Wednesday What-Is - 01 - Phishing

Phishing

Welcome to the Wednesday What-Is, a (hopefully) once-weekly blog post where I break down cyber security concepts so that (hopefully) anyone could understand them.


This week's topic is, as you might have guessed, phishing.

To start with, here's what the Merriam-Webster dictionary defines phishing as:

Phishing
: The practice of tricking Internet users (as through the use of deceptive email messages or websites) into revealing personal or confidential information which can then be used illicitly

In its simplest form, phishing is about finding out useful secret information about a person.

Let's say that I am, for the sake of example, Joe Bloggs, and I have an email address. That email address is mine and mine alone. The same goes for any passwords I use to sign up to a website or online service. My usage of those services will be unique to me, because I have used my secret information to access them.

Now, if someone wanted to hijack my usage of the website or service, one way they could do that would be to find out the secret information (email and password) that I used when I signed up, and use it to 'impersonate me', so to speak. If they find out and use my secret information to access these sites and services, those sites and services are going to think I am the one using them.

To them, for all intents and purposes, I appear to be the one using them. However, behind the computer or phone, it isn't actually me; it is an impersonator! This is of course a bad thing: if some stranger I don't know is using my online accounts, who knows what they might be doing or messing around with? Replace "online account" with "banking information", or credit card details, and it starts to sound even scarier, doesn't it?

Thankfully, in order for this stranger to have access to my accounts, they would have to have my secret information, and they don't have that right now, so: big sigh of relief.

That won't be enough to stop bad people from wanting to access your accounts, though, as many are determined to find out your secret information if they believe it to be worth their while.

Enter the technique known as phishing (fishing with a ph).

Phishing, as we defined earlier, is the act of trying to trick a person into revealing their secret information such as a password, usually with the intent to use it to gain access to their account, or to engage in other criminal activity.

Phishing attempts are often made through emails, but can come from texts, websites, chat rooms, etc. When these attempts occur, the person or people doing the phishing will almost always attempt to impersonate someone else: your bank, your boss, family, an anonymous tech-support worker who needs access to your account. It could be anyone. Often, the trickiest attacks to spot are those that appear most legitimate.

For example, let's say that Joe Bloggs has just opened a new bank account, and he receives an email from someone who appears to be with his bank. Since Joe has just opened a new account, he may be expecting a few emails from his bank, which makes this the perfect chance for him to fall for a phishing attempt.

These days, organisations dealing with secret, sensitive information, like banks, will often send out advice or information with their emails to help you spot phishing emails. However, it always pays to be diligent.

Here are some pieces of advice to help avoid falling for these attempts:
  1. If someone requests sensitive account information for any reason over email, text or some other method of communication, do not give it to them.
  2. If you are suspicious of an email or a text, despite it claiming to be from a trusted source, try emailing or phoning the person that the original message claims to be from.
    • Do this from your contact list, or manually type out the email address, so that you don't run the risk of accidentally reaching someone malicious. You can then confirm with that person or organisation whether the email or text is genuine or not.
  3. If you are otherwise unsure, reach out to someone you know and trust about it, preferably someone with technical knowledge or experience if possible.

Phishing, according to studies such as the Cyber Security Breaches Survey, has in recent years been one of the most common ways people attempt to hack into your accounts or organisations, and it's only getting more common by the day, so please do your best to remain aware of these impersonators!


Thanks for reading this week's Wednesday What-Is!

I think I may have chosen an inopportune time to start this blog, as while I am currently on my Easter break at university, I am in the final stretch of my coursework before the submission deadlines, so I may not have time to fill out a blog post for the next few weeks. I expect these to hopefully pick back up once I am all done with my degree, which will hopefully be mid-May. Until then!

- Ollie -
