LoanTap’s ‘Bajrang’ relaunched with a new identity and features as ‘I-Loans’ – a one-stop arrangement for all loan requirements
Cybersecurity awareness month: Fight the phish!
Published on October 20, 2021
By Paul Ducklin, Principal Security Researcher, Sophos
It’s the second week of Cybersecurity Awareness Month 2021, and this week’s theme is an alliterative reminder: Fight the Phish!
Unfortunately, anti-phishing advice often seems to fall on deaf ears, because phishing is an old cybercrime trick, and lots of people seem to think it’s what computer scientists or mathematical analysts call a solved game.
Tic-tac-toe (noughts and crosses outside North America), for example, is a solved game, because it’s easy to create a list of every possible play, and figure out the best possible move from every game position on the list. (If neither player makes a mistake then the game will always be a draw.)
Even games that are enormously more complex have been “solved” in this way too, such as checkers (draughts)…and in comparison to playing checkers, spotting phishing scams feels like an easy contest that the recipient of the message should always win.
And if phishing is a “solved game”, surely it’s not worth worrying about any more?
How hard can it be?
Simply put, the phishing “game” only has two moves: the scammers always play first, trying to trick you, and you always get to play second, after they’ve sent out their fake message. There’s little or no time limit for your move; you can ask for as much help as you like; you’ve probably got years of experience playing this game already; the crooks often make really silly mistakes that are easy to spot…and if you aren’t sure, you can simply ignore the message that the crooks just sent, which means you win anyway!
How hard can it be to beat the criminals every time?
Of course, as with many things in life, the moment you take it for granted that you will win every time is often the very same moment that you stop being careful, and that’s when accidents happen.
Don’t forget that phishing scammers get to try over and over again.They can use email attachments one day, dodgy web links the next, rogue SMSes the day after that, and if none of those work, they can send you fraudulent messages on a social network:
Instagram phishing uses 2FA as a lure
The crooks can try threatening you with closing your account, warning you of an invoice you need to pay, flattering you with false praise, offering you a new job, or announcing that you’ve won a fake prize.
They may pretend to be your ISP today, they may masquerade as Apple iTunes tomorrow, and yesterday they might have said they were a courier company trying to delivery your latest online order.
In contrast, you only have to make one mistake for the crooks to win. You might be tired, or in a hurry, or simply get caught up in an unlucky coincidence where the subject of a phishing message happens to match up with something you just did online. Phishing isn’t a “solved game” after all, and phishing scams are still the main way that crooks get their first toe over the threshold in online cyber incidents such as ransomware attacks.
Keep yourself informed
To stay ahead of the phishing crooks, both at work and at home, start by reading up on our Top Ten Phishing Treacheries.
We’ve listed the email topics that catch out people the most when you train them using the Sophos Phish Threat toolkit, and it’s often the friendliest messages that trick the most people.
(In case you’re wondering, one of the top phishing lures in our tests was also one of the simplest: “Headlights left on. Is this your car?”)
You should also read our article Phishing tricks that really work, and how to avoid them, which gives you useful insights into the psychological tricks that scammers use:
Phishing tricks that really work – and how to avoid them
Learn how to get your anti-phishing act together at work with our explainer Gone phishing: workplace email security in five steps.
And learn about the many different ways that phishing crooks can adapt their game in our technical analysis entitled Serious Security: Phishing without links – when phishers bring along their own web pages.
Remember, when it comes to unexpected messages that want you to hand over information that you think you should keep to yourself: IF IN DOUBT, DON’T GIVE IT OUT!