The Internet is a network of computers filled with valuable data, so there are many security mechanisms in place to protect that data.
But there's a weakest link: the human. If the user freely gives away their personal data or access to their computer, it's much harder for security mechanisms to protect their data and devices.
A phishing attack is an attempt to trick a user into divulging their private information.
An example attack
A phishing attack typically starts with an email that claims to be from a legitimate website, like a banking website or online store:
The goal of the email is to obtain private data from the user, so it either asks the recipient to reply with personal information or it links to a website that looks remarkably like the original site:
If the user is convinced and enters private details on the site, that data is now in the hands of the attacker! If the user filled in login details, they can then use those credentials to log in to the real website, or if the user provided credit card details, they can use the credit card to make purchases anywhere.
Signs of a phishing attack
Fortunately, there are some tell-tale signs of phishing scams.
Suspicious email address
Phishing emails will often come from addresses at domains that don't belong to the legitimate company.
Conversely, a legitimate email address is not a guarantee that an email is 100% safe. Attackers might have figured out a way to spoof the legitimate email address or hacked their way into control over the actual email.
Phishing emails will often link to a website with a URL that looks legitimate but is actually a website controlled by the attacker.
Attackers use a variety of strategies to make tempting URLs:
- Misspellings of the original URL or company name. For example, "goggle.com" instead of "google.com".
- A spelling that uses similar looking characters from other alphabets. For example, "wikipediа.org" versus "wikipedia.org". The "e" and the "a" are actually different characters in those two domains.
- Subdomains that look like the domain name. For example, "paypal.accounts.com" instead of "accounts.paypal.com". PayPal owns the second domain, but they have no control over the first.
- A different top level domain (TLD). For example, "paypal.io" versus "paypal.com". Popular companies try to buy their domain with the most common TLDs, such as ".net", ".com", and ".org", but there are hundreds of TLDs out there.
Even if an attacker hasn't found a similar looking URL to host their malicious webpage, they can still try to disguise the URL in the HTML.
Consider this very legitimate looking text:
Visit www.paypal.com to change your password.
Now try clicking the link. You didn't land on PayPal, did you? That's because the text of a link isn't the same as the destination of the link.
Here's what the HTML looks like:
Visit <a href="https://www.khanacademy.org/computer-programming/this-isnt-the-right-page/5778954880073728">www.paypal.com</a> to change your password.
An attacker might disguise links in that way in an email message or a webpage. Whenever you click a dubious link, it's important to check the URL in the browser bar to see where your browser actually landed.
Non-secured HTTP connections
Any website that is asking you for sensitive information should be using HTTPS to encrypt the data sent over the Internet.
Phishing websites don't always go through the extra effort to use HTTPS.
However, according to a report, more than two-thirds of all phishing websites used HTTPS in 2019, so a secured URL does not necessarily equate to a legitimate URL.
Requests for sensitive information
Phishing emails will often ask you to either reply with personal information or fill out a form on a website. Most legitimate companies do not need you to verify personal information after the original account creation.
Urgency and scare tactics
Phishing emails use psychological manipulation to lower our guard and get us to respond quickly without thinking through the consequences.
Handling a phishing attack
Every phishing scam will vary in its sophistication, so some emails may be very obviously fake while other emails can be incredibly convincing.
If you ever suspect an email is a phishing attack, do not click on any links or download any attached files.
Find another way to contact the supposed sender to see if the email is legit. If the email's from a company, you can search online for their phone number. If it's from a friend or colleague, you can message them or give them a call.
There's a new type of phishing that's even more popular and dangerous: spear-phishing. Instead of sending a similar email to many users, a spear phisher will research a user and send an email specifically targeting them.
Spear phishing attacks often target people within a organization, with the goal of gaining access to the organization's data.
One of my colleagues received this spear phishing email that claimed to be from Sal Khan himself:
Fortunately, it was obviously a spear phishing email from the sender's email address.
But not all spear phishing attempts are so obvious and not all targets are so vigilant. If just one person in an organization accidentally reveals their credentials or downloads malware onto their work computer, an attacker can potentially breach their entire company database. That's not just one person's data, that's thousands or millions of people's data. 😬
Want to join the conversation?
- At the bottom of the article it says
"🔍 Can you spot a phishing scam? Test your skills with this Phishing Quiz from Google."
the link takes me to
Is this a trick question? Does google actually own "withgoogle.com"?(20 votes)
- You can trust the link. One way to check is to visit the site, click the "lock" icon and check the certificate before proceeding. It's from Google and verified.(11 votes)
- I must be blind because I cannot see a difference. Pls help
(A spelling that uses similar looking characters from other alphabets. For example, "wikipediа.org" versus "wikipedia.org". The "e" and the "a" are actually different characters in those two domains.)(8 votes)
- In the first "wikipedia.org", all the letters, except the "a" are Latin small letters. The "a" is a Cyrillic small letter. You can't really tell this just by looking at the characters (which is why it is so hard to catch).(13 votes)
- Why do phishing attacks start with emails and not texts? Is it easier to get emails than phone numbers?(3 votes)
- Technically, went it is done over a phone call or voice message, it is referred to as "vishing" (voice phishing). When it is done over a text message, it is called "smishing" (sms phishing).(5 votes)
- Do some websites/companies take measures against phishing attacks?
There used to be a scam call claiming to be from the IRS, but people knew it was fake because the IRS doesn't make calls. What are some other ways to prevent phishing?(2 votes)
- There is almost nothing a website/company can do to prevent a phishing attack. A professional attacker will design their own login pages that look similar to those of the actual website. When you enter your information that information will be sent to two places, the actual website and the man in the middle (the attacker). You will then be redirected to the actual website and you wont be able to know if you were phished until the hacker has gained access into your account.
To prevent a phishing attack I recommend that if you receive an email from Instagram, FaceBook, or any other website go to the actual website and check. Do not click on any link or enter your information directly from the email unless you are 100% sure that the email sent is not a phishing attack.(1 vote)
- How did u make the fake link? It says it is PayPal but it didn’t bring me there. 🤔(2 votes)
- You can make something called a "anchor tag" in code which makes text blue and gives it a link, however, you can make the text itself say anything you want.
So you could have some text that says "accounts.google.com/login" but the link in the anchor tag will actually bring you to "info-snatcher.net" which could be a website that looks identical to the google account login.(3 votes)
- Phishing is a form of social engineering and scam where attackers deceive people into revealing sensitive information or installing malware such as ransomware.(2 votes)
- What if I'm on a website and a pop up telling me that I have a virus suddenly appears, what would happen if I clicked on the link. Would they steal all my personal info? I'm a bit confused.(2 votes)
- I don't think it necessarily immediately steals your info, but it probably depends. Mostly, probably, it will only steal info you give it after clicking the link. (credit card number, login info, etc.) Something similar actually happened to me a couple days ago. If you'd like to know more about it, I'd be happy to share. :-D(1 vote)