In this technologically advanced era, clicking has become one of the most fundamental acts we perform. According to Wellnomics and Statista, the average computer user makes 600 clicks per hour and spends 3 hours and 27 minutes on the computer, respectively. Based on the statistics, we may estimate that an average user could make 2,070 mouse clicks each day, assuming a rate of 10 clicks per second. The higher our click rate, the more likely we are to make a mistaken click, jeopardizing our digital security.
Many people have been harmed because of erroneous clicks. Even the most secure and well-defended organizations, such as Google and Facebook, have fallen prey to phishing scams. Both organizations are accused of being duped into transferring more than US$100 million to a scammer, an activity that allegedly lasted from 2013 to 2015, although both organizations were able to reclaim a major portion of the monies.
The most pressing question is: how many of us can restore what we lose online, and if so, to what extent? Let's have a look at a very typical cyber-attack that many people fall prey to simply by making a wrong click. Phishing is a type of cyber-attack that includes disseminating misleading information that seems to come from a reliable source. The primary goal of this attack is usually to get access to sensitive data, such as user credentials, credit card numbers, personal information, or to spread malware to several targets. This type of attack focuses on people rather than systems because humans are the weakest link in the security chain. As a result, in 2020, phishing was the most common type of cyber-attack or cybercrime.
According to CSOONLINE, 6.95 million phishing and scam pages were produced, a higher number than in previous years due to the pandemic and the shift to remote employment. According to Verizon's data breach investigations report, 2021, email is the most popular method of distribution for this type of attack. With the rise of social media, it has also become a viable means of disseminating forged correspondence with phishing links attached.
How Attackers Operate
As previously said, humans are the weakest link in terms of digital security; therefore, these attackers create their messages intending to abuse the human aspect for a variety of reasons, including creating a sense of urgency and impersonating well-known brands.
Let's examine how attackers exploit these to entice people.
Conveying a sense of urgency
Humans have a predisposition to react quickly to anything that appears to be important. We are certainly correct in our desire to answer quickly, but in our haste to be "swift," we are frequently less critical and attentive to details than we would normally be. This creates a window of weakness or vulnerability for attackers to exploit. In this situation, attackers create their communications with a high sense of urgency, luring many people into replying or opening links without first verifying the messages' legitimacy, which can be harmful.
Impersonating well-known brands
We have developed a high level of trust for several well-known businesses because of our contacts with them. Because we are constantly willing to respond to or trust communications that appear to come from any of these businesses, our sense of trust might make us vulnerable. These attackers usually spoof/mimic these trusted brands by delivering false communications on their behalf. Because many people mistakenly believe the message comes from a trusted source/company, they fall prey to the attackers' demands. Some of these attacks may take the form of updating your account information or making other changes.
Effects of Phishing Attack
Upon leveraging these incentives to entice targets to fall for their baits, the following are the likely effects on their victims
Victims of phishing-related cyber breaches may lose a variety of data, depending on the type and severity of the attack. Personal data such as addresses, phone numbers, and credit card information are among the data that could be stolen.
Besides losing data, victims may also lose credentials, which could lead to accounts being compromised. Attackers may tamper with the corresponding user accounts using the credentials gained during their phishing campaign, or they may reset the credentials, preventing the original owners access to the accounts. With these compromised accounts, attackers may mimic the account's legitimate owners and deceive or attract additional users into having their accounts compromised, and the cycle will continue.
Depending on the type of attack, victims may be swayed to download malicious attachments that compromise the victims' systems. Spyware, which is used to exfiltrate user data from victims to the attacker, and ransomware, which encrypts user data and demands a ransom from victims before their files or data are decrypted, are two frequent types of infections.
Forms of Phishing Attacks
Phishing attacks can take many forms, but the most typical ones are:
Typosquatting is a prevalent tactic used by cybercriminals to impersonate reputable brands. To deceive people who do not adequately verify URL (website address) before visiting a website, attackers register domains that are misspellings or typographically mangled versions of genuine domains. Amaz0n.com, amzon.com, and amazon..com are all examples of typosquatting of the original domain amazon.com. After successfully spoofing these domains, attackers distribute their phishing links to their targets to entice them to visit their phishing sites, which may contain malware or some other method of obtaining user data.
Think before you click: when you receive a link from a colleague or a friend, do not rush to visit the website, regardless of what brand the link appears to represent. Instead, run a quick analysis of the URL by checking the below:
- Ensure no more characters have been added or removed from the original URL (e.g., faceboook.com).
- Ensure individual characters in the URL have not been swapped (e.g.: faecbook.com).
- Conduct a simple web check to make sure the URL matches that of the original brand.
- Check to verify if the URL begins with an "https" prefix rather than the "http" prefix, even though "https" alone does not suggest it's "genuine."
- Instead of clicking on a dubious link to a website, type in the URL or search for it online.
Phishing attacks are frequently carried out using emails. The attackers frequently send emails impersonating a person or a reputable company to persuade their target to divulge vital information. They may instruct a target to share credentials with them while imitating a trusted party.
Think before you click: When you get a message, whether it is from a colleague or a legitimate company, don't be in a hurry to answer or disclose the information requested. It is best to be certain that:
- The sender's email address corresponds to the trusted parties.
- A cursory inspection of the contents of the mail to check that there is nothing strange or suspicious about it.
- Check the mail for any unusual typos or grammatical problems.
- There is no link in the email that redirects you to share or reset your account credentials if you have not requested one.
Some phishing emails include instructions for downloading a file that has been attached to the message. In most situations, these attachments contain malicious content that may infect the target machine. Windows executables, office documents, compressed archives, pdf files, and other types of executables are some of the most typical harmful files attached to these emails.
Think before you click: when you receive an email with an attachment, whether it is from a colleague or a respectable business, don't be tempted to download or open it right away. It is best to be certain that:
- The email comes from a known source
- The sender's email address is the same as the trusted parties.
- It is not an unexpected request, even if the sender's email address appears to be legitimate.
- The filename is not a random string of characters or a strange name that has nothing to do with what you would expect.
If you truly requested an attachment, the file extension should match what you expect to receive. If you asked for a picture, anticipate file extensions like jpeg, jpg, or png rather than exe.
Regardless of how urgent the message appears to be, double-check the content of the message, and confirm with the sender whether he/she sent the email.
These have become ideal choices for phishing attacks to take place. After being persuaded to visit phishing sites, victims are made to complete a series of forms to advance. For nefarious purposes, several types of user data are collected and kept.
Think before you click: when you get a link that asks you to give some personal information or user credentials, do not be rushed into sharing or disclosing that information via the form. It's best to be certain that:
- The form's website is authentic.
- The information required is relevant; for example, why would an online news outlet request your credit card information in addition to your email address for their mailing list?
- The form is secure, which means it is an https form rather than an http form.
- Nothing on the page is suspicious
Make it a point to enable multi-factor authentication on any account that supports it, so that if your account credentials are lost, you still have a second layer of protection to verify the user before granting access. It is also a good idea to turn off automatic attachment downloads in your mailbox. Before opening or executing files, always scan attachments or downloads. Always think about why a form will require such information and what it will be used for before you provide it online.
Since we cannot entirely rule out the need to click, the best prevention will be to reconsider our decisions before we click: we must THINK BEFORE WE CLICK.
Author: Obu Raymond Buernor, Inveteck Global (Member, Institute of ICT Professionals Ghana).