How to Avoid Highly-Sophisticated Phishing Scams

What is phishing, and why should everyone know about it?

Phishing is a type of cyber attack that uses fraudulent messages, most often email, to trick people into giving up sensitive information, from credit card and Social Security numbers to login credentials and confidential business data. Unlike many other attacks, phishing targets the person rather than a flaw in software, so technical controls only go so far. Spam filters and link-reputation checks will weed out some phishing emails, and phishing-resistant multi-factor authentication or a password manager that refuses to fill credentials on an unfamiliar site can limit the damage when someone is fooled, but the best and most effective way to combat phishing is still to raise awareness among users.

To that end, here’s an update on the rising sophistication of phishing attacks that we’ve seen, as well as tips on how to avoid falling victim to them.

How sophisticated have phishing attacks become?

Recently, we’ve seen an increase in the cleverness of phishing attacks. Phishers have long been adept at making the emails they send to their victims look like legitimate correspondence. They often pose as brands people know and recognize, using company logos and other design elements to fool their victims. And, when the victim clicks a link in the email, they are taken to a website that looks somewhat similar to the brand’s real website, where they are asked to divulge information, such as a username, password, or more sensitive personal or financial information.

The difference in some recent phishing attacks that we’ve seen is that the websites they have set up to “phish” for users’ information have become extremely sophisticated. Look at the screenshot below, which depicts a phishing page set up to fool customers of Comcast’s Xfinity service.

[Screenshot (Comcast-Xfinity-Phishing.png): a phishing page imitating Xfinity's sign-in page]

If you’re an Xfinity customer, you probably recognize the problem. Whereas in the past, phishing pages were usually somewhat easy to spot, at least to discerning eyes, this page looks remarkably similar to Xfinity’s actual login page. The cybercriminals have pulled out all the stops, mimicking Xfinity's design elements. And if the user enters a username and password, those credentials go straight to the attacker, who can use them on the real Xfinity site and on any other account where the user reuses the same password.

As if that weren’t enough, after the user “signs in,” the various links on the page work; they take you to other convincing-looking but fraudulent web pages or to Xfinity’s real site. So, it’s possible to “sign in” and surrender your privacy without even knowing you weren’t on Xfinity’s website.

What’s the best way to avoid falling for these scams?

The best way to avoid falling for phishing scams is to stop clicking on links in these kinds of emails altogether. If a company with whom you have an account sends you an email, type the company’s web address into your browser yourself (or use a bookmark you saved earlier) and sign in there, or call their customer service line to sort out the matter. As you can see from the above, once you’ve clicked on a link it’s just too hard to tell from the page itself whether the website you’re looking at is legitimate; the only reliable clue is the address in the browser’s address bar, and a lookalike address that merely contains the brand’s name is not the brand’s site.
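Because the page itself can no longer be trusted, the thing worth checking is where a link in the email actually points. The following added example (not code from the original post or from Comcast) scans the HTML of an email for links and flags the tricks described above: a host that contains the brand name but belongs to a different domain, visible link text that shows one address while the href goes elsewhere, plain http, a raw IP address, credentials embedded before the host, and non-ASCII lookalike characters. The allowlist of legitimate brand domains, the brand tokens and the sample email (which uses the reserved `.example` top-level domain and a documentation IP address) are constructed for the example.

```python
"""Flag email links whose real destination does not match the brand they appear to belong to.

Added example using only the Python standard library.  The allowlist below is an
assumption for the example; a real deployment would maintain it per brand.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: registrable domains the brand actually signs users in on.
LEGIT_DOMAINS = {"xfinity.com", "comcast.com", "comcast.net"}
# Brand words that phishers embed in lookalike hostnames.
BRAND_TOKENS = ("xfinity", "comcast")

# Something that looks like a hostname inside the visible link text.
_DOMAINISH = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host.  Adequate for .com/.net; production code
    should use the public suffix list so that e.g. example.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href, text):
    """Return the list of reasons a link is suspicious (empty means none found)."""
    reasons = []
    try:
        parts = urlsplit(href)
    except ValueError:
        return ["unparsable link"]
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return ["non-web or unparsable link"]
    if parts.scheme != "https":
        reasons.append("plain http")
    if parts.username is not None:
        # https://xfinity.com@203.0.113.10/ : the real host is after the '@'
        reasons.append("credentials embedded before host")
    if any(ord(ch) > 127 for ch in host):
        reasons.append("non-ASCII characters in host (possible homograph)")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address")
        domain = host
    except ValueError:
        domain = registrable_domain(host)
        if domain not in LEGIT_DOMAINS:
            if any(tok in host.lower() for tok in BRAND_TOKENS):
                reasons.append(f"brand name in host but domain is {domain}")
            else:
                reasons.append(f"domain {domain} is not a known brand domain")
    # Visible text that looks like an address pointing somewhere other than the href.
    m = _DOMAINISH.search(text)
    if m and registrable_domain(m.group(1)) != domain:
        reasons.append(f"text shows {m.group(1).lower()} but link goes to {host}")
    return reasons


def scan_email_html(html):
    """Return [(href, text, reasons)] for every link in the email body."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in collector.links]


# Constructed sample email for the example; not a real message.
SAMPLE_EMAIL = """
<p>Your Xfinity bill is ready.</p>
<a href="https://www.xfinity.com/">https://www.xfinity.com/</a>
<a href="https://xfinity.com.account-verify.example/login">https://www.xfinity.com/login</a>
<a href="http://login-xfinity.example/">Sign in</a>
<a href="https://xfinity.com@203.0.113.10/">Pay now</a>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email_html(SAMPLE_EMAIL):
        print(("OK      " if not reasons else "SUSPECT ") + href)
        for r in reasons:
            print("    - " + r)
```

Only the first link in the sample passes; the other three are flagged for one or more of the reasons above. A password manager applies the same logic implicitly: it matches on the registrable domain, so it will not offer the Xfinity password on a lookalike host, which is itself a useful warning sign.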

And, really, users should exercise caution when clicking on links or attachments in all emails, even personal ones. Many cybercriminals are going beyond mass-market spamming and using social engineering to pose as individuals’ personal or business contacts as well.

Finally, if you’re an owner or manager in a business or nonprofit environment, get the word out to your team as soon as possible. Send them a link to this blog post, and make sure they know what the dangers of falling for phishing schemes are.

And, as always, contact us if you have any questions or would like to take your company’s security to the next level.