Contributed by Matthew Reida, Cybersecurity Major
Phishing is a type of attack that relies heavily on human nature. Humans are easily distracted by things that are too good to be true. Most phishing attacks are emailed, and some are very well disguised. They often imitate a normal email communication from a bank or online store. The goal of a phishing email is not to “hack” a user by exploiting their system, but rather to obtain information from a user, who is willing to give it away. The user usually makes the first move, by interacting with the email in some way; most often times opening a link that is contained in the body of the email, or opening an attachment.
In order for the phish to accomplish this, it must appear legitimate: many emails are sent from supposedly reputable companies, however the “from” email address can be easily spoofed. If one looks closely, many times an email claiming to come from “JP Morgan Chase”, for example, may actually come from an email address that does not belong to that domain. More sophisticated and aimed phishing attacks may actually spoof the “from” field in an email header, meaning that information in the header field is forged, making it appear to even careful users that the sender is legitimate, even though the email originated from outside that domain.
Once the user is convinced that the email is legitimate, attackers coax the user to interact with the message, like asking the user to open a link within the email. This is dangerous, because attackers can create their own website, designing it in a way that looks similar to the target site, and if one does not look closely to the opened URL, they can voluntarily give away their passwords to attackers.
The best way to defend against this sort of attack, besides being generally suspicious of emails encouraging direct action, is to view the URL that will be opened. This can be done on computers by hovering over the hyperlink with the cursor, and on mobile devices by pressing and holding on a hyperlink. This launches a tooltip that reveals the URL, which would then be opened upon clicking. Even though an email may appear to contain a link to a legitimate site, the actual URL may be completely different.
My name is Matt Reida, and I am pursing an associates degree in Server Administration at Metropolitan Community College. As a very young child, I was enamored with computers, and strived to learn about them constantly. As I grew older, my passion for learning remained, and inspired me to pursue a career in the IT field.