Phishing attacks typically arrive by e-mail. The attacker sends you a message containing a link that leads to an authentic-looking site. In a typical phishing attack, that site is a fake that asks you to log in. If you do, the login almost always fails, but not before the attacker has captured your username and password.
Phishing e-mails usually claim to be from one of the following sources:
- Your bank
- Your Employer
- Your E-mail Provider (Office 365, Gmail)
- Your File Sharing Provider (OneDrive, DropBox)
- A social media provider
- A trusted supplier or vendor
Once the attacker has your username and password, he or she can log in to the real site with your credentials.
A typical scenario goes like this:
You receive an e-mail from a trusted individual asking you to click a link and log in to your Microsoft Office 365 account to receive a shared file.
You click the link, which brings you to a login page. You log in, but nothing happens. You think there must be something wrong with the link, so you go back to your e-mail, reply to the message, and inform the sender of the issue.
Your reply, however, does not go to the trusted person you believe sent you the e-mail. Unbeknownst to you, it goes back to the attacker.
While you wait for a response that will never come, the attacker takes the credentials you supplied to the "site" that "didn't work", logs in to your real e-mail account, and downloads all of your contacts.
Now the attacker sends a similar e-mail to all your contacts, this time purporting to be from you. The e-mail will be similarly structured with a link used to coax your contacts into giving up their logins.
Rinse and Repeat.
Seven Best Practices to Protect Yourself from a Phishing Attack
- Don’t open attachments in e-mails from unknown senders.
- Never click a hyperlink in an e-mail. This is especially true if the e-mail was not expected or comes from an unknown sender. Always confirm that the e-mail was sent from a trusted source and that he or she actually sent you a hyperlink. You can also hover over the hyperlink to make sure that the URL it points to is where you actually want to go; the visible link text and the real destination can differ.
- Never enter sensitive information into a pop-up window. Only provide sensitive information online when you deliberately went to a site that requires it. If you are on a website for fishing lures and all of a sudden a Google login page pops up, close the window and leave the site, as the site might have been compromised.
- Verify that you are using a secure site. Confirm HTTPS:// in the address bar instead of HTTP://. You can also click the lock icon in the address bar to see which domain the certificate was issued to, which helps you confirm you are on the site you intended. Keep in mind that HTTPS only protects the connection; it does not by itself prove that the site is legitimate.
- Check for spelling and grammar errors in the e-mail subject and body. Spelling and grammar errors are a telltale sign of a phishing e-mail.
- Verify the sender's address. You can see the sender's actual address by hovering over the sender's name in the e-mail. If it doesn't look quite right, don't trust the e-mail.
- When in doubt, pick up the phone. There is no easier way to confirm the authenticity of an e-mail than to call the sender, using a number you already have rather than one given in the e-mail.
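Several of the checks above (the link's real destination versus its visible text, HTTPS versus HTTP, and a reply address that differs from the apparent sender, as in the scenario earlier) can be applied mechanically to a raw message. The script below is an added example, not part of the original article; the message it inspects is constructed for illustration and every domain in it is a placeholder.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not a real phish); every domain is a placeholder.
SAMPLE_EML = b"""\
From: "IT Service Desk" <helpdesk@example.com>
Reply-To: helpdesk@example-mail-support.invalid
Subject: A file has been shared with you
Content-Type: text/html; charset="utf-8"

<html><body><p>Open the shared document:</p>
<p><a href="http://onedrive-example.invalid/login">https://onedrive.example.com/share</a></p>
<p><a href="https://www.example.com/policies">Read our policy</a></p></body></html>
"""

# Simple anchors only: href in double quotes, no nested tags inside the link text.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _domain(value):
    """Host of a URL, or the domain part of an e-mail address, lower-cased."""
    host = urlparse(value).hostname if "://" in value else value.rsplit("@", 1)[-1]
    return (host or "").lower()

def phishing_indicators(raw):
    """Return the checklist indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["from"].addresses[0].addr_spec if msg["from"] else ""
    reply_to = msg["reply-to"].addresses[0].addr_spec if msg["reply-to"] else ""
    findings = []
    # A reply would go somewhere other than the apparent sender.
    if reply_to and _domain(reply_to) != _domain(sender):
        findings.append(f"Reply-To {reply_to} does not match From {sender}")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        # Plain HTTP: no certificate, so the lock-icon check cannot pass.
        if urlparse(href).scheme.lower() == "http":
            findings.append(f"link is not HTTPS: {href}")
        # The reader sees a URL, but hovering would reveal a different host.
        if "://" in text and _domain(text) != _domain(href):
            findings.append(f"link text shows {_domain(text)} but goes to {_domain(href)}")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EML):
        print("-", finding)
```

Run against the sample it reports all three indicators; a plain-text message with no links and no Reply-To header produces none.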