Check before you click

Phishing (pronounced fishing) has become more intense and devious in recent times, so much so that the unsuspecting victim often fails to recognize the peril at hand – and, yes, clicks on a link.

Accessing links on emails, commercial sites like PayPal or Amazon, and even on Dropbox or Google Drive without double checking their authenticity has brought innumerable woes to victims, some having to pay ransom to get back their computer files, or losing one’s credibility, which could be lethal to high-ranking government or corporate officials.

An authoritative listing of the five most common phishing attacks today comes from CloudManager, formerly CloudPages. It comes with important recommendations on how to protect oneself from falling for those phishing hooks.

1. Deceptive phishing

This is the oldest known form where a scammer would send to your email a link of a news item on a webpage that looks like the real thing, but with a few slight differences, i.e., philsstar.com instead of philstar.com, but definitely meant to trick you.

Deceptive phishing entices the intended victim to provide information that may unlock login data or any useful information that would lead to access to financial records. This could be your credit card number or even your social security details.

The best way to protect oneself from such email attacks would be to scrutinize the link to make sure it is the right URL, and if it carries a secure ID (https instead of http, with the s meaning secure). It follows to never give out any information about yourself to random requests.

2. Spear phishing

This is targeted fraud, but on several levels above deceptive phishing. Scammers will make their emails appear to be “official” by including more details identifying the victim, i.e., name, company, position, even phone number.

The source for basic personal data is usually mined from sites like LinkedIn, but the objective of the email with the malicious link is to extract additional personal information of the intended victim. Again, the best way for the individual to avoid falling for this scheme is the same as in deceptive phishing.

Companies should intensify their security awareness programs to prevent employees from divulging corporate data on social media sites. They are also advised to invest in mail security searches that disable suspicious links or attachments in any incoming mails of their employees.

Phishing is not always the objective of fraud intentions; some have links to malwares that can affect the whole company’s IT system.

3. Whale phishing or CEO fraud

The target of phishing are top-level corporate or government officials. A few notable personalities have surprisingly fallen prey to this. Security analysts attribute this to the inability or reluctance of most management team members or top government officials to attend cyber security briefings.

Still, with the company defrauded of millions of dollars after a fake CEO approves a transaction payment or fund transfer, a review of the company’s overall financial procedures is in order so that it can be cyber scam-proofed.

For government officials, this kind of phishing may determine the outcome of an election, even at a presidential level, if confidential emails are divulged no matter if there is an absence of incriminating information.

4. Pharming

This entails a certain level of scam sophistication where the domain name system (DNS) is targeted first. By poisoning the DNS cache and changing the numerical IP address associated with the alphabetical website name, the pharmer is able to access company employees’ data.

Such incidents happen mainly to companies that have been remiss in upgrading their anti-virus software and updating virus database, including installing security upgrades issued by their internet service provider (ISP).

Employees should still be aware of the existence of pharming, and are encouraged to log in only on their legitimate company sites that bear the https security assurance.

5. Cloud storage phishing

With people accessing their emails through a variety of electronic devices, including smartphones, phishers have turned their attention to immensely popular cloud storage services like Google Drive or Dropbox, the former boasting of over one billion users.

With this vulnerability of files that can be synchronized in limitless number of desktop computers, tablets, and mobile phones, the need to employ a two-step verification (2SV) system when accessing email accounts is recommended.

The 2SV system provides for an additional security layer on top of a login passcode, and this foils phishers’ attempts to open your email account even if they had successfully stolen your login details.

Both file storage services have easy step-by-step procedures on how to fortify the security of your emails. Installing a second step would seem a bit tedious to users who have gotten used to just typing their passwords, but such steps are now deemed necessary with phishers getting more cunning.

Weakest link

Hopefully, the above narratives about phishing will keep us alert about the dangers that await should we fail to be extra vigilant when opening attachments in our emails.

As cyber security experts always say, phishing is not about glitches in computers or any of our electronic gadgets’ operating system. It’s about people being the weakest link; if everyone would just observe the right protocol when opening attachments, phishers will become an extinct breed.

By the way, please use secure passwords, too. Definitely, 000000, which American celebrity Kanye West had for his iPhone, is the quickest way to expose his private life, which should have links to many other famous American entertainers.

Facebook and Twitter

We are actively using two social networking websites to reach out more often and even interact with and engage our readers, friends and colleagues in the various areas of interest that I tackle in my column. Please like us on www.facebook.com/ReyGamboa and follow us on www.twitter.com/ReyGamboa.

Should you wish to share any insights, write me at Link Edge, 25th Floor, 139 Corporate Center, Valero Street, Salcedo Village, 1227 Makati City. Or e-mail me at [email protected]. For a compilation of previous articles, visit www.BizlinksPhilippines.net.