What is phishing and how do I prevent it?

A recent study shows that many employees in the Netherlands still really need extra training in cyber security awareness. A phishing or ransomware simulation helps.

It is also important to know how the people in your organisation view cyber security. Which signals do your employees recognise, and which do they miss? And what does that tell you? A simulation answers these questions and gives more insight into employees' click behaviour. In this way, employees become aware of the dangers of the internet.

What is phishing and how do I prevent it?

That's the question this video answers. In phishing, an attacker usually tries to contact a potential victim by e-mail. The attacker wants to persuade the victim to hand over personal information, which he can then use for his own purposes: identity fraud, extortion or financial gain, for example.

Where does the term phishing come from?

Phishing derives from the English word fishing, where a hook is used to pull a fish out of the water. In the digital version, internet users are the water in which the attacker fishes with his hook. Just like real fish, the vast majority of internet users will not be hooked; a small percentage will bite and fall victim to phishing. That small percentage is often enough for an attacker, because the amounts of money stolen are large or the stolen data is of high value.

In the digital version, the f has been replaced by ph as a reference to an older form of hacking that took place over the telephone, called phone phreaking.


Cookies Phishing

A fraud-based attack that mimics the behaviour of cookies to steal user information, including login details and passwords. For years, the Internet has seen an increase in phishing attacks. Cookie phishing attacks have been observed enticing users to click on fake pop-ups that mimic login pages and set their own cookies to capture the data the user enters when logging in.


What do attackers use?

To convince potential victims, cyber criminals use many different methods. For example, they copy e-mails that appear to come from banks or well-known companies, they copy the websites of those banks or companies, or they pretend to be a colleague of the recipient. An attacker can choose to launch a general attack or to target a specific person or organisation. The latter is known as spear phishing. A common form of spear phishing is CEO fraud, in which the attacker pretends to be the director of the company. The attacker then asks an employee of, for example, the finance department to transfer a sum of money, usually to a foreign account. The attackers have generally searched the internet beforehand to find out who holds which position, so as to make the e-mail as convincing and targeted as possible. By using the director's name, attackers hope that an employee will comply quickly and bypass the procedures that would normally block such a transaction.

Internet criminals are also increasingly using text messages and chat apps to approach potential victims. Examples include a fake text message from your bank designed to obtain your login credentials, or someone imitating a loved one on WhatsApp to get you to transfer money.

How do I avoid becoming a victim of a phishing mail?

According to the characteristics drawn up by the Centre for Crime Prevention and Security (CCV), a phishing email stands out because of four characteristics:

  1. The salutation. Most phishing mails are sent in large numbers, so the attacker cannot put the recipient's name in the salutation of every mail. Because of this, many phishing mails open with something general like "Dear madam" or "Dear customer". However, a personal salutation does not mean a mail is not phishing: in spear phishing, the recipient's name is often used in the opening.
  2. Text. Language and spelling mistakes are common in phishing mails. In the early days, mails were so poorly written that they really stood out. Nowadays attackers take more care with the Dutch to make the text as good as possible, but even now phishing emails often still contain language and spelling mistakes. Remember that a bank will not send mail containing a language error or a typo to its customers.
  3. Content. A phishing email also stands out because of its content. If you receive an email about a package that will be delivered but you have not ordered anything, that is of course strange. The same goes for a prize you have supposedly won in a lottery you never entered, an outstanding invoice from a company you do not know, or the promise of a large sum of money if you first pay the notary fees. Check whether the story in the mail makes sense. If it seems too good to be true, it usually is.
  4. Sender. The CCV's fourth point is that you should take a good look at the sender, that is, the e-mail address from which you received the email. For example, PostNL mails from an e-mail address ending in @postnl.nl. An attacker can choose to send an e-mail from an address ending in @nlpost.nl. That looks very similar, but in reality it is a completely different sender. Attackers often use typosquatting domains: a domain name that closely resembles the name of a company, or that fits the content of the mail. An attacker can, for instance, pretend to e-mail from an energy company by using the domain energy.ru. But beware: these days attackers are smart enough to make it look as if the email really did come from the right organisation. The display name and even the From address can be forged; mail servers use checks such as SPF, DKIM and DMARC to catch this, so a sender address that looks right is not proof on its own.
    That’s why we added a fifth point ourselves:
  5. The link, that is, the link in the mail itself. The attacker's goal is for you to click the link in the e-mail so that you end up on a website where you enter your details. For example, attackers recreate your bank's website and then ask for the login details of your bank account. A fake website is almost indistinguishable from the real one; only the domain name cannot be copied by the attackers. Therefore, before you click a link in an e-mail, always make sure you know where it leads. You can do this by hovering your mouse over the link without clicking. A small text area then appears showing the URL of the website you would be sent to. If it differs from the domain you know, never click the link. To be safe, you can always go to the bank's website yourself in your browser, log in there and check your messages.
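The sender and link checks above can be automated for a mail body. The following is an added example, not code from the original page or from the CCV: it pulls every link out of an HTML mail, compares the link's registered domain with the domain you expect (here `postnl.nl`, the page's own example), and flags the three tricks the list describes: a look-alike domain such as `nlpost.nl`, the real domain used only as a subdomain of an attacker-controlled one, and visible link text that shows a different domain than the `href` goes to. The mail body is constructed for the example, and the "registered domain" helper is a deliberate simplification (last two labels) that a production tool would replace with a public-suffix-list lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mail body for this example (not a real phishing mail).
SAMPLE_MAIL = """
<p>Dear customer,</p>
<p>Your parcel is waiting. Log in at <a href="https://nlpost.nl/login">www.postnl.nl</a>
to pay the customs fee.</p>
<p>Or track it here: <a href="http://postnl.nl.example.ru/track">Track your parcel</a></p>
<p>Genuine link: <a href="https://www.postnl.nl/track">postnl.nl/track</a></p>
<p>Energy bill: <a href="https://energy.ru/pay">Pay now</a></p>
"""

# Matches something that looks like a hostname inside visible link text.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def hostname_of(url):
    """Hostname of a URL; assumes http if no scheme is present."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registered_domain(hostname):
    """Simplified: the last two labels. Real code must consult the public suffix list
    (e.g. example.co.uk), this is an assumption made for the example."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def levenshtein(a, b):
    """Edit distance, used to spot domains one or two typos away from the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href, text, expected_domain):
    """Compare where a link really goes with the domain the reader expects."""
    host = hostname_of(href)
    reg = registered_domain(host)
    brand = expected_domain.split(".")[0]
    findings = []
    if reg != expected_domain:
        if expected_domain in host:
            # e.g. postnl.nl.example.ru: the real name is just a subdomain label
            findings.append(f"'{expected_domain}' appears only as a subdomain of {reg}")
        else:
            label = reg.split(".")[0]
            if brand in label or sorted(label) == sorted(brand) or levenshtein(label, brand) <= 2:
                findings.append(f"look-alike domain {reg} (expected {expected_domain})")
            else:
                findings.append(f"unrelated domain {reg}")
    # The visible text may show one domain while the href goes to another.
    for shown in HOST_RE.findall(text.lower()):
        if registered_domain(shown) != reg:
            findings.append(f"displayed text shows {shown} but link goes to {host}")
    return {"href": href, "host": host, "registered_domain": reg,
            "verdict": "ok" if not findings else "suspicious", "findings": findings}


def assess_mail(html, expected_domain):
    """Run assess_link over every link in an HTML mail body."""
    extractor = LinkExtractor()
    extractor.feed(html)
    extractor.close()
    return [assess_link(href, text, expected_domain) for href, text in extractor.links]


if __name__ == "__main__":
    for result in assess_mail(SAMPLE_MAIL, "postnl.nl"):
        print(result["verdict"].upper(), result["href"])
        for finding in result["findings"]:
            print("   -", finding)
```

The look-alike test is intentionally crude (brand name contained in the label, an anagram of it, or at most two edits away); it catches the page's `nlpost.nl` case but a real mail filter would add homoglyph and IDN handling. The important design point is that the verdict is based on the hostname of the `href`, never on the text the reader sees.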

What is important to remember is that you should always stay alert when receiving emails. A mistake is easily made. If you don't trust an email, you are often right. It is better to ask once too often whether the e-mail really came from the sender than once too few. If the mail seems to come from a colleague or a friend of yours but seems a bit strange, give that person a call. This was a video about what phishing is and how not to fall victim to it. If you want to be even more secure, watch one of our other videos.

Security awareness for security awareness in the workplace