What is a phishing attack, and how to guard yourself against it?

By: AiroAV (Airo Security)

February 11th, 2019

A few days ago, I got a surprising email from an unknown sender, congratulating me on winning an enormous money prize (13,000,000$, to be precise) in a lottery card. The end of the letter stated that in order to claim the prize, I had to reply with my bank account details. Well, I guess 13,000,000$ could help me pay off my student loans, but something in that message smelled a bit fishy, or should I say… phishy?

Phishing is a malicious cyber-attack that attempts to obtain personal and sensitive data from users by pretending to be a trustworthy entity. The attackers use everyday platforms such as email and the web to deceive users into believing that by giving away their details or clicking a link, they will earn some benefit or avoid getting into trouble. Phishing scammers use many different tactics to disguise themselves as someone or something else. For example, they impersonate popular websites, redirect to fake web pages, or send deceptive emails that pretend to come from the recipient’s acquaintances or friends.

Lose your attention for just one second and your private data, such as credit card details, passwords and personally identifiable information, will be exposed to criminals and will probably be misused for fraudulent activities: losing a huge amount of money to unauthorized purchases or money transfers, and even identity theft. The attackers may also use your sensitive information for blackmail or sell it to third parties. Many times, you will not even be aware of the fraud until you see the charges on your credit card, or until you are suddenly spammed by senders you don’t know and don’t recall ever giving your details to.

There are a variety of phishing techniques out there, and these criminals keep getting more and more creative. But one common factor distinguishes phishing attacks from most other cyber-attacks: they all mainly target the human factor.

Common techniques for phishing

1. Fake emails from popular websites or companies

The attackers send out a mass spoof mail, posing as a popular website or entity (such as a social network, online shopping website, bank, university or any company with clients or users), targeting real users and non-users alike. This mail is usually an urgent warning about a security failure in the company’s servers, or an urgent request to renew an expired password within the next 24 hours. The provided spoof link redirects to a webpage that is almost identical to the original, mimicking the exact design, font and logo of the real website. After logging in with their credentials and choosing a new password, users are automatically redirected to an error page asking them to try again later. Meanwhile, their login details have been sent to the attackers, who are now able to log in to their real accounts, gaining full access to all their data and photos, and holding the user’s credentials to act “on their behalf” in other accounts.

In other cases, instead of redirecting to a fake webpage, these spoof links lead to an automatic download of malicious software.

2. Impersonating popular websites

Another technique attackers may use for phishing is creating an exact imitation of a familiar website on a slightly different domain, taking advantage of common spelling mistakes made while typing the address of the desired web page in the address bar. For example, wallmart.com or wolmart.com instead of walmart.com. Protecting yourself from this kind of attack requires continuous attention to the address bar. One typo and you’ll be looking at a fake version of your credit card company’s webpage. And let’s be honest here, the autocorrect feature has made us so lazy that we barely bother to check if we spell the words we’re typing correctly, right? So be aware that if you do try to log in with your credit card number and password, you’ll hand over your most sensitive data directly to the attackers.

3. Attractive suggestions from an unfamiliar source

‘Congratulations! You won!’ If you visit your spam folder, you’ll probably see that phrase a lot. This method is the least sophisticated and very old-fashioned, but many people still fall into that trap: emails with an attractive offer or exciting announcement from an unfamiliar source. A cheerful notification about winning a lottery, for example, a hot deal on a real estate investment, or even a letter about the inheritance of millions of dollars from a mysterious uncle who recently passed away.

These manipulative emails make recipients feel so lucky that they don’t want to miss the rare opportunity, and so they provide every detail the sender requests. Now I know what you’re thinking: ‘You’ve got to be a real dummy to fall for this.’ But these phishing letters can look very credible and authentic. Let’s say the scammer used your real name and appropriate language; wouldn’t you hope, somewhere in your heart, that this mail was real? After all, we all want to feel blessed from time to time.

How to guard yourself against phishing?

Here are some warning signs to be aware of:

1. Always check the URL of the webpage

If there’s a spelling mistake or any difference from the original domain, you are on the wrong website. And here’s a little tip: before you click on a link from an unfamiliar source, hover over it to see where exactly it leads, especially if you are not sure whether that’s the right address.
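As an added example (not code from this post or from Airo), here is a small Python link checker that applies the address-bar check from technique 2 and the hover check above: it flags domains a typo or two away from a trusted brand (wallmart.com, wolmart.com), a brand name hidden in a subdomain, and link text that names a different site than the real target. The trusted-domain list and all sample links are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed allowlist: the sites this user actually has accounts with.
TRUSTED_DOMAINS = {"walmart.com", "paypal.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits apart is the typosquat zone (wallmart vs walmart)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-cased hostname; bare 'walmart.com/x' is treated as a netloc too."""
    if "://" not in url:
        url = "//" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """Last two host labels (simplification: suffixes like co.uk are not handled)."""
    labels = host_of(url).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify_link(href: str, display_text: str = "") -> str:
    """One of: 'text-mismatch', 'trusted', 'brand-in-subdomain', 'lookalike', 'unknown'."""
    target = registrable_domain(href)
    # Hover check: the visible text names one site, the real target is another.
    text = display_text.strip()
    if "." in text and " " not in text and registrable_domain(text) != target:
        return "text-mismatch"
    if target in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # walmart.com.secure-verify.example: the brand only appears left of the real domain.
        if brand in host_of(href).split(".")[:-2]:
            return "brand-in-subdomain"
        # wallmart.com / wolmart.com / paypal-secure.example: near or embedding a real brand.
        sld = target.split(".")[0]
        if levenshtein(sld, brand) <= 2 or brand in sld:
            return "lookalike"
    return "unknown"
```

Anything other than 'trusted' deserves a second look at the address bar before you type a password; 'unknown' only means the domain is not on your own list.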

2. Watch out for redirections

Before giving any information or making a purchase, always recheck the URL to make sure you were not redirected to another fake webpage with a similar design.

3. Pay attention to visual mistakes

If the logo seems a bit different, the typical font has been changed or the quality of the photos is lower than usual, you have reason to be suspicious. Same for “winning” emails – if you see any spelling mistakes in the text, think again.

4. Error page after login

While getting an error page after trying to log in doesn’t necessarily point to a phishing attempt, fake web pages often use this technique. It should ring your alarm bells.

5. Exaggerated and generic wording

If the winning notification email you received were real, the sender would at least mention your name and not settle for a generic hello. In addition: wrong details about you, too many exclamation marks, exaggerated rewards or anything that creates a sense of urgency are all major warning signs. If it’s too good to be true, it usually isn’t.

6. An email sent out of the blue

If you never participated in a lottery, never showed any interest in real estate, or never heard about an old rich relative in your family, chances are that this crazy amount of money you just “won” or opportunity to buy a house is fake.

7. Let us worry for you

Protect yourself from phishing attempts and try Airo AV today.

By preemptively scanning domains and websites, Airo technology is able to prevent phishing attacks on a daily basis, keeping you safe and free of sorrow.
