You were working one day in the comfort of your home when an email inquiry came in. You managed a fleet of cars that, before the pandemic, were mainly used for ride-sharing apps. When the health crisis slowed business down, you pivoted to renting the cars to companies that needed to shuttle their staff. Seeing the inquiry, you got excited: this would be your third client, if it worked out.

You opened the email.

The sender seemed interested in your service. There was one problem, though: the sender was having trouble with one of your listings on a car rental site, and the email helpfully included a link to the page. Eager to help and to onboard a new client, you clicked the link and entered your credentials to check your account. On clicking submit, you were sent back to the login page. That was odd, but you put it down to a glitch, entered your credentials again, and this time the site worked fine.

Days later, a flood of email arrived: bookings for your cars. Some clients had already paid, yet no money had reached your account. The tone ranged from concerned inquiries to angry complaints, and you were left with a huge amount of investigating and explaining, not to mention a breach of client data to deal with. What you did not know was that the first website where you entered your credentials was fake: the supposed "client" who sent the email had captured your password and then bounced you to the real login page so that nothing looked wrong. With that password, they took over your account and collected payments from your real clients.

Sound familiar? This is a hypothetical story, but reports like it abound on social media and the wider internet, and the most common are stories of phishing victims.

What is Phishing?

According to the UK National Cyber Security Centre, phishing is an attack that attempts to lure a victim into providing confidential information such as a username or ID and password. It can arrive through any form of communication, but most commonly through email. A phishing campaign can reach a huge number of users, or it can be part of a targeted attack against a particular organization or person.

How is an attack conducted?

The attacker (usually a black-hat hacker) may use email, text messages, or phone calls, but whatever the channel, the attacker usually pretends to be someone the victim trusts: a person in authority, or someone close to the victim. In the story at the beginning of this article, the attacker posed as a prospective client.

By email or text, the attacker usually urges the victim to click a link that leads to a fake website. Most often that site is a copy of a real login page that records whatever username and password the victim types before passing the victim on to the genuine site; it may also try to install malware that steals stored passwords and personal information. By phone, the attacker tries to get the information verbally, using urgency or an appeal to emotion to stop the victim from thinking it through.

Attackers will also find other cunning ways to get at sensitive information, which is why we need to be all the more careful. It is common for attackers to do reconnaissance on a target first, so they know which opportunities they can take advantage of: who the target deals with, which services they use, and what kind of message they are likely to act on.

So how do we keep ourselves safe?

First, we need to make sure our infrastructure is hard to infiltrate. A few techniques that help:

  • Layer your network security. Use tools that make it hard for attackers to get into your systems: a firewall, anti-virus and anti-malware software, and timely security patches. No single layer stops everything, so each one should be there to catch what the previous one missed.
  • Control information access. Limit which people have access to sensitive information such as client data and financial records. Identify which positions or job functions genuinely need to work with these documents, and put guidelines in place to prevent abuse and negligence.
  • Stay on top of security updates. Downloading and installing updates tends to be the lowest priority for users who are busy with work, so the simplest way to make sure every computer is patched is to enable automatic updates.

Second, we need to ensure that people know how to protect themselves against these attacks. Train them in simple but effective practices such as the following:

  • Be wary of emails from unknown sources. This is easier said than done: the sender will often appear legitimate and the subject line will be designed to catch your eye, so it can be hard to tell a fake from the real thing. If an email is unsolicited, think twice before acting on it.
  • Don't click links straight away. One way to check a link is to hover the cursor over it (without clicking) to see the full address it actually points to; the text you can read and the address underneath it do not have to match. This works in desktop email clients and web browsers. On a phone there is no hover, so a long press on the link usually shows the destination instead. When in doubt, don't follow the link at all: type the site's address yourself.
  • Verify what you receive by visiting the official website or calling the official contact number, found independently rather than taken from the message. This is extra effort on your part, but it is how you find out whether the person behind an email or text is who they claim to be.
  • Keep up with the latest in cybersecurity and recent attacks. Attackers constantly evolve their tactics, so keep an eye on the news, especially about cybercrime.
  • Report any suspicious communication. Get in touch with whoever is responsible for cybersecurity (usually the IT administrators in a company setting) if you encounter anything malicious or suspicious. That helps not only you but also colleagues who might not be aware of the tactic.
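The "hover to see the real address" check can also be done programmatically when you have the HTML of a message, for example in a mail filter. The script below is an added example, not code from the original article: it extracts every link from a constructed sample email, compares the address shown in the link text with the address the link actually goes to, and flags destinations that borrow a trusted brand name as a subdomain of an unrelated site, use a bare IP address, or use plain http. The trusted-domain list, the helper names and the sample message are assumptions made for illustration.

```python
"""Flag deceptive links in an HTML email body (added example, not from the article).

For every <a> element the visible text is compared with the real href destination,
and the destination host is compared with the domains the reader actually trusts.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for illustration: domains the recipient genuinely does business with.
TRUSTED_DOMAINS = {"example-rentals.com"}

# Something that looks like a URL or bare host name inside link text.
URL_LIKE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of an http(s) URL; '' for mailto:, tel:, javascript: and so on."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https", ""):
        return ""
    if not parsed.scheme:  # bare "example.com/path" in link text
        parsed = urlparse("http://" + url)
    return (parsed.hostname or "").lower()


def registered_domain(host):
    """Crude eTLD+1 (last two labels); use the Public Suffix List in production."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks deceptive; an empty list means nothing was found."""
    reasons = []
    href_host = host_of(href)
    if not href_host:
        return reasons
    if is_ip(href_host):
        reasons.append("destination is a bare IP address")
    if href.lower().startswith("http://"):
        reasons.append("destination is plain http")
    # The text the reader sees names one site, but the link goes somewhere else.
    match = URL_LIKE.search(text)
    if match:
        text_host = host_of(match.group(0))
        if text_host and registered_domain(text_host) != registered_domain(href_host):
            reasons.append(f"text shows {text_host} but link goes to {href_host}")
    # A trusted name appears in the host, but the registered domain belongs to someone
    # else (e.g. example-rentals.com.account-verify.net).
    reg = registered_domain(href_host)
    for domain in trusted:
        brand = domain.split(".")[0]
        if brand in href_host and reg != domain:
            reasons.append(f"looks like {domain} but registered domain is {reg}")
    return reasons


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Map every href in the message to its list of warnings."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: analyse_link(href, text, trusted) for href, text in collector.links}


# Constructed sample message modelled on the story at the top of the article.
SAMPLE_EMAIL = """
<p>Hi, I cannot open your listing at
<a href="http://example-rentals.com.account-verify.net/login">https://example-rentals.com/listing/42</a>.
The help page <a href="https://example-rentals.com/help">here</a> did not help either,
and <a href="http://203.0.113.7/login">this link</a> just times out.</p>
"""

if __name__ == "__main__":
    for href, warnings in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", warnings or "looks consistent")
```

Run against the sample, the first link is flagged three times (plain http, link text naming a different site than the destination, and a trusted brand used as a subdomain of account-verify.net), the help-page link passes, and the IP-address link is flagged twice. The registered-domain helper keeps only the last two labels, which is wrong for hosts under suffixes such as co.uk; a real filter should use the Public Suffix List.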

What to do if you think you’ve fallen victim?

Even with these safeguards in place, there may still be gaps that attackers can take advantage of, so we should also know how to react if we think we have fallen victim to an attack. A few tips:

  • Report the incident to the responsible party for guidance. Tell whoever is responsible for cybersecurity (usually the IT administrators in a company setting) immediately if you opened a suspicious email or clicked a dubious link. Attackers move fast, so the sooner the incident is reported, the better.
  • Change your password. If you typed your credentials into a suspicious page, treat them as stolen: change the password right away, from a device you trust, and change it on any other account where you reused the same password, because attackers try stolen credentials elsewhere. This limits further access, but it does not mean no harm has been done, so still report the incident.
  • Run an anti-virus/anti-malware scan on your computer. The attacker may have installed malware on your device, and a scan will help find it. To set expectations, though, security software cannot detect all malware, especially newer strains, which is why layered security matters.
  • For bank transactions, contact your bank as soon as possible. Keep your bank's contact number handy so that in an emergency such as an attack on your account you can call them immediately.

We at Trinity hope the tips above help you and your company in the fight against cybercrime. Alongside our standard insurance products, we also offer specialty insurance lines, one of which is Cybercrime Insurance.

Cybercrime Insurance is protection for liability arising out of unauthorized use of, or unauthorized access to, electronic data or software within your network or business. It provides protection against claims due to a breach of confidential customer information and covers the expenses of legal advice in connection with an investigation by the Data Protection Authority.

Sources:

  • https://www.facebook.com/DICTgovph
  • https://www.nisc.go.jp/security-site/eng/campaign/handbook_ENG.html
  • https://www.ncsc.gov.uk/guidance/suspicious-email-actions
  • https://www.ncsc.gov.uk/guidance/phishing
