How phishing works and how to prevent it?
Unikname Connect is about Security
It’s official: cybercrime profits reached 3.5 billion dollars in 2019, with phishing among the top scams, according to the FBI’s Internet Crime Complaint Center.
2019 was, by far, the worst year for cybersecurity, and 2020 isn’t looking so great either.
Several major incidents have already occurred since the beginning of the year and have pushed the number of breached records to an astonishing 1.5 billion globally. Phishing attacks are the most popular way of scamming people.
What is phishing?
Basically, phishing is a cyber attack in which a target is contacted by email or text message by someone posing as a company or legitimate institution.
The goal is to trick the recipient into believing that the message is something they need or want — a request from their bank, for instance, or a note from a colleague — and to click a link or download an attachment.
Phishing techniques are becoming more and more sophisticated, making it difficult for people to tell real from fake, especially because the web and email addresses used to fool people look increasingly legitimate.
Let’s have a look at the phishing and email fraud numbers for 2019:
- The average cost of a data breach is $3.86m (IBM)
- 15% of people who were successfully phished will be targeted at least once more within the year
- Phishing represents 90% of data breaches
- Around 1.5m new phishing sites are created each month (Webroot)
- Phishing attempts have grown 65% in the last year
- 76% of businesses reported being a victim of a phishing attack in the last year
- 30% of phishing messages get opened by targeted users (Verizon)
Email and phishing attacks are not only increasing with time but they’re also evolving. Understanding how phishing attacks are frequently affecting executives and companies worldwide is important.
How to recognise phishing attacks?
Here are some of the most common ways in which they target people.
1. The email is sent from a public email address
Often, the criminal will use a public email address such as gmail.com. If your bank or colleague is going to email you, it will come from a company email account with the company name in the email address. As an example, legitimate emails from Amazon will read ‘@amazon.com’.
2. Strange attachments
If you receive an email from someone you don’t know asking you to open an attachment, do not open it. The same applies if you receive an unexpected attachment from someone you know. These attachments can capture your personal data or contain malware.
3. Email with a sense of urgency
Phishing emails frequently ask recipients to verify personal information, such as passwords or bank details. They can create a sense of urgency by pretending to be someone you know who is in urgent need of financial help. They can also warn you that your account has experienced suspicious activity.
4. Poor spelling and grammar
You can often spot a phishing email by the poor language used in the body of the message. The writing style might differ from what you usually receive from the sender, and it might contain spelling and grammatical mistakes. An email full of errors is a strong indicator that it is actually a phish.
These are warning signs.
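As an added illustration (not code from the original post or from Unikname), here is a small Python scorer that automates the first three warning signs above on a constructed sample message. The public-domain list, risky extensions and urgency phrases are assumed values, and the fourth sign (poor spelling) is left to a human reader.

```python
from email.message import EmailMessage
from email.utils import parseaddr

PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso")   # assumed list
URGENCY_PHRASES = ("verify your account", "suspicious activity", "immediately",
                   "within 24 hours", "will be suspended", "urgent")             # assumed list

def sender_domain(msg: EmailMessage) -> str:
    """Domain of the address in From:, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_message(msg: EmailMessage, org_domain: str) -> dict:
    """Return the warning signs found in msg when it claims to come from org_domain."""
    findings = []
    domain = sender_domain(msg)
    if domain in PUBLIC_MAIL_DOMAINS:            # sign 1: public webmail sender
        findings.append("public_sender_domain")
    org_name = org_domain.split(".")[0]
    if org_name and domain != org_domain and not domain.endswith("." + org_domain) and org_name in domain:
        findings.append("lookalike_domain")      # brand name inside an unrelated domain
    for part in msg.iter_attachments():          # sign 2: strange attachments
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append("risky_attachment:" + name)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    if any(p in text for p in URGENCY_PHRASES):  # sign 3: urgency / verify-your-details
        findings.append("urgency_language")
    return {"domain": domain, "findings": findings, "score": len(findings)}

def sample_phish() -> EmailMessage:              # constructed sample, not a real phish
    msg = EmailMessage()
    msg["From"] = "Amazon Support <amazon.support.team@gmail.com>"
    msg["Subject"] = "Suspicious activity on your account"
    msg.set_content("We detected suspicious activity. Verify your account within "
                    "24 hours or it will be suspended.")
    msg.add_attachment(b"not an executable", maintype="application",
                       subtype="octet-stream", filename="Invoice.pdf.exe")
    return msg

def sample_legit() -> EmailMessage:              # constructed notification from the real domain
    msg = EmailMessage()
    msg["From"] = "Amazon <orders@amazon.com>"
    msg["Subject"] = "Your order has shipped"
    msg.set_content("Your order #123 has shipped and will arrive on Tuesday.")
    return msg
```

Scoring the two samples against `amazon.com` flags the first on all three signs and the second on none; in practice such a score is a triage aid for a mail gateway, not a verdict.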
What happens if users fall through the net?
What if, despite the warning signs listed above, someone accesses the spoofed page?
Once the victim visits the spoofed page — which is simply a clone of the website the victim usually connects to — they may be asked to enter sensitive information such as a user ID, password, social security number or credit card number. Then one of two things happens:
- Either the victim enters their user ID and password into the fake site, and that data is forwarded to the attacker, or
- The cloned site contains malware that installs itself on the victim’s machine to collect the data stored on the device or in the browser’s memory.
The victim’s credentials are then sent to a drop email account or forwarded to another domain controlled by the attacker. Once attackers hold a victim’s credentials, they can either:
- Use them to log in to as many websites as they can with automated scripts, a technique called credential stuffing, or
- When the attack happens in a corporate environment, use the stolen credentials directly against corporate resources, gaining access to the company’s entire network and databases.
Attackers usually go after an organization’s top executives, who have more authority and access to confidential information and funds.
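As an added example (not from the original post or from Unikname), the credential-stuffing pattern described above can be spotted on the receiving website’s side: one source address trying many different usernames, mostly failing, within a short window. The log format, thresholds and IP addresses below are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log sample: "timestamp source_ip username result" (not from the post).
SAMPLE_LOG = """\
2020-05-04T09:00:05 203.0.113.7 alice FAIL
2020-05-04T09:00:09 203.0.113.7 bob FAIL
2020-05-04T09:00:14 203.0.113.7 carol FAIL
2020-05-04T09:00:20 203.0.113.7 dave FAIL
2020-05-04T09:00:26 203.0.113.7 erin FAIL
2020-05-04T09:00:31 203.0.113.7 frank OK
2020-05-04T09:01:00 198.51.100.4 bob FAIL
2020-05-04T09:01:12 198.51.100.4 bob OK
2020-05-04T09:05:00 192.0.2.9 grace FAIL
2020-05-04T09:20:00 192.0.2.9 heidi FAIL
2020-05-04T09:35:00 192.0.2.9 ivan FAIL
2020-05-04T09:50:00 192.0.2.9 judy FAIL
2020-05-04T10:05:00 192.0.2.9 mallory FAIL
"""

def parse_line(line: str):
    """Split one log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct usernames, mostly failing, inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in map(parse_line, lines):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over this IP's attempts
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {user for _, user, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(span)}
    return flagged

def sample_alerts() -> dict:
    """Run the detector over the constructed sample log."""
    return detect_stuffing(SAMPLE_LOG.splitlines())
```

On the sample, only 203.0.113.7 is flagged: the single user retrying from 198.51.100.4 and the slow, spread-out attempts from 192.0.2.9 fall outside the thresholds, which is why the window and user count must be tuned to the site’s normal traffic.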
How can phishing impact your business?
First of all, when you are a victim of phishing, your entire corporate network and brand are at risk. Also, these attacks always lead to a loss of revenue, and the financial impact can be huge. According to the 2014 Global IT Security Risks Survey, the typical damage of a breach (including the costs of hiring professional services and lost business opportunities) was $35,000 for small-to-mid-sized businesses and $690,000 for enterprises.
Beyond the direct damage to your business, users can lose confidence in your company after a phishing attack and may sooner or later leave for a competitor. Worse, if they actually become victims, they might initiate legal proceedings, or, if the data is covered by data protection regulations, the company can be fined for noncompliance.
Following the announcement of a data breach, a company’s reputation immediately takes a hit, and recovering from an attack may take a few months or even years.
48% of consumers stop using services after a data breach.
The number of attacks and data breaches shows that cybersecurity is still not a standard for every company. Most modern portals and sites rely on a username and password, plus the increasingly popular two-factor authentication, as their security model. However, security experts have demonstrated that an automated phishing attack can now bypass that added layer of security, potentially fooling off-guard users into sharing their private credentials.
How to protect your business against phishing ?
There’s bad news and good news. The bad news is that no one can completely avoid phishing, simply because it’s not something you can control: you’ll never be able to stop a malicious person from cloning your website or using your logo in your name.
The good news is that you can make sure the attacker comes back from a phishing campaign empty-handed, at least without your users’ credentials. How? By integrating into your website an authentication solution that does not require the user’s email or password.
Create your enterprise account to install the Unikname Connect plugin!
The wrong answer would be to delegate authentication to a third-party IdP (identity provider), such as social sign-in.
Social authentication does not eliminate the risk of stolen credentials. The theft simply happens not in your database but directly on the IdP’s side. Recent news has shown that those actors are not infallible, especially because they operate on a centralized database.
Another reason why social authentication is not advisable for your company is that, under the guise of simplicity for users, most companies providing login services are very interested in collecting data about your users. If you’re not comfortable with a company potentially knowing a lot about your users and your business, it’s best not to link your website to that company.
The alternative that would make credential theft obsolete while also respecting users’ privacy is a third-party authentication solution that is decentralized and does not collect any user data.
This is when Unikname Connect comes in…
Unikname Connect is a next-generation authentication solution that combines the security of a decentralized world with a peer-to-peer protocol that guarantees the ultra-confidentiality and untraceability of the connection. Unikname Connect is a decentralized solution in the service of the centralized economy.
In other words: your users’ accounts are secured and protected from phishing.