AccuroEMR

What is Phishing?

phish·ing /ˈfiSHiNG/

noun

  1. The fraudulent practice of sending messages purporting to be from a reputable source in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
  2. Something you can protect yourself from by clicking below.

Have you ever gone fishing? It’s a pretty simple process: bait a hook, offer it to fish in the vicinity, and wait for one of them to bite. Phishing in the digital world works exactly the same way, except you’re the fish, the hook is an email or direct message, and the bait is a link or attachment meant to trick you into revealing your personal information or giving the sender access to your computer. Luckily, if you know what to watch for, you can send the phisher home empty-handed.

Types of phishing attacks

Like any good fisherman, cyber attackers know that the wider they throw the net, the likelier they are to catch something, so phishing takes more than one form. These are some of the most common types to watch out for:

Email phishing

This is one of the most widely used methods. An attacker registers a fake domain meant to look like it belongs to a legitimate organization and then sends out thousands of messages from it. They may also put the organization’s name in the mailbox part of the email address, such as scotiabank@domainregistrar.com, in hopes that the recipient’s inbox lists the sender as ‘Scotiabank’.

Spear phishing

This is also a form of email phishing, but the sender targets a specific person after collecting some basic information: their name, employer, job title, work email address, and specific information about their duties. The attacker then sends an email that sounds convincing enough to gain the recipient’s trust.

Whaling

As the name suggests, this type of attack aims for the big fish: senior executives with access to highly sensitive information. Whaling attacks are more subtle and of a much higher quality, sometimes even using logos and contact information of real organizations. The goal may be to compromise an executive directly, or to impersonate an executive to get information from less-senior employees.

Smishing and vishing

These are variations on the theme, using text messages (smishing) or phone calls (vishing) instead of email. The sender may claim to be from a law enforcement agency, a government department, or a financial institution, and will often try to persuade or frighten the target into giving up sensitive information.

Signs and signals

It’s easy to skim over a message and assume you know the source, but protecting your information can be as easy as paying attention to details. Here are some signs and signals that a message might be phishy:

  • A generic greeting: Watch for salutations like “Dear Customer.” The real organizations you deal with likely know your name
  • “Official” emails with typos, or received from personal addresses: Watch for spelling and grammar mistakes, and email addresses ending in @gmail.com, @yahoo.com, or @hotmail.com
  • Emails that sound urgent: Watch for messages asking you to do something immediately – especially if it includes a threat (“Respond now or your credit card will be cancelled”)
  • Emails asking you to take risks: Watch for messages pressuring you to bypass security procedures. These could be from a cyber attacker pretending to be your supervisor or coworker
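
The signs above can be turned into a simple screening check that reads one message and reports which of them it shows. The Python below is an added example, not AccuroEMR’s code; the brand list, the webmail domains and the wording patterns are constructed samples that you would tailor to the organizations you actually deal with.

```python
import re
from email.utils import parseaddr

# Constructed sample lists (assumptions, not from the article): brands whose name in a
# sender should match the sending domain, and webmail domains that "official" mail
# should never come from.
WATCHED_BRANDS = {"scotiabank"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
GENERIC_GREETING = re.compile(r"\bdear\s+(customer|user|member|account\s+holder)\b", re.I)
URGENT_WORDING = re.compile(
    r"\b(immediately|respond now|within 24 hours|will be (cancelled|canceled|suspended|locked))\b", re.I)
BYPASS_PRESSURE = re.compile(r"\b(bypass|skip)\b.{0,40}\b(procedure|process|verification|approval)", re.I | re.S)


def phishing_signals(from_header: str, subject: str, body: str) -> list[str]:
    """Return the article's warning signs found in one message (empty list if none)."""
    display_name, address = parseaddr(from_header)
    local_part, _, domain = address.lower().rpartition("@")
    signals = []

    # Sign: a watched brand is named in the display name or mailbox, but the domain is not
    # the brand's (the scotiabank@domainregistrar.com case from the article).
    named = set(re.findall(r"[a-z]+", f"{display_name} {local_part}".lower()))
    for brand in sorted(WATCHED_BRANDS & named):
        if brand not in domain:
            signals.append(f"sender claims '{brand}' but domain is {domain}")

    # Sign: "official" mail sent from a personal webmail address.
    if domain in FREEMAIL_DOMAINS:
        signals.append(f"personal webmail domain {domain}")

    # Signs found in the wording: generic greeting, urgency or threats, bypass pressure.
    text = f"{subject}\n{body}"
    if GENERIC_GREETING.search(text):
        signals.append("generic greeting")
    if URGENT_WORDING.search(text):
        signals.append("urgent or threatening wording")
    if BYPASS_PRESSURE.search(text):
        signals.append("pressure to bypass a security procedure")
    return signals


if __name__ == "__main__":
    # Constructed message built from the article's own examples.
    for sign in phishing_signals("Scotiabank <scotiabank@domainregistrar.com>",
                                 "Action required",
                                 "Dear Customer, respond now or your credit card will be cancelled."):
        print("-", sign)
```

A message with no signals is not proven safe; the check only surfaces the cues the article lists so you look more closely before clicking.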

Be careful, stay safe

There will always be dangers, but these best practices will serve you well:

  • Be suspicious of emails that seem a bit off
  • Instead of clicking a link, go to the source website directly
  • Only open attachments you were expecting, even if you have anti-virus software

Remember, playing it smart is always your best defense.