An average internet user probably doesn’t give much thought to the dangers lurking in the cyberspace. Think about it: are you even slightly concerned about your private information when you scroll down your news feed and snoop around to see what your friends are doing? Or when you open emails or operate in Google docs?
We got used to surfing the web carelessly, no matter what our online activities consist of. Whether you like reading thought-provoking articles, enjoying beautiful images and videos, learning new things, socializing, or you use your internet connection for communication and work purposes – the odds are you feel safe and sound while you mind your own business.
But what happens when we stumble upon the stories about the unfortunate cases of online frauds and various types of cyber-crimes?
We tend to sympathize with victims, yet still treat these offenses as exceptions. We always believe it’s something that can happen to others, not to us.
However, cyber-crimes have become more sophisticated and harder to detect, making all of us internet lovers vulnerable. From domain hijacking, computer system attacks, identity thefts, social engineering to credit card frauds, malware distribution, and misuses of personal information – there are definitely many faces to modern age crimes and more often than not, they tend to overlap. Among all of them, phishing remains one of the greatest dangers.
Simply put, phishing is an attempt of getting sensitive personal information such as login credentials, passwords, account information, etc. – for malicious purposes. The attacker misrepresents himself as a trustworthy person or organization known to the victim so to obtain the mentioned information usually through simple email communication. The act of phishing makes people voluntarily give out their personal info without knowing what hit them, which makes it one of the sneakiest crimes out there.
Today, phishing has various forms and you’d be surprised to learn the crime has actually been here for a while, almost since the very moment World Wide Web became publicly available. But it wasn’t until the early 2000’ that people became fully aware of it.
Recognizing Phishing Attempts
Phishing attacks have become so sophisticated that it seems only those really detail-oriented or extremely cautious are able to avoid them. The interface for leaving log-in details is completely the same as the one users are used to.
Here’s a fresh example of this: in May 2017, there was a massive phishing attack targeting Gmail users.
The worm came to the user’s inbox posing as a trustworthy contact and asked to take a look of the Google doc attached. When users clicked on the link, they were redirected to an authentic-looking Google security page. That is where the personal information were collected: to proceed, users have been asked to log in and give permission to the fake app. The only thing that gave scammers away in this case is the email address of the main recipient (firstname.lastname@example.org), while victims’ addresses were in the CC field.
Want another recent example? Phishers are all about using the already-established trust relationships. July of 2017 was marked by a remarkable Facebook scam. Nobody saw it coming. Hackers broke into Facebook accounts, lock the true owner out, and then used their profiles to perform a scam. They contacted people from the friends list saying they received a grant through an agent, but they have to pay for a small upfront fee. Users got easily tricked as they were served with a detailed story by someone whom they had trust in. Before they realized it, their money was gone.
Here are some of the most advanced phishing techniques to beware of:
- Spear phishing: In the past, phishing emails have been massively sent out to a large number of email address. Today, scammers have narrowed down their targets and devoted more attention to details, making the email more believable.
- Session hijacking: Scammers are capable of stealing information in a simple hacking procedure by intercepting sensitive information and then abusing them for illegal practices. This is why you should never ever trust any e-commerce site that doesn’t have SSL certificate (detectable with https in the URL and a small lock symbol or the word “secure” before the URL).
- Content injection: This is a sneaky technique where phishers hack a certain site and insert their content somewhere in the middle of genuine article. There is always a malicious link in their chunk of text, and when users click on it – they are redirected to a website that seems legit, but requires personal information to enter.
- Search engine phishing: Phishers use search engines to redirect users to e-commerce sites with great offers and deals. If users choose to purchase something, they get redirected again to a fake payment gateway where scammers collect personal information.
- Ransomware: Ransomware is malware that gets installed on victim’s PC usually after the victim is convinced it’s nothing more than some sort of standard procedure. Phishers have become really good at social engineering, so users are usually not that suspicious. They do as they are instructed: most frequently they click on a certain link that releases malware, denying them access to their files or wholesome device – until they pay ransom.
We all know better than clicking on fishy emails, but what if there’s nothing fishy about them? If these attacks got so sneaky even tech nerds fail to detect them – how can mortals like us stay safe online? There are certain ways you can protect yourself.
Tips for Avoiding Phishing Scams
The number one advice anyone with half a brain could give you is to always think twice before clicking. In almost every case, phishing relies on emotions and extremely convincing texts. You should never click on links you get in random emails, no matter how interesting the copy surrounding it is. Keep in mind that phishers are extremely good marketers. Always hover over the link to see its destination and never leave trusted information easily. If you’re a Gmail user, click on the “Report Phishing” button to support the efforts of Google staff and keep the internet safe.
It’s always advisable to stay informed about the latest phishing scams. As we said, they constantly evolve and the techniques are getting harder to detect, which is why you need to keep up.
Using an updated antivirus software and firewall will keep your PC protected. Firewalls keep intruders out, so make sure you have one for your desktop and one for the network. The combination of the two provides the optimal level of security. Antivirus software ensures every downloaded file is free from viruses so your system stays safeguarded.
If you think only hackers have evolved, you’re terribly wrong. The systems of protection are also getting better, so now you can install an anti-phishing toolbar that instantly scans and checks the websites you visit, and compares them to the list of phishing sites. These toolbars alert you in case of dangers and there are free versions.
Ultimately, the best way to fight phishing is to prepare for the worst. This means having a proper backup system in case you do get caught up in a scam. Here’s what you can do:
- Take advantage of the multi-factor authentication option to secure your online accounts
- Use passwords that are random and complex (not your birthday or your pet’s name)
- Have a backup email address and keep your eyes open in case you get notified about some possible unauthorized access to your account (Gmail notifies you by sending an email about someone accessing your email account from an unknown device)
So, when it comes to phishing, it’s not just about prevention, but about being wise enough to have a backup plan.
History of Phishing
Believe it or not, the practice of phishing dates back to 1995. During those days, America Online was an early internet pioneer providing various services, including dial-up internet. So, even in times when we all got annoyed by the struggling sounds of internet connection being established – there were hackers who weren’t stopped by the incredibly slow internet speed in accomplishing what they wanted.
First attacks were focused on stealing sensitive information. With personal information, it was easy to set up new AOL account and then use it for spamming other users without leaving easily detectable trace. During this time, hackers also used algorithms for creating random credit card numbers. The lucky hits (i.e. getting the real, existing credit card number via the algorithm) were fairly rare. But once scammers did manage to hit the bullseye – the financial damages for the victims were severe. These malicious activities were put to their end by the AOL as the company managed to create better security measures.
But this was not the end of phishing, of course.
It just pushed hackers to become more creative and develop new techniques. This is when they started abusing AOL instant messenger and emails. Users would typically receive an email in which someone who introduced himself as an official AOL staff member, requested their personal information for the purpose of verification or confirming their billing information. There was really nothing that suspicious about it, so a vast majority of people provided their passwords or other types of information.
To make things worse, hackers made tons of AIM accounts (presence computer program and instant messaging program designed by AOL), upon which the company had no legal power because of the way Terms of Service were defined. All they could do is to warn people to be cautious.
The basic essence of phishing remained the same throughout the years. But the thing that has changed is the prize hackers chase. Money has always been in their focus. It wasn’t long before they realized the potential behind online payment systems. Phishers were most successful around 2004, when popup windows were used to acquire personal information. Some use the same technique even today. However, the shift of focus to bigger players such as banking sites is something that made phishing extremely profitable.
Fast Forward to 2017
According to the latest report by the Phishlabs, overall phishing volume in the second quarter of 2017 was 41% higher compared to the first quarter. The volume of attacks targeting SaaS platforms has increased a stunning 104% from one quarter to another, while those targeting social networks increased 70%. Five most frequently attacked industries include finances, web and online services, payment services, cloud storage or file hosting, and e-commerce.
All the stats point to the same conclusion: phishing is on the rise.
The worst part is that hackers now truly invest in their “businesses” and so they choose to purchase SSL certificates. This way, they camouflage themselves among other secure and trustworthy websites, making it harder than ever for users to detect them. The mentioned report claims there has been a rise in numbers of this sites and they are to be held responsible for 13% of the phishing attacks.
In addition to this threat, hackers have targeted mobile users by creating believable URLs. They use hyphens to make the URL length bigger, while masking the true destination of the URL on its end. The victim doesn’t see the end of it because it isn’t visible in the URL bar in the mobile view, and is redirected to a site that looks legit, while it’s indeed a phishing one.
Some companies that manage domain names fight to keep their domains clean of spam, phishing, and other scams. They have established secure systems and defined abuse policies in order to suspend spammy domains and prevent scammers from achieving their goals. We at domain.me take online scams seriously and we are doing our best to keep the internet safe with our Domain Abuse Policy by suspending .ME domains that show suspicious behaviour. Since January 2017 up until the publication of this article, we have suspended a total number of 292 .ME domains that attempted malicious phishing attacks.
As for the domains phishers most frequently use, .com remains the most popular choice, followed by .net, .org, .br, and .in.
Surfing across the web has become a part of our everyday lives. It’s fun and engaging, and it fits our overall shift towards the digital world. However, staying safe and secure online should be your number one priority. This doesn’t mean you should get paranoid about every single detail, but double-checking before clicking and listening to your gut can go a long way.