Remember the hacker who broke into celebrities' Apple iCloud accounts and leaked their nude photos? How did he do that? Because from what we know – Apple is “unhackable”, right?
That hack, famously known as “The Fappening” or the “Celebgate” scandal, was the result of a phishing email. Yes, phishing. Spear phishing, to be precise. The leaked nude images of Jennifer Lawrence, Kim Kardashian and many other celebrities were the result of a phishing attack.
The hacker, Collins, used phishing attacks to access 50 iCloud accounts and 72 Gmail accounts, most of which belonged to female celebrities, illegally downloaded the contents of their iCloud backups and searched them for more data, including nude photos of celebrities.
Phishing attacks have risen by more than 162 percent in the last 5 years. They cost organizations around the globe $4.5 billion every year, and over half of internet users get at least one phishing email per day.
While the big companies have implemented many defense mechanisms against phishing attacks, they can only do so much to protect their users. So it’s up to you to protect yourself from phishing attacks. 97% of people around the globe cannot identify a sophisticated phishing email.
How To Identify a Phishing Email
1. Find out who the email is really from
Cyber criminals spoof the display name of the sender’s email address. For example – they can send an email from any email account and change the Sender’s name to “Apple Security Team”.
As you can see in the above image, the email looks like it was sent from your legitimate bank – “My bank”. However, the real sender is a completely different email address.
2. Spelling Mistakes
Brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar.
Most English-language phishing attacks are sent from countries where English is not the primary language. Phishing messages therefore often use imprecise English, even in quite common phrases, and contain spelling errors. So read the message very carefully.
3. Analyze the salutation
Many but not all phishing attacks start with generic phrases like “Dear valued customer” or your email account name, such as “Dear baconlover123” instead of your name “Dear John” for example. This is because they cannot personalize the email sufficiently as they are targeting thousands of other users too.
Most legitimate companies include your name in their correspondence because companies will have it on record (if you’ve dealt with them before).
4. Content of the email
Banks and other financial bodies and governments will not email you to tell you about a problem with your account. They recognize that email is fundamentally insecure and that personal information shouldn’t be sent via emails.
The email may give you a false sense of urgency, claiming that your account has been used or that someone tried to buy something from your account.
One common phishing technique is to include links in an email that look like they go to a legitimate website but instead take you to a malicious website. But you can check whether the link is legitimate or not.
Simply hover the mouse over (but don’t click) any link in an email, and you will see a pop-up that shows you the actual URL that you will be taken to. Here’s an example:
As you can see – the visible link and the real link do not match.
Some browsers don’t show this pop-up. If you have the Status Bar enabled in your browser, hovering over a link will show the URL in the browser’s Status Bar at the bottom of the window.
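The two checks above (step 1, the display name versus the real sender address, and the hover check, the visible link text versus the real href) can be automated over a raw message. This is an added example, not code from the original post; the sample email, the domains in it and the display-name heuristic are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real email): the display name claims "My Bank",
# but the address is on an unrelated domain, and the link text shown to the
# reader does not match the real href behind it.
SAMPLE = """From: "My Bank Security" <alerts@mail-notify.example>
To: john@example.com
Subject: Urgent: verify your account
Content-Type: text/html

<p>Dear valued customer, click <a href="http://login.mybank-verify.example/x">
https://www.mybank.example/login</a> now.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def sender_mismatch(raw):
    """Step 1: return (display_name, address, suspicious). Heuristic: the
    display name is suspicious if none of its words appear in the sender's
    domain, e.g. "My Bank" sent from mail-notify.example."""
    name, addr = parseaddr(message_from_string(raw)["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    words = re.findall(r"[a-z]+", name.lower())
    return name, addr, bool(words) and not any(w in domain for w in words)

def link_mismatches(raw):
    """Hover check: return (visible_text, real_href) pairs where the visible
    text looks like a URL but the href points at a different host."""
    parser = LinkCollector()
    parser.feed(message_from_string(raw).get_payload())
    return [(t, h) for t, h in parser.links
            if re.match(r"https?://", t)
            and urlparse(t).hostname != urlparse(h).hostname]
```

Both functions only flag what a careful reader would spot by eye; a display name that happens to share a word with the sender's domain still passes the heuristic, so treat a clean result as one signal rather than proof.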
6. Check that the website you’re accessing is legitimate
Sometimes you might get tricked into thinking that the URL is legitimate. If you have clicked the link already, you can still check whether it’s a trusted website or not.
On the browser’s address bar check if there’s HTTPS or HTTP in front of the URL.
HTTPS means the connection to the site is encrypted; HTTP isn’t.
7. Asks for Personal Information
No matter how official an email message might look, it’s always a bad sign if the message asks for personal information. Your bank doesn’t need you to send it your account number because it already has it. Similarly, a reputable company should never send an email asking for your password, credit card number, or the answer to a security question.
8. You didn’t initiate the action
This type of phishing email is very common, and maybe you have already received one: emails informing you that you’ve won a lottery or won blah blah! If you had entered the lottery then congratulations, but if you hadn’t then that’s definitely a phishing email.
It’s not only emails that say you’ve won something. Emails like the one in the image above, saying that your account will be deleted or that your password has been changed, are further examples of this type of phishing email.