UNDERSTAND PHISHING TO COMBAT PHISHING
Written by Mark Barnabas Lee
Phishing is a process where cyber criminals use various methods to “hook” unsuspecting victims into clicking on malicious links or revealing personal data. Just in case you are still struggling to pronounce it, the word “Phishing” has exactly the same pronunciation as “Fishing”: what you do when you hide a hook under bait and toss it into a pool, waiting for unsuspecting fish to bite.
Similar to fishing, cyber criminals often dangle a bait to lure unwary internet users into clicking on links so as to harvest personal information, with or without permission. There are in fact several methods of phishing; the best way to prevent them is to be able to recognize them. Here are the common ones.
- Spoof Sites
As the name suggests, “spoofing” is creating fake websites that look exactly like the original ones the regular Joe is familiar with. However, little do unsuspecting visitors know, some fake websites are built to collect user data like logins and passwords, so that cyber criminals can log in again after you log out.
>> Before you punch in any password, check the URL to ensure that you are indeed on the right page and not a fake one. This applies especially to bank pages, payment gateways, shared drives and even email login pages.
- Email with Malware / Spyware
This is the most common form of phishing, where the “evil phishermen” cast a big net by sending out many emails (to addresses probably harvested by crawler bots or stolen) with attachments loaded with spyware, malware or Trojan horses.
>> First, do not click links from strangers or unknown sources. And if you are extremely curious what’s behind one, especially when it came from a super compelling EDA or ex-lover, then be extremely sure the link goes to a legitimate site. It is still recommended that you DO NOT open any strange links unless you are ready to handle unwelcome surprises…
- Fake Email
It is uncommon nowadays to receive emails from cyber criminals with strange content, a strange weblink or an innocent-looking attachment with a weird file name. These are fairly outdated methods; the more up-to-date cyber criminals send emails that look almost identical to those of your regular telco, utility company, or a government office like the tax office or manpower authority. The uncanny resemblance fools many “unsuspecting fishes” who get phished!
>> Check the actual email address of the sender by right-clicking on the display name (the exact steps vary between OSes and platforms, but you get the idea) and ensure that the email contents match what you would expect from that sender. A friend of mine received an email from a “supplier” claiming that they had changed their bank account and requesting that he transfer the payment for an invoice IDENTICAL to a REAL and OUTSTANDING invoice that my friend owed to the supplier. A good way to verify and avoid fake emails is to make a phone call to confirm before clicking any link or opening any crazy-looking attachment.
- Spear Phishing is the use of email or other electronic communication media to target a specific individual, group of people, organisation or business. It is typically intended to steal data, but may also attempt to install malware on the victim’s device.
>> Perhaps the best way to avoid this is to understand your own risk profile. Are you an individual that hackers will want to hack? Does your position at work give you special access to privileged information, or are you perhaps a high net worth individual? Ah, but hackers could also target anyone who has a credit card…
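The two checks above, the URL check for spoof sites and the real-sender-address check for fake emails, can be automated. The script below is an added example (not part of the original post) that pulls the real mailbox address out from behind a friendly display name and checks both it and a link’s hostname against a constructed list of domains you actually deal with; the domain names are assumptions, not real organisations.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the domains you genuinely do business with (assumption).
TRUSTED_DOMAINS = {"mybank.example", "supplier.example"}


def sender_address(from_header: str) -> str:
    """Return the real mailbox address hidden behind the display name.

    '"Supplier Accounts" <x@evil.example>' -> 'x@evil.example'
    A display name that itself looks like an address is ignored.
    """
    _, addr = parseaddr(from_header)
    return addr.lower()


def domain_of_address(addr: str) -> str:
    """Part after the last '@' (empty string if there is no address)."""
    return addr.rpartition("@")[2]


def host_is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host IS a trusted domain or a subdomain of one.

    Uses an exact match or a '.'-anchored suffix match, so the look-alike
    'mybank.example.login-secure.test' and 'mybank-example.com' both fail.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_link(url: str) -> bool:
    """Does the link really point at a site you trust? Hostname only."""
    host = urlparse(url).hostname or ""
    return host_is_trusted(host)


def check_sender(from_header: str) -> bool:
    """Does the sender's real address belong to a domain you trust?"""
    return host_is_trusted(domain_of_address(sender_address(from_header)))


if __name__ == "__main__":
    # Constructed samples in the spirit of the supplier story above.
    print(check_sender("Supplier Accounts <billing@supplier.example>"))      # True
    print(check_sender('"billing@supplier.example" <pay@mail.example>'))      # False
    print(check_link("https://mybank.example.login-secure.test/login"))       # False
```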
Having strong, hardened firewalls and other cyber security tools can help to prevent attacks from hackers and brute-force attacks. However, there is no substitute for being careful and not clicking on malicious links, which can lead to dire consequences. Do also seek advice from professionals in your contact sphere for an external perspective on risks. You may also contact me for an assessment if you are based in Singapore or Malaysia.
Mark Barnabas is currently the Lead Consultant and Data Protection Officer of Profit Season Pte Ltd, a corporate advisory firm based in Singapore providing advice on business growth, overseas expansion and enterprise risk. His areas of specialty are data protection and operational excellence. He has prior experience in the following sectors: education, tourism, hospitality, events management and F&B. In addition, he has lived and worked in Malaysia, the Philippines and India, and has managed projects in the South East Asian region.
Learn more about PDPA in Singapore here!
- PDPA Compliance Checklist Singapore
- WSQ Fundamentals of the Personal Data Protection Act (PDPA) by Everest Innovation