What is a Phishing Scam and How to Stay Safe from it

In this lesson we will look into Phishing scams, a scam that can be used to target individual accounts or even companies and whole networks. By the end of this lesson you will be able to identify the characteristics of a phishing scam, and understand the basic ways to protect against it, and stay safe from phishing scams.
September 16, 2022

Staying safe from Phishing Scams

Navigating the internet, whether web1, web2 or web3, has always been tricky, especially in the early days of each iteration's adoption, when bad actors look for ways to make money off unassuming people trying out new technology. There are numerous ways scams are run on the internet, but that should not deter you from using it as a tool: where there are scams, there are also ways to avoid them.


What is a Phishing Scam?

Phishing is one of the many ways that online hackers and scammers attempt to obtain information from users. It is a fraudulent practice that can be carried out over different channels, including email, SMS text messages, social media posts and fraudulent URLs. Attackers impersonate a legitimate enterprise, often by cloning its website or branding, in order to obtain sensitive information such as passwords and two-factor authentication codes. Within the crypto space, phishing scams usually target information pertaining to online wallets, such as seed phrases and private keys.

Phishing attacks are social engineering attacks and can have a wide range of targets depending on the attacker. They may take the form of a generic scam email sent to anyone who might have a PayPal account, as in the example below, or they may be a targeted attack (spear phishing) focused on a specific individual.

Types of Phishing Scams

Many different types of phishing scams exist. Here is a broad overview of some of the most common types:

  • Standard email phishing is the most widely known form: an attempt to steal sensitive information via emails that appear to come from a legitimate organization. Email phishing is usually not targeted and is sent en masse.
  • Malware phishing uses the same techniques as email phishing but encourages the target to click a link or download an attachment so that malware is installed on the device. It is currently the most pervasive form of phishing attack.
  • Smishing is SMS-based phishing that delivers malicious short links to smartphone users, usually disguised as account notices, prize notifications or political messages.
  • Search engine phishing involves cybercriminals setting up fraudulent websites designed to collect personal information and direct payments. Such sites can show up in organic search results or as paid ads for popular search terms.


Phishing is a popular cybercrime because of its efficacy; Stanford University IT even maintains a constantly updated list of phishing scams being distributed to its network.

For years, cybercriminals have successfully used emails, texts, direct messages and social media to get people to respond with their personal information. It is easy to fall prey to this attack because it effectively copies an entity we usually trust, which is why it is important to know what to look out for.

A phishing attack can be identified by looking out for the following:

  • Urgent calls to action or threats. Users should be careful with a message that claims they must click, call or open an attachment immediately. Often the message will claim the recipient is eligible for a reward, or that an account will be suspended unless they act.
  • Requests for sensitive information such as Social Security numbers or bank and financial information are a red flag. Official communications will not randomly ask for sensitive information in an email.
  • First-time and infrequent senders. It is not unusual to receive correspondence from new senders, but users should be wary of an address or number they do not recognise. If a message is unexpected and unsolicited, always treat it as suspect.
  • Spelling and bad grammar. Spelling mistakes and bad grammar are often indicators of a scam, as professional and legitimate organizations use mechanisms to ensure proper grammar and spelling in their correspondence.
  • Suspicious links and unexpected attachments. If you are suspicious of the content of an email or message, do not open any links or attachments in it. Hovering over a link to see where it actually points, rather than the text it displays, is a quick check.
  • Mismatched email domains. If an email claims to be from a reputable company such as Microsoft or your bank but is sent from another domain such as yahoo.com or any free email service, it is likely a scam. Also look out for sender addresses that are similar enough to a legitimate one to pass a quick glance but have added numbers or changed letters (for example a digit 1 in place of a lowercase l).
  • The greeting in the message is not addressed to you specifically, and there may be several unrelated email addresses in the "To:" field.
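Several of the red flags above can be checked mechanically. The following Python script is an added example, not code from the original article or from Hacken: it parses a raw email, checks whether the display name claims a brand that the sending domain does not belong to (including typosquat lookalikes such as paypa1.com), compares the domain shown in each link's text with where the href really points, and looks for urgency wording, generic greetings and hidden recipients. The brand allow-list, the free-mail list and the two sample messages are constructed for illustration and are not real mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: brand keyword -> domains that brand really sends from.
LEGIT_DOMAINS = {"paypal": {"paypal.com"}, "microsoft": {"microsoft.com"}}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|verify now|urgent)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|member|account holder)\b", re.I)
HOSTNAME_IN_TEXT = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")
BARE_IP = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def levenshtein(a, b):
    """Edit distance; a small non-zero distance to a real domain marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Crude registrable domain (last two labels); real code should use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_red_flags(raw_email):
    """Return human-readable red flags found in a single-part RFC 5322 message."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()  # single-part sample; use msg.walk() for multipart mail
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()

    # Display name claims a brand, but the sending domain is not that brand's.
    for brand, domains in LEGIT_DOMAINS.items():
        if brand in display.lower() and sender_domain not in domains:
            kind = "a free email service" if sender_domain in FREE_MAIL else "an unrelated domain"
            flags.append(f"claims to be {brand} but sent from {kind}: {sender_domain}")
            for legit in domains:  # typosquat such as paypa1.com for paypal.com
                if 0 < levenshtein(registrable(sender_domain), legit) <= 2:
                    flags.append(f"sender domain {sender_domain} is a lookalike of {legit}")

    # Link text shows one domain while the href goes elsewhere (or to a bare IP).
    extractor = _LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        target = (urlparse(href).hostname or "").lower()
        shown = HOSTNAME_IN_TEXT.search(text.lower())
        if BARE_IP.fullmatch(target):
            flags.append(f"link points to a bare IP address: {target}")
        if shown and target and registrable(shown.group(0)) != registrable(target):
            flags.append(f"link text shows {shown.group(0)} but points to {target}")

    # Urgency, generic greeting, and mass mailing with hidden recipients.
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        flags.append("urgent call to action or threat")
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting instead of your name")
    if "undisclosed-recipients" in msg.get("To", "").lower():
        flags.append("sent to undisclosed recipients")
    return flags

# Constructed sample messages (not real mail): one phish and one legitimate notice.
PHISH = """From: "PayPal Security" <service@paypa1.com>
To: undisclosed-recipients:;
Subject: Your account will be suspended within 24 hours
Content-Type: text/html

<p>Dear Customer,</p> <p>Please <a href="http://198.51.100.23/login">www.paypal.com/verify</a> now.</p>
"""
LEGIT = """From: "PayPal" <service@paypal.com>
To: alice@example.com
Subject: Your monthly statement is available
Content-Type: text/html

<p>Hello Alice,</p> <p>It is ready at <a href="https://www.paypal.com/statements">www.paypal.com/statements</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_red_flags(sample) or ["no red flags"])
```

Running it reports seven flags for the constructed phish (lookalike sender, brand mismatch, link to a bare IP, link text that does not match its target, urgency, generic greeting, hidden recipients) and none for the legitimate notice. The checks are deliberately simple: a real mail filter would also verify SPF/DKIM/DMARC results and use the public suffix list instead of the two-label shortcut in registrable().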


Securing Accounts and Information From Phishing Attacks

Now that we’ve learned about what to look out for, we need to know what to do next. 

If you receive a suspicious email, here are some steps recommended by the University of Massachusetts IT:

  • Do not reply, even if you recognize the sender as a well-known business or financial institution. 
  • Do not click any links provided in these emails (or cut and paste them into a browser). This may download viruses to your computer, or at best, confirm your email address to phishers.
  • Do not open any attachments. If you receive an attachment you are not expecting, confirm with the sender that they did indeed send the message and meant to include an attachment.
  • Do not enter your personal information or passwords on an untrusted Web site or form referenced in this email. 
  • Report any suspicious messages - Report the message as spam, and notify the entity that you believe is being impersonated in the message.
  • Delete the message.

When in doubt, always use security best practices:

Securing your personal and account information is essential. Regularly updating your operating system, applications and antivirus software is one of the most obvious ways to do so, but make sure you always download updates from legitimate sites. Users should also enable two-factor authentication on their accounts, preferably with an authenticator app or hardware security key rather than SMS codes, since SMS is itself a smishing channel.

Users should also be cautious about what they share on social media, since attackers use that information to make targeted phishing more convincing; limit the personal information you post. A password manager is also good practice: it fills credentials only on the site they were saved for, so it will not offer your bank password on a lookalike domain. Finally, be very alert to emails from unrecognized senders, which often contain links and attachments that may carry malware.

Summary (TL;DR)

Phishing emails, texts and messages are designed to appear legitimate, and they get better all the time. Social engineering attacks such as phishing are designed to exploit a momentary lapse in a user's judgement. Always watch out for red flags like urgency, mismatched links and sender addresses, and requests for sensitive information. Stay alert and never provide sensitive or personal information via email, unknown websites, social media, or over the phone.

Sources:
  1. Samples of Phishing, Stanford University IT: https://uit.stanford.edu/phishing
  2. Protect Yourself Against Phishing Scams and Identity Theft, University of Massachusetts Amherst IT: https://www.umass.edu/it/support/security/protect-yourself-against-phishing-scams-identity-theft
  3. How to Improve Your Cybersecurity, Hacken: https://hacken.io/researches-and-investigations/how-to-improve-your-cybersecurity/
  4. Security Pitfalls & Best Practices, Secureum: https://secureum.substack.com/p/security-pitfalls-and-best-practices-101

About Hacken

Hacken is a cybersecurity auditor born in 2017 with a vision of transforming Web3 into a more ethical place. With 5+ years of experience, hundreds of blockchain partners, and thousands of secured crypto projects, Hacken protects technological businesses and crypto communities worldwide with the most competitive suite of professional cybersecurity services. 

Hacken in figures:

  • 1,070+ clients, including THORSTARTER, ConstitutionDAO, XTblock, Paribus, to name a few
  • 180+ partners including Avalanche, Polkastarter, CoinMarketCap, Weld Money, CoinGecko, Solana Foundation, Simplex, to name a few
  • 23/50 top crypto exchanges are Hacken clients
  • $10B in users’ assets saved from being stolen by hackers

Strategic goal: get a 20% share in the Web 3.0 cybersecurity market by 2024.
