Cyberattacks are on the rise these days, and the increasingly “creative” forms they take are getting harder to spot. One minute you’re answering an email that’s supposedly from mum, the next you’re frantically telling your bank that you did not, in fact, spend $10,000 on four flight tickets to Brazil.
That’s how a phishing attack works: answer a malicious email or text, or a questionnaire on a website, and whoosh; your bank account or credit card is compromised (this is the worst way to earn reward points). Though you may think you’re a bit too careful and savvy to be caught like this, there’s no harm testing yourself with these scenarios below to see just how “cyber strong” you really are.
Many fake websites have slight spelling differences from the real thing, but there’s also a form of phishing that uses an Internationalized Domain Name (IDN) homograph attack, where the fake address looks exactly like the real one.
When a website’s name uses a non-Latin alphabet, such as Cyrillic, it is converted behind the scenes to something called Punycode. We won’t bore you with the techy details, but you should know that some characters in these alphabets, when they appear in the address bar, look exactly like their English counterparts.
For example, the Cyrillic letter “a” is visually identical to the English one, although to a computer they are two different characters. As such, it’s possible to set up an address that looks exactly like the correct one but leads you somewhere else entirely. A web developer, Xudong Zheng, recently demonstrated this by setting up a fake website whose address displays as www.apple.com (it even has the green “secured connection” lock and everything).
Currently, web browsers are developing ways to counter this. But if you want to be really safe, you’d better manually type in the address.
Adopting this practice as a rule of thumb is the only way to be 100 per cent sure.
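A defender-side check for the lookalike addresses described above, as an added example that is not from the original article: it converts each part of a hostname to the Punycode that DNS actually sees, and flags a part that mixes alphabets or that is made entirely of letters which look Latin but are not. The sample hostnames and the small lookalike table are constructed for illustration.

```python
import unicodedata

# Partial table of non-Latin letters that render like Latin ones (assumption:
# a hand-picked subset for illustration, not the full Unicode confusables list)
LATIN_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

def script_of(ch):
    """First word of the character's Unicode name, e.g. 'CYRILLIC' or 'LATIN'."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"

def analyse_label(label):
    """Describe one dot-separated part of a hostname as a browser must before showing it."""
    punycode = label.encode("idna").decode("ascii")      # the form DNS resolves
    scripts = {script_of(c) for c in label if c.isalpha()}
    skeleton = "".join(LATIN_LOOKALIKES.get(c, c) for c in label)
    # A label that reads as plain Latin once lookalikes are swapped, yet is not
    # Latin itself, is the pattern behind the apple.com demo described above
    all_lookalike = skeleton != label and skeleton.isascii()
    return {
        "punycode": punycode,
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "latin_lookalike": all_lookalike,
        "suspicious": len(scripts) > 1 or all_lookalike,
    }

def analyse_hostname(hostname):
    labels = [part for part in hostname.lower().split(".") if part]
    results = [analyse_label(part) for part in labels]
    return {
        "ascii_hostname": ".".join(r["punycode"] for r in results),
        "labels": results,
        "suspicious": any(r["suspicious"] for r in results),
    }

if __name__ == "__main__":
    # Constructed samples: a genuine name, one with a single Cyrillic 'а' (U+0430)
    # swapped in, one built entirely from Cyrillic lookalikes, and a real
    # all-Cyrillic name that must not be flagged.
    for host in ["apple.com", "\u0430pple.com", "\u0441\u043e\u0440\u0435.com",
                 "\u044f\u043d\u0434\u0435\u043a\u0441.ru"]:
        r = analyse_hostname(host)
        print(f"{r['ascii_hostname']:<28} suspicious={r['suspicious']}")
```

The Punycode form is what to compare against the address you meant to visit; a label that starts with xn-- is never plain English.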
The fact is, phishing emails no longer always come as a “new” or standalone email. They can now even insert themselves into the middle of an existing email thread.
For example, say you’re in the middle of an email conversation with your colleagues. About five emails in, you get one that says “Hey, can you look this over for approval?”
Thinking nothing of it, you click it and…download all sorts of malware and spyware.
It’s easy to be caught off guard, since most people don’t expect a phishing email to appear mid-conversation. The only solution is to stay alert and take note of any strange or out-of-context messages. It’s always best to double-check with the supposed sender if something looks out of the ordinary.
Ever heard of a little site called LinkedIn? Most LinkedIn profiles are filled with people’s achievements, places worked, positions held, and so forth. That makes it easy for hackers to craft emails that are apparently from your boss or colleagues.
Through Facebook, Instagram, and other social media sites, hackers can create contextual phishing emails or messages too. For example, especially for public profiles, they can see your vacation location on your Instagram pictures, and ask if you “left this while we were in Bali” (clicking the email then downloads malware or spyware).
If you keep this in mind all the time, you’ll be much better at spotting and evading potential phishing attacks. There are some giveaway signs, such as if a colleague who just left is apparently contacting you via their work email, or if the email about your last vacation is from a nameless source.
The most common phishing attacks claim to be “overdue account payments”, or statements saying your last transaction “failed”. You’ll then be asked to click a link to verify details for, say, your Netflix payment – and we all know Saturday night is better with John Wick than with real friends, so you’re likely to click it.
You may even be kind enough to follow up with credit card numbers to “update your billing information”.
About 30 minutes later, someone in an exotic country is buying themselves a new pool table at your expense*.
If you’re wise to phishing attacks though, you’ll be sure to follow up on such emails with careful checks. That means a phone call to the service provider to verify if it’s real, and a refusal to even click the email link before that.
*The thief probably isn’t the one who created the phishing attempt; they often just buy stolen credit card details online.
No matter how cyber-sharp you think you are, remember that phishing crooks have one big advantage: they can fail hundreds of times, but you only need to slip up once.
As an added precaution, look for credit / debit facilities that come with two-factor authentication – more banks provide these nowadays. This creates an added barrier against phishing thieves trying to use your stolen card details.
You can also download the new DBS Digibank app which comes with a Money Safe Guarantee. That is, in the unlikely event that there is an unauthorised transaction, the bank will repay the money taken from your account, if you’ve taken the necessary steps to keep yourself safe online.
And if you have clicked on any odd links, or experienced your computer slowing down, take it to a professional. Get it scrubbed clean of malware or spyware, even if nothing “too serious” seems to have happened.
Find the tools to guard yourself financially while banking online. Here’s how to Live Cyberstrong with our #BSHARP guide.