerabilities without any action on the victim’s part, often targeting flaws in email clients or messaging apps.
Fallen for a Phish?
If you accidentally provide information to a phishing scam, act fast:
- Change your passwords.
- Notify your bank or relevant authorities.
- Monitor your accounts for suspicious activity.
To defend against these evolving threats, individuals and organizations must prioritize cybersecurity awareness, employ robust email filtering and authentication protocols, and stay updated on the latest phishing tactics and defense strategies. Regular training and the use of multi-factor authentication (MFA) can also significantly enhance protection against phishing attacks. Stay sharp, trust your instincts, and always double-check everything!
You can learn more by watching this playlist on my YouTube channel and reading this article I wrote last year. Remember, there will always be phishing hooks with bait, but I’m hoping this article arms you with the knowledge not to take the bait!
Until next time, find me where the good guys are!