A few weeks ago, our Director of Business Development received an email from our President and COO. The sender asked if he was going to be in the office. When he replied yes, the sender asked him to send a wire transfer to an unknown recipient. Our Director of Business Development suspected phishing. He did a quick check of the sender’s original credentials and found that it was an impersonator who had disguised their name and email address on Gmail to show as our COO. He replied, “Of course! I need a name, number, and address to report you to the cops :)”. The sender never responded.
The troubling realization is that phishing is no longer the “Nigerian Prince” email scam that it was back in the days when the term was initially coined. Phishing, a term coined in the 1990s by the well-known hacker Khan C Smith, describes the attempt to obtain personal information, such as usernames, passwords, and credit card details, by posing as a trusted entity through electronic means. The old arguments of “Hackers can never create a web site that looks legitimate” or “I’m on the internet enough to tell if web sites are fake” are no longer valid given the exponential improvements in hacker technology.
Chainalysis, a firm that provides anti-money laundering software, found that cryptocurrency phishing has accounted for $225 million in losses this year. Bloomberg Technology claims that 1 out of 10 people are susceptible to becoming a victim of theft. It appears that modern phishing and its highly targeted cousin, spear phishing, are still highly effective in generating large amounts of money for cybercriminals.
A UC Berkeley study, Why Phishing Works, found that everyone, regardless of age, education level, gender, or hours of computer use, is equally susceptible to phishing. Even more, it was discovered that well-made fraudulent web sites fooled 90% of participants. Most participants ignored obvious tell-tale signs that a web site is dangerous or fake.
So what can we do to better guard ourselves against phishing? TitanFile has prepared a list of five things you can do to combat phishing in the modern age.
Know the signs that prove authenticity
In Why Phishing Works, 22 participants were shown 20 different web sites and had the task of determining which sites were authentic and why. Participants who scored highest checked for security indicators, content, domain name, address, HTTPS, the padlock icon, and certificates (e.g. SSL). These security indicators also included appropriate logos, contact information, and updated copyright information. Conversely, participants who relied only on logos and contact information for authentication scored the lowest.
Do your research on webpages that request payment
It never hurts to do a quick Google search on a webpage in question. Phishing webpages can easily link an image of their “certificate” or their logo to the authentic source and create a false sense of authentication for the viewer. As Google typically has a good algorithm in place to weed out phishing web sites, Googling for the real website of a reputable entity will most likely lead you to an authentic source. Looking at the fully authentic web site beside the page in question, or searching for its real URL, will give you a better idea of whether or not the webpage you are on is authentic.
Have multiple passwords (despite how difficult it is to remember)
This is difficult for most people because it is hard to remember multiple passwords at once and most people assume that usernames and passwords are useless to hackers. However, if you use the same password for all your accounts, this will give hackers the ability to hack into any of your accounts that hold personal information. This could include your work account, your bank account, or your email. To keep track of all your passwords, keep them in a notebook or on your phone. Remember to change your password every 3-4 months for accounts with the most sensitive information, and create passwords that are effective and hard to guess.
Use more than one form of communication
If you receive an email from your bank or your boss that requests urgent action, such as sending money or authenticating your credentials through a provided link, simply call them to confirm. These emails attempt to create a sense of urgency to provoke the recipient into acting quickly, so the recipient neglects to do a thorough check of the message received. Although the sender address and the links within an email can easily be masked by hackers to display a different address, your bank’s or your boss’s phone number will most likely be authentic. So slow down, call in and confirm.
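The two kinds of masking described above, a display name that hides the real mailbox and link text that hides the real destination, can both be exposed by looking at what the message actually contains rather than what the mail client shows. The following is an added example, not code from TitanFile or from the original article; the message it parses is constructed for the demo (the sender domain "public-webmail.example" stands in for a free webmail account like the Gmail address in the story, and "example.com" is assumed to be the organization's own mail domain).

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domain the organization's real executives send mail from.
ORG_DOMAIN = "example.com"

# Constructed sample message (not a real email). The display name claims to be
# the COO, but the mailbox is on an outside webmail domain, and the link's
# visible text shows one host while its href points somewhere else.
RAW_MESSAGE = """\
From: "Pat Example, President & COO" <pat.example.coo@public-webmail.example>
To: "Director of Business Development" <bizdev@example.com>
Subject: Urgent wire transfer
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Are you in the office? Please process this today:</p>
<p><a href="http://login.example.net/verify">https://bank.example.com/verify</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL, or '' when the text is not a URL at all."""
    if "://" not in text:
        return ""
    return (urlsplit(text).hostname or "").lower()


def analyse_message(raw, org_domain=ORG_DOMAIN):
    """Return the real sender address, every link, and a list of red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()

    findings = []
    # Red flag 1: the name says "COO", the mailbox is not on the company domain.
    if sender_domain != org_domain:
        findings.append(f"sender '{display}' actually uses {addr}")

    # Red flag 2: the clickable text advertises one host, the href another.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        shown, real = host_of(text), host_of(href)
        if shown and shown != real:
            findings.append(f"link text shows {shown} but points at {real}")

    return {
        "sender_display": display,
        "sender_address": addr,
        "links": collector.links,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyse_message(RAW_MESSAGE)["findings"]:
        print("RED FLAG:", line)
```

Neither check proves a message is fraudulent on its own; they surface the facts the mail client hid, which is exactly what the phone call in the advice above is for.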
Type in URLs manually
The English language and the alphabet we use are not universal. Therefore, hackers can manipulate how a URL is displayed in your browser so that it looks like the authentic page while using different letters, for example through internationalized (Unicode) domain names. Web developer Xudong Zheng created a proof-of-concept web page (https://www.xn--80ak6aa92e.com). When loaded, this page displayed as ‘apple.com’, showing exactly how hackers are able to do the same. Although the current version of Chrome now displays the correct URL, older versions of the browser or other browsers may not do the same. This is why it is important to type in URLs to important websites manually.
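The name in Zheng's proof of concept is stored in DNS as the ASCII label "xn--80ak6aa92e" (punycode, RFC 3492); decoding it yields five Cyrillic letters, а р р ӏ е, whose glyphs happen to look like the Latin word "apple". The following is an added example, not code from the original article or from Xudong Zheng: it decodes such labels, reports which scripts they contain, and maps look-alike letters onto their ASCII doubles so a hostname can be compared against the sites you actually mean to visit. The CONFUSABLES map is a small hand-picked subset of the Unicode confusables data, and KNOWN_DOMAINS is an assumed list of sites to protect; both are placeholders to extend.

```python
import unicodedata
from dataclasses import dataclass
from typing import Optional, Set

# Assumption: a hand-picked subset of Unicode's confusables table. Each key is a
# Cyrillic or Greek letter whose glyph is routinely mistaken for the ASCII letter
# it maps to. A production check would load the full table.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u0458": "j",  # Cyrillic small je
    "\u04cf": "l",  # Cyrillic small palochka (the "l" in Zheng's demo)
    "\u03bf": "o",  # Greek small omicron
}

# Assumption: the domains the user intends to reach; compare against these.
KNOWN_DOMAINS = ["apple.com"]


@dataclass
class HostReport:
    ascii_form: str            # what DNS sees (punycode labels)
    unicode_form: str          # what the address bar may show
    scripts: Set[str]          # Unicode script names found in the letters
    skeleton: str              # unicode_form with confusables replaced by ASCII
    lookalike_of: Optional[str]  # known domain it imitates, if any


def decode_label(label: str) -> str:
    """'xn--' labels carry punycode; decode them to their display form."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_label(label: str) -> str:
    """Inverse of decode_label: non-ASCII labels become 'xn--' punycode."""
    try:
        label.encode("ascii")
        return label.lower()
    except UnicodeEncodeError:
        return "xn--" + label.encode("punycode").decode("ascii")


def scripts_of(text: str) -> Set[str]:
    """Script of each letter, taken from the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in text if ch.isalpha()}


def skeleton(text: str) -> str:
    return "".join(CONFUSABLES.get(ch, ch) for ch in text).lower()


def inspect_hostname(host: str, known=KNOWN_DOMAINS) -> HostReport:
    """Accepts either the punycode or the Unicode spelling of a hostname."""
    labels = [decode_label(l) for l in host.rstrip(".").split(".")]
    unicode_form = ".".join(labels)
    ascii_form = ".".join(encode_label(l) for l in labels)
    skel = skeleton(unicode_form)

    match = next((k for k in known if skel == k or skel.endswith("." + k)), None)
    # Only a look-alike if confusable letters had to be replaced to get the match;
    # the genuine domain equals its own skeleton and is not flagged.
    lookalike = match if match and unicode_form.lower() != skel else None
    return HostReport(ascii_form, unicode_form, scripts_of(unicode_form), skel, lookalike)


if __name__ == "__main__":
    for name in ("www.xn--80ak6aa92e.com", "www.apple.com"):
        r = inspect_hostname(name)
        print(f"{name}: shows as {r.unicode_form!r}, scripts {sorted(r.scripts)}, "
              f"look-alike of {r.lookalike_of}")
```

The report for Zheng's name shows why the visual check fails: every letter of the second-level label is Cyrillic, so there is no mixed-script oddity inside the label for a browser heuristic to catch, and only the skeleton comparison or typing the address yourself reveals that it is not apple.com.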