[Internet Safety] Phishing Attacks

There are many dangers and scams lurking on the internet, schemes designed to snare and entrap even the most tech-savvy amongst us. This is the fourth in a new series of articles geared towards internet safety, scams and schemes with the aim of spreading awareness about the many different traps around. Many of the discussed schemes are just modern incarnations of age-old scams. This weeks topic is Phishing.

---

What is Phishing?

Phishing is a form of cybercrime where an attempt is made to obtain sensitive information (such as usernames, passwords, email etc., by disguising themselves as a legitimate organisation or person usually in the form of an electronic communication. Phishing emails, phone calls and websites are nearly always malicious in their intent, and the information is then used to gain access to your accounts and can often result in identity theft and financial loss.

---

Some Common Features

1. Too Good To Be True - Eye-catching statements or seemingly lucrative deals are designed to attract your attention immediately. Maybe you’ve won a prize or maybe your action is needed urgently. Whatever it is, don’t click on any suspicious links.
2. Sense of Urgency - Creating a sense of urgency is a favourite tactic of the cybercriminal. It’s an attempt to cause you to act immediately without having chance to think things through. The majority of reliable, trustworthy organisations will give you ample time to respond, for example freezing an account that they suspect of fraud to prevent further access until you can contact them.
3. Hyperlinks - Links may not appear to be what they appear to be. This applies to everything on the internet really. A malicious link can be hidden within a seemingly innocent tag. Look at the following anchor tag; http://www.facebook.com it looks like it’s going to take you to Facebook, but oh no! It’s google. This is how they trick you into going to their sites, made only to steal your information.
4. Attachments - If you see an attachment in an email that you weren’t expecting (no matter who it’s from) do not open it. They will often contain payloads of malware or ransomware.
5. Unusual Sender - Often emails will come from an unusual sender, but no matter who it comes from, if anything seems unusual or out of the ordinary, just don’t click it.

---

Phishing Techniques

There are many different ways for a criminal to try to steal your information, and we’ll go through a few of them here. This is by no means an exhaustive list of techniques, with these people constantly trying to outdo countermeasures and improve their methods. Unlike many scams that are intended only to appeal to the naive or gullible, phishing attempts are made on all of us and can get you no matter how experienced you are.

Email Forgery

This is probably one of the most common attempts at phishing, with these emails being designed to look like they are from a trustworthy institute. A very common scam is the PayPal email, where they will often ask you to confirm your details with them after spotting some unusual activity on your account. These days, it can be very hard to tell the difference from a genuine and fake email, as they are very well designed and often look exactly like their legitimate counterparts. A common method Phishers use to avoid anti-phishing filters is to use images instead of text to make it harder for those filters to detect them. In response, the filters now utilise OCR (optical character recognition) to optically scan the images and filter them. The battle between Phishers and Security services rages on.

Website Forgery

So, let’s say a victim has clicked one of those suspicious links and finds themselves on a web page that looks like it’s what they were expecting i.e. PayPal login screen. Unfortunately, the deception is not over. These pages look exactly like the page you’d be expecting, and will often ask you to sign in first or confirm your personal information. These days some even use JavaScript scripts in order to alter the address bar to look like the legitimate site.

Social Engineering

Social engineering is the psychological manipulation of people into performing certain actions or divulging confidential information. This could include causing outrage with a fake news story, and asking people to click something, or maybe attempts via social media to check something out.

Phone Calls

Phishing phone calls can take the form of a incoming call that uses a fake caller-ID to appear to be from a trusted organisation, or even convincing victims to call a certain number regarding problems with their bank account.

Steemit

Phishing attempts seem to be on the increase on the Steemit platform. I’m seeing more and more compromised genuine accounts being used to spread fake links, which is so sad to witness. The comments these compromised accounts leave can take many forms, with the first one that I came into contact with stating that another user has plagiarised your posts, click here to see it. The community was quick to respond, but there’s no doubt that some people were caught out.

If they acquired your master password, they can then empty your account and use it to spread the scam to your followers. As the Steemit platform grows, and the value of both Steem and SBD increases so will the number of attacks, so it’s more important than ever to be vigilant online.

---

Preventing Attacks

There’s a few things you can do to prevent attacks, and I think the most important thing on Steemit is to never use your Master Password for “normal” logins. Never give your Master Password to anyone, or any service. Instead, you should use your Private Posting Key as much as you possibly can. Using your Private Posting Key instead of your Master Password means that attackers can’t access your money, they could only post.

Try to avoid clicking links on Steemit, or any platform unless you 100% trust the person and you’re confident their account hasn’t already been compromised. If you are buying the vote of a bot, avoid situations where you are told to send funds to a trading site, as it is most likely a scam. If you’re unsure, ask a smart friend you trust to check things out first.

Whenever you received an email, phone call or pop-up window and feel uncertain whether it is from someone you can trust, don't take the risk. Reach out to someone and ask for help. I also recommend using an adblocker like AdBlock Plus or uBlock Origin, as these days advertisements online just cannot be trusted and should be phased out. Platforms such as Steemit have new and better ways of paying for content and services, so let's give advertisers the middle finger for being so damn bad.

Reporting Phishing Attempts

As far as I am aware, there isn’t a way to report users on Steemit. There are bots and other such services set up to tackle spam, scams and phishing attempts but they can only do so much. Outside of Steemit, you can report phishing attempts to the organisations that are being imitated, or phone calls to one of the following:

In the United States, use the FTC Complaint Assistant form.

In Canada, the Canadian Anti-Fraud Centre can provide support.

In the UK, you can report fraud as well as unsolicited calls.

---

A little late, but this post has been entered into the recent contest @simplymike has posted. You can read more about it, plus the many other entries here: https://steemit.com/contest/@simplymike/20sbd-contest-protect-people-from-the-ongoing-phishing-scam

I hope you found this helpful, and if you have any further tips or advice for combating phishing then please let me know in the comments down below, and let me know your thoughts too. We all need to band together to tackle the current issues facing Steemit, not just limited to Phishing and compromised accounts. As always, make sure to follow me for the latest Cryptocurrency, Internet and Pop Culture updates, and until next time, I'll see you in the comment section!

---

Sources
How to recognize phishing email messages, links, or phone calls (https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx)
Brief look on how to avoid being scammed by @apsu (https://steemit.com/steemit/@apsu/brief-look-on-how-to-avoid-being-scammed)
PayPal Phishing (https://www.paypal.com/uk/webapps/mpp/phishing)
What is Phishing? (http://www.phishing.org/what-is-phishing)

All images are used without the express authorisation of the copyright holders. They are used under what's known in British law as "Fair Dealing" or under US law as "Fair Use" exceptions. For example, exceptions relating to research and private study, criticism or review, or news reporting. For more information visit the UK Gov website or the US Gov website.