What is phishing? Anatomy of a phishing attack plus five security tips (Video)

Phishing is one of the most effective means for cyber crooks to get around your security to steal sensitive information, usually in the form of an email that imitates real communications from trusted sources like banks, social media websites and delivery companies.

If you’ve ever come across a suspicious email promising you great deals or free money, you hopefully know to stay away. But sometimes a cybercriminal might manage to trick you into giving away your passwords to sensitive websites.

Phishing is a problem that won’t go away. But you can train yourself to look for giveaways that will tell you if you’ve visited a phishing website by mistake. Check out our five security tips to stay safe from phishing. Plus, watch our short video explaining how a secure web gateway can protect you and your business from phishing attacks.

Anatomy of a phishing attack

In a recent example of a phishing attack, cybercriminals sent out phishing spam looking to trick users of the online Bitcoin wallet Coinbase, with the email claiming that you need to review a new user agreement in order to continue using your Coinbase account.

The email included a link to a phony site copied from the real Coinbase.com. If you click anywhere on the phishing site, however, a login screen pops up asking for your username and password, which the cybercriminals will gladly use to steal all your Bitcoins.

At first glance, the phishing email looks pretty convincing. It says it’s from Coinbase and has a copy of the real Coinbase logo. Look closer, however, and a few things make clear that this is a fake.

The first clue (see screenshot below) – there is a spelling mistake in the subject line (“Agreementy”).

Also, the email is addressed “Hello,” instead of using your real name. And it is oddly phrased to suggest it might not have been written by a native English speaker.

Hello,

On 02/17/14 our User Agreement has changed.

Review Our New User Agreement

In order to continue using our services you need to review and agree with the new agreement.

Kind regards,

The Coinbase Team

Five security tips — How to avoid phishing

1. Be careful what you click! 

Not all phishing emails are as obvious as this one, and some can look very professional and convincing. To protect against phishing attacks, it’s good practice never to click on links in email messages. You should enter the web address of your important websites directly in the address bar of your browser. Even better — use a bookmark or Favorite to save the link for your bank, email, and other important websites. Also, consider turning off HTML in your email to prevent malicious images from loading.

2. Check the address bar for the correct URL

The address bar in your web browser uses a URL to find the website you are looking for. The web address usually starts with either HTTP or HTTPS, followed by the domain name. The real websites of banks and many others use a secure connection that encrypts web traffic: SSL (today TLS), which the browser shows as HTTPS. If you are expecting a secure HTTPS website for your bank, for example, make sure you see a URL beginning with https:// before entering your private information.

3. Look for the padlock for secure HTTPS websites

A secure HTTPS website has a padlock icon to the left of the web address. You can see in the screenshot of the fake Coinbase website that it does not have a padlock, whereas the real Coinbase.com has a padlock and a web address starting with HTTPS. Ironically, the fake website is a near-exact copy of the real one, including the part telling you that the website uses SSL/HTTPS for security.

Fully encrypted. Wallets (and private keys) are stored using AES-256 encryption and the site runs entirely over SSL.
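As an added illustration of tips 2 and 3 (this is not code from the original article or from Sophos), the following Python script pulls the links out of an HTML email body and applies both checks to each one: the URL must start with https://, and the host must be the expected domain or one of its subdomains, which also catches look-alike hosts that merely begin with the real name. The sample email body and the host names in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domain the email claims to come from (the article's Coinbase example).
EXPECTED_DOMAIN = "coinbase.com"

def check_link(url, expected_domain=EXPECTED_DOMAIN):
    """Return the list of problems found; an empty list means the link passes
    the tip 2/3 checks: https:// scheme and a host on the expected domain."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        problems.append("not https://")
    if "@" in parts.netloc:
        # 'https://coinbase.com@other.example' actually connects to other.example
        problems.append("userinfo before '@' hides the real host")
    host = (parts.hostname or "").lower().rstrip(".")
    if host != expected_domain and not host.endswith("." + expected_domain):
        # catches coinbase.com.other.example and coinbase-login.example alike
        problems.append(f"host {host!r} is not on {expected_domain}")
    return problems

class _LinkCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

def triage_email(html, expected_domain=EXPECTED_DOMAIN):
    """Map every link in the email body to the problems found with it."""
    collector = _LinkCollector()
    collector.feed(html)
    return {link: check_link(link, expected_domain) for link in collector.links}

# Constructed sample body modelled on the article's email; the hosts are made up.
SAMPLE_EMAIL = """<p>Hello,</p>
<p>On 02/17/14 our User Agreement has changed.</p>
<p><a href="http://coinbase.com.user-agreement.example/login">Review Our New User Agreement</a></p>
<p><a href="https://www.coinbase.com/legal">Legal</a></p>"""

if __name__ == "__main__":
    for link, problems in triage_email(SAMPLE_EMAIL).items():
        print(link, "->", problems or "ok")
```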

4. Consider using two-factor authentication for more security

When you try to log into a website with two-factor authentication (2FA), there’s an extra layer of security to make sure it’s you signing into your account. After you fill in your password, usually the second step is to enter a one-time security code. The code is sent to your phone so only you have access to it. Many banks and social media websites now have the option to add 2FA. Activate this feature for better password security.

5. Have complete protection such as Sophos UTM

Nothing beats having a good security system that stops spam and phishing. James Lyne, global head of security research at Sophos, explains that phishing attacks can get around some types of spam protection. Watch the 90-second video below to see how you can make sure you have adequate protection against phishing.