A guide to defending yourself from advanced phishing attacks

The word “phishing” might conjure up images of relaxing by a lake or stream to catch some fish, but there’s nothing laid-back about it. Phishing campaigns lure you with seemingly must-click offers – anything from get-rich-quick schemes to insistent security updates – and then steal your personal data. While phishing is among the oldest and best-known cyberattack techniques, it lives on, with continual improvements making it harder to spot.

Phishing expeditions: Why people keep falling for scams hook, line and sinker

It was once relatively easy to flag a phishing attempt. Common giveaways that a request for you to hand over personally identifiable information (e.g., your Social Security number, address, phone number, etc.) was illegitimate included:

  • Typos and general sloppiness in email communications.
  • Redirects to unsecured websites (i.e., ones without HTTPS encryption).
  • Well-known backstories, such as the “Nigerian prince” frame.

Nowadays, you can’t count on phishers to leave such obvious tracks. For example, in late 2017 security researcher Brian Krebs noted a sharp rise in phishing attacks from websites hosted on HTTPS domains, which are normally synonymous with safety. HTTPS-protected sites feature a padlock near their URLs; if you’re on a desktop PC, you might also see some green text indicating who holds the SSL certificate.
advanced phishing attacks
Using the HTTPS version of a site is always preferable to its plain HTTP address, and HTTPS is itself still a secure protocol, as well as an absolute must-have when performing tasks such as shopping or checking your bank account balance. None of that means it can’t be used as a distraction for attackers prodding you into handing over sensitive data; an HTTPS site is not necessarily legitimate, especially now that site owners can obtain valid SSL certificates for free.

PhishLabs has provided more details on the rapid ascent of HTTPS-associated phishing scams in recent years. Only 3 percent of phishing campaigns used HTTPS in 2016, compared to 25 percent in 2017. This increase coincides with the general rise of HTTPS traffic documented by all web browsers since the early 2010s, which has been mostly a blessing for internet users but also a bit of a curse in terms of complicating identification of phishing.

What you can still do to protect yourself from phishing

Now for some good news: You can still thwart virtually all phishing scams by paying careful attention to any unexpected and unusual communications. Let’s review a few useful tips in this regard:

1. Hover over links before clicking them

Links can’t always be trusted to go where they say they do. To avoid falling into a trap, hover your mouse over a link you’re not sure of to see where it actually leads. If you’re on a mobile device, you can usually do a light tap and hold on a link to preview where it goes.

The important detail to notice is the “root” domain. This sounds complicated, but it simply refers to what’s in between the “http(s)://” and the first “/”. Phishing sites often have lengthy and/or suspicious roots, such as “system.confirm” or “web-paypal.com.”

2. Bookmark your most important sites to keep reliable links on file

Phishers often steer would-be victims toward domains they falsely claim are legitimate sites, such as a bank’s web app or an identity verification landing page, with insistence you act quickly. You can actually preempt this line of attack by keeping all your most important sites saved as bookmarks in your web browsers.

These bookmarks provide a safe fallback in the unlikely scenario that you really do need to do something for your bank or to verify an address. It doesn’t matter where you save them, since all major browsers do cross-device synchronization if you are signed-in to the same account on each one.

3. Ignore installation prompts, particularly on Facebook

You might have tried viewing a video on Facebook or another social site, only to be prompted to download a special codec or plugin to actually watch it. These requests are almost always spurious, given the wide compatibility of video formats between browsers and operating systems.

Basically, if you did not go looking for a piece of software, do not download it, especially from sites you’re barely familiar with and that are likely choked with pop-ups and ads. The same holds for phishing attempts in general: Unless you were expecting to take action on a critical financial or commercial transaction, don’t let someone else talk you into doing so.

Shore up your defenses with security software

Alertness can go a long way in staving off phishing, even of the most sophisticated variety. At the same time, it’s recommended you have reliable security software in place to continuously protect your system against the latest threats. Try Ultimate Internet Security from Total Defense to get started.