Find out how good you are at detecting phishing scams
Phishing scams are disguised to trick you, but you can train to be a master at detecting them. Live Cyberstrong with our #BSHARP guide and test yourself to see if you can stay ahead of the scammers.
Cyberattacks are on the rise. The various innovative scenarios that they present themselves in are also making it increasingly difficult to tell legitimate emails apart from phishing attempts.
One moment you’re answering an email that’s supposedly from mum, the next you are finding yourself frantically telling your bank that you did not spend $10,000 on four flight tickets to Brazil.
That’s how a phishing attack works: answer a malicious email or text, or a questionnaire on a website, and bam, before you could bat an eye, your bank account or credit card is compromised. (P.S. this is the worst way for you to earn reward points on your credit card).
Most of us may think that we are already very careful or too savvy to be caught in a situation like this. But you might be surprised. Well, let’s test how “cyber strong” you really are with these scenarios below:
1. It’s easy to spot phishing attacks because their websites are always slightly misspelt, true or false?
If you answered ‘true’, don’t be surprised. So did we. But, in fact, the answer is ’false’.
Many fake websites do have slight spelling differences from the real thing, but there’s also a form of phishing that uses an International Domain Name (IDN) homograph attack.
What’s that, you may ask? When a website’s name uses a foreign alphabet (e.g. Cyrillic) it’s translated to something called Punycode. We won’t bore you with the techy details, but you should know that some characters in these foreign languages directly resemble their English counterparts when they appear in the address bar.
For example, the Cyrillic letter “a” is visually identical to the English one. But to the computer, they are different. Hence, it’s possible to set up a fake page that visually shows the correct address, but leads you elsewhere. A web developer, Xudong Zheng, recently demonstrated this by setting up a fake website that’s literally called www.apple.com (it even has the green “secured connection” lock and everything).
Currently, web browsers are developing ways to counter this. But if you want to be extra cyber safe, you should manually type in the address. Adopting this practice as a rule of thumb is the only way to be 100 per cent sure.
2. Phishing emails only appear out of the blue, which makes on-going email threads safe from phishing, right?
The fact is, phishing emails no longer always come as a new or standalone email. They can now even insert themselves into the middle of an existing email thread.
For example, say you’re in the middle of an email conversation with your colleagues. About five emails in, you get one that says “Hey, can you look this over for approval?”
Thinking nothing of it, you click it and… your computer starts downloading all sorts of malware and spyware.
It’s easy to be caught off guard since most people don’t expect a phishing email to appear mid-conversation. The only solution is to be alert and look out for any strange or out of context messages. It’s always best to check again with the supposed sender if something looks out of the ordinary.
3. Did you know that what you post on social media can be used to phish information from you?
You’ve probably heard of social networking sites like LinkedIn. Most LinkedIn profiles are filled with people’s achievements, places they’ve worked at, positions held, and so forth. That makes it easy for hackers to craft emails that look like they’re from your boss or colleagues.
Through Facebook, Instagram, and other social media sites, hackers can create contextual phishing emails or messages too. For example, they can view your vacation location on your Instagram pictures, especially if your profile is set to public mode. Then, hackers inconspicuously send you an email asking if you “left this while you were in Bali”. You click into the email unsuspectingly and end up downloading malware or spyware.
These sneaky hacker moves can sometimes be hard to notice, but there are some giveaway signs. For example, if a colleague who just resigned is apparently contacting you via their work email, or if the email about your last vacation is from a nameless source, you know there’s something “phish-y” going on. If you keep this in mind all the time, you’ll be much better at spotting and evading potential phishing attacks.
4. Do you verify payment requests before making payment?
The most common phishing attacks claim to be overdue account payments, or statements saying your last transaction failed.
In such situations, you’ll then be asked to click a link to verify details (for e.g. your Netflix payment). You will likely click into it because you don’t want to be spending Saturday night without your Netflix, right? You may even be kind enough to follow up with credit card numbers to update your billing information.
Soon, maybe even 30 minutes later, someone in an exotic country is buying themselves a new luxury hand bag at your expense*.
If you’re wise to phishing attacks though, you’ll be sure to follow up on such emails with careful authentication. This could mean a phone call to the service provider to confirm if it’s real and a refusal to click the email link before you get the verification.
*The thief probably isn’t the one who created the phishing attempt; they often just buy stolen credit card details online.
Phishing attacks get smarter all the time, so should you
No matter how cyber-sharp you think you are, bear in mind that phishing crooks have one big advantage: They can fail hundreds of times, but you only need to slip up once.
As an added precaution, get a credit/debit facility that comes with two-factor authentication (2FA) or a digital token. Having an additional layer of security creates an added barrier against phishing thieves who are trying their best to use your stolen card details or banking information.
And if you have clicked on any odd links, or experienced your computer slowing down, take it to a professional. Get it scrubbed clean of malware or spyware, even if nothing serious seems to have happened.
Make sure you get smarter against phishing attacks by learning about new tools to guard yourself financially while banking online. Check out how to Live Cyberstrong with our #BSHARP guide.
That's great to hear. Anything you'd like to add?
We're sorry to hear that. How can we do better?