Phishing is a common technique that hackers use to steal your personal information. But how can you defend against it?
What Is Phishing?
Phishing is when an attacker tries to steal your personal information (passwords, credit card numbers and so on) by impersonating someone you trust: a friend or family member, a company you deal with, or a website you use. Email is by far the most common delivery channel.
The email tries to get you to click a link or open an attachment. The attachment typically carries malware, and the link leads to a fake site built to look like a real one, such as your bank's login page. When you "log in" there, the attacker captures your username and password.
The first recorded use of the word "phishing" appears in AOHell, a mid-1990s hacking tool aimed at AOL. It included a function that posed as an AOL representative and messaged users asking them to "verify" their password or billing details. AOL had by then stopped accepting fake, algorithmically generated credit card numbers for new accounts, so people who wanted free or disposable accounts turned to stealing real users' credentials instead.
The spelling comes from AOL's own moderation. AOL staff scanned chat-room transcripts for words associated with pirated software (warez) and stolen-account trading so they could suspend the accounts involved. The string "<><" was the most common HTML-like tag in those transcripts, turning up in practically every one, so it could not be used as a filter, and the warez crowd adopted it as a code word for stolen credit cards, stolen accounts and other illegal goods. Because "<><" looks like a fish, the activity became "fishing", and the "ph" spelling was borrowed from "phreaking", the earlier name for telephone-system hacking.
Check Links And Attachments
Every phishing email wants you to click a link or open an attachment, so start there. Be wary of attachments from senders you don't know. With links, the address will be made to look like a legitimate one, but on close inspection there is usually a difference. Remember that the text of a link and its real target can differ, so hover over it (or long-press on a phone) to see where it actually goes before you judge it.
For example, "http://wwwliquidvpn.com" (note the missing dot) looks very much like "http://www.liquidvpn.com" at a glance. Attackers also often hide an odd-looking address behind a URL shortener, so the link you see in the email tells you nothing about the destination. If the link is supposed to take you to your bank, check that it starts with HTTPS and that the host name is your bank's real domain, not a look-alike.
Remember: Just because you see a corporate logo, that doesn’t mean the website is real. Anyone can copy a logo and insert it into a fake page.
The "S" means the connection is encrypted with TLS (the successor to SSL). Any site that handles sensitive information should use it, and a login page served over plain HTTP is a red flag on its own. The reverse does not hold, though: HTTPS only proves that your connection to whatever site you are on is private. A fake site can have a perfectly valid certificate for its own look-alike domain, so a padlock does not prove the site is your bank. For shortened links, use the free website CheckShortURL: copy the link (don't click it!), paste it into the site, and it will show you where you would end up if you followed it.
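The link checks above (look-alike host names, shorteners, HTTPS) can be written down as a small routine. The following is an added example, not code from the original article; it assumes a short, hand-maintained list of domains you really log into (here liquidvpn.com, taken from the example above) and a constructed, illustrative list of shortener hosts. It goes a little beyond the text by also flagging two other common tricks: a trusted name placed before an "@" sign (the browser connects to whatever follows the "@") and a trusted name used as a subdomain of an unrelated site.

```python
import difflib
from urllib.parse import urlsplit

# Assumption: the reader keeps a short list of domains they actually log into.
TRUSTED_DOMAINS = {"liquidvpn.com"}

# Constructed, illustrative list of URL-shortener hosts. A shortened link tells
# you nothing about its destination, so expand it (e.g. with CheckShortURL)
# before deciding anything.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}


def trusted_domain_for(host, trusted):
    """Return the trusted domain that `host` equals or is a subdomain of, else None."""
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def check_url(url, trusted=TRUSTED_DOMAINS):
    """Classify a link copied (not clicked!) out of an email.

    Returns (verdict, reason); verdict is "ok", "shortened", "suspicious" or "unknown".
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # .hostname strips user:pass@ and :port

    if scheme not in ("http", "https") or not host:
        return "suspicious", "no usable scheme or host name"

    # https://liquidvpn.com@evil.example/ : everything before '@' is a username;
    # the browser actually connects to what follows it.
    if parts.username is not None:
        return "suspicious", "text before '@' is a username; the real host is " + host

    if host in SHORTENER_HOSTS:
        return "shortened", host + " hides the destination; expand it before judging"

    # Internationalised labels can use characters that mimic ASCII letters.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "punycode (xn--) label; possible look-alike characters"

    domain = trusted_domain_for(host, trusted)
    if domain:
        if scheme != "https":
            return "suspicious", host + " is trusted but the link is plain http"
        return "ok", host + " belongs to " + domain

    # Fuzzy match with dots removed: catches wwwliquidvpn.com, liquidvpn.co, l1quidvpn.com
    collapsed = host.replace(".", "")
    for domain in trusted:
        target = domain.replace(".", "")
        if difflib.SequenceMatcher(None, collapsed, target).ratio() >= 0.8:
            return "suspicious", host + " looks like " + domain

    # liquidvpn.com.evil.example : trusted name used as a subdomain of another site
    for domain in trusted:
        if domain in host:
            return "suspicious", "'" + domain + "' appears inside unrelated host " + host

    return "unknown", host + " is not on your trusted list; verify it another way"


if __name__ == "__main__":
    for link in ("https://www.liquidvpn.com/login", "http://wwwliquidvpn.com",
                 "https://liquidvpn.com@evil.example/", "https://bit.ly/3abc"):
        print(link, "->", check_url(link))
```

An "unknown" verdict is not a pass: it just means the routine has no opinion, and you should fall back on the other checks in this article (contact the sender another way, or ask the company directly). The fuzzy threshold of 0.8 is a judgement call; lower it and you get more false alarms, raise it and single-character swaps start slipping through.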
A simple way to check whether an email is genuine is to ask the sender, using a different channel: a text message, a phone call, or a fresh email to an address you already have. Do NOT reply to the original email, because a reply goes straight back to whoever sent it. If an email from your bank has odd spelling or grammar, call the bank on the number printed on your card or statement, not a number from the email, and ask about it.
If you often send people files, consider sharing them through a cloud service such as Google Drive or Dropbox instead of attaching them. Upload the file, restrict access to the people who should see it, and email them the link.
In some situations it is normal to receive attachments from people you don't know. You might be a journalist receiving documents from a source, or a developer receiving log files from a user. In those cases it is hard to tell whether a file is safe or malicious. One option is to open it in a browser-based viewer such as Google Docs or Etherpad, so the file is never parsed by the native application on your own machine. Google also scans files in Drive for known malware, although that will not catch everything.
If you're an advanced user, open the file inside a virtual machine, or use an operating system designed for isolation such as Tails or Qubes. Always run antivirus or antimalware software, but remember that it cannot detect brand-new malware. If the email contains a link to a file, you can submit the URL (or the file itself) to VirusTotal, which checks it against many scanning engines; bear in mind that anything you upload there is shared with other researchers, so don't upload confidential documents.
Watch Out For Instructions
Be wary of emails that instruct you to do something: reset your password, "verify" your account, or grant remote access to "computer support". They usually claim to come from tech support or from a service you have an account with. Don't follow the instructions. Instead, forward the email to the company it claims to come from, or contact the company through its published customer-support channel (a number or address from its own website, not from the email). Virtually every business has some kind of customer support, and they can quickly confirm whether the message was really theirs.
Another tip for advanced users: a more robust but more involved defence is to use PGP to sign (and, if you like, encrypt) your email. A signature is created with your private key and checked with your public key, so a recipient who has verified your public key knows that the message could only have been produced by someone holding your private key, and that it was not altered in transit.
The downside, of course, is that both sender and recipient need PGP set up, and the recipient needs to have obtained your public key through a channel they trust. It does nothing for email newsletters, messages from companies that don't sign their mail, and so on.
Security is never perfect and criminals never stand still, but these habits go a long way toward keeping you from becoming the victim of a phishing attack.