How to prevent phishing attacks

Despite widespread knowledge that, no, you shouldn’t be giving your credit card details to long-lost princes in far-flung lands, phishing remains a very popular – and successful – type of cyberattack. More than 1 in 5 employees opened a phishing email in the past year, according to figures from a recent Verizon report.

The good news is that there are many things you can do to prevent phishing, protect your identity and keep your personal data safe. Read on to get more insight into some of the most notable phishing scams of 2018, how Emsisoft Anti-Malware handles phishing and some simple steps you can take to avoid falling victim to a phishing attack.

What is phishing?

Phishing is a type of social engineering in which cybercriminals pose as a legitimate institution or individual in order to steal sensitive information such as usernames, passwords, credit card details and so on. A phishing campaign may involve mass distribution, or the criminals may choose to create a highly customized scam that focuses on a specific target.

Phishing scams are most commonly delivered over email. The classic scam involves a criminal impersonating a seemingly reputable company such as Amazon, PayPal or Microsoft. The sender asks you to verify your login credentials or banking details on a bogus website that appears, for all intents and purposes, to be the real thing. When you enter the information, it is sent directly into the hands of the bad guys. About 1.4 million of these phishing websites are created every single month.

There’s also a good chance you’ve been on the receiving end of an advance fee phishing scam, in which a wealthy individual promises you a veritable fortune in exchange for a small up-front payment. Spoiler alert: the fortune never comes.

While email is the most common delivery vehicle, it’s important to note that phishing scams can arrive through many other channels, including social media, text messages, phone calls and more.

Notable phishing scams of 2018

1. Airbnb GDPR phishing attack

In May 2018, the European Union introduced the General Data Protection Regulation, a new regulation designed to standardize data protection law across the EU. As you might be aware from the flood of emails you probably received around this time, just about every company that was affected by the GDPR sent out emails to their users informing them of changes they’d made to their privacy policies.

Some scammers capitalized on this opportunity by impersonating Airbnb and sending out phishing messages from @mail.airbnb.work (the real Airbnb email domain is @airbnb.com). The email claimed that Airbnb hosts would not be able to accept new bookings or message guests until they accepted a new privacy policy, and included a link to a fraudulent website where recipients could enter their login credentials and banking information.

2. Bogus FIFA World Cup tickets

Scams that revolve around current events can be more convincing to users who would usually be wary of receiving unsolicited messages. Cybercriminals took full advantage of one of the biggest events on the planet, the FIFA World Cup 2018, to launch a number of phishing attacks.

In the lead up to the tournament, many people reported receiving emails from scalpers selling tickets at inflated prices to events that were otherwise sold out. As you might have guessed, the tickets were never delivered and the buyers’ banking details were stolen. There were also a number of phishing scams that focused on luring in victims with promises of cheap travel visas, airline tickets, and accommodation services.

3. Netflix billing scam

With more than 130 million subscribers, Netflix is not only popular with film buffs and TV show aficionados – it’s a hit with cybercriminals, too. A number of Netflix phishing emails have circulated in 2018, urging recipients to update their payment information to avoid having their account suspended. The link in the email leads to a convincing looking website that steals the target’s username, password and payment information.

4. Voice phishing becoming more advanced

Voice phishing – the practice of impersonating a legitimate entity over the phone to extract sensitive information – is no new concept, but it has become noticeably more sophisticated in recent years. Thanks to advances in automation and voice recognition, attackers can now use a mix of robots and human callers to more effectively imitate well-known brands and contact targets more efficiently.

How does antivirus software prevent phishing attacks?

Many modern antivirus solutions offer a layer of protection designed to prevent phishing attacks. These products usually don’t stop phishing emails from ending up in your inbox; instead, they identify phishing websites and block the page from loading before you can access it and inadvertently give away your sensitive information.

But how exactly does the software distinguish between a safe website and a phishing website? Before we can answer this question, we first need to take a look at how HyperText Transfer Protocol Secure (HTTPS) works.

HTTPS is the communication protocol used to send data between your browser and the web server you’re connected to. The “S” in HTTPS means “Secure”, and indicates that the data being transferred on a given website is encrypted. You can tell that a website uses HTTPS by checking the URL or looking for a padlock icon in the address bar.

HTTPS adoption has shot up dramatically in recent years. Today, about 86 percent of all websites opened in Chrome in the U.S. are loaded over HTTPS, according to Google’s Transparency Report. Just two years ago, that figure was around 60 percent.

The widespread uptake of HTTPS has helped make the web a safer and more secure place, but it does pose an interesting challenge for some antivirus companies.

Why?

Well, many antivirus products rely on inspecting your web traffic in order to identify and block phishing attempts. However, as mentioned above, HTTPS is specifically designed to encrypt your traffic, meaning there’s no way for antivirus software to know whether a website is malicious with conventional methods.

This means that antivirus companies are left with three main options for preventing phishing attacks, each with its pros and cons:

1. Network traffic filtering

As mentioned above, HTTPS encryption prevents antivirus software from knowing which websites you’re visiting, meaning the software is unable to verify the safety of an HTTPS URL.

To get around this, there are a couple of different ways of filtering network traffic that is loaded over HTTPS:

HTTPS interception

Most antivirus products use HTTPS interception, which involves installing a local proxy server that effectively fakes all SSL Certificates (the bits of code that ensure communications between you and a website are secure) to create a man-in-the-middle attack. When you visit an HTTPS website, your outgoing connection is redirected to the local proxy server, which generates a new SSL certificate known as a wildcard certificate to impersonate the requested website before verifying its safety. If the website is deemed to be safe, it’s passed on to your browser and the website will show up on your screen. If the website is found to be unsafe, the proxy will send the browser a warning.

The problem is that your browser can’t verify the safety certificate of the real website, as it can only see the fake SSL certificate that the proxy server has generated.

While this approach can provide high block rates, it does introduce some significant security risks. Firstly, it could potentially leave you more vulnerable to malicious man-in-the-middle exploits. Secondly, re-encrypting your data with a fake security certificate means there’s no way for you to tell if your connection to a website is truly secure or not, which could potentially result in you sending sensitive information over an unsecured connection.

HTTPS interception also raises some questions about privacy. A blacklist of every known phishing URL would be hundreds of megabytes in size and would need to be continually updated, making it impractical to store the blacklist locally on your computer. Instead, antivirus products that use URL-based filtering store the blacklist on their servers and query the URL every time you visit a website. The fact that every URL you visit is queried server-side means that your antivirus company could potentially collect information on all the websites you visit if they wanted to.

Server Name Indication filtering

Another way of preventing phishing attacks is to filter network traffic based on the unencrypted bits of an HTTPS connection, such as the Server Name Indication (SNI). SNI is an extension to the TLS protocol that HTTPS is based on. When SNI is used, the client sends the hostname it wants to connect to during the initial TLS handshake. SNI is not encrypted so your antivirus software can see the host you want to access and thereby determine whether or not it is malicious. If your software deems the host to be malicious, it steps in and prevents the page from loading.

Network filtering can also involve blocking traffic to IPs that host phishing websites or even blocking IP ranges.

2. Browser extensions

Browser extensions are another common way of combating phishing. Browsers allow extensions to intercept connection attempts and access the content of web pages, regardless of whether the connection or web page are encrypted or not. Browser extensions are somewhat limited by the fact that – unlike the other methods on this list, which will happily work with all applications running on your system – they are only compatible with the specific browsers they have been developed for.

3. Intercept host name resolution

As you may know, every Internet-connected device has an IP address, which is a series of numbers that other machines can use to find the device. The Domain Name System (DNS) helps translate a device’s IP address into something that is a little more reader-friendly for humans. For example, it’s much easier to remember google.com than the IP address 173.194.32.195.

Hostname resolution is a process in which a hostname (e.g. google.com) is converted to its IP address (173.194.32.195). Some antivirus software prevents phishing by interrupting this process to stop malicious websites from loading. This can be achieved either by intercepting DNS packets or by configuring a DNS server that has appropriate blacklists (SafeDNS, OpenDNS, etc.).

How does Emsisoft handle phishing?

Emsisoft Anti-Malware uses network traffic filtering to prevent phishing, but we do NOT intercept and decrypt HTTPS traffic. Instead, our Web Protection module blocks traffic based on IPs and information we obtain from unencrypted traffic such as HTTP, or the SNI fields of TLS-based connections like HTTPS. This allows our software to work across all programs, unlike some phishing scanners that are limited to certain browsers. We use a local blacklist, which means that URLs are never queried on our servers, and our users can rest assured that we have no way of seeing the websites they visit.

While HTTPS interception may provide slightly higher phishing block rates, we don’t believe it’s worth encroaching on the privacy and security of our users. This is particularly true given that every modern browser has solid phishing protection built right into the software. A 2017 NSS Labs report on web browser security showed:

These figures suggest it’s very likely that any dodgy URL you might stumble upon will be automatically blocked by your browser. Emsisoft Anti-Malware – and every other antivirus software for that matter – is simply there to provide a second opinion and catch anything that might fall through the cracks. You can read more about our opinion on HTTPS interception in one of our previous blog posts.

What else can you do to protect yourself against phishing scams?

It’s important to remember that antivirus software is just one piece of the puzzle when it comes to phishing protection. There are many things you can do to avoid phishing scams, including:

1. Think before clicking

Be cautious when clicking on links in any emails, text messages or instant messages – even if they seem to be sent from a familiar or trustworthy source. Hover over links before clicking on them to check that the URL leads to a legitimate website and never divulge your password, PIN number or other sensitive data. If you’re in any doubt, double check with the sender before clicking anything suspicious.

2. Keep your browser up to date

Developers regularly release updates to fix known security vulnerabilities in their software. Always update your browser, operating system, and other applications when prompted, and enable automatic updates wherever possible.

3. Check that the website is secure

Before entering sensitive information (including your username and password) on any site, be sure to check that the site is secure. The simplest way to do this is to confirm that the site’s URL begins with HTTPS and that there is a padlock in the address bar. Some websites will also display trust seals to indicate that the site is secure. If your browser or antivirus software identifies a phishing website, it will alert you and block access to the site. Do not ignore these warnings unless you are 100 percent certain that it is a false positive.

4. Install an anti-phishing browser extension

Modern browsers come equipped with fairly robust phishing protection, but you can take things to the next level by installing a dedicated anti-phishing browser extension. Microsoft recently released Windows Defender Browser Protection (the same technology it uses to protect Edge users), although it is currently only compatible with Google Chrome.

5. Familiarize yourself with phishing language

Phishing attacks can look scarily convincing. One of the easiest ways of identifying a suspicious email or instant message is to familiarize yourself with commonly used phishing language. This might include:

6. Type in URLs and use bookmarks instead of clicking links

Clicking on links in random emails can be a very risky game. Instead, simply open your browser and manually type out the URL of the company you’ve received an email from. Alternatively, you can bookmark your most frequently used websites and quickly open them from your browser when needed – just make sure the sites are legitimate before bookmarking them!

7. Remember that phishing doesn’t only affect online banking

Phishing is most commonly associated with online banking, but it’s worth remembering that phishing attacks can be used to impersonate just about any organization or individual – and the effects can be almost as devastating. For example, losing the login credentials to your email or social media accounts could have far-reaching consequences on your personal and professional life. Having your login credentials stolen on one site can also affect your other accounts if you use the same passwords for other online services.

8. Be careful around pop-ups

Thankfully, pop-up windows aren’t as widespread as they were in the past, but they are still used in some legitimate websites. Be very cautious when entering information into these windows as there have been many cases of phishing attacks occurring in pop-ups while masquerading as a legitimate part of the main website. Google Chrome, Firefox and Microsoft Edge all have built-in settings for blocking pop-ups.

9. Be mindful of other attack vectors

Email is by far the most common form of delivery for phishing attacks, but that doesn’t mean that other channels of communication are safe. Social media phishing attacks have become increasingly common in recent years, and researchers have even seen a number of malicious phishing apps make their way onto Google Play. This highlights the importance of being vigilant when transmitting data on any internet-connected device, regardless of the application you’re using or method of communication.

Fighting back against phishing

By preying on natural human weaknesses, phishing scams remain a common and effective type of attack. Antivirus products have an important role to play in preventing phishing attacks, but users do need to be mindful of how their antivirus software actually combats phishing and the security and privacy risks involved.

What do you think is the best way to deal with phishing? Should antivirus software be using HTTPS interception to block more phishing attacks, even if it means potentially risking your security and privacy? Or would you rather your antivirus software doesn’t meddle with SSL certificates, even if it means a slightly lower phishing block rate? Let us know your thoughts in the comments below.

Have a good (malware-free) day!

Jareth
