How to prevent phishing attacks?
Falling into the net of phishing can happen to anyone and can have disastrous consequences. In this article we describe how to recognize phishing, and we recommend the appropriate tool to avoid it.
1. What is phishing?
Let’s look briefly at what is meant by phishing. The term phishing was coined in the 1990s and is considered a “word salad,” that is, the combination of the beginning of one word with the ending of another; in this case, the English words phreak and fishing. The first term dates from the 1970s and meant hacking into a telephone system, usually to make free phone calls. Fishing, on the other hand, is the act of trying to catch fish. Phishing, therefore, means something like trying to hook a user who is surfing the internet.
Technically, phishing is the activity whereby a user is induced to click on a link and then to send sensitive data or enter it into a web page. Phishing can also be used to trigger the installation of malware, spyware, or a Trojan on the victim’s computer or smartphone.
The attack is carried out by sending an email or a text message, or even through a chat program such as WhatsApp or Facebook Messenger. It often happens, for example, that after buying something on an ecommerce site you receive an email or text message asking you to click on a link. The message, which appears to come from a courier, warns you that there may be a delivery delay and asks you to click on a link to track the shipment.
However, phishing attempts can be very creative. You may also receive a message that appears to be from a bank, an energy provider, or an insurance company, asking you to click on a link with the utmost urgency in order to solve a sudden problem.
2. How a phishing attack works
A phishing attack follows a pattern called “social engineering”: it manipulates the victim by exploiting some personal data held by the attackers. Consider the case of a message about a supposed shipment. How is it possible for this message to arrive right after you have made an online purchase?
In the simplest case, the databases of the shop or of the courier may have fallen into the hands of the crooks. Alternatively, one of the computers on which the transaction took place could contain spyware, just as spyware could be lying dormant inside the victim’s own devices.
Whatever the reason our contact details (email address, chat accounts, etc.) are in the hands of criminals, it is around this information that the attack is built. Generally, cyber criminals are not targeting us specifically. The attack is launched on a large scale (spam phishing), so that someone is bound to fall for it; it is a matter of numbers.
The design of a phishing attack may prompt you to open an attachment, click on a link, fill out a form, or respond directly to the message with personal information. The most common scenario is as follows:
» You open your e-mail and find, in your inbox, a notice that appears to come from your bank, your actual bank. When you click on the link, you land on a web page very similar to your bank’s.
» The site is built only to steal information. The alert you received will warn you that there is a problem with your account and will ask you to confirm your login and password.
» After entering your credentials on the fake page, you are redirected to the bank’s real site, where you are asked to enter your information a second time, so you do not immediately realize that it was stolen in the previous step.
What we have described is the classic phishing setup aimed at stealing your home banking credentials. However, those who specialize in phishing can use a variety of channels, from SMS messages to phone calls, with just one goal in mind: to steal confidential information. And, unfortunately, only those who are particularly careful avoid getting into trouble.
Moreover, the fake web page trick applies to a variety of contexts. For example, cyber criminals can build a fake ecommerce site to prompt a purchase, and the unsuspecting user will enter his credit card information.
In summary, the goals of a phishing attack are:
» To infect the device with malware, a Trojan, or spyware by clicking on an email attachment or a link that leads to a page hiding the malicious code.
» To steal personal data (bank credentials, health data, physical home address, etc.).
» To gain control of credentials in order to access applications and to then use them for an attack on the corporate network.
» To convince you to send money or blackmail you in some way.
It should also be noted that a phishing message can arrive from a known sender without that person’s knowledge. The classic case is a message received on Facebook Messenger from a friend, inviting you to click on a link. Because it comes from a friend, you tend to trust it, and the damage is done. In reality, the friend’s Facebook account has been compromised without them realizing it.
The “friend” could also be your boss asking you to do something, for example, to send confidential company documents. And what do we do? Send them? No. So be careful, because a well-constructed phishing attack can be the prelude to an attack that takes down corporate systems.
3. How to prevent phishing attacks and live peacefully
Having understood the risks involved, it is now time to explain how to prevent phishing attacks and live peacefully.
First, you need to be very careful: there are numerous cases of phishing where users who were not very clear-headed at the time took the bait. You must also analyze the message carefully. Here is what to watch out for specifically:
» Type of request. No one, not even a supposed friend in need, would ask for money via e-mail. Banks and other companies warn their customers in every way: they never send requests for money or personal information via the web, just as gas companies do not send representatives to check your bills. In case of doubt, verify the request with a phone call, using a number you already have rather than one given in the message.
» Attachments. Never open e-mail attachments you are unsure about or that have suspicious file extensions, such as .exe.
» Be wary of urgency. The phisher wants to alter your emotional state so that you act without thinking clearly. So, they will use terms like “hurry up,” “urgent,” “solve the problem now,” and “you must do this right away.”
» Grammatical errors. Attackers are almost never Italian. The text of the message, and the landing page you end up on, generally contain errors of grammar or syntax. Read every word carefully before doing anything.
» Link and sender. Never click on the link; instead, hover over it with your mouse. At the bottom left, your email program will show you the full link, and you can check whether it really points to your bank’s domain. Do the same for the sender of the email: expand the sender field to see the full address and double check it. If it is a generic address with a very strange domain name (email@example.com is the first one I found in my spam folder), delete the email immediately.
» Dear Sir. Your bank or your energy provider would never send you an e-mail that starts with “dear sir”; your bank knows very well what your name is and can even prefill it in the first line of text.
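The checklist above can be turned into automatic checks. The following Python script is an added example (not code from this article or from FlashStart): it parses a constructed sample message and flags the sender domain, a risky attachment extension, urgency wording, a generic greeting, and links whose real target differs from the text shown. The sample message, the extensions beyond .exe, and the simplified "last two labels" notion of a domain's owner are all assumptions of this example.

```python
"""Checklist-style phishing heuristics run over a constructed sample e-mail (added example)."""
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Pressure words the article lists, and the generic greeting it warns about.
URGENCY_TERMS = ("hurry up", "urgent", "solve the problem now", "right away")
GENERIC_GREETINGS = ("dear sir", "dear customer")
# .exe comes from the article; the other extensions are an assumption of this example.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs")


def registrable_domain(host: str) -> str:
    """Simplified owner domain: the last two labels. (Assumption: no public-suffix
    list is used, so names under multi-label suffixes such as co.uk are not handled.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(link: str) -> Optional[str]:
    """Hostname of a URL, or of bare link text such as 'www.mybank.example/login'.
    Returns None for text that is not a host at all (e.g. 'click here')."""
    host = urlparse(link if "://" in link else "//" + link).hostname
    return host if host and "." in host and " " not in host else None


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs and all visible text from an HTML part."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self.text: List[str] = []
        self._href: Optional[str] = None
        self._anchor: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def analyze(msg: EmailMessage, expected_domain: str) -> List[str]:
    """Return one finding per checklist item that fires; an empty list means nothing suspicious."""
    findings: List[str] = []
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2]
    if registrable_domain(sender_domain) != registrable_domain(expected_domain):
        findings.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")

    text_chunks: List[str] = []
    links: List[Tuple[str, str]] = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            if name.endswith(RISKY_EXTENSIONS):
                findings.append(f"attachment {name!r} has a risky extension")
        elif part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            links.extend(collector.links)
            text_chunks.extend(collector.text)
        elif part.get_content_type() == "text/plain":
            text_chunks.append(part.get_content())

    body = " ".join(text_chunks).lower()
    subject = str(msg.get("Subject", "")).lower()
    if any(term in body for term in URGENCY_TERMS) or "urgent" in subject:
        findings.append("urgency wording in subject or body")
    if any(body.lstrip().startswith(greeting) for greeting in GENERIC_GREETINGS):
        findings.append("generic greeting instead of your name")

    for href, shown in links:
        real, displayed = host_of(href), host_of(shown)
        if real and registrable_domain(real) != registrable_domain(expected_domain):
            findings.append(f"link points at {real!r}, not {expected_domain!r}")
        if real and displayed and registrable_domain(real) != registrable_domain(displayed):
            findings.append(f"link text shows {displayed!r} but target is {real!r}")
    return findings


def build_sample_message() -> EmailMessage:
    """Constructed sample in the style the article describes; not a real message."""
    msg = EmailMessage()
    msg["From"] = '"My Bank Security" <alerts@mybank-secure-login.example>'
    msg["To"] = "customer@example.org"
    msg["Subject"] = "URGENT: confirm your account now"
    msg.set_content("Dear Sir,\nWe found a problem with your account. Solve the problem now:\n"
                    "https://www.mybank.example/login\n")
    msg.add_alternative(
        '<html><body><p>Dear Sir,</p><p>We found a problem with your account. '
        'Solve the problem now:</p><p><a href="http://www.mybank.example.login-verify.example/confirm">'
        'https://www.mybank.example/login</a></p></body></html>', subtype="html")
    msg.add_attachment(b"constructed bytes, not an executable", maintype="application",
                       subtype="octet-stream", filename="statement.pdf.exe")
    return msg


if __name__ == "__main__":
    for finding in analyze(build_sample_message(), "mybank.example"):
        print(" -", finding)
```

The link check is the heart of it: the hostname comes from the href (what the mouse-hover in your mail client shows), not from the text between the tags, and a lookalike such as www.mybank.example.login-verify.example is reduced to its owner, login-verify.example, before comparison.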
4. A DNS filter also protects you from phishing
Having provided all the useful information on how to prevent phishing attacks, we conclude this mini-guide with the most important tip: equip yourself with a DNS filter, which blocks browsing to sites considered dangerous.
A browsing protection service, such as FlashStart’s DNS filter, can be installed on all the devices in use, including smartphones and laptops. Thanks to the very large network of databases of dangerous sites (blacklists) that FlashStart consults in real time, the user is guaranteed never to land on a site with malicious intentions, and the browsing of the youngest, the most defenseless, and those who are not sufficiently careful is protected.
Also, as we said earlier, the problem of phishing does not affect individual users only. It is therefore strongly recommended that companies also equip themselves with a filtering system for browsing from their employees’ devices.
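To show what a DNS filter actually decides for each query, here is a toy policy resolver written as an added example; it is not FlashStart's implementation and says nothing about how their service is built. It assumes a constructed blocklist keyed by owner domain with a category label, an allowlist checked first, an unroutable sinkhole answer for blocked names, and a dictionary standing in for the upstream resolver. Matching walks up the name label by label, so every subdomain of a listed domain is blocked without listing each one.

```python
"""Toy DNS-filter policy lookup (added example; not FlashStart's implementation)."""
from typing import Callable, Dict, Optional, Tuple

# Constructed blocklist keyed by owner domain; the category labels are an assumption.
BLOCKLIST: Dict[str, str] = {
    "login-verify.example": "phishing",
    "free-prizes.example": "scam",
}
# Names that must never be blocked, even if a list entry would otherwise match them.
ALLOWLIST = {"mybank.example"}
# Assumption: blocked names receive an unroutable answer so the browser cannot connect.
SINKHOLE = "0.0.0.0"

# Constructed stand-in for the upstream resolver (documentation addresses only).
CONSTRUCTED_ZONE: Dict[str, str] = {
    "www.mybank.example": "192.0.2.10",
    "www.mybank.example.login-verify.example": "192.0.2.66",
    "news.example": "192.0.2.20",
}

Decision = Tuple[str, Optional[str], Optional[str]]  # (action, answer, category)


def normalize(name: str) -> str:
    """Case-fold and drop the trailing dot so lookups are consistent."""
    return name.strip().lower().rstrip(".")


def match_blocklist(name: str) -> Optional[Tuple[str, str]]:
    """Walk from the full name up to its last two labels; the first listed
    suffix wins, so sub.deep.listed.example is caught by 'listed.example'."""
    labels = normalize(name).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate, BLOCKLIST[candidate]
    return None


def is_allowlisted(name: str) -> bool:
    """True for an allowlisted domain or any name beneath it."""
    return any(name == a or name.endswith("." + a) for a in ALLOWLIST)


def resolve_policy(name: str, upstream: Callable[[str], Optional[str]]) -> Decision:
    """Apply the filter to one query: allowlist first, then blocklist, then upstream."""
    name = normalize(name)
    if is_allowlisted(name):
        return "allow", upstream(name), None
    hit = match_blocklist(name)
    if hit:
        return "block", SINKHOLE, hit[1]
    return "allow", upstream(name), None


def resolve_and_log(name: str, client: str) -> Decision:
    """Resolve and emit the kind of log line an administrator reviews to see
    which device tried to reach a blocked phishing domain."""
    decision = resolve_policy(name, CONSTRUCTED_ZONE.get)
    action, answer, category = decision
    print(f"client={client} qname={normalize(name)} action={action} "
          f"category={category or '-'} answer={answer}")
    return decision


if __name__ == "__main__":
    # The lookalike host from the phishing link is blocked; the real bank resolves normally.
    resolve_and_log("www.mybank.example.login-verify.example", "10.0.0.5")
    resolve_and_log("WWW.MyBank.example.", "10.0.0.5")
    resolve_and_log("news.example", "10.0.0.7")
```

Note that the allowlist test is a suffix test on the real owner domain, so a lookalike such as www.mybank.example.login-verify.example does not slip through just because it contains the bank's name: its owner is login-verify.example, which is what the blocklist walk reaches. In a deployment, the filter's log lines are what detection and incident response would review.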
4.1 FlashStart: an influential source for “ScamAdviser”
Since 2022, FlashStart has been an influential source of “trust” for ScamAdviser.
In every public search that returns a malware-free, danger-free result, FlashStart is mentioned and linked, an important achievement that reinforces the company’s mission; thanks to its platform, it can be considered an alternative to ScamAdviser.
The cyber security journey of the Italian company FlashStart started with SMEs and schools and has reached, today, a global distribution in as many as 146 countries, with a variety of protection services and products able to meet every need, on any type of business device and connection, even remotely, all over the world.
FlashStart’s vision is to ensure the safety of users over any economic consideration and to make use of a selected and growing network of local partners which can guarantee immediate, on-site intervention for any need.
Thanks to its unwavering commitment to cyber security, FlashStart can now guarantee the security of online searches on the famous and already established ScamAdviser system, helping millions of consumers every month to determine if a Web site is genuine or an attempted scam.
DNS filters for home and family users, such as FlashStart’s ClientShield, block browsing to sites considered dangerous for any reason (pornography, pedophilia, malware, scams, phishing, etc.): it is worth a thought; with a single solution, also available as a service, you can browse safely.
On any router or firewall you can enable FlashStart® Cloud protection in order to secure desktop, mobile, and IoT devices on local networks.