Phishing is a special kind of online fraud, which presupposes fishing out the user’s login and password or another sensitive information with the aim to enter the naive user’s account and to cause damage both to the user and to the system the hacker managed to get access to.
What is the phishing attack and what are its objectives?
One of the main phishing methods is mass mailing, often from a bank or another service. For example, it can be a notification about the receipt of the money order. The mail proposes to learn more details about this money order by clicking on the link in it. the link usually leads to the fake website, which only looks like the real one. Any email address available on a public domains, forums, and different groups in social networks can fall a prey to the phishing attack. Special bots constantly search the internet looking for the active e-mail addresses to enter them to the spam list.
Often hackers attack a certain site and its clients. Most often among such companies are banks and other financial companies running their business online. A hacker creates a fake version of a legal resource. As a rule, it is enough to create only a login page – hackers do not need more. After the user logs in, he receives the message with notification that the authentication data are wrong. In most cases, this is a trustworthy signal that he just entered a fake web page. Meanwhile, the hackers manually or automatically withdraw money from the victim’s account.
Phishing attacks are dangerous. It is hard to recognize such threats and stop them. This happens because a hacker doesn’t need a direct physical access to the victim’s computer. And, thus, data protection system doesn’t raise the alarm. The hackers get all the necessary information from the users. First of all, they are interested in passwords and logins to enter social networks and websites, and the credit card numbers and PIN-codes.
How to minimize damage from phishing attacks?
When you are working on the Internet, it is necessary to follow these simple rules:
- Carefully check the sender of the email, and do not follow suspicious links. If it is possible, contact the company by telephone, and check whether it has sent the letter to you or not.
- Keep all your passwords in secret and do not to give them to anyone under any ground. Big companies do not require sending confidential information (credit card numbers, passwords) via e-mail and other unencrypted channels. The customer’s data protection is extremely important for them.
- Type the addresses of the websites storing your sensitive information manually. Or use your own bookmarks. But do not click on e-mail links. When typing by hand it is important to pay attention to what is written in the address bar of a site which requires login and password. Often the domain name of the fake site only slightly differs from the original one – sometimes the difference is only in one letter.
- Regularly update your browser and anti-virus programs. The majority of modern web browsers can identify phishing websites and do it better with each update.
- The websites of banks and payment systems must have a secure connection by the protocol HTTPS. If this protocol is absent – the user got the wrong address.
- If you suspect that the phishing attack has already taken place, you should immediately change your password and warn the site administration of possible danger. The hackers might have been stolen the login information.
Many resources are now introducing their own security systems and develop applications for secure login. But not always new authentication methods can protect from phishing attacks.
For example, recently a new method of entering the account has come into vogue: you just need to scan a QR code and you are in.
Now imagine, the victim enters a fake company website that looks like a real one. The victim clicks the QR code icon on the phishing site using the application installed on his smartphone. The robot of the fake website clicks on an icon of the real website. The real site shows an entry code to the hacker. The hacker now sends this code to the victim via his fake website. The defrauded user scans the QR code with his smartphone. The smartphone sends the data to the real website and the latter authorizes a hacker.
But if the user used two-factor authentication with one-time passwords, the above-mentioned situation didn’t happen. Especially if the user had an OTP token with data signature function CWYS. For example, Protectimus’ Smart token. In this case, even if the hacker manages to steal the login, password, and even the one-time password, he will not be able to log into the user’s account. The OTP password is generated on the basis of individual user’s settings such as IP-address, screen resolution of the device he uses, a sum of money he transfers, etc.
So is it worth inventing new solutions, if there are already tried and tested ones? Two-factor authentication, using one-time passwords with the CWYS (Confirm What You See) function, is one of them. It can protect user accounts from hacking and deprive the hackers of their “catch”.