Cyberattacks

What is phishing? Everything you need to know to prevent and fight it

by

Have you ever been a victim of fraud via email? This type of fraud is known as phishing and is becoming more common and dangerous every day. It is a method used by cybercriminals to deceive users, showing them information that seems like it comes from a known company, thus, they get confidential information such as credit cards, social security numbers or bank account numbers.

They usually send you an apparently corporate email (for example, an email from your bank) where they will direct you to a fake website, and kindly ask you to update your password, validate information about an account, or the most attractive ones offer you gifts, among other things, which will then allow hackers to keep your data. 

In some cases these attacks are easy to detect, however, in the day to day especially during working hours, we do not have time to look at small details. Spelling errors, unofficial URLs of companies that claim to be, or sometimes very similar addresses but not exactly the same, are the main indication that something is wrong. 

There are not only produced via email we can find several types:

Types of phishing attacks: 

  • Deceptive Phishing: This is the traditional type that we described above, the aim of the attacker is to obtain personal information from the user either by trying to get the user to provide it or by redirecting it to a fake website in order to obtain said information.
  • Spear phishing: This type of attack is usually more personalized and may include more personal information such as the name of the victim, phone or workplace. Spear phishing can come with names of known people, where they tell you that they attach a file that may be common for you, but this can be infected. These types of attacks are much more difficult to detect.
  • CEO Fraud: It works in the same way as Spear phishing, but in this specific case, the attacker pretends to be the CEO or someone with a relevant position, where they requests confidential information and that the employee will believe that must be given as someone with decision-making power in the company. 
  • Smishing: This type of attack is produced by SMS. They usually offer prizes and to receive it, the victim has to click on a link, reply to the message or call a phone number.
  • Vishing: This type of attack differs by being through a typical telephone call, where the attacker, as well as via e-mail, seeks to obtain certain personal information. 
  • By search in the browser: the fraud occurs in the same way with a fake site, but in this case, the hacker uses SEO and SEM techniques to position his false site and thus the user finds them among the first options of what you are looking for 
  • Pharming: This type of attack manipulates the hosts files or Domain Name Systems (DNS) to redirect a specific domain name to the one chosen by the cyber-attacker. 

What to do to prevent it?

  1. Recognize and identify a possible phishing: some details that can help us detect an email of this type: 
  • The URL address is different from the official website of the company where it says it is. The difference can be minimal: an “i” in uppercase (I) looks like a lowercase “L” (l).
  • They usually offer gifts or ask to update data, which is rarely requested in this way. 
  • Check the wording and language: often this type of emails have some details in the wording or language, if you see an email from your bank written in another language, this can be a clear sign of phishing.
  1. Enter your confidential data only on secure websites: In addition to checking the domain, check that the website is secure and that it starts with https: //
  2. Use two-factor authentication for all the services that allow it, especially for those who handle financial information
  3. Check the shortened URLs: if you see an abbreviated URL on a social media or it arrives by mail, there are websites that allow you to see the full address, that will allow you to see where you are redirected. 
  4. Open documents with other online documents viewer such as Google Drive: If it is usual for you to receive files from different contacts, you can open it first in an online document reader which will prevent some malicious software from being installed on your device. 
  5. Frequently update all the operating systems, browsers and applications that you use, thus avoiding vulnerabilities. 

Cyber ​​attacks are becoming more sophisticated every day and we can easily be deceived, but if we take the necessary preventive measures and are aware of how they are evolving, we can go a step further and thus reduce the risk of being the next victim. 

Technology as a tool to help protect your online privacy

by

It’s no secret that technology has made us more connected but also more vulnerable. To regain our online privacy, there are different complimentary methods. One way is to limit our online exposure by avoiding to post personal info. However, since we can’t practically live in a cocoon, we might as well embrace the power of technology by using it to better protect our digital lives.

As the founder and CEO of a cybersecurity company, I spend a considerable amount of my time focused on ways to protect both the online privacy of my customers, my team, and my own. It’s a bit like the surgeon who has seen so many car accident injuries: I am on guards for whatever new way hackers are inventing to steal people’s personal and professional information, and in awe of the damage they can inflict to someone’s reputation, financials, business and family. While we look for new ways to protect from new attacks, it’s also astounding how well-known “old” attacks are still in use, because so many people still are either not much aware of the online dangers, or forget to use basic protection means.

Of course each day it’s becoming less likely not to have at least some kind of awareness (think of the headlines about cyberattacks) and yet many individuals and even some companies think it won’t happen to them…until it does. In fact, most companies don’t find out until 6 months after the facts, that they have been hacked.

The two dimensions of data protection and online privacy:

There are two main dimensions to data protection and online privacy: one is to protect the perimeter, i.e. not to let the bad guys into your house, by locking the windows, the doors, and having good walls (that would be the real life equivalent of firewalls and intrusion detection systems). This is hard and in fact the bad guys tend to be one step ahead. The other dimension would be making sure that each of your precious jewelry is protected by a separate vault, and that only you have the key to each vault. Simplifying a bit, this is the real life equivalent to data protection via encryption.

The good news is that so far it’s the good guys who are winning the encryption battle. Of course there is a caveat: it depends what type of encryption you use (algorithm, key length, etc.) and how you implement it. Continuing the analogy: you should have a vault that is thick not thin, that has a sophisticated lock not a basic one.

Encryption: a strong tool for your online privacy. Now it’s even easy to use!

It used to be that using encryption was a hard thing to do, and thus only reserved to geeks. This was the traditional conundrum between security and convenience, where security traditionally came at the cost of usability. And we all know that if something that provides security is hard to use, people end up not using it and reverting to easier, less safe behaviors. Not any more. Several cybersecurity companies are working at making the life of their users both more secure and still very easy. It’s our case too.

At Syneidis we have created HushApp, which allows any user, without needing any technical skill, to easily and safely store any file (whether photos, PDFs or financial excels) in a very safe digital box, where each one is protected separately. It also allows sharing files in an easy way via the web, but with the important extra layer of protection, transparent to the user, which ensures that only the intended recipient, and no one else, will be able to watch the private information. This is of course one example only. Besides protecting your file, one should consider using a VPN, a firewall, etc.: security is a global matter and no one solution could cover all the angles.

People are the weakest link in online privacy protection. Are you?

In fact, while we ought to embrace technology tools that allow us to protect our online privacy, we need to be aware that unfortunately the weakest security link still tends to be…people themselves. So please be among the prudent ones: do you really need to post that photo on Facebook, which will tell burglars that you are not at home? Should you really send this excel with financial data by email or via some free cloud service? Should you really sync my phone camera’s gallery to Apple or Google clouds? I’m sure you know very well the answer to these three questions…But there are many more…How well would you fare on a cybersecurity awareness test? You can find out here with this short test whether you are an expert or a dummy in online privacy.

Kind regards,

Frederic Thenault

Read more related articles here.

20 basic tips you can follow to protect your mobile

by Leave a Comment

Cyberattacks have increased at the same rate that the number of mobile devices users have, and despite this, many users are still unaware of the need for mobile cybersecurity. That’s why we collected 20 basic tips that you can follow to protect your mobile.

How to protect your mobile device?

  1. It is essential not only to install an antivirus on your mobile, but also to keep it updated.
  2. Avoid downloading suspicious applications, especially those that come from advertisements. They often extract personal information.
  3. Backup your files regularly.
  4. Do not store passwords of your credit cards, email, credentials or other sensitive information on your device.
  5. Do not trust phone calls or emails that request passwords or PIN number who pass themselves for banks identities.
  6. Access trusted websites, with secure access (https) or with a small lock in the browser bar.
  7. Close sessions each time you use applications with sensitive information, such as banks or some others with access to medical data.
  8. Like the computer, you can use incognito windows to stop your browser from saving information regarding the pages you are visiting. Your internet provider will still have access to your navigation history, but at least others will not be able to access it.
  9. Beware of open Wi-Fi, they are always useful for an emergency, but anyone can access them and your data. That’s why it is not recommended to make private or sensitive information available to unwanted entities
  10. Always download applications from the official store (Android or iOS), these platforms bring protections designed against malicious software.
  11. Control access requirements, such files, camera, photos, GPS, etc. It is not always necessary to give permission to everything requested.
  12. Install an application to find phones remotely in case of theft or loss of your device.
  13. Use an encryption system for your files, this will protect your information not only in case you lose your mobile phone, but it will also
    allow you to store and share files easily.

Mobile cybersecurity for the business world:

Companies have changed their work environments, looking to be adaptable and flexible to staff needs. That’s why the use of corporate mobile devices has grown. Employees can use them outside the workplace, and manage their time in a way that best suits them. However, if they do not take the necessary security measures, the company can be exposed to a cyberattack, and if it is not handled properly, the damage can be serious.

  1. To protect company communications, employees must know the VPN connection and how to access it.
  2. In the case of corporate mobile devices, establish cybersecurity policies, infrastructure and resources to fulfill them inside and outside the company.
  3. Do not install applications on the company mobile without the authorization of the technical department.
  4. If the device is used for personal reasons, create separate accounts in order to not mix information.
  5. Use 3G or 4G connections to avoid unknown Wi-Fi, this is ideal for the company when dealing with sensitive data.
  6. The managers and employees of the company must know the risks they are exposed to in the case of a cyberattack. Therefore, blocking protocols and actions must be established in case of emergency.
  7. If you need to send sensitive or confidential information to a client or partner, it is convenient to use encryption systems. It allows you to protect files that you send until they reach the recipient you choose. The HushApp can help companies improve this process. This application protects confidential information by encrypting files sent to third parties in an easy and secure way without the need for the client to sign up.

In addition to the measures listed above, there are many others that can be applied to the business world in order reinforce mobile cybersecurity.