One of the most basic practices every cybersecurity guide will recommend is not to click on links and attachments contained in emails coming from unknown sources, and to think twice even if they come from seemingly trustworthy sources.
You think it’s unnecessary caution? Ask John Podesta, chairman of Hillary Clinton’s presidential election campaign. This is exactly how he (or the operator of his email account) gave away his account’s credentials to hackers. The breach led to a series of damaging and embarrassing leaks that might have cost his boss her chance of becoming president.
What is phishing?
Podesta’s misfortune is just one of countless successful phishing scams, a form of social engineering that involves sending deceptive emails designed to trick recipients into clicking on links that lead to a fraudulent website. The destination page usually mimics the login page of an authentic website. But when the victims enter their credentials, instead of submitting them to the real website, such as Gmail or Facebook, they are in fact sending them to the attackers’ servers. What happens from there, you can guess.
Phishing emails might also contain attachments that will install malware or spyware on your computer.
And no, celebrities and politicians are not the only people who get targeted by phishing. Anyone with banking credentials, social media and email accounts, and any personal or corporate asset of value can become the target of a phishing scam.
What’s the difference between phishing and spear phishing?
Plain vanilla phishing involves sending general phishing emails to massive mailing lists, obtained from public sources or a major leak. For instance, the targets will receive an email that purportedly comes from their bank, warning them to confirm their identity and providing them with a link. Naturally, the site that the link leads to looks real but is fake. You know the rest.
Spear phishing is a targeted form of phishing, in which the attackers meticulously examine their target. Attackers sometimes spend weeks or months studying their victims’ social media accounts to understand their preferences, habits and relationships. They then send tailored phishing messages that seem to come from a source the victim knows personally. Their content is considerably more convincing than that of normal phishing emails. The Podesta episode was an example of spear phishing.
How damaging is phishing?
Security tools and firewalls protect against malware and other attacks of a technical nature. Social engineering attacks aren’t as easy to block, though, because they rely on completely legitimate tools and exploit human error.
Thanks to artificial intelligence and threat intelligence sharing platforms, detecting ordinary phishing emails has become much easier in recent years. Email services such as Gmail catch and block most phishing emails. A small number do get through, though, so you are not fully immune. Spear phishing attacks, however, are much harder to spot and have a much higher success rate.
A very considerable percentage of data breaches and other security incidents begin with a phishing scam. An unwary employee falls victim to the scheme and ends up giving attackers access to a company or organization’s network. In most cases, the victims don’t even realize they’ve stepped into a trap.
How to protect yourself against phishing scams
Your best defense against phishing and spear phishing attacks is caution and good judgment. So stick to the reminder from the beginning of this article: don’t click on links or open attachments unless you’re absolutely sure of their source.
How do you make sure the source of an email is safe? Here are a few tips:
- If an email contains a request that arouses a sense of urgency or panic, the likelihood that it’s a phishing scam increases. If it appears to come from a trustworthy source, contact them through some other means (phone or an alternate email address) and confirm the request.
- Hover over links and check the domain of the website they point to. If it’s not the authentic website, don’t click on it (and by the way, google.com.something is not part of Google’s domain; ask Podesta). If it points to a link tracker, don’t click on it, or check the destination with a service such as GetLinkInfo before doing so.
- Make sure your antivirus, browser and operating system are up to date. These are your next best defenses in case you slip and mistakenly download and open an infected attachment or browse to a website that exploits a vulnerability in your browser.
- Use a password manager. Password managers won’t automatically fill in your credentials if you browse to a phony website, because the site’s domain doesn’t match the one the credentials were saved for.
- Use two-factor authentication on your sensitive accounts. If you make the mistake of typing your credentials into a phishing website, 2FA will prevent hackers from accessing your account. Podesta (sorry man, your story was just such a great case study!) could’ve avoided the phishing scam if he had had a physical security key associated with his account.
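The domain check behind two of the tips above (reading the real domain of a hovered link, and a password manager refusing to fill credentials on a domain it does not recognise) can be written down precisely. The following Python is an added example, not code from the article; the allow-list of trusted domains and the sample links are constructed, and the "last two labels" rule is a simplification of what real password managers do with the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the registrable domains we actually hold accounts on.
TRUSTED_DOMAINS = {"google.com", "facebook.com", "mybank.example"}


def registrable_domain(host):
    """'accounts.google.com' -> 'google.com'.
    Simplification: real clients consult the Public Suffix List so that
    'example.co.uk' resolves correctly; that is out of scope here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_verdict(url):
    """Return (is_safe_to_click, reason) for a link found in an email."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "unexpected scheme %r" % parts.scheme
    host = parts.hostname  # drops userinfo and port: 'u@host:443' -> 'host'
    if not host:
        return False, "no hostname in link"
    if parts.username is not None:
        # 'https://google.com@evil.example/' shows google.com first, but the
        # browser connects to whatever follows the '@'.
        return False, "text before '@' hides the real host %r" % host
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return True, "registrable domain %r is trusted" % domain
    # The article's 'google.com.something' case: a trusted name appears in the
    # hostname, but the registrable domain (the part that matters) is someone else's.
    lookalike = next((d for d in TRUSTED_DOMAINS if d in host), None)
    if lookalike:
        return False, "%r appears in %r but the registrable domain is %r" % (
            lookalike, host, domain)
    return False, "registrable domain %r is not trusted" % domain


if __name__ == "__main__":
    # Constructed sample links, as they might appear behind anchor text in an email.
    for link in [
        "https://accounts.google.com/signin",
        "https://google.com.login-verify.example/reset",
        "https://google.com@evil.example/",
        "https://mybank.example:8443/login",
    ]:
        ok, why = link_verdict(link)
        print("%-48s %s  %s" % (link, "CLICK" if ok else "DON'T", why))
```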
So would you rather be phished with a spear or a net? I don’t like fish anyway, so I’m going to get me some beef.