
Tips For Protecting Yourself From Phishing Attacks
Posted on Tuesday, February 16th, 2016 by

Put simply, phishing is one of the greatest security concerns there is. It is one of the easiest ways for a hacker to get into your bank account, your Facebook account, or even into your corporate perimeter. And yet a survey by McAfee from 2014-2015 showed that 97% of people globally are unable to identify phishing emails.


What is Phishing?

It is an attempt by a hacker to pose as a legitimate organization, such as your bank, and then trick you into giving up your credentials (typically your login and password).

Using the example of a bank, this is generally accomplished through an email that looks like it came from your bank which then leads you to a website that looks exactly like your bank website. Only it isn’t your bank website. When you put in your login and password, the hacker now has what he needs to log in and take your money.

Phishing in 2 steps:

  • A fraudulent email
  • A fraudulent website

I’m going to take a few minutes to lead you through the most important things you need to know to avoid being victimized by this technique.


How to Spot Fraudulent Emails

There are a lot of simple ways that an unsophisticated hacker can slip up and make it obvious that they are not who they say they are.

One easy tell: the people who genuinely write to you from your bank can speak and write fluently in the language of your country.

  • If the email is riddled with grammar and spelling mistakes, it is almost certainly not really from your bank.
  • Malformed email addresses

[Image: phishing email whose sender name does not match the sender address]

More insidious, though, are malformed email addresses. Note in the image above, for example, a person whose name is given as “Sonia Bagasba” but whose email address belongs to a person named “Anita Marquez”. This example is egregiously bad, though; you should not assume it will always be this easy.


  • Incorrect URL

A slightly harder example is when the URL (Uniform Resource Locator, a fancy name for the web address) looks almost exactly like the appropriate address but is not. For example:

www.Bank0fAmerica.com

Look closely, you’ll see that the “o” in “of” is actually a zero. Go ahead and click on this link, and you’ll see something interesting that we’ll address in the next section. You’ll note that it takes you to the correct website.


  • Misleading URL

Another example – the hardest one to spot – is when the address appears legitimate but is actually not. Mouse-over the address below:

www.bankofamerica.com

You see that the address looks correct, but when you mouse-over it, the link actually points to the same bad address with a zero replacing the “o”.
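The three email red flags above (a sender name that does not match the sender address, a look-alike host such as Bank0fAmerica.com, and link text that hides a different destination) can all be checked mechanically before a message reaches a reader. The following is an added example written for this post, not code from Hitachi Systems Security; the trusted-domain list, the confusable-character table and the sample inputs are constructed for illustration.

```python
"""Heuristic checks for the email red flags discussed above.
Added example, not code from the original post; TRUSTED_DOMAINS, CONFUSABLES
and every sample input are constructed for illustration."""
from __future__ import annotations
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re
import unicodedata

# Assumption: the organisation's own list of brand domains to protect.
TRUSTED_DOMAINS = {"bankofamerica.com"}

# Characters commonly swapped in for look-alike letters.  Small illustrative
# table, not a full Unicode confusables list.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
})


def registrable_domain(host: str) -> str:
    """Naively keep the last two labels ("www.example.com" -> "example.com").
    A production check would consult the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_target(host: str) -> str | None:
    """Return the trusted domain that `host` imitates, or None when the host is
    either genuine or unrelated.  Internationalised (punycode) hosts would need
    decoding with the idna codec before this check."""
    actual = registrable_domain(host)
    if actual in TRUSTED_DOMAINS:
        return None                      # the real site, nothing to flag
    folded = unicodedata.normalize("NFKC", actual).translate(CONFUSABLES)
    return folded if folded in TRUSTED_DOMAINS else None


def display_name_mismatch(header_value: str) -> bool:
    """True when no word of the display name appears in the address's local
    part, e.g. 'Sonia Bagasba <anita.marquez@...>'.  Heuristic only: shared
    mailboxes and nicknames will produce false positives."""
    name, addr = parseaddr(header_value)
    if not name or "@" not in addr:
        return False
    local = addr.split("@", 1)[0].lower()
    words = [w for w in re.split(r"[^a-z]+", name.lower()) if len(w) > 1]
    return bool(words) and not any(w in local for w in words)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host: str) -> str:
    """Extract the lower-cased host from a URL or a bare host name."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlsplit(url_or_host).hostname or "").lower()


def misleading_links(html: str) -> list[tuple[str, str]]:
    """Return (visible text, real destination host) for every link whose text
    looks like a web address but whose href points at a different host."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I):
            continue                     # plain words such as "Log in"
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append((text, real))
    return findings


if __name__ == "__main__":
    # Constructed samples mirroring the cases in the post.
    print(display_name_mismatch("Sonia Bagasba <anita.marquez@example.com>"))
    print(lookalike_target("www.Bank0fAmerica.com"))
    print(misleading_links('<a href="http://www.bank0famerica.com/login">'
                           'www.bankofamerica.com</a>'))
```

The three functions are independent, so a mail filter can score each signal separately; the display-name check in particular is a weak signal on its own and is best combined with the other two rather than used to block mail by itself.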


  • Personal Information Request

Lastly, as a general rule, assume that your bank, or any corporation really, is never going to email you asking for your password. Most hackers have stopped doing this because most people know it by now. You are more likely to get an email claiming that your account has already been hacked and you must now change the password.

If you’re ever not sure from the look of the email, call your bank directly and ask them if this is true.

Now if somehow you were still fooled, after checking all of these things, let’s talk about how you can spot problems on the fraudulent website to which they linked you.

[Image: the Bank of America website open in the browser]

Here is the website I had you click on earlier.

  • Check the Website Address

You’ll note that the address is correct and has no zero in it. A lot of banks and corporations are wising up to this problem, and as a safety measure, they buy all similar addresses themselves and have them redirect to the proper website. A hacker cannot send you to www.Bank0fAmerica.com because the real Bank of America bought that bad address to protect itself, and you, as their customer.


  • Look for the Green Padlock

The second thing is that green padlock in the top left. Click it to reveal the website’s certificate. If you click that second tab, “Connection”, you’ll see where I’ve highlighted that Symantec verifies that this website is the true website of Bank of America Corporation.

[Image: the website’s certificate details, with the verifying authority highlighted]

Upcoming Phishing Problems

There are two more problems that are conspiring right now to make this still a bit of a tricky situation:

  • The rise of New Web Addresses

ICANN, the Internet Corporation for Assigned Names and Numbers, the organization that releases new web addresses, already has over 800 names (like .com, .net) and is releasing 1300 new names over the next few years. More names means it is easier than ever for hackers to create website names that look like they could belong to your company.


  • The rise of Cheap Certificate Authorities

In the past, it was expensive and time-consuming to get a certificate like the one in the second image that verifies the website. Now, many organizations do it very cheaply for 30 days. Both of these are perfect for hackers. They get “verification” of their fraudulent site with less oversight, and it only lasts for 30 days so they can disappear after using it.


So I’m going to leave you with a special caveat: check very carefully that the address appears correctly in both the address bar (the first image in this section) and in the certificate (the second image).
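The caveat above is a comparison: the name in the address bar must be one of the names the certificate is issued for, and the certificate itself should be looked at rather than just the padlock. The following is an added example, not code from the original post, showing that comparison done the way a browser does it (Subject Alternative Names, single-label wildcards), plus the issuer and validity-period details from the “Connection” tab; the short validity window ties back to the 30-day certificates the post warns about. SAMPLE_CERT is a constructed dictionary in the shape Python’s `ssl.getpeercert()` returns; no real bank certificate is used, and only `fetch_peer_cert` needs the network.

```python
"""Match the address-bar host against a certificate's names, and read the
issuer and validity window.  Added example, not code from the original post;
SAMPLE_CERT is constructed in the shape returned by ssl.getpeercert()."""
from __future__ import annotations
import socket
import ssl

# Constructed certificate (assumption: illustrative names, not a real site).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank Corp"),),
                (("commonName", "www.example-bank.test"),)),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA Test Root"),)),
    "subjectAltName": (("DNS", "www.example-bank.test"),
                       ("DNS", "*.secure.example-bank.test")),
    "notBefore": "Feb 16 12:00:00 2016 GMT",
    "notAfter": "Mar 17 12:00:00 2016 GMT",
}


def certificate_names(cert: dict) -> list[str]:
    """DNS names the certificate is valid for.  Browsers use the Subject
    Alternative Name list; the subject commonName is only a legacy fallback."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names


def _name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard in the leftmost label covering exactly one
    label: '*.secure.example' matches 'a.secure.example', not 'x.a.secure.example'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(host: str, cert: dict) -> bool:
    """True when the host shown in the address bar is one the certificate names."""
    return any(_name_matches(n, host) for n in certificate_names(cert))


def issuer_organization(cert: dict) -> str:
    """Who vouched for the site: the 'verified by' line in the Connection tab."""
    for rdn in cert.get("issuer", ()):
        for k, v in rdn:
            if k == "organizationName":
                return v
    return ""


def validity_days(cert: dict) -> float:
    """Length of the validity window in days.  A window of about a month is
    the throw-away pattern the post describes."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch a live site's certificate in the same dict shape (needs network).
    create_default_context() already verifies the chain and host name during
    the handshake; the functions above make that check visible to a reader."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host in ("www.example-bank.test", "login.secure.example-bank.test",
                 "www.examp1e-bank.test"):
        print(host, hostname_matches(host, SAMPLE_CERT))
    print("issued by:", issuer_organization(SAMPLE_CERT))
    print("valid for days:", validity_days(SAMPLE_CERT))
```

Note what the certificate does and does not prove: a certificate for `www.examp1e-bank.test` can be perfectly valid and still be the wrong site, which is why the host-name comparison starts from the address the user intended to visit rather than from whatever name the certificate happens to carry.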

Unfortunately, there are newer, more sophisticated types of phishing these days – ones that cannot easily be detected with little tricks like this and require something more.



Access our webinar “The Anatomy of A Phishing Attack” by clicking down below:

The Anatomy Of a Phishing Attack

Andrew Kozloski
About author:
I’ve been a geek since before I could walk. I remember loading video games on cassette tapes with my Commodore 64. I remember downloading games too, back when geeks programmed them for fun and gave them away for free on Bulletin Boards. I literally live on the internet: I’m an inveterate gamer, an electronic music producer and I’ve put in time in the video games industry in a variety of positions before finding my way to cyber security and ethical hacking, where I expect to spend the rest of my career. I’m passionate about coding, copyright, privacy, human rights and the intersection of these things. I am the Security Evangelist at Hitachi Systems Security. In my spare time I study languages (particularly Middle English and Russian these days) and I cook traditional Japanese food.
