Last updated on Jun 7, 2022

What is Phishing?

How Hackers Steal Your Passwords and How to Stop Them

Phishing is an attack used by hackers where they try to gain access to your account by tricking you into clicking on a malicious link sent in an email, text message, or social media message. Phishing messages are designed to look important and legitimate to convince you to click on them. They're often phony password reset emails, appearing as if they're from online services you use frequently such as Facebook or your bank.

Once you click on a malicious link or email attachment, the attacker has already won since they can steal your current login session and use it for themselves. Oftentimes a phishing link opens to a form where they ask you to type in your password. If you do so, you give the attacker direct access to your account.

How Do I Avoid Phishing Attacks?

The best way to avoid being phished is to educate yourself on what a phishing attack looks like. Here are four (4) simple tips you can use to help protect yourself from being phished:

(1) When opening an email, ask yourself why you got it in the first place.

Did you ask Facebook for a password reset? If not, it's likely a phishing attack. Did you change credit cards and need to update a payment method on Amazon? If not, then it's likely a phishing attack. If an email doesn't match up to your recent online activity, alarms should go off and you should investigate further.

(2) Make sure the information in the email makes sense.

Start by checking who sent it. Make sure that the domain that sent it is spelled correctly. A common trick that hackers use is to register a domain that looks similar to a popular service, but spelled slightly differently. For example, googl.co rather than google.com.

Attackers will often try to get you to click on links by adding a fake sense of urgency to their emails, saying things such as "if you don't respond in 24 hours your account will be locked". Legitimate services rarely do this. If you're unsure whether a message is real, go directly to the relevant website (by typing its address yourself, not by following the link) and see if the website itself shows the same information. If it does, it's real.

(3) Hover over links to see where they go before you click on them.

Hovering over a link shows its real destination before you click it. Just like with (2), hackers will often send links that look real but are slight variations of popular websites. For instance, instead of bankofamerica.com, they could use the domain bankofameri.ca. Notice how instead of a ".com" it uses a ".ca"? That is an indicator that it's a phishing link.

Another indicator that a link could be a phishing attack is if it doesn't have an "s" in the https:// part of the URL. The "s" indicates that the site uses TLS to encrypt all data between you and the website. If it just has http:// without the "s", the connection is insecure and the site should be avoided. Note that https:// alone does not prove a site is legitimate, since attackers can obtain certificates for their own lookalike domains too; it must be combined with checking the domain name itself.
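As an added illustration (not part of the original article), this Python script applies the checks from tips (2) and (3) to a link: it flags a missing https and compares the link's domain against a constructed list of services the reader actually uses, catching both single-character lookalikes (googl.co) and a brand name split across a TLD (bankofameri.ca). The allow list and the two-label domain extraction are simplifying assumptions.

```python
from urllib.parse import urlparse

# Constructed allow list of services the reader uses (assumption: a real
# deployment would build this from the user's own accounts).
KNOWN_DOMAINS = {"google.com", "facebook.com", "bankofamerica.com", "amazon.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host: 'login.bankofamerica.com' -> 'bankofamerica.com'.
    Simplification: ignores multi-label public suffixes such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str) -> list:
    """Return the warning signs found in a link; an empty list means none found."""
    warnings = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        warnings.append(f"not https (scheme is {parsed.scheme or 'missing'})")
    domain = registrable_domain(parsed.hostname or "")
    if domain in KNOWN_DOMAINS:
        return warnings
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        # A near-miss of the whole domain (googl.co vs google.com), or the brand
        # name split across the TLD boundary (bankofameri.ca -> bankofamerica).
        if edit_distance(domain, known) <= 2 or domain.replace(".", "") == brand:
            warnings.append(f"{domain} looks like {known} but is not it")
            return warnings
    warnings.append(f"{domain} is not one of your known services")
    return warnings


if __name__ == "__main__":
    for link in ("https://googl.co/reset", "http://bankofameri.ca/login",
                 "https://www.facebook.com/recover"):
        print(link, "->", check_link(link) or "no warning signs")
```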

(4) Use a phishing filter.

Locke Fortress is a phishing filter that prevents you from receiving emails from unfamiliar accounts. This greatly reduces the ability for hackers to send you a phishing email. Register now to cut down on phishing emails and improve your online security.

How Common are Phishing Attacks?

Phishing is a simple social engineering attack that doesn't require a hacker to have any technical knowledge. As a result of its simplicity, phishing is the most common form of cyber attack and the number one reason why people get hacked [1]. If you give a hacker your password willingly, they don't need to do any of the hard work of breaking complicated software systems.

Even the most secure systems in the world are at risk of being compromised by a phishing attack. In order to stay secure online, it's up to you to not click any potentially malicious links.

What Do I Do If I've Been Phished?

If you think you've been phished, you need to immediately change your password for the account that was targeted.

If you cannot change your password, that means the phishing attack was successful. You now need to change your password for all other accounts where you've reused that password. You also need to go to the account's website to start the process of recovering your stolen account. Locke can also help you with this: register an account to get our support hotline.

If you are able to change your password, either the phishing attack was unsuccessful or the email wasn't an attack at all. You should investigate further to be sure, but you're probably safe.

If you have been phished, we'll compensate you for sharing the email or text that did it, so that we can improve our phishing filter. Please contact us if you've been phished.

Conclusion

To summarize: phishing is an attack that hackers use to try and steal your passwords. They perform this attack by sending you an email, text message, or social media message that looks like it's from a business such as Facebook or Bank of America.

That email has a link inside of it that the hacker wants you to click. If you click on the link, the hacker can immediately steal your login session for that account and take ownership of your account.

The best way to avoid being hacked is to be careful of what links you click on from emails, text messages, or social media messages.


[1]: ID Theft Center, Q1 2022 Data Breach Analysis

Published by Locke: https://locke.id