In April this year, the Dow Jones briefly fell 143 points, following a hack on the Associated Press' Twitter account. Tweets appearing to be from the trusted news organisation claimed the White House had been bombed, and President Obama injured. Although the false tweets were immediately removed, the case showed how stolen credentials can have potentially devastating consequences.
Phishing attacks are happening every day, says John Mc Loughlin, MD of J2 Software. "Hackers are making a fortune off stolen accounts, and phishers create campaigns to target multiple accounts at a time."
He says they use a combination of fake pages, often using genuine tragedies or scandals in the news as bait, and social engineering to fool their targets.
A few months ago, Zscaler ThreatLabZ uncovered a phishing page aimed at Yahoo e-mail users. Yahoo introduced two-factor authentication in 2011, and sent e-mails to its users to encourage them to set it up. In this instance, the phisher actually took advantage of the introduction of two-factor authentication to aid in an attack. The scam involved spoofed e-mails that threatened Yahoo users with dire consequences should they fail to turn on two-factor authentication. Of course, the link in the false e-mails directed users to a phishing page, which stole login credentials.
Phishing of this nature is extremely commonplace, says Mc Loughlin. "Most spam folders are crammed with e-mails claiming to be from LinkedIn or Facebook asking users to click on a link to verify their accounts."
Many people have a 'so what' attitude about their social media accounts, he says. They believe it doesn't really matter if cyber criminals have access to their Facebook, for example, as there is no financial information stored there, and no sensitive data.
However, Mc Loughlin says this is far from true. "Once an account has been compromised, it can be used as an attack vector for other accounts. In addition, your information can be used to commit identity theft or fraud. Your login details in the wrong hands could also be used to send out spam messages or malware, and could seriously damage your reputation."
He says there are several ways to avoid being caught on a phisher's hook. "Firstly, check out the URL you are being directed to, by hovering your mouse over the link. Do not just open links regardless. Any strange characters, or odd numbers, such as www.facebook1.com, are a dead giveaway.
"It is also vital to have an understanding of what legitimate financial institutions will and won't do. Your bank will never ask you to provide or verify sensitive information through a non-secure platform such as an SMS or e-mail. Also be wary of e-mails that use scare or pressure tactics - reputable organisations won't do this."
When in doubt, Mc Loughlin advises users to pick up the phone. "If, for any reason, you think one of your financial service providers may genuinely need some information from you, call them. They will quickly be able to verify whether or not the request is a genuine one."
He adds that you must make sure you have good security measures in place, and most importantly, be sensible. "If you have not typed in the URL yourself then don't take the risk - it is simply not worth it."
Another sure-fire method to stay safe is to ensure you use a secure browser whenever you transact online. "If your bank does not provide this to you, get it yourself," says Mc Loughlin. A secure browser will ensure all your keystrokes are hidden from cyber thieves and it will prevent them from using dangerous software to take screenshots of your activities as well. Once you complete your online session, the secure browser will remove any identifying data from the system, ensuring security even when you leave the machine.
"You then have the peace of mind that you are working in a secure environment - wherever you log on from. If your browser does not have built-in secure communication, phishing protection and keystroke logging protection - how can you be sure that you are safe online?" he concludes.