If you think about it for a second, online phishing is not that far from actual fishing. The major difference is that the online fishermen (phishermen?) are criminals. Unlike the trout, fluke, or bass that you may fish for recreationally, the trophies that these fraudsters are after are your personal data, banking credentials, and so on.
Unfortunately there is no real cure for phishing attacks aside from paranoia-level vigilance on the case of the end user. This threat is like the flu — constantly evolving and changing attack approaches. Criminals can launch targeted phishing campaigns directed at employees of a certain organization — or expectant mothers. It’s a bit like a marketing campaign — a malicious, criminal marketing campaign.
There are numerous ways to take the bait: accessing public Wi-Fi, logging into a fake website or following a link in an e-mail promising exclusive Black Friday or Christmas deals. It’s impossible to enumerate all the cases.
Kaspersky Lab is ready to help keep your @Facebook account safe! http://t.co/uokXWD3YkR pic.twitter.com/DZIOc3uRsj
— Kaspersky Lab (@kaspersky) June 23, 2015
In short, it’s easy to get infected. But how can users protect themselves?
- Always check the link before clicking. Hover over it to preview the URL, and look carefully for misspelling or other irregularities.
- Enter your username and password only over a secure connection. Look for the “https” prefix before the site URL, indicating the connection to the site is secure.
RT @threatpost: Wifiphisher Wi-Fi Hacking Tool Automates #Phishing Attacks – http://t.co/AhSeYcZB2I
— Kaspersky Lab (@kaspersky) January 5, 2015
- Even if a message or a letter came from one of your best friends, remember that they could also have been fooled or hacked. That’s why you should remain cautious in any situation. Even if a message seems friendly, treat links and attachments with suspicion.
- Messages from official organizations, such as banks, tax agencies, online shops, travel agencies, airlines, and so on, also require scrutiny. Even internal messages from your own office. It’s simply not that hard to fabricate a fake letter that looks like a real one.
A FIFA-related phishing site included a downloadable ticket, which was really a malicious form of the Banker Trojan: http://t.co/YJ0FIfZtFv
— Kaspersky Lab (@kaspersky) May 30, 2014
- Sometimes e-mails and websites look just like real ones. It depends on how well the criminals did their homework. But the hyperlinks, most likely, will be incorrect — with spelling mistakes, or they can redirect you to a different place.
- It’s better not to follow links from e-mails at all. Instead you can open a new tab or window and enter the URL of your bank or other destination manually.
New #TeslaCrypt #Ransomware Targets Gaming Files: https://t.co/bfsXP4ctXO pic.twitter.com/dLUlv7S6ix
— Kaspersky Lab (@kaspersky) March 23, 2015
- If you discover a phishing campaign, report it to the bank, the support desk of your social media network, or whatever other entity the phishing message claims to represent. Reporting really helps in the pursuit of criminals.
- Avoid logging in to online banks and similar services via public Wi-Fi networks. Hotspots are convenient, but it’s better to use a mobile connection or wait to get to a secure network than to lose all of the money on your credit card or in your bank account. Open networks can be created by criminals who, among other things, spoof website addresses over the connection and thereby redirect you to a fake page.
Q3 2015, the percentage of #spam in email traffic accounted for 54.2% #KLreport #infosec https://t.co/nKGjX6CH3N pic.twitter.com/Sxs0wM7my7
— Kaspersky Lab (@kaspersky) November 12, 2015
- Do not open unexpected files sent by you massively multiplayer online role-playing game comrades or other online buddies. They may be malicious ransomware or even spyware, just like attachments from official-looking e-mails. So be vigilant!
- Install Kaspersky Internet Security and follow its recommendations. Our AV solution will solve the majority of problems automatically and alert you if necessary.