Recognising phishing attacks and how to protect against them

Cyberattacks are on the rise and scammers are getting smarter. The many innovative scenarios that they create to deceive victims are making it increasingly difficult to tell legitimate emails apart from phishing attempts.

One moment you’re answering an email that’s supposedly from a co-worker, the next you are frantically calling your bank to tell them that you did not spend $10,000 on four flight tickets to Greenland.

That’s how people fall for phishing scams: answer a malicious email or text, or a questionnaire on a website, and before you can bat an eye, your bank account or credit card is compromised.

Most of us may think that we are already very careful or too savvy to be caught in a situation like this. But you might be surprised. Well, let’s test how “cyber strong” you really are with these scenarios below:

1. True or False: It’s easy to spot phishing attacks because their websites are always slightly misspelt.

Though it may be the case sometimes, the answer is ’false’.

Many fake websites do have slight spelling differences from the real thing, but there’s also a form of phishing that uses an International Domain Name (IDN) homograph attack.

What’s that, you ask? When a website’s name uses a foreign alphabet (e.g. Cyrillic) it’s translated to something called Punycode. To put it in basic terms, some characters in these foreign languages directly resemble their English counterparts when they appear in the address bar.

For example, the Cyrillic letter “a” is visually identical to the English one. But to the computer, they are different. Because of this, it’s possible to set up a fake page that visually shows a correct address, but will lead you elsewhere. A web developer, Xudong Zheng, recently demonstrated this by setting up a fake website that’s literally called www.apple.com (it even has the green “secured connection” lock and everything).

Web browsers are currently developing ways to counter this. But if you want to be extra cyber safe, you should type in the address manually. Adopting this practice as a rule of thumb is the only way to be 100 per cent sure you’re avoiding this trap.

2. True or False: Phishing emails only appear out of the blue, which makes on-going email threads safe from phishing.

Again, false.

Phishing emails no longer always come as a new or standalone email. They can now even insert themselves into the middle of an existing email thread.

For example, say you’re in the middle of an email conversation with your colleagues. A few emails in, you get one that says “Hey, can you look this over for approval?”

Thinking nothing of it, you click it and… your computer starts going berserk, downloading all sorts of malware and spyware.

Most people don’t expect a phishing email to appear mid-conversation, so it’s easy to be caught off guard this way. The only solution is to be alert and look out for any strange or out of context messages. It’s always best to check again with the supposed sender if something looks out of the ordinary.

3. Did you know that your posts on social media can be used to phish information from you?

You’ve probably heard of social networking sites like LinkedIn. Lots of people take time and effort to embellish their LinkedIn profiles with their achievements, places they’ve worked at, positions held, and so on. That makes it easy for hackers to craft emails that look like they’re from your boss or colleagues.

Through Facebook, Instagram, and other social media sites, hackers can create contextual phishing emails or messages too. They can view your vacation location on your Instagram pictures, especially if your profile is set to public mode. Then, hackers inconspicuously send you an email asking, for example, if you “left this while you were in Bali”. You click into the email unsuspectingly and end up downloading spyware.

Cunning hacker moves like these can sometimes be hard to notice, but there are some telltale signs. For example, if a colleague who just resigned is apparently contacting you via their work email, or if the email about your last vacation is from a nameless source, you know there’s something “phish-y” going on. If you’re constantly vigilant, you’ll be much better at spotting and evading potential phishing attacks.

4. Do you verify payment requests before making payment?

Finally, the most common phishing attacks claim to be overdue account payments, or statements saying your last transaction failed.

In such situations, you’ll then be asked to click a link to verify details, for payment or other matters. You will likely click into it and fill it all up, because you don’t want to be spending Saturday night without things like your Netflix, right?

But as soon as even 30 minutes later, someone in an exotic country is buying themselves a new luxury hand bag at your expense*.

If you’re wise to phishing attacks though, you’ll be sure to follow up on such emails with careful authentication. This could mean a phone call to the service provider to confirm if it’s real and a refusal to click the email link before you get the verification.

Phishing attacks get smarter all the time. So should you.

No matter how cyber-sharp you think you are, bear in mind that phishing crooks have one big advantage: They can fail hundreds of times, but you only need to slip up once.

As an added precaution, get a credit/debit facility that comes with two-factor authentication (2FA) or a digital token. Having an additional layer of security creates an added barrier against phishing thieves who are trying their best to use your stolen card details or banking information.

And if you have clicked on any odd links, or experienced your computer slowing down, take it to a professional. Get it scrubbed clean of malware or spyware, even if nothing serious seems to have happened. As attackers get more and more clever, it’s always better to be safe then sorry.

Make sure you get smarter against phishing attacks by learning about the latest tools to guard yourself financially while banking online. Check out how to Live Cyberstrong with our #BSHARP guide.

*The thief probably isn’t the one who created the phishing attempt; they often just buy stolen credit card details online.