How phishing works and how to prevent it?

How to recognise phishing attacks?

Here are some of the most common ways in which they target people.

2. Strange attachments

If you receive an email from someone you don’t know asking you to open an attachment, do not open it. Same thing if you receive an unexpected email from someone you know. These attachments can capture your personal data or contain malware.

4. Poor spelling and grammar

You can often spot a phishing email by the poor language used in the body of the message. The writing style might be different to what you are used to receive from the sender and it might contain spelling and grammatical mistakes. If you receive an email fraught with errors this can be a strong indicator it is actually a phish.

These are warning signs.

What happen if users’ fall through the net ?

What if, despite of those warning listed above, someone access the spoofed page?

Once the victims visit the spoofed page — which is only a clone of the website the victims usually connects to — they may be asked to enter sensitive information such as ID, passwords, social security or credit card numbers. Then, one of those two things happens next :

• Either the victim inputs his user ID and password into the fake site, and that data is forwarded onto the attacker, or
• The copied site contains malware that automatically installs itself into the victim’s machine to collect all of his data stored on his device or browser memory.

Then, the victim’s credentials are sent to a drop email account or forwarded to another domain controlled by the attacker. Once attackers access a victim’s credentials they can either :

• Use the credentials to log in as many websites as they can using automated scripts, also called credential stuffing, or
• When the hack happens in a corporate environment, the stolen credentials are directly used into corporate resources gaining access to all the company’s network and database.

Attackers usually go after organization’s top executives. Top executives have more authority and access to confidential information and funds.

How can phishing impact your business?

First of all, when you are victim of phishing, your entire corporate network and brand are at risk. Also, these attacks always lead to a loss of revenue and the financial impact can be huge. According to Global IT Security Risks Survey of 2014, the typical damage of a breach (including the costs of hiring professional services, lost business opportunities) was $35,000 for small-to-mid-sized business and $690,000 for enterprises.

Along with being damaging for your business, following a phishing attack, users can lose confidence in your company and may sooner or later drop it for a competitor. Worse, if they actually become victims, they might even initiate legal proceedings, or, if the data is covered by data protection regulations, the company can be levied fines for noncompliance.
Following the announcement of a data breach, a company’s reputation immediately takes a hit and recovering from an attack may take few months or even years.

48% of consumers stop using services after a data breach.

The number of attacks and data breaches are proving that cybersecurity is still not a standard for every company. Most of modern portal services and sites rely on username/password and the increasing popular two factor authentication as mode of security. However, security experts have demonstrated that an automated phishing attack can now bypass that added layer of security potentially fooling off-guard users into sharing their private credentials.

How to protect your business against phishing ?

There’s bad and good news. The bad one is that no one can effectively avoid phishing… Simply because it’s not something we can control. You’ll never be able to stop a malicious person to clone your website or use your logo on your behalf.

The good news is that you can make sure that the hacker comes back from phishing empty handed, at least, without your user’s credentials. How? By having integrated on your website an authentication solution that does not require the user’s email or password.

The wrong answer would be to delegate the authentication to a third party IDP (identity provider) like social sign-in.

Social authentication does not eliminate the risk of stolen credentials.

Another reason why social authentication is not an advised solution for your company is that, under the guise of simplicity for users, everyone knows that most of the companies providing with login services, are very interested in collecting data about your users. And if you’re not comfortable with a company potentially knowing a lot about your users and your business, it’s best not to link your website to that company.

The alternative that would render credential theft obsolete but that also is respectful to user’s privacy would be a 3rd party authentication solution that is decentralized and doesn’t collect any users’ data.

How does Unikname Connect work?

Unikname Connect, the Confidential and Secure user connection

Protect your business and attract more users.

Follow us!

• Website: https://www.unik-name.com/
• Twitter: https://www.twitter.com/Unikname_UNS
• Facebook: https://www.facebook.com/UniknameConnect/
• Linkedin: https://www.linkedin.com/company/unikname