Phishing attacks. Signs you’ve been phished and what to do next. (2024)

Chances are, your mobile device doesn’t have the same security defenses as your work laptop or desktop computer. That’s why it’s important that you, the end user, do all you can to protect yourself from cyber threats. This article will focus on phishing and help you understand:

  • What phishing is
  • How it works
  • How to identify signs you’ve been phished
  • Which steps to take to mitigate phishing threats
  • How to proactively protect yourself

What is phishing?

Phishing is a type of social engineering attack threat actors use to:

  • obtain login credentials
  • gather credit card numbers
  • collect private data, like PII
  • compromise devices
  • steal user data

Phishing can be used on its own to achieve threat actors’ objectives or as part of a larger, more complex targeted attack. Regardless of the aim, phishing occurs when an attacker masquerades as a trusted entity to trick a victim into providing sensitive information. Some of the common technologies used to contact victims are:

  • Email
  • SMS/text messages
  • Social media
  • Phone/VoIP calls

Phishing is a simple yet effective attack technique, which can provide the perpetrators with a wealth of personal, financial and corporate information. The aim and precise mechanics of the attack can vary, but they are usually centered around soliciting personal information from the victim or getting them to install malicious software that can automate compromising their devices, allowing threat actors to extend the attack footprint.

How does phishing work?

Phishing is not only very common; it’s also one of the most damaging and high-profile cybersecurity threats facing enterprises today. According to the IBM Cost of a Data Breach Report, phishing tops the chart at 15% of all data breaches, costing organizations $4.88 million on average.

Usually, the target receives an unsolicited message urging them to perform an action, like clicking on a link. The link could point to a file infected with malware or a trojan file that executes malicious code, or it could direct the victim to a fraudulent website. From here, the victim is required to complete the action by entering their login credentials or providing other forms of confidential information, which is funneled back to the threat actor.

To solicit personal information from the victim, the attacker will often lull them into a false sense of security by sending them to a legitimate-looking webpage to fill in their details. This information could either be used immediately by threat actors to gain access to a service like social media, bank accounts or work email, or it could be harvested and sold to others on the dark web.

Types of phishing attacks

If you’ve been phished, chances are the attack was delivered in one of these ways:

  • Smishing: Bad actors send users an SMS message containing a link to a phishing site, often with the intent to steal user credentials.
  • Whishing: Similar to smishing, bad actors send malicious messages in WhatsApp.
  • Email: Email phishing can target personal or corporate email accounts, and the message may appear to be from an organization or website the target is familiar with. These emails may ask the user to log in to software they use, ultimately sending the user to a malicious but legitimate-looking site.
  • Vishing: Voice phishing may involve spoofed numbers that appear as legitimate institutions. These attacks may also use a text-to-speech program or a real voice, and are often used to obtain financial information from their victims.
  • Spear phishing: These attacks are sent to a specific target or group of individuals, such as members of the IT department, and may arrive through email, text or other means. Bad actors may impersonate an individual the user knows, possibly asking for assistance or their personal information.
  • Whaling: This attack type targets C-suite members or other high-profile executives. Bad actors may impersonate other executives to appear legitimate, eventually sending their victims to a spoofed site to harvest credentials or perform actions that require executive-level approvals, such as authorizing the payment of faked invoices.
  • Social media posts and direct messages: Bad actors increasingly rely on social media to reach their victims. Like other methods, this usually involves a spoofed identity, such as an administrator for the service, to gather personal information.

How to recognize a phishing attack

Hopefully, you’ll spot some signs you’re being targeted by a phishing campaign before you get to the point of handing over your valuable information. Some signs to pay close attention to are:

  • Unsolicited messages, emails and social posts containing shortened links
  • Web pages asking for login credentials or other sensitive information
  • Suspicious emails with uncharacteristic language
  • Web pages with suspicious or copycat URLs
  • Misspellings, special characters or grammar mistakes (though note that AI is helping bad actors improve in this regard and some sites and messages may look legitimate)

In the example phishing attempt below, the message includes a shortened link and a demand for action (as users would want to dispute a purchase they didn't make). The shortened link makes it difficult to vet its legitimacy, while the lack of grammatical or spelling errors makes the attack less obvious. The best course of action is to ignore the link completely. Instead, manually log into or call any banking or payment card accounts to verify if the purchase did indeed occur.

If you’ve been phished and handed over your information, there are some telltale signs that can help you figure out if you’ve taken the bait. Phishing attacks can and do vary, and because they are often packaged up with other threats, the symptoms can be very broad. Here are some signs that could indicate a phishing attack has been successful:

  • Identity theft
  • Unfamiliar transactions
  • Account lockouts
  • Confirmation of unsolicited password reset requests
  • Spam email coming from your account

What to do if you think you’ve been phished

So you’ve been phished, what now?

  1. If the compromised device is company-owned or if the phished email account is a work-related one, report the issue to your company’s IT department immediately.
  2. Quarantine the affected device, if possible, or take your email account offline temporarily to avoid spreading phishing links to your contact lists.
  3. Change all your passwords for the accounts that have been compromised as well as the accounts that use the same or similar passwords to those that have been captured.
  4. If you entered your credit card information in the phishing page, inform the banking/payment card company immediately to prevent further use and have a new card number issued immediately.
  5. Scan your device for malware. Additionally, perform updates to your device’s OS and applications to mitigate any vulnerabilities that could be subsequently exploited by threat actors stemming from the phishing attack.
  6. Check security settings for any accounts affected in the attack. Specifically, enable and configure security controls to minimize the ability for threat actors to compromise or take over accounts in the future.
  7. Watch out for warnings of identity theft and put a fraud alert on your financial accounts.

Proactive steps you can take to protect yourself

Mobile devices are at increased risk of successful phishing attacks. Their smaller screens and on-the-go use make it more difficult to closely inspect links for legitimacy, and users are often in too much of a hurry to do so regardless. Additionally, while many users download threat protection to their computers, fewer do so on mobile devices. This is why careful scrutiny is required.

“An ounce of prevention is worth a pound of cure.” — Benjamin Franklin

Stay safe from phishing by following this guidance:

  • Never click on any link — copy and paste the link into your browser to check it first before visiting a webpage
  • Never enter your credit card information (or other sensitive/confidential information) into unknown or untrusted services
  • If a link directs you to your banking website, open up your banking site in a separate window by typing the URL in manually or use the app (if available) for direct access
  • Always check the address bar for suspicious or copycat URLs like my.apple.pay.com
  • Don’t fall for more obvious scams that claim you’ve won a prize
  • If you receive an in-app message, never respond with personal information, like your telephone number, or provide your credentials. Instead, communicate with the organization directly via one of their contact options outside of the app.

Organizations should take steps to minimize the success of phishing on corporate-owned and BYOD devices. This includes:

  • Conducting regular employee training on phishing attacks and how to spot them
  • Implementing security controls to prevent threats from reaching employee inboxes
  • Performing active assessment campaigns to test user response success in identifying and mitigating threats
  • Using Multi-Factor Authentication (MFA) to prevent stolen credentials from being used
  • Deploying mobile threat prevention software to block access to phishing URLs — even if/when they are clicked on
  • Supporting use of password managers that autofill based on a verified site domain (therefore it will both identify fake websites and not enter credentials on phishing sites)
  • Keeping devices up to date with operating system, application and security patches
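
The copycat-URL check and the domain-bound autofill described in the two lists above can be shown in a few lines. This is an added example, not code from the article or from any password manager: the saved-login vault, the shortener list and the two-entry suffix list are constructed assumptions, and a real tool would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed data for this example (assumptions, not from the article).
SAVED_LOGINS = {"apple.com": "user@example.com"}   # hypothetical vault
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
# Tiny stand-in for the Public Suffix List that real tools consult.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host):
    """Return the part of a hostname that was actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url):
    """Report warning signs and whether domain-bound autofill would fire."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if domain in SHORTENERS:
        findings.append("shortened-link")
    if "xn--" in host:
        findings.append("punycode-hostname")
    # Copycat: a saved brand appears in the hostname, but the registered
    # domain belongs to someone else.
    tokens = host.replace("-", ".").split(".")
    for saved in SAVED_LOGINS:
        if domain != saved and saved.split(".")[0] in tokens:
            findings.append("copycat-of:" + saved)
    autofill = parts.scheme == "https" and domain in SAVED_LOGINS
    return {"domain": domain, "autofill": autofill, "findings": findings}


if __name__ == "__main__":
    for url in ("https://my.apple.pay.com/login",      # copycat from the article
                "https://appleid.apple.com/",          # constructed: genuine host
                "https://bit.ly/3xYzAbC",              # constructed short link
                "https://apple.com@login.example.net/"):  # constructed userinfo trick
        print(url, check_link(url))
```

For my.apple.pay.com the registered domain is pay.com, so nothing is autofilled and the link is flagged as a copycat, which is the behavior the password manager bullet relies on.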
Article information

Author: Roderick King
