Despite the availability of numerous faster modes of communication - including instant messengers, communication apps, and social media - email continues to be the preferred means of communication for official purposes.
Most of us have at least one personal email address. We also need email addresses to register and log in to important online services. This is why email addresses and their associated passwords are the information most sought after by cyber criminals.
Phishing letters
The easiest way to get someone's email address and passwords is to get them to divulge the details themselves. This is exactly the technique that cyber criminals use, and it is called phishing. Cyber criminals use phishing in various forms. The most common method is to send out phishing letters. Using the popular web-mail services, cyber criminals send out letters that seemingly originate from services that users most commonly interact with - banks, schools, clubs, and so forth.
Types of phishing letters
The types of letters that cyber criminals usually employ to phish user details are:
Request for information: These are generally simple text-based messages that ask users to share their email address and password on various pretexts. Users are asked to send the details to a specified email address different from the one the letter was sent from. This is the most basic form of phishing. Cyber criminals have since evolved and moved on to more sophisticated methods.
Redirect to phishing website: This is currently the popular method to phish out details. Cyber criminals send out automated messages to users that have one or more links that redirect the users to a fake website, created with the sole purpose of stealing personal details of the users. These websites are lookalikes of popular websites with similar domain names. However, since the links are actually different from the legitimate ones, cyber criminals conceal them by making images and texts clickable.
Attachments: Cyber criminals use attachments - HTML, Doc, or PDF files - with a short text message in the email. The aim is to make the message look genuine, as though it originates from a legitimate source.
With HTML attachments, cyber criminals bypass the need to redirect users to a phishing page on the internet, as they can steal information from the HTML form itself.
Direct back to genuine website: Probably the most sinister way to phish out details is to coax users into logging into lookalike websites. The webpage then displays an error message saying that something went wrong, so the user could not be logged in or the details could not be submitted, and that the user must try again. When the user clicks this 'try again' tab, she is directed back to the legitimate website and doesn't notice that she has been scammed.
To protect yourself from such phishing scams, be wary of clicking on any links—whether text- or image-based—in your emails. The common tell-tales of prospective phishing scams include:
- Time-bound action: The message comes with a time-frame to create a sense of urgency. Users are asked to take immediate action, within the specified time frame, to avoid their account getting locked, or losing out on a chance to win a prize.
- Misspelled URLs: Pay attention to the URLs mentioned in the email. Usually, the fake links have misspelled names or changed domain names. It is possible that in order to maintain the correct spelling, cyber criminals may use similar-looking symbols from other languages. For instance, á instead of a or ç instead of c.
It's a good idea to call back your bank, school, club, or any other service provider and check if the email was indeed sent by them. It's better to be safe than sorry.
The article has been written by Neetu Katyal, Content and Marketing Consultant
She can be reached on LinkedIn.