Posted June 20, 2014
Phishing is a well-known word amongst information security professionals, and something they deal with on a daily basis. Simply put, phishing is the use of deceptive digital communication (email, text messages, social media, web pages) to trick unsuspecting people into handing over personal information such as passwords and account numbers, which the attacker then uses to break into their online banking, social media, or other accounts.
While many people outside of IT now have at least some idea of what phishing is, they may also have some misconceptions. In this article, we debunk five common myths.
1) Websites With Locks in the Browser are Safe
The small lock icon that appears in the browser's address bar when you visit a website means only that the connection between your browser and the website is encrypted, and that the site presented a certificate matching the domain shown in the address bar. It says nothing about who runs that domain. Encryption is not limited to lawful businesses: criminals can obtain certificates and encrypt their sites too, so a lock on a lookalike or impostor domain is just as real as a lock on the genuine site. Don't trust a website just because it has a lock and appears to support encrypted communications; read the domain in the address bar and make sure it is the one you meant to visit.
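The check that actually matters is the domain, not the lock. The script below is an added example (not code from the original article) that classifies a URL against an expected brand domain, flagging the two tricks a padlock cannot expose: the brand name buried inside some other domain, and lookalike characters substituted into it. The brand domain, the homoglyph table and the sample URLs are all constructed for the example.

```python
from urllib.parse import urlsplit

# Hypothetical brand domain the user believes they are visiting (assumption for the example).
EXPECTED_DOMAIN = "paypal.com"

# Illustrative character substitutions seen in lookalike domains; not exhaustive.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def hostname(url: str) -> str:
    """Hostname from a URL, lower-cased, without any trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Adequate for .com-style names; names under
    multi-label suffixes such as .co.uk need a public-suffix list instead."""
    return ".".join(host.split(".")[-2:])


def normalize(host: str) -> str:
    """Undo common homoglyph substitutions so 'paypa1' reads as 'paypal'."""
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def classify(url: str, expected: str = EXPECTED_DOMAIN) -> str:
    """Decide whether url really belongs to expected. The scheme is ignored on
    purpose: every sample below would show a padlock if served over TLS."""
    host = hostname(url)
    brand = expected.split(".")[0]
    if registrable_domain(host) == expected:
        return "genuine"
    if brand in host:
        # e.g. paypal.com.secure-login.example or secure-paypal.com
        return "brand name embedded in another domain"
    if brand in normalize(host):
        # e.g. paypa1.com
        return "lookalike characters"
    return "unrelated domain"


# Constructed sample URLs; all of them can be served with a valid certificate.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "https://paypal.com.secure-login.example/",
    "https://secure-paypal.com/",
    "https://www.paypa1.com/",
    "https://example.net/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:45} {classify(url)}")
```

Only the first sample is the brand's own site; the other four would all display a lock once they are served over HTTPS, which is exactly why the lock alone proves nothing.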
2) Not Clicking on Links Will Keep Me Safe
Criminal phishers only get the jewels by sending out links that people click on, right? Wrong. Pharming, a first cousin of phishing, is when criminals tamper with the Domain Name System (DNS) so that you are redirected to a fake website that looks exactly like the real one, even though you typed the correct address yourself. DNS is what turns a domain name such as "abcsite.com" into the string of numbers your computer actually connects to, known as an Internet Protocol (IP) address. Because none of this is visible to you, you would not know that the criminal had sent you to a fake site; the address bar still shows the name you typed. Criminals can subvert name resolution by infecting your computer with malware (for example by editing the local hosts file, which is consulted before any DNS server is asked), by hacking your home router and changing the DNS servers it hands out, or by compromising or poisoning a DNS server at your ISP.
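The local hosts file is the cheapest of those three vectors for malware to hit, and the easiest to audit. The script below is an added example (not from the original article) that parses a hosts file and flags any watched domain mapped to an address other than loopback or 0.0.0.0, the two values legitimate blocklists use. The hosts-file content and the watched domain list are constructed for the example; 203.0.113.45 is a documentation address standing in for the attacker's server.

```python
import ipaddress

# Constructed stand-in for /etc/hosts (or the Windows drivers\etc\hosts file)
# after a malware edit that redirects abcsite.com to an attacker-run host.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost
# added by "setup tool"
203.0.113.45 www.abcsite.com abcsite.com
0.0.0.0      ads.example
"""

# Hypothetical list of domains worth protecting on this machine (assumption).
WATCHED = {"abcsite.com", "www.abcsite.com", "bank.example"}


def parse_hosts(text: str):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            yield address, name.lower().rstrip(".")


def suspicious_overrides(text: str, watched=WATCHED):
    """Return (address, name, reason) for watched names that no longer resolve
    locally. Loopback and 0.0.0.0 entries are the normal ad-blocking pattern
    and are left alone; anything else wins over DNS and is a pharming signal."""
    findings = []
    for address, name in parse_hosts(text):
        if name not in watched:
            continue
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, name, "unparseable address"))
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            findings.append((address, name, f"redirected to {addr}"))
    return findings


if __name__ == "__main__":
    for address, name, reason in suspicious_overrides(SAMPLE_HOSTS):
        print(f"{name:20} {reason}")
```

Running it on a real machine means reading the actual hosts file instead of `SAMPLE_HOSTS`; a router or ISP-level redirect will not show up here, so pair this with a check that the name resolves to the same address from an independent resolver.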
3) If a Link Isn’t Sent via Email, It is Safe
Several recent studies indicate that criminals are sending fewer phishing emails these days. Knowing that people are learning not to click links in suspicious emails, criminals now hide malware in email attachments and compromised mobile applications, and distribute it via social media posts, where it can spread like wildfire to thousands of unsuspecting visitors. For example, a criminal may impersonate a popular company like PayPal and send a fake customer satisfaction survey that requires the target to download an email attachment. When opened, the file installs malware that then steals personal details as you type them into your browser. Phishing links are also sent via unsolicited instant messages from criminals posing as customer service representatives, "friends," or colleagues.
4) Phishing is Primarily Limited to Emails
Rogue mobile apps are essentially a modern-day update on email phishing tactics. Just as with traditional email phishing, criminals trick users into clicking links, downloading files, or disclosing personal information in the false belief that they are installing a legitimate app or following a safe link inside an app or app store. There are thousands of rogue apps on third-party storefronts outside official stores like iTunes, Google Play, Blackberry Market, Nokia OVI, and the Windows Phone marketplace. When a user installs a rogue app that carries malware or some other unwanted feature, criminals can use it to harvest whatever personal information on the phone the permissions granted to that app let it reach.
5) If I Don’t Open Attachments, I’m Okay
Download “The Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks” to learn more about how you can calculate the impact of phishing attacks to your organization.