Phishing: How Hackers do It, How to Protect Yourself

Phishing, also known as phishing or spoofing is the most common cyber-fraud technique. However, a few precautions are enough to protect against the majority of these cyber attacks.

There is no such easy-to-access and inexpensive method of cyber-surveillance as phishing. In its simplest version, phishing doesn't even require computer skills, other than knowing how to send an email. 

Phishing can cause damage on its own, but it is also used to deploy much more complex attacks, with ransomware for example. Protecting yourself against phishing should therefore be your first priority in terms of digital hygiene, at home and in your business. Especially since unlike other types of attacks, phishing can always be avoided. On one condition: remain suspicious in all circumstances.

WHAT ARE THE CONSEQUENCES OF PHISHING?

Cybercriminals use phishing to extract information that will allow them to do things with your identity or your money. Depending on the type of data the hacker manages to extort from you, the consequences vary:

Bank information: the bank card number, the three-digit security code on the back, or the credentials to make a transfer. You will have a deadweight financial loss. The amount will depend on how long it takes before you realize the deception.

Authentication information for email or application accounts. If the perpetrator recovers your passwords and identifiers, he can simply deny you access to them. It can also spend money if you have linked your bank details to the compromised account. In the case of email theft, the attacker will use your email address to bolster their phishing campaign and reach even more people. It can also be used to reset the passwords of your less protected accounts, and take control of them. In the worst-case scenario, the attacker will use the passcodes to monitor your activity (for example, your emails) and extract sensitive data. This new information can then be used to carry out larger-scale attacks - ransomware or “president scam”.

Personal and administrative information: for example numbers and photocopies of passport, identity card or vital card. With much of this data, cybercriminals can steal your identity or resell it on the black market and create false documents. Identity theft can cause serious damage: a criminal can, for example, make you accused of crimes. Above all, the process to prove identity theft and regain control can be very laborious.

More and more, cybercriminals are using phishing to trick their victims into installing malware. Phishing then becomes a first step in the deployment of complex software such as Trojans or ransomware. In these cases, the damage can run into millions of euros, and up to the loss or theft of all the data on your computer or a company's computer network.

HOW DO HACKERS LAUNCH THEIR PHISHING ATTEMPTS?

Gain your confidence to better manipulate you

The methods deployed for phishing are mainly social engineering: they are manipulation techniques. Thieves want to trick you into giving out sensitive information on your own. Their observation is simple: most often, it is easier to make a human make a mistake than to defeat several computer security barriers. To achieve this, manipulators can contact you through all possible communication channels: emails, messaging, phone calls, SMS, social networks, etc.

Send E-mails

The simplest phishing attempts involve massive email campaigns. Attackers will send a typical email to thousands or even millions of addresses they have purchased on the black market. Then they just have to hope that a small percentage of that targeted fall into their trap. Not very personalized, these campaigns are generally easily spotted but work on the most gullible people.

When they have more information - than they can get through a data breach or the exploitation of a vulnerability, for example - hackers can create tailor-made phishing emails. Phishing is then aimed at a smaller group of people but will have a higher success rate.

They will identify the key people, who could help spread their scam. For example, the email account of a company CEO or a human resources manager has a high value. Company employees will be more likely to click on links sent from these addresses. Or pay a false bill.

Create Fake Sites

The most developed phishing campaigns are based on fake sites or documents. The email or message will be used to redirect you to the falsified platform, owned by hackers. They will, for example, reproduce the donation page of an association, a social network or the connection interface to your professional accounts (such as Microsoft 360).

You will think you are on a legitimate site, but all the information you write will be picked up by the thugs. This practice is common to steal your account name and password for certain applications. Similarly, some emails or messages have the sole purpose of making you download malware with one or more clicks.

HOW TO SPOT PHISHING?

You have surely already heard the first principle, rehashed after each successful scam: under no circumstances should you communicate your username and password. Whatever the chat channel (email, phone, messaging) through which you are asked. Regardless of the department or application involved, even if it is your boss or an employee of a company who asks the question. If customer service or network administrator really asks you to do so, they are incompetent, and you shouldn't answer them.

Beyond this basic principle, a few observations to be carried out in a systematic way make it possible to avoid falling into the traps.

We Ask You to Act Urgently

The hacker will mobilize your sense of urgency to hamper your thinking: the exceptional offer he offers only lasts for a very limited time, or the update of your password that he requires must be made in the second. It is very unlikely that a company will ask you to act so quickly.

Ask yourself the right questions about the message received

Do you know the sender of the email? Does he have a vocabulary, spelling and syntax that matches what you know about him? Your distrust will protect you: it is better to be too careful. If the email or call seems too suspicious to you, check it another way. For example, you can telephone the company or the person concerned, or visit the official website through the address bar of your browser.

Are you the only recipient or does the mailing list contain names you don't know?

HOW TO PROTECT YOURSELF FROM PHISHING?

Take advantage of the protections implemented by services and software. Your electronic mail service (Gmail, Outlook, Lacoste, Proton Mail…) already filters some of these cyber-attacks and sends them as spam. Likewise, your web browser (Firefox, Edge, Safari, Chrome, etc.) warns you if a site seems suspicious before letting you access it.

On Windows, use anti-malware: it won't necessarily protect you against phishing itself, but it could limit the damage caused by malware deployed through phishing. Some solutions like Malware Bytes offer "real-time" protection work in the background.

Use two-factor authentication when available: If a hacker has your password due to a phishing campaign, your account remains protected.

If a virus does find its way to your computer anyway, a Free antivirus can prevent it from doing harm. "Better to buy an antivirus, because the paid software is unfortunately still much more powerful than the free." Here again, the main thing is to do the updates.