What is Phishing 4 u? Is it Very Bad? Is it Absurd?

If you’re receiving unsolicited emails from a stranger, but you’re also making purchases online, it’s most likely phishing. Sometimes called “phishing,” this type of cyberattack involves the use of malicious emails to steal login credentials or other personal information and then pretend that you are someone else — and that you have legitimate reasons for making these purchases, such as sending money to an account number. This is often accomplished by disguising your identity as someone who is actually a person you know. There are several tactics used in phishing attacks, including spoofing identities through stolen pictures, impersonating people you do not, stealing passwords through malware on your device or through social engineering with fake websites.

What Causes Phishing?

Phishing often falls into two categories: impersonation scams, which involve posing as someone you don’t know, and deceptive websites, where scammers use convincing text messages to get you to divulge sensitive financial information. In both cases, there are usually no details about the sender or their intended purpose. While some will be able to convince you, others won’t. Most of the time they are trying to trick you into sharing sensitive information. They will call you over the phone, offer links to bogus sites designed for fraudulent purposes, and ask for payment in cryptocurrency.

The goal is most likely to make you hand over vital details that could be used against you later, such as credit card data, Social Security number, date of birth or address. These types of scams are becoming more prevalent with new technologies like artificial intelligence, machine learning, computer vision and facial recognition.

Why does it happen?

There are several factors involved in phishing attacks. First, you can access free accounts on popular services such as Gmail, Facebook and Microsoft Outlook, while many people don’t realize these accounts are free until after they’ve been compromised. Then, once you sign up for a service, they give away a list or directory of possible victims, which you may visit to try to log in and gain access to your accounts. Another cause of phishing is hackers who want to obtain credit card numbers, bank account details, contact numbers, social security numbers and usernames.

Lastly, a cybercriminal might use phishing to create customer loyalty programs for things like virtual currency, gaming, gift cards and subscription services. Each method uses different strategies to capture your sensitive information, although they all share similar goals of selling you out and getting you to give them money.

Some of the ways scammers can steal your information include using phishing techniques like creating fake websites that look legit and claiming to come from companies with reputable names. More advanced attack methods involve exploiting weaknesses in applications and operating systems such as Windows, Android devices, iOS devices, macOS and Linux, according to Cybersecurity Alliance. As mentioned above, most of these scams aren’t technically frauds, but simply attempts at manipulating your trust.

For example, if someone gets you to click on a link or download an attachment, they are taking advantage of vulnerabilities built into software or mobile apps. Some of those apps allow users to interact with their secure messaging app, Google Messages, directly, which gives hackers easy opportunities to steal your password or use your search history for spam. Similarly, when you use one of the popular email providers, they may expose passwords on their servers to see if anyone has already hacked them or stolen your information.

How would I know?

You will have noticed that emails tend to contain subtle clues that indicate a potential connection with a fraudulent website. One email might tell you where to go to the site without explicitly telling you that it’s a phony source and not real. You can take steps to prevent phishing if you are comfortable doing so. Here are a few tips:

• Never open any attachments from unknown senders.

• Open only the messages you expect to receive with a suspiciously large subject line or with unusual attachments, such as PDF documents with images instead of HTML files with links (such as a form).

• Do not respond to anything that makes sense in terms of content.

• Make sure that URLs from unfamiliar sources don’t look like they’re coming from a trusted place. Check emails carefully when they arrive in your inbox.

• Delete older versions of your Gmail, Yahoo!, Hotmail and PCMag newsletters.

• Keep track of all incoming and outgoing emails from strangers. When you find something that seems strange, take note. Send it to yourself. And then delete it. After you’ve done that, check what was sent. Don’t just read emails, but also write notes, write down screenshots, and follow up with calls, to track what is being said.

• Change any passwords that you use in accounts like Bank of America, Chase, Wells Fargo, MasterCard, etc. Be careful that this isn’t related to important accounts that have sensitive data on them, such as your own.

Be Careful About Your Online Accounts

If you use an online service such as PayPal, credit card company Visa and Apple Pay, you should check how secure those sites are. All three provide helpful tools to keep track of credit card transactions including identifying how many people have spent your money. However, you should also consider adding a second layer of protection to guard against your account being breached. That will help protect you if your accounts are compromised by a third party with malicious intent and a bad actor gains access to your account. With that added defense, you might need additional safeguards, depending on the site you choose to use.

PayPal takes precautions to limit unauthorized transactions to reduce exposure to phishing attacks. According to Payment Card Industry Data, PayPal reported that since January 2020, 4.2 million users had fallen victim to phishing, of which 1.4 million were logged into accounts through social media. In fact, the majority of those were tracked after March 2020.

Apple Pay provides security measures, such as setting up biometric authentication for authorizing payments. Additionally, you can change user passwords, revoke transaction codes, set PIN codes, lock your iPhone or iPad automatically and add a PIN code to your wallet. If you are willing to accept a higher level of risk of compromise, you may still want to consider using 2-factor authentication, even though these services require minimal human intervention. Apple Pay is a good choice, as the technology itself offers features designed to resist brute-force hacking attempts.

Cybersecurity Association recommends checking whether a site lets customers change their default username before signing up and changing password preferences. Once you enter your password, a message should appear indicating changes must be completed within 24 hours. Also, if you are registered under multiple email addresses to better ensure the location of the sender, you must enter that information on the page you are visiting.

Finally, make sure you are using strong passwords and unique passwords for each account, such as keeping only one password and one key to unlock the account. A basic way of ensuring a stronger password is either to put random letters, numbers and symbols in plaintext, or to input a combination of numbers and characters from the dictionary list.

Always remember that a hacker cannot guess the combination of words in order to guess or match the actual password. Using a separate password for every site will increase both strength and complexity of a password database. It is recommended that you use two passwords for two different accounts, such as the same password for each site that holds private information on you.

By Khushal Jain

I'm an Information Security undergraduate, Cybersecurity & Blockchain enthusiast, and a Web, User Experience, User Interface, Visual, and Graphics Designer from India. I aim to make a difference through my creative solutions.