HOW TO AVOID PHISHING ATTACKS?
As part of your efforts to improve your digital security, you may come across ill-intentioned parties or people who try to put you at risk. We call these people and actors "adversaries" or "attackers". When an attacker sends you an email or a link that looks innocent but turns out to be malicious, it is called phishing.
A phishing attack usually comes in the form of a message intended to convince you to:
- click on a link;
- open an attached file;
- install a program on your device; or
- enter your username and password on a website designed to look like the original one.
Phishing attacks can trick you into exposing your passwords or installing malware on your device. Attackers can use this software remotely to take control of your device, steal certain information, or spy on you.
This guide helps you identify phishing attacks when you see them and provides some practical steps to help you fight these attacks.
Types of phishing attack
Phishing for passwords (also known as credential harvesting)
Web addresses embedded in messages can lead to destinations other than the one shown in the link text. On a computer, you can usually see the real destination by placing your mouse pointer over the link. But links can also be disguised by using similar-looking letters, or by using site names that resemble well-known sites but differ by only one letter, so that you are taken to a web page that appears to belong to an online service you are familiar with, such as Gmail or Dropbox. Typically, these fraudulent pages requesting login details look identical to the original pages, so you may not hesitate to enter your username and password. But if you do, you have just sent those details to the attacker.
So before entering any password, look at the address bar at the top of your web browser. There you will see the real address of the page, and if this address differs from the address of the website you thought you were browsing, stop immediately! Remember that seeing a company's logo on a page does not necessarily mean that it is the original page. Anyone can copy a logo or design and paste it onto their own page to fool you.
Some phishers use web addresses that look like those of popular sites in order to trick you. For example, http://wwwpaypal.com/ is different from https://www.paypal.com/. Likewise, http://www.paypaI.com/ (with a capital "I" instead of a lowercase "l") is different from https://www.paypal.com/.
Many people use specialized services to make a long web address easier to read or print, but the same technique can be used to hide a malicious destination. If you receive a short web address like the t.co links popular on Twitter, you can check it at https://www.checkshorturl.com/ to see its true destination.
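The checks described above (comparing the address shown with the real destination, and spotting hosts built from a missing dot or a look-alike letter) can be automated on the defender's side, for example in a mail filter or a browser extension. The following is an added example, not code from the original guide; the brand list, confusable-character table and sample links are all constructed for illustration, and the two-label "registrable domain" rule is a simplification of what a real implementation would take from the public suffix list.

```python
import re
from urllib.parse import urlsplit

# Constructed list of legitimate registrable domains this checker protects.
KNOWN_DOMAINS = {"paypal.com", "gmail.com", "dropbox.com"}

# Characters commonly substituted for each other in look-alike host names.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})

# Does a piece of link text itself look like a web address?
URL_LIKE = re.compile(r"^(?:[a-z]+://)?(?:www\.)?[\w-]+(?:\.[\w-]+)+", re.IGNORECASE)


def host_of(url: str) -> str:
    """Host part of a URL, keeping its original case. urlsplit().hostname
    lower-cases the host, which would hide a capital I posing as a lowercase l."""
    if "://" not in url:
        url = "http://" + url
    netloc = urlsplit(url).netloc
    netloc = netloc.rsplit("@", 1)[-1]            # drop any user:pass@
    return netloc.split(":", 1)[0].rstrip(".")    # drop :port and trailing dot


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'www.paypal.com' -> 'paypal.com' (enough for the
    two-label brands in this example; real code would use the public suffix list)."""
    return ".".join(host.split(".")[-2:])


def normalize_host(host: str) -> str:
    """Undo the common letter substitutions before comparing against known brands."""
    return host.translate(CONFUSABLES).lower().replace("rn", "m")


def classify_link(url: str) -> str:
    """'legit' for a known brand domain, 'lookalike' for a host that imitates one
    (confusable letters, a missing dot, or the brand name inside another domain),
    'unrelated' otherwise."""
    host = host_of(url)
    if not host:
        return "unrelated"
    if registrable_domain(host.lower()) in KNOWN_DOMAINS:
        return "legit"
    norm = normalize_host(host)
    if registrable_domain(norm) in KNOWN_DOMAINS:
        return "lookalike"                         # paypaI.com, paypa1.com
    brand_words = {d.split(".")[0] for d in KNOWN_DOMAINS}
    if any(word in norm for word in brand_words):
        return "lookalike"                         # wwwpaypal.com, paypal.com.evil.net
    return "unrelated"


def link_text_mismatch(visible_text: str, href: str) -> bool:
    """True when the text shown for a link is itself a web address whose domain
    differs from the real destination in href (what hovering over the link reveals)."""
    text = visible_text.strip()
    if not URL_LIKE.match(text):
        return False
    shown = registrable_domain(host_of(text).lower())
    actual = registrable_domain(host_of(href).lower())
    return shown != actual


if __name__ == "__main__":
    # Constructed sample links, including the two from the text above.
    for sample in ("https://www.paypal.com/", "http://wwwpaypal.com/",
                   "http://www.paypaI.com/", "https://paypal.com.evil-login.net/",
                   "https://example.org/"):
        print(f"{classify_link(sample):10} {sample}")
    print(link_text_mismatch("https://www.dropbox.com/share", "https://dr0pbox.com/x"))
```

A match on the brand word is deliberately conservative: a host such as "paypalnews.com" would also be flagged, which is the right trade-off for a warning that asks the reader to look at the address bar before typing a password.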
Remember, it is easy to forge an email so that it shows a fake sender address. This means that looking at the sender's visible address is not sufficient to confirm that the email was actually sent by the person whose name appears.
Spear phishing
Most phishing attacks cast a wide net: the attacker may send emails to hundreds of thousands of people, claiming that the mail contains an interesting video, an important file, or details of a financial problem.
But sometimes a phishing attack is designed around specific information the phisher knows about the victim, and this is called spear phishing. Imagine receiving an email from your uncle Basim saying it contains pictures of his children. Since Basim really does have children, and the email appears to come from his address, you open it and find an attached PDF file. When you open the attachment, you may indeed see pictures of Basim's children, but at the same time it is quietly installing malware on your device that helps spy on you. It was not Uncle Basim who sent the email, but an attacker who knows that you have an uncle named Basim (and that Basim has children). The file you opened launched your PDF reader, but it took advantage of a flaw in that program to run the attacker's code: it showed you a PDF and at the same time downloaded malware onto your computer. This software can copy the contact details of people you know, as well as record what the microphone hears and what the camera sees on your device.
The best way to protect yourself from phishing attacks is by not clicking on any links or opening any attachments. But since this advice is not practical for most people, here are some practical steps for countering phishing attacks.
How can you help protect yourself from phishing attacks
Make sure your software is always up-to-date
Phishing attacks that use malware often rely on vulnerabilities in other programs to get the malware onto your device. Usually, when a flaw is discovered, the software manufacturer releases an update that fixes it. This means that outdated software carries many widely known flaws that help install malware. So making sure your software, including your antivirus software, is always updated reduces the risk of malware.
Use a passphrase manager with an auto-fill option
Passphrase-managing programs that automatically fill in passphrases keep a record of the sites and their passphrases. While it is easy to trick people with fake web pages requesting login details, passphrase management software cannot be fooled in the same way, because it only fills in details for the site they were saved on. If you are using a passphrase management program (including the feature that saves passphrases in your browser) and it refuses to automatically fill in your login details, you should stop for a moment and check the website you are browsing. It may be better to use a program that generates your passphrases for you, so that you are forced to rely on the auto-fill feature, which reduces the chances of you entering your passphrase on a fake site.
Verify emails with their senders
One way to confirm whether an email is phishing is to check with the sender through another communication channel. If the email claims to be from your bank, do not click on the links in the mail. Instead, contact your bank, or open your browser and type in your bank's website address yourself. Likewise, if your uncle sends you an email with attachments, call him and make sure that he actually sent you the pictures of his children before opening the attachments.
Open suspicious files on Google Drive
Some people expect to receive emails and attachments from people they don't necessarily know. For example, journalists usually receive many files from their sources. However, it can be difficult to ensure that a Word, Excel or PDF file does not contain malware.
In these cases, do not double-click the downloaded file. Instead, upload it to Google Drive or another online document reader. This converts the file into an image or an HTML page, which will almost certainly prevent it from installing malware on your device. If you are ready to learn new programs and willing to spend the time needed to set up a new environment for reading received mail and files, there are some operating systems designed to reduce the impact of malware. TAILS, a Linux-based operating system, erases itself after you use it. Qubes, another Linux-based system, carefully separates applications so that they cannot interfere with each other, which sharply limits the impact of any malware. Both systems are designed to work on desktop and laptop computers.
You can also submit suspicious links and files to VirusTotal, an online service that scans files and links with multiple anti-virus engines and then reports the results. This is not a completely foolproof method, as antivirus engines often cannot detect new malware or targeted attacks, but it is better than no verification at all.
Any file or link that you upload to a public site such as VirusTotal or Google Drive can be viewed by any of that company's employees, or even by anyone who has access to the website. If the information in the file is sensitive or very private, you may want to use another method of verification.
Use a Universal Second Factor (U2F) key when logging in
Some websites allow you to use a special standalone device with features designed to defeat phishing attacks. These devices (or "keys") communicate with your web browser to confirm your login to the website. This is called a universal second factor (U2F) because the standard asks for a second method of authentication, alongside your passphrase, when you log in. You log in as usual, and then when prompted you connect the key to your computer or smartphone and press a button to complete the login. If you are on a phishing site, the browser will know not to log you in with the credentials that were registered for the original site. This means that even if a phisher tricked you and stole your passphrase, they would not be able to get into your account.
But this should not be confused with two-factor authentication in general, which may not provide protection from phishing.
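The difference between a U2F key and a one-time code, described in the two paragraphs above, comes down to what the second factor is bound to: the key's response covers the website origin the browser is actually showing, while a typed code is tied only to a shared secret and the clock. The following is an added example, not code from the original guide and not a real U2F implementation: real keys use ECDSA key pairs and the browser supplies the origin, whereas here the per-origin key is derived with HMAC from a device secret so that the walk-through needs only the standard library. The origins, user name and secrets are constructed.

```python
import hashlib
import hmac
import os

# Constructed origins for the walk-through.
REAL_ORIGIN = "https://www.paypal.com"
FAKE_ORIGIN = "https://www.paypaI.com"   # capital I, the look-alike from the text


class SecurityKey:
    """Hypothetical U2F-style device (simplified, symmetric model)."""

    def __init__(self):
        self._device_secret = os.urandom(32)

    def _origin_key(self, origin: str) -> bytes:
        # One key per origin, derived from the device secret.
        return hmac.new(self._device_secret, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # A real key hands back a public key; in this symmetric model the
        # site receives the per-origin secret itself.
        return self._origin_key(origin)

    def sign(self, origin: str, challenge: bytes) -> bytes:
        """The browser passes the origin it is displaying, and the response
        covers it: that is what binds the login to one particular site."""
        msg = origin.encode() + challenge
        return hmac.new(self._origin_key(origin), msg, hashlib.sha256).digest()


def totp(secret: bytes, time_step: int) -> str:
    """Six-digit one-time code (HOTP-style, SHA-1) computed from a shared secret
    and a time counter; nothing about the website's address goes into it."""
    mac = hmac.new(secret, time_step.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


class Website:
    """The genuine site. It stores U2F key material and TOTP secrets per user."""

    def __init__(self, origin: str):
        self.origin = origin
        self._u2f_keys = {}
        self._totp_secrets = {}

    def enroll(self, user: str, key: SecurityKey) -> bytes:
        self._u2f_keys[user] = key.register(self.origin)
        self._totp_secrets[user] = os.urandom(20)
        return self._totp_secrets[user]      # handed to the user's phone app (QR code)

    def challenge(self) -> bytes:
        return os.urandom(32)

    def verify_u2f(self, user: str, challenge: bytes, assertion: bytes) -> bool:
        msg = self.origin.encode() + challenge
        expected = hmac.new(self._u2f_keys[user], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)

    def verify_totp(self, user: str, time_step: int, code: str) -> bool:
        return hmac.compare_digest(totp(self._totp_secrets[user], time_step), code)


def u2f_login(site: Website, key: SecurityKey, user: str, origin_in_browser: str) -> bool:
    """The site's challenge reaches the key through whatever page the user is on;
    the key signs over the origin the browser reports for that page."""
    ch = site.challenge()
    return site.verify_u2f(user, ch, key.sign(origin_in_browser, ch))


def totp_login(site: Website, user: str, phone_secret: bytes, time_step: int) -> bool:
    """The code the user types is valid wherever it was typed, so a look-alike
    page that forwards it to the real site gets the same result as the user."""
    return site.verify_totp(user, time_step, totp(phone_secret, time_step))


def scenario() -> dict:
    site, key = Website(REAL_ORIGIN), SecurityKey()
    phone_secret = site.enroll("alice", key)
    return {
        "u2f_on_real_site": u2f_login(site, key, "alice", REAL_ORIGIN),
        "u2f_via_lookalike": u2f_login(site, key, "alice", FAKE_ORIGIN),
        "totp_via_lookalike": totp_login(site, "alice", phone_secret, 1_700_000),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:20} login {'succeeds' if ok else 'is rejected'}")
```

The lookalike U2F attempt fails twice over: the key derives a different secret for the other origin, and the response covers that origin rather than the one the genuine site checks against, so the stolen passphrase alone is not enough. The one-time code has no such binding, which is why the text warns that two-factor authentication in general may not stop phishing.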
Be careful with email instructions
Some phishing messages claim to be from a computer's technical support department or a technology company and ask you to respond by sending your password, or by allowing the "technician responsible for repairing your device" to access your device remotely, or by disabling some security features on your device. The email may give a false justification for the reason and importance of this request, for example by claiming that your email inbox has become full or that your device was vulnerable to hacking. Unfortunately, obeying these false instructions can be very bad for your security. Be especially careful before giving anyone any technical data or obeying any technical instructions unless you are absolutely certain that the source is real and authentic.
If you have any doubt about a link or email that was sent to you, do not open the mail or click on the link until you have taken the precautions described above and are completely sure that it is not malicious.