How to protect money and personal data on the Internet
Anonim

The better informed you are, the harder you are to deceive. Here is what you need to know about phishing, prepared together with Microsoft.


What phishing is and how dangerous it is

Phishing is a common form of online fraud whose goal is to hijack accounts, steal payment card details or obtain other confidential information by tricking the victim into handing it over.

Most often, cybercriminals use email: for example, they send messages in the name of a well-known company, luring users to a fake copy of its website under the pretext of an attractive promotion. The victim does not recognize the fake, enters the login and password for their account, and in doing so hands the credentials to the scammers themselves.

Anyone can be a victim. Automated phishing emails are usually sent to a wide audience (hundreds of thousands or even millions of addresses), but there are also attacks aimed at a specific person; these are known as spear phishing. Most often the targets are top managers or other employees with privileged access to corporate data. When the target is a senior executive, this personalized strategy is called whaling, literally "hunting whales".

The consequences of a phishing attack can be devastating. Fraudsters can read your personal correspondence, send phishing messages to your contacts, withdraw money from your bank accounts and, more generally, act on your behalf. If you run a business, the risk is even greater: phishers can steal corporate secrets, destroy sensitive files or leak your customers' data, damaging the company's reputation.

According to the Phishing Activity Trends Report of the Anti-Phishing Working Group, in the last quarter of 2019 alone researchers recorded more than 162,000 phishing websites and 132,000 distinct email campaigns. In that period about a thousand companies from around the world were targeted. How many attacks went undetected is unknown.

Evolution and types of phishing

The term "phishing" comes from the English word "fishing". This type of scam really resembles fishing: the attacker throws the bait in the form of a fake message or link and waits for users to bite.

In English the word is spelled with the digraph ph rather than f. One explanation links this to the word phony (a fraud, a swindler); another to phreaking, the early hacker subculture of telephone-network hackers known as phreakers.

The term phishing is believed to have first been used publicly in the mid-1990s in Usenet newsgroups. At that time scammers launched the first phishing attacks against customers of the American Internet provider AOL: posing as company employees, they sent messages asking users to confirm their account details.

As the Internet developed, new types of phishing attacks appeared. Fraudsters began to fake entire websites and moved into other communication channels and services. Today the following types of phishing can be distinguished.

  • Email phishing. Fraudsters register an email address that resembles the address of a well-known company or of an acquaintance of the chosen victim and send messages from it. The sender name, design and wording of a fake message can be almost identical to the original; the difference is inside: a link to a fake site, an infected attachment or a direct request to send confidential data.
  • SMS phishing (smishing). The same scheme, but over SMS instead of email. The subscriber receives a message from an unknown (usually short) number asking for confidential data or containing a link to a fake site. For example, an attacker may pose as your bank and ask for the verification code you just received. In fact that code is what lets the scammers log in to your bank account or confirm a transfer.
  • Social media phishing. With the spread of instant messengers and social networks, phishing has flooded these channels too. Attackers can contact you through fake or compromised accounts of well-known organizations or of your friends. Otherwise the principle of the attack is the same.
  • Phone phishing (vishing). Scammers are not limited to text messages and may call you, most often over Internet telephony (VoIP). The caller may pose, for example, as a support employee of your payment service and ask for the details needed to access your wallet, supposedly for verification.
  • Search phishing. Phishing can reach you straight from search results, through paid ads or manipulated rankings. One click on a link to the fake site, and the personal data you enter there goes to the attacker.
  • Pop-up phishing. Attackers often use pop-ups. On a dubious site you may see a banner promising some benefit, such as a discount or a free product, in the name of a well-known company. Clicking it takes you to a site controlled by cybercriminals.
  • Pharming. Not strictly phishing, but a very common attack nonetheless. Here the attacker tampers with DNS resolution (for example by poisoning a resolver's cache or editing the hosts file on the victim's machine) so that the browser is silently sent to a fake site even though the user typed the correct address. The victim sees no suspicious messages or banners, which makes the attack more effective; a browser certificate warning for the real domain is often the only visible sign.

Phishing continues to evolve. Microsoft has described new techniques that its Microsoft 365 Advanced Threat Protection anti-phishing service detected in 2019. For example, scammers have become better at hiding malicious material in search results: links that look legitimate are pushed to the top of the results and lead the user to phishing sites through a chain of redirects.

In addition, cybercriminals have started generating unique phishing links and near-exact copies of legitimate emails automatically and at scale, which makes them harder for users to spot and for security filters to block.

Microsoft, in turn, has learned to identify and block these new threats. The company has put its cybersecurity expertise into the Microsoft 365 suite, which provides the solutions a business needs while protecting its information, including from phishing. Microsoft 365 Advanced Threat Protection blocks malicious attachments and potentially harmful links in email and detects ransomware and other threats.

How to protect yourself from phishing

Improve your technical literacy. As the saying goes, forewarned is forearmed. Study information security on your own or ask experts for advice. Even a solid grasp of the basics of digital hygiene can save you a lot of trouble.

Be careful. Do not follow links or open attachments in messages from unknown senders. Check the sender's actual address, not just the display name, and look at the real destination of a link (hover over it) and the address bar of the sites you visit; a familiar brand name in a subdomain or a lookalike spelling is a warning sign. Do not respond to requests for personal information, even when the message looks believable. If someone claiming to represent a company asks you for information, call the company's call center using a number from its official site or your card, not one from the message, and report the situation. Do not click on pop-ups.

Use passwords wisely. Use a unique, strong password for every account. Subscribe to services that warn you when the password for one of your accounts turns up in a public breach, and change that password immediately if it does.
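Breach-notification services can check a password without ever receiving it. The added example below, which is not code from the article or from Microsoft, shows the k-anonymity scheme used by public password-breach APIs: the client sends only the first five hex characters of the password's SHA-1 hash, receives every known hash suffix for that prefix, and matches locally. The breach corpus and its counts are constructed for the demonstration.

```python
"""k-anonymity breach check for a password (added example)."""
import hashlib

# Constructed stand-in for the remote breach corpus; the counts are invented.
# A real service stores only hashes and counts, never these plaintexts.
_DEMO_BREACHED = {"password123": 1234567, "letmein": 98765, "qwerty": 4321}


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form these APIs use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (prefix, suffix). Only the 5-character prefix leaves the client,
    so the server learns one of 16^5 buckets, not the password or its full hash."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def mock_range_endpoint(prefix: str) -> str:
    """Simulates GET /range/{prefix}: every suffix in the corpus whose hash starts
    with the prefix, one 'SUFFIX:COUNT' line per entry."""
    lines = []
    for plaintext, count in _DEMO_BREACHED.items():
        digest = sha1_upper(plaintext)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, range_lookup=mock_range_endpoint) -> int:
    """Number of times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password123", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate))
```

To use a live service, pass a `range_lookup` function that performs the HTTP request for the prefix (the Pwned Passwords API serves this at `https://api.pwnedpasswords.com/range/{prefix}`); the client-side logic does not change, and the password itself still never leaves the machine.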

Set up multi-factor authentication. This adds a second check to the account, for example a one-time password. Each time you sign in from a new device you enter, in addition to the password, a six-digit (sometimes four-digit) code sent to you by SMS or generated by an authenticator app. It may seem inconvenient, but according to Microsoft this alone blocks more than 99% of automated account attacks: if fraudsters steal the password, they still cannot sign in without the code. One caveat: a code typed into a fake site can be relayed to the real one within its validity window, so MFA based on codes reduces the risk but does not eliminate it.

Use passwordless sign-in where available. In services that support it, drop passwords altogether in favor of hardware security keys or approval through an app on your smartphone. Hardware keys in particular are phishing-resistant: the key signs a challenge that is bound to the site's real address, so a lookalike site receives nothing it can reuse.

Use antivirus software. A regularly updated antivirus helps protect your computer from malware that redirects you to phishing sites or steals logins and passwords. Remember, though, that your main protection is still digital hygiene and following cybersecurity recommendations.

If you run a business

The following tips will also be helpful for business owners and company executives.

Train employees. Explain to staff which messages to avoid and what information must never be sent by email or other channels. Prohibit the use of corporate email for personal purposes. Instruct them on handling passwords. It is also worth considering a message retention policy: for security reasons, for example, messages older than a set period can be deleted.

Conduct training phishing attacks. To test how employees react to phishing, simulate an attack: for example, register an email address similar to your own and send messages from it asking staff to provide confidential data. Use the results to target further training rather than to punish those who click.

Choose a reliable email service. Free consumer email accounts offer too little control for business communication; companies should use managed corporate services. For example, users of the Microsoft Exchange mail service, part of the Microsoft 365 suite, get comprehensive protection against phishing and other threats. To counter fraudsters, Microsoft analyzes hundreds of billions of emails every month.

Hire a cybersecurity expert. If your budget allows, find a qualified professional who will provide ongoing protection against phishing and other cyber threats.

What to do if you are a victim of phishing

If there is reason to believe that your data has fallen into the wrong hands, act immediately. Scan your devices for malware, then change the passwords of the affected accounts from a device you trust, sign out all other active sessions and enable multi-factor authentication if it was not already on. Tell your bank that your payment details may have been stolen. If customer data may be affected, inform the customers of the potential leak.

To keep such situations from recurring, choose reliable, modern services for collaboration. Products with built-in protection mechanisms are the best fit: they stay convenient to use without putting your digital security at risk.

For example, Microsoft 365 includes a range of intelligent security features, including protection of accounts and sign-ins from compromise with a built-in risk-assessment model, and passwordless or multi-factor authentication that requires no additional licenses.

The service also provides dynamic, risk-based access control that takes a wide range of conditions into account. In addition, Microsoft 365 includes built-in automation and data analytics, lets you manage devices and protects information from leakage.
