Phishing attacks are fairly simple. A hacker attempts to get you to click a link that invites them into your computer or network. Okay, maybe not that simple, but the consequences of being pwned by the hacker are no laughing matter. It would be like someone coming to your front door and you believing the person you see through the peephole is who they say they are: someone you know. However, they are the proverbial wolf in sheep's clothing. So, you invite them in and give them the treatment you would provide to someone you trust.
Hackers scheme to gain access to passwords, credentials, bank cards, etc., which most often leads to identity theft or financial loss for the victim. The stolen information is their ticket to eventually taking over your identity. How do they do it? Easy... for them.
Who Are You Going to Trust?
Hackers pose as trusted acquaintances and lure you, their victim, by sending emails with malicious links. The links are inside the email and may sit in the body of a sentence or stand alone as a separate link that will supposedly take you to another trusted place on the Internet. Completely unaware that the link is malicious, you click it, and you have just invited the thief into your (computer) home.
Once the bad link is clicked, malware is downloaded or executed, and the hacker is now inside your system. But companies and government organizations continue to send legitimate links in their emails, so it can be hard for the average person to discern what is good and what is bad. Clicking a legitimate link doesn't trigger the download of malware that freezes or infects a system. However, judging the validity of the email, the link and the sender is a challenge for most people, and that makes the exploit easier for hackers.
For the best example of how phishing leads to access for an intruder, we can look at the circumstances surrounding the Democratic National Committee hack. This incident is part of the broader 2016 Presidential election hacking scheme. The chairman of the Hillary Clinton campaign, John Podesta, was spear-phished. Spear-phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim, often for malicious reasons. Mr. Podesta received an email claiming that someone in Ukraine was trying to gain access to his Gmail account. He was prompted to change his credentials "immediately." Who wouldn't instantly try to minimize the threat once warned? So, he typed in his password.
We now know that the warning was a tactic geared to exploit our human nature. The warning appeared to be a real Google alert, and the password reset page had an authentic look and feel. The fraudulent page was a ticking time bomb. The second his credentials were entered and submitted, Russian hackers gained entry to the Democratic National Committee computer system and access to confidential emails. They could now enter the system as "him".
Websites Can Be Traps
In a very different approach but with the same results, hackers impersonate websites that you trust. The addition (or removal) of one letter in a web address can decide whether the address is legitimate. Typically, a single misplaced letter slips right past the eye. If you are viewing the message on a small phone, in low light, or after a long day, it is quite conceivable you will not see the misspelling of the web address. For instance, www.wallstreetjournals.com. The additional "s" at the end of the URL can transport a user to a malicious website where nefarious actors are lurking and waiting to harvest credentials. This happens every day, yet still so many of us are fooled! It may take an extra minute to check the spelling of a link, but it will be worth it in the long run.
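The lookalike-domain trick described above can be caught mechanically before anyone clicks. The following is an added example, not code from the original article: it extracts the hostname from a link, treats only an exact match or a true subdomain of a trusted domain as safe, and flags hosts within a couple of edits of a trusted name (such as the extra "s" in the example above). The trusted-domain list and the sample links are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the demonstration; a real deployment would use the
# reader's own list of domains they actually visit (assumption, not from the page).
TRUSTED_DOMAINS = ("wallstreetjournal.com", "wsj.com", "google.com")

def hostname_of(url: str) -> str:
    """Extract the lowercase hostname from a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to locate the host
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike:<domain>' or 'unknown' for a URL's hostname.

    A host is trusted only if it equals a trusted domain or is a subdomain of one,
    so 'wsj.com.evil.example' is not trusted merely because it contains 'wsj.com'.
    A host within max_distance edits of a trusted domain is flagged as a lookalike.
    """
    host = hostname_of(url)
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return "trusted"
    for domain in trusted:
        if 0 < edit_distance(host, domain) <= max_distance:
            return f"lookalike:{domain}"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample links, including the extra-"s" address from the article.
    for link in ("https://www.wallstreetjournal.com/news",
                 "www.wallstreetjournals.com",
                 "https://accounts.google.com/signin",
                 "http://wsj.com.evil.example/login"):
        print(f"{link:45} -> {classify_link(link)}")
```

Anything classified as "lookalike" or "unknown" is a link to type into the browser by hand rather than click, which is exactly the habit the article recommends.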
Malware and phishing are not the same thing, but they typically go together because phishing is the easiest form of hacking. You participate, and essentially share what is in your system with the stranger trying to do you harm.
This may all sound elementary to people who have taken a cybersecurity class and feel they are up on this game. However, cyber professionals are also fooled. It is almost like parking in a no-parking zone thinking you will only be 10 minutes and couldn't possibly get a ticket in that time. You might get away with it a few times. The issue is that when you do get a ticket, there is remorse and the realization that the $50.00 you'll pay could have been used elsewhere. With a successful deposit of malware on your computer, the hacker could steal critical and personal data as well as gain access to your bank account. Worse, you may not realize there is an issue until something of real value has been taken.
So, don’t kick yourself later because you didn’t pay attention now. Don’t click the links in your email even when you believe them to be trustworthy. Go to your Internet browser and type the address in yourself. A little prevention is better than a lot of cyber headaches.