Put simply, phishing is one of the greatest security concerns there is. It is one of the easiest ways for a hacker to get into your bank account, your Facebook account, or even into your corporate perimeter. And yet a survey by McAfee from 2014-2015 showed that 97% of people globally are unable to identify phishing emails.
Phishing is an attempt by a hacker to pose as a legitimate organization, such as your bank, and then trick you into giving up your credentials (typically your login and password).
Using the example of a bank, this is generally accomplished through an email that looks like it came from your bank which then leads you to a website that looks exactly like your bank website. Only it isn't your bank website. When you put in your login and password, the hacker now has what he needs to log in and take your money.
Phishing in 2 steps:
I'm going to take a few minutes to lead you through the most important things you need to know to avoid being victimized by this technique.
There are a lot of simple ways that an unsophisticated hacker could screw up and make it obvious that they are not who they say they are.
An easy one to spot is language: the people who write to you from your bank are normally able to speak and write the language of your country perfectly.
More insidious though are malformed email addresses. Note in the image above, for example, a person whose name is given as "Sonia Bagasba" but whose email belongs to a person named "Anita Marquez". This is egregiously bad though, and you should not assume it will always be this easy.
A slightly harder example is when the URL (Uniform Resource Locator, a fancy name for the web address) looks almost exactly like the appropriate address but is not. For example:
Look closely, you'll see that the "o" in "of" is actually a zero. Go ahead and click on this link, and you'll see something interesting that we'll address in the next section. You'll note that it takes you to the correct website.
Another example - the hardest one to spot - is when the address appears legitimate but is actually not. Mouse-over the address below:
You see that the address looks correct, but when you mouse-over it, the URL actually hides the same bad address with a zero replacing the "o".
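The two link checks described above can also be run automatically over the HTML body of an email. The following is an added example, not part of the original article; the trusted-domain list, the digit-to-letter table and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"bankofamerica.com"}  # assumption: domains the reader really uses
# Digits that imitate letters (the article's case is 0 for o); constructed list.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def domain_of(text):
    """Base domain (last two labels, a simplification) of a web address, else None."""
    text = text.strip()
    try:
        host = urlsplit(text if "://" in text else "http://" + text).hostname
    except ValueError:
        return None
    if not host or "." not in host or len(text.split()) != 1:
        return None  # plain words such as "Sign in" are not an address
    return ".".join(host.lower().split(".")[-2:])

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def check_links(html):
    """Return (href, reason) for each suspicious link in an HTML email body."""
    collector, findings = LinkCollector(), []
    collector.feed(html)
    for href, text in collector.links:
        target, shown = domain_of(href), domain_of(text)
        if target is None:
            continue
        if shown and shown != target:  # what hovering over the link would reveal
            findings.append((href, "visible address differs from real target"))
        if target not in TRUSTED and target.translate(LOOKALIKES) in TRUSTED:
            findings.append((href, "look-alike of a trusted domain"))
    return findings

# Constructed sample: first link hides the zero-for-o address behind correct text.
SAMPLE = ('<a href="http://www.bank0famerica.com/login">www.bankofamerica.com</a>'
          '<a href="https://www.bankofamerica.com/">Sign in</a>')
```

Calling `check_links(SAMPLE)` reports the first link twice, once for each check, and passes the second link.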
Lastly, as a general rule, you should assume that your bank, or any corporation, is never going to email you asking for your password. Most hackers have stopped doing this because most people know it by now. You are more likely to get an email claiming that your account has already been hacked and you must now change the password.
If you're ever not sure from the look of the email, call your bank directly and ask them if this is true.
Now if somehow you were still fooled, after checking all of these things, let's talk about how you can spot problems on the fraudulent website to which they linked you.
Here is the website I had you click on earlier.
You'll note that the address is correct and has no zero in it. A lot of banks and corporations are wising up to this problem, and as a safety measure, they buy all similar addresses themselves and have them redirect to the proper website. A hacker cannot send you to www.Bank0fAmerica.com because the real Bank of America bought that bad address to protect itself, and you, as their customer.
The second thing is that green padlock in the top left. Click it to reveal the website's certificate. If you click that second tab, "Connection", you'll see where I've highlighted that Symantec verifies that this website is the true website of Bank of America Corporation.
There are two more problems that are conspiring right now to make this still a bit of a tricky situation:
ICANN, the Internet Corporation for Assigned Names and Numbers, the organization that releases new web addresses, already has over 800 names (like .com, .net) and is releasing 1300 new names over the next few years. More names means it is easier than ever for hackers to create website names that look like they could belong to your company.
In the past, it was expensive and time-consuming to get a certificate like the one in the second image that verifies the website. Now, many organizations do it very cheaply for 30 days. Both of these are perfect for hackers. They get "verification" of their fraudulent site with less oversight, and it only lasts for 30 days so they can disappear after using it.
So I'm going to leave you with a special caveat: check very carefully that the address appears correctly in both the address bar (the first image in this section) and in the certificate (the second image).
Unfortunately, there are newer, more sophisticated types of phishing these days - ones that cannot easily be detected with little tricks like this and require something more.