Understanding Phishing Attacks

Questions and Answers

What is the primary goal of a phishing attack?

  • To improve the performance of a victim's computer.
  • To encrypt the victim's data to secure it from outside threats.
  • To provide software updates.
  • To steal sensitive data or install malware. (correct)

Which of the following methods is commonly used in phishing attacks?

  • Using radio frequencies to intercept data transmissions.
  • Physically installing spyware on a victim's computer.
  • Directly hacking into a company's database.
  • Sending fraudulent communications that appear to come from a reputable source. (correct)

What is a typical characteristic of malicious attachments used in phishing attacks?

  • They have enticing names like 'INVOICE' to encourage opening. (correct)
  • They are always in the form of executable files.
  • They are digitally signed by a trusted authority.
  • They require administrative privileges to open.

How do malicious links in phishing emails typically compromise a user's security?

By leading to websites that download malware or harvest credentials. (B)

Which of the following is a potential personal risk associated with falling victim to a phishing attack?

Experiencing fraudulent charges on credit cards. (D)

What is a potential business-related risk associated with a successful phishing attack on an employee?

Loss of corporate funds. (C)

According to the information, why is identity theft through phishing so widespread?

Because it is easy for unsuspecting people to share personal information. (B)

What should you do if you receive an email requesting you to 'verify your account' by clicking on a link?

Contact the company directly through a known legitimate channel to verify the request. (A)

Which of the following is a sign that you might be targeted by a phishing attack?

Generic greetings or a lack of customized information in a message. (D)

What is the significance of 'https' in a website's address when submitting personal information?

It signifies that the connection to the website is encrypted and more secure. (D)

Besides checking for 'https', what visual indicator in the web address bar suggests a secure connection?

A lock icon. (A)

What is the recommended action if you suspect you've received a phishing message?

Contact the company the message is supposedly from to verify its legitimacy using a trusted channel. (D)

What is 'vishing'?

Phishing attempts conducted via voice calls. (D)

What is 'typosquatting'?

Registering domain names with common misspellings of popular websites. (B)

What is clickjacking?

Using multiple transparent layers to trick users into clicking malicious links disguised as legitimate buttons. (D)

Which action can help protect against phishing attacks?

Using varied and complex passwords for all accounts. (A)

What is the primary target of cryptocurrency phishing scams?

Those with cryptocurrency wallets. (D)

What tactic do scammers use to encourage users to stay on the phone during vishing attempts?

Trying to keep you on the phone and force you to take action. (D)

What might a smishing message typically contain?

A link or phone number the scammers want you to use. (A)

Flashcards

What is Phishing?

The practice of sending fraudulent communications that appear to come from a reputable source, often via email, to steal sensitive data or install malware.

Malicious Attachments

A common phishing tactic where malicious email attachments, often with enticing names like 'INVOICE,' are used to install malware on victims' machines when opened.

Links to Malicious Websites

A phishing method where malicious links in emails point to fake websites that resemble legitimate ones, designed to download malware or steal login credentials.

Personal Phishing Risks

Phishing attacks can lead to stolen money, fraudulent charges, lost data, fake social media posts, and impersonation, putting individuals at risk.

Workplace Phishing Risks

Phishing at work can cause loss of funds, expose personal data of customers/coworkers, lock files, and damage the company's reputation.

How Scammers Find You

Phishing scams often use spam emails or messages requesting you to "verify your account" or "confirm your billing address" on malicious websites, thriving because people share personal data easily.

Signs of Phishing

Requests for confidential information, emotional language, misspelled URLs, links within messages, and lack of a personal greeting can all mean you're being targeted by a phishing attack.

Phishing Protection

Protect yourself by not providing personal information to unsolicited requests. Use sites with "https" and a lock icon and complex passwords.

Suspect Phishing?

If you suspect phishing, contact the company, use strong passwords, and avoid clicking unverified links/attachments.

Forms of Phishing Attacks

Includes: email phishing, voice phishing (vishing), SMS phishing (smishing), typosquatting, clickjacking, and cryptocurrency phishing.

Email Phishing

Appears in your inbox normally with a request to click a link, reply, pay or open an attachment. The sender may also try to closely resemble someone valid.

Voice Phishing (Vishing)

Scammers will call you and impersonate a valid person to try to deceive you and force you to take action.

SMS Phishing (Smishing)

Similar to vishing, this scheme will imitate a valid organization, using urgency in a short text message to fool you. There may be a link or number to click.

Typosquatting

Social engineering attack where targets incorrectly type a URL into their web browser rather than using a search engine, typically leading to visiting malicious websites with URLs that are common misspellings of legitimate websites.

Clickjacking

Tricks users into clicking something different than what they perceive, done through layers of transparent content on a webpage.

Cryptocurrency Phishing

Targets those with cryptocurrency wallets through various scams and deceitful websites.

Study Notes

  • Phishing attacks involve sending fraudulent communications that appear to originate from a reputable source.
  • Phishing is usually carried out through email.
  • The goal of phishing is to steal sensitive data, such as credit card details and login credentials, or to install malware on the victim's device.

How Phishing Works

  • Phishing operations generally use one of two basic methods.

Malicious Attachments

  • Malicious email attachments install malware on victims' machines when opened.
  • The attachments usually have enticing names like 'INVOICE' to trick users into opening them.

Links to Malicious Websites

  • Malicious links redirect users to websites, frequently clones of legitimate sites.
  • These websites either download malware or contain login pages designed to harvest user credentials.

Dangers of Phishing

  • Phishing poses several risks to both individuals and businesses.

Personal Risks

  • Money theft from bank accounts
  • Fraudulent charges on credit cards
  • Loss of access to photos, videos, and files
  • Fake social media posts made in your accounts
  • Cybercriminals impersonating you to a friend or family member, putting them at risk.

At Work Risks

  • Loss of corporate funds
  • Exposure of personal information of customers and coworkers
  • Files becoming locked and inaccessible
  • Damage to the company's reputation.

How Phishing Scams Work

  • Phishing is a widespread style of identity theft due to the ease with which people share personal information.
  • Phishing scams often use spam email and messages, requesting users to "verify your account" or "confirm your billing address" on a malicious website.
  • Phishers can only reach you if you respond.

Identifying Phishing Attacks

  • Signs indicating you are targeted by a phishing attack:
  • Requests for confidential information via email or instant message
  • Emotional language with scare tactics or urgent requests
  • Misspelled URLs, spelling mistakes, or the use of sub-domains
  • Links contained within the body of a message
  • Lack of a personal greeting or customized information.

Protecting Yourself from Phishing

  • To safeguard against phishing, use the following methods.

Methods of Protection

  • Do not provide personal information in response to unsolicited requests.
  • Only provide personal information on sites that have "https" in the web address or display a lock icon before the search bar.
  • Contact the company by phone if you suspect an email is phishing bait to confirm whether the message is legitimate.
  • Use varied and complex passwords for all your accounts.
  • Avoid clicking malicious links/attachments without verifying the source’s authenticity.

Forms of Phishing Attacks

  • Email Phishing
  • Voice Phishing (Vishing)
  • SMS Phishing (Smishing)
  • Typosquatting (URL Hijacking)
  • Clickjacking
  • Cryptocurrency Phishing

Email Phishing

  • Email phishing often appears in your email inbox with a request to follow a link, send a payment, reply with private info, or open an attachment.
  • The sender's email might closely resemble a valid one and contain personalized information.

Voice Phishing (Vishing)

  • Vishing involves scammers calling you, impersonating a valid person or company to deceive you.
  • The scammer might redirect you from an automated message and mask their phone number.
  • The scammer will try to keep you on the phone and force you to take action.

SMS Phishing (Smishing)

  • Smishing is similar to vishing, and uses a scheme to imitate valid organizations using urgency in a short text message.
  • The message typically includes a link or a phone number for you to use.

Typosquatting (URL Hijacking)

  • Typosquatting is social engineering, targeting internet users who incorrectly type a URL into their web browser.
  • It involves tricking users into visiting malicious websites with URLs that are common misspellings of legitimate websites.
  • For example: A website uses a variation of a real website name, changing a letter.

Clickjacking

  • Clickjacking uses multiple transparent layers to place malicious clickable content over legitimate buttons.
  • For example: an online shopper might download malware while attempting to make a purchase.

Cryptocurrency Phishing

  • Crypto Phishing targets those with cryptocurrency wallets.
  • Instead of using long-term means to mine cryptocurrency themselves, the criminals try to steal from those that already have these funds.
