Network Threats:

Fishing, as you may know, is a leisurely activity that can be for sport or for survival. Phishing — while similarly spelled — is a very dangerous threat to network security, and it happens every single day. In terms of network security, phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details — often for malicious reasons — by disguising oneself as a trustworthy entity in an electronic communication. This is a serious threat because of how easy it is to get phished, and the vast amount of damage that can result from it.

According to a ZDNET study, 45% of people who are phished fall for it. From the article, titled John McAfee: An email hack can destroy our digital world and we won’t see it coming — “We seldom consider the wide-ranging implications of someone hacking into our accounts. Assuming they don’t change our passwords and lock us out — the worst case scenario — we are still in a world of hurt. Every email that we send or have sent and received can be read by the hacker.”[¹]

There are a vast number of ways that one can become the victim of a phishing attack. Only by learning about the different phishing scenarios can one limit the unintended release of their information. Here are a few ways that phishing attempts occur: receiving phishing links in a private message on social media or email, spoofed accounts registered with names similar to well-known individuals, imposter URLs for trustworthy websites, and open redirect vulnerabilities.

Any message containing links or asking for sensitive information should be carefully vetted. Spoofed accounts that look similar to friends or trustworthy figures should be properly vetted to make sure they are really who they say they are. Phishing websites are websites that replicate genuine services, but are designed to steal and collect information. For example, if you accidentally use a phishing website that is designed to look like a genuine bank, you may end up sending your login details to cyber criminals instead. Open redirect is not really a software vulnerability in any strict sense, but more of a web server behavioral quirk that can make phishing attacks somewhat easier to carry out. It happens when a trustworthy site like google.com, say, can be “tricked” into redirecting to any site on the internet. For example, if google.com/url?blahblahblahblah&redirect=google.co redirected to google.co instead of staying on the google.com domain, then cyber criminals could register google.co and spread the above link in an elaborate phishing attempt.
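The open redirect quirk described above is closed on the server side by refusing to redirect anywhere that is not a local path or an allowlisted host. The following is an added example (not code from the original article) of such a check in Python, written around the article's google.com/url?...&redirect=... scenario; the allowlist contents, the function names and the fallback path are assumptions chosen for the illustration. It goes a little beyond the article's single case by also rejecting the scheme-relative, backslash and userinfo forms of the redirect parameter that a naive host comparison would miss.

```python
from urllib.parse import urlparse, parse_qs

# Constructed allowlist for the article's hypothetical trusted site.
ALLOWED_REDIRECT_HOSTS = {"google.com", "www.google.com"}
SAFE_FALLBACK = "/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_REDIRECT_HOSTS, fallback=SAFE_FALLBACK):
    """Return `target` only if redirecting there keeps the user on an allowed host.

    Anything else (off-site hosts, scheme-relative "//host" forms, backslash
    tricks, non-http schemes, userinfo like "google.com@google.co") gets the
    local fallback instead, which is what removes the open redirect.
    """
    if not target:
        return fallback
    # Browsers treat "\" like "/" and strip some whitespace; refuse rather than guess.
    if any(ch in target for ch in "\\\r\n\t "):
        return fallback
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return fallback
    if not parsed.netloc:
        # No authority part: accept only a plain local path ("/x"). "//x" and "///x"
        # resolve to an external host in browsers, and "https:evil.com" has no "/".
        if target.startswith("/") and not target.startswith("//"):
            return target
        return fallback
    # .hostname is lowercased with userinfo and port stripped, so
    # "https://google.com@google.co/" yields "google.co" here.
    host = parsed.hostname
    if host in allowed_hosts:
        return target
    return fallback


def resolve_redirect_link(url, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """For a link like google.com/url?...&redirect=..., return where the server
    should actually send the browser after applying the allowlist check."""
    params = parse_qs(urlparse(url).query)
    requested = params.get("redirect", [""])[0]
    return safe_redirect_target(requested, allowed_hosts)


if __name__ == "__main__":
    # The article's scenario: the redirect parameter points off-site, so the
    # user is kept on the trusted site instead of being sent to google.co.
    print(resolve_redirect_link("https://google.com/url?q=x&redirect=https://google.co"))
    print(resolve_redirect_link("https://google.com/url?q=x&redirect=/account"))
```

The check is deliberately an allowlist rather than a blocklist: a redirect feature only ever needs to reach a handful of known hosts, and every other destination is the phishing case the article warns about.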

Organizations can mitigate the threat of phishing in a few different ways — but as explained before, education on the subject is highly important in mitigating the threat. The most important way to mitigate a phishing threat is to never trust a link you see posted anywhere on the internet without verifying it first. This is very important regardless of who posted the link; they may have copied it from an insecure source without realizing it. Given the high prevalence of phishing attacks, MSU’s email always redirects through a URL scanner (proofpointdefense) that can mitigate attacks.[²] Verifying addresses and URLs is a smart way to beat the threat of phishing. Using 2FA (two-factor authentication) is another way to mitigate phishing attacks — it eliminates 99% of phishing. Using different passwords on different websites can also mitigate the threat of phishing, since a password stolen on one site can otherwise be reused to log in to others. Some companies have a system in place that automatically changes any http prefix to an hxxp prefix. This prevents people from clicking on potentially malicious links, by forcing them to manually change the ‘xx’ to ‘tt’.
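Two of the mitigations above, verifying a link's real hostname and rewriting http to hxxp, are small enough to show in working code. The following Python is an added example and not code from the article, MSU, or Proofpoint; the function names and the sample domains (mybank.example, evil.test) are constructed for the illustration. The hostname check judges a link by the host the browser would actually connect to, which is what defeats lookalike prefixes such as mybank.example.evil.test and userinfo tricks such as mybank.example@evil.test.

```python
import re
from urllib.parse import urlparse

# Matches the scheme of a clickable web link. "hxxp"/"hxxps" do not match,
# so defanging a message twice changes nothing.
_LINK_SCHEME = re.compile(r"\bhttp(s?)://", re.IGNORECASE)


def defang_links(text):
    """Rewrite every http:// or https:// in `text` to hxxp:// or hxxps://.

    Mail clients no longer render the result as a link, so a reader has to
    retype 'tt' by hand before visiting it, the speed bump the article describes.
    """
    return _LINK_SCHEME.sub(lambda m: "hxxp" + m.group(1).lower() + "://", text)


def refang_links(text):
    """Inverse of defang_links, for an analyst who needs the original link back."""
    return re.sub(r"\bhxxp(s?)://", lambda m: "http" + m.group(1).lower() + "://",
                  text, flags=re.IGNORECASE)


def url_belongs_to(url, expected_domain):
    """True only if the URL's real host is `expected_domain` or a subdomain of it.

    .hostname is lowercased and has userinfo and port stripped, so
    "https://mybank.example@evil.test" is judged by "evil.test", and
    "mybank.example.evil.test" fails because it only *starts* with the
    expected name rather than ending in it.
    """
    # A bare "host/path" link, as pasted into chat, gets a scheme so urlparse
    # treats the first component as the host rather than as a path.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


if __name__ == "__main__":
    # Constructed message in the style of a password-reset lure.
    message = "Your session expired. Reset here: https://mybank.example.evil.test/login"
    print(defang_links(message))
    print(url_belongs_to("https://mybank.example.evil.test/login", "mybank.example"))
```

A gateway that defangs every link in inbound mail trades a little convenience for the guarantee that nothing is reachable with a single click; the hostname check is the manual version of the same verification the article recommends before trusting any link.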

As you have read, there are many ways that the threat of phishing can turn into an actual compromise. With the knowledge you have gained from reading this, you can be sure that companies are doing everything they can to mitigate the threat of phishing and keep your accounts and information secure. When in doubt, always check twice.