‘I am the Prince of Nigeria, honest. Send me your credit card details and I’ll send you $5,000,000,000.’
Ah, those were the days, weren’t they? Kind of feels nostalgic. Spam emails seem to have been around as long as the net and, these days, we all consider ourselves pretty savvy to them.
Don’t click on links in your emails, etc, etc.
No-one is going to fall for this 1996 stuff anymore, right?
Actually, the problem’s getting worse, with over 100,000 reports of phishing attempts per month across the web. Some of them are incredibly successful (up to 45% accuracy in some cases) and even seasoned tech-heads fall for them.
Phishing criminals are getting wilier
So we’ve got a lot of people falling for these month after month and these criminals are raking it in. How can this still be the case with all of the advances in internet security?
Simple: they’re getting sneakier.
Ok, that’s a simplification. The problem is actually twofold, so let’s break it down and have a look at how they do it and how we can keep ourselves safer against these sorts of attacks.
Personalization can be turned against you
First, it’s easier now than ever before to get fooled by phishing attempts.
This is because the same technologies that can be used to enhance your online experience can also be employed against you.
Deep machine learning, for example, is used by Apple’s Siri assistant to create a believable interaction with a computer. It learns from you and from your usage and employs that to create a ‘personality’ that can often seem lifelike.
What’s to stop attackers from doing the same? Absolutely nothing.
This is called spear phishing and it’s proving scarily effective at fooling real humans into handing over their data.
Since the entire thing can be created in seconds using an AI and sent out automatically, this can reach a larger global audience than ever before.
The same technology allows multiple responses and conversations between the victim and the AI controlling the emails, which convinces the user they’re speaking to a genuine human – and so they hand over their data.
Website tracking makes this even easier!
Ever noticed that you’ll go buy one thing off the internet and suddenly it’s advertised everywhere you go? From the second you click on a website, data is being collected on what you look at, where you went and how long you looked at a page.
Most companies are just using this to sell you stuff, but if you combine that level of personal knowledge with deep learning AI, you’ve got a tool that knows exactly what you’re most likely to respond to if it comes from some unsolicited email.
We’re (still) letting them win
The second and much larger problem is that, sadly, we’re all too lazy to protect ourselves online and it’s coming back to bite us.
Despite attempts from companies around the world to entice, cajole and, in some cases, downright force consumers to use secure passwords, two-factor authentication and VPNs, most people are still relying on their Windows firewall to save them.
Trust me; it won’t.
A true horror story example of this is the famous hack on Yahoo’s servers (I say hack, there have been multiple hacks, with billions of user details stolen).
The problem is that if you use the same user credentials on multiple accounts, the attackers don’t just have your email address and password. Got a Facebook account? They’ve got it. Xbox Live? Yup. Apple ID? Amazon account? What if you use online tracking services like “Find my Friends” to see where your family are? Well, now they can too.
The truth is most online accounts use your email address as your User ID and most customers use the same password for multiple services. So once they’ve got one, they’ve got them all. From there they can fool your friends and family into thinking they’re you, and thus the attack spreads.
Beat phishing attacks
How can you protect yourself?
First of all, decide you’re going to. Take it seriously. This isn’t just your password, it’s your entire online identity and everything that goes with it.
If a service offers Two-Factor Authentication, sign up. Two-Factor works because it secures your login to certain “Trusted” devices which basically means that even if someone gets your password, they can’t get into your account. You can learn more about this here:
If you’ve read and taken this to heart and you didn’t click on the link, award yourself a point (don’t worry if you did, it’s a perfectly safe site).
Google ‘What is Two Factor Authentication’ and you’ll find all you need.
Use all your security
In addition, if your service offers any other layer of security, add it. It’s worth the extra 30 seconds of typing in a code to prevent loss of personal data. This applies both to your online services and your local ones. Don’t rely on a free firewall: the company is simply not going to keep as up to date on the latest security threats as one whose money is made off keeping you safe.
Thirdly, protect your devices. A lot of phishing attacks result in the downloading of malware, viruses and all sorts of bad stuff so they can keep pumping you for money. Keep your security and anti-virus up to date.
Protect your traffic
Last but not least:
Lease a VPN and put every internet-enabled device that you have on it. This works because it encrypts your incoming and outgoing data and routes it through a secure server. Think of it as if you had a personal bodyguard watching over you when you went to put in your bank details at the ATM.
Any attempt to get your data from your data traffic (that’s the data as it wings its way across the interwebz) will result in the attacker looking at a lot of encrypted computer code they can’t read.
Finally, remember this. These intrusions get you because you give them permission to, and they work by exploiting one of two basic responses: Fear or Greed. If something looks too good to be true, don’t click on it. If it’s telling you things will be bad if you don’t click on it, don’t click on it.
Stay safe and let us know if you’ve enjoyed this or found it educational. We’d also love to hear any of your horror stories about phishing attacks!