Phishing Attack!

In light of recent complaints from my friends and relatives about their passwords being stolen, and attempts to steal their one-time passwords (OTP codes), I decided to put together this article. First things first – when someone accesses your Facebook account, it’s not that someone hacked Facebook to gain access to your account. In fact, you might have given your password to them without even knowing that you did.

Q/A Time!

What is a phishing attack?
Do they steal my fish?

No. They steal your passwords. If you don’t know what a phishing attack is, you are already a target of one. A phishing attack is one of the oldest tricks used to steal passwords and other confidential information like credit card numbers & bank account information.

Whoa! How do they do that?

When an attacker wants to steal your information, they design a webpage that looks similar to other websites that you already know – like the login page of your social media account, or your online banking account.

Then they put that fake login page on a website that has a confusing URL, like https://www.facebook.com.login.php.continue-settings.profile-settings_tab-deactivated-account.example.com/settings?tab=deactivated. Open this link and look at the address bar of your browser.

You will see a message that tells you that no such website exists. When an attacker designs a form, it might look something like this:

[Image: screenshot of the fake login page]

That’s a login page. Yay! Can I log in?

No! Stop. The page looks like a legit Facebook login page, but if you scroll the address bar horizontally, you can see that the domain of the website is example.com, which is not a website operated by Facebook.

[Image: screenshot of the address bar showing the example.com domain]
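The address-bar check described above, written out as code. This is an added example, not part of the original article; the function names and the three-entry suffix list are assumptions made for illustration, and a real tool would use the full Public Suffix List.

```javascript
// Added example: find which domain a link really belongs to.
// ASSUMPTION: a tiny constructed suffix list stands in for the full
// Public Suffix List (publicsuffix.org) that real code should use.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.np", "com.au"]);

// The deceptive URL quoted in the article.
const ARTICLE_URL =
  "https://www.facebook.com.login.php.continue-settings." +
  "profile-settings_tab-deactivated-account.example.com/settings?tab=deactivated";

// Return the registrable domain: the rightmost labels that the site
// owner actually registered. Everything to the left is chosen freely
// by that owner and proves nothing about who runs the site.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (/^[\d.]+$/.test(host)) return host; // IPv4 address, no domain
  const labels = host.split(".");
  if (labels.length <= 2) return host;
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Compare a link with the domain the user expects to log in to.
function checkLink(urlString, expectedDomain) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { verdict: "invalid", actual: null };
  }
  const actual = registrableDomain(url.hostname);
  if (actual === expectedDomain) return { verdict: "match", actual };
  // The trusted name is present, but only as decoration on the left.
  const lookalike = url.hostname.toLowerCase().includes(expectedDomain);
  return { verdict: lookalike ? "lookalike" : "different-site", actual };
}

console.log(checkLink(ARTICLE_URL, "facebook.com"));
// { verdict: 'lookalike', actual: 'example.com' }
```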

When you open that kind of malicious web page and enter your username and password, they store the password in their database and redirect your browser to the official website so you don’t even know what happened.

But… why would I open that page?

The attackers may send you a message that looks like an official notice and put a link to this malicious website somewhere in the message. They might send you such a message through email or messenger apps, and lure you into clicking on the link.

Well, then how do I protect myself?

To protect yourself from this kind of phishing attack, take these precautionary steps:

  1. Be suspicious of all emails that ask you for any kind of verification or mention urgent account issues. Think twice before clicking on links sent through unknown emails & messages.
  2. Always log in to a website by manually entering its address in your browser. Never log in to any website by following a link sent by email or text.
  3. Remember that your banks, mobile phone company, social networks, and other service providers don’t ask for your passwords, PIN numbers & other personal information by sending you an email or a text.
  4. Whenever you receive a suspicious message, contact the service provider directly so they can help you and other users who might have been targeted.
  5. Enable two-factor authentication in all your accounts to prevent misuse of a stolen password. Almost all service providers let you enable two-factor authentication in your account, so enable it whenever there is an option.

Two-factor authentication?
What the fish is that?

Don’t you know? Oh.. read on then. This is important.

When you enable two-factor authentication (2FA), attackers cannot log in to your account using only the stolen password. Moreover, you get notified whenever someone tries to access your account with the stolen password.

A password can be stolen (through phishing attacks, you guessed it!) and sometimes mistakenly shared by you. Some of your friends might install software on your computer or your mobile that secretly records everything you type. Even if your friends wouldn’t do it, your ex would if they had a chance.

Some smart people can even guess your password. Let me guess… is it your phone number? Is it your crush’s name followed by 123? Is it nepal12? Nepal123? No? Check if your password is one of the most common passwords. Also, check if your password is in the list of leaked passwords.

You could not guess my password. Am I good?

No. I cannot stress enough the importance of using a different, secure, random password for each login. Unfortunately, the password of your email account is probably the same as the password of your social media account. If not, it’s probably a variation of the same password. It is hard to create a new password that you won’t forget, so you create a password and use it everywhere.

Password re-use is one of the biggest problems in the world of information security. You must have re-used a password at least somewhere. Everyone has done that because:

  1. Thinking of a new password for a new account is hard.
  2. Remembering all your passwords is hard.
  3. Writing a password somewhere is not secure.

Password managers make it easier to generate a secure, random password for each login and help you automatically fill login forms with the password. Please start using password managers today.

That’s it?

No. Fake login forms are not the only way you can fall for a phishing attack. They can happen through a phone call or a fraudulent mobile application.

  1. Never give away your confidential information over the phone if someone calls you and asks for it. Some sophisticated attackers can spoof an incoming phone number and claim to be calling from a legitimate business. If they ask for your personal information, cut the call, and call the institution on its trusted number.
  2. Always download mobile apps from the Google Play Store if you have an Android device. Downloading an app from other sources like a website, or transferring the app from someone else’s device, may put your device & data at risk.

These precautionary steps will save you from the most common phishing attacks.

Phew!

Yeah, phew!