[Internet Safety] Phishing Attacks

in #safety, 7 years ago (edited)

There are many dangers and scams lurking on the internet, schemes designed to snare and entrap even the most tech-savvy amongst us. This is the fourth in a new series of articles geared towards internet safety, scams and schemes, with the aim of spreading awareness about the many different traps around. Many of the discussed schemes are just modern incarnations of age-old scams. This week's topic is Phishing.



What is Phishing?

Phishing is a form of cybercrime in which an attacker attempts to obtain sensitive information (such as usernames, passwords and email addresses) by posing as a legitimate organisation or person, usually through an electronic communication. Phishing emails, phone calls and websites are nearly always malicious in intent: the information gathered is used to gain access to your accounts and often results in identity theft and financial loss.



Some Common Features

  1. Too Good To Be True - Eye-catching statements or seemingly lucrative deals are designed to attract your attention immediately. Maybe you’ve won a prize, or maybe your action is needed urgently. Whatever it is, don’t click on any suspicious links.
  2. Sense of Urgency - Creating a sense of urgency is a favourite tactic of the cybercriminal. It’s an attempt to make you act immediately without having the chance to think things through. The majority of reliable, trustworthy organisations will give you ample time to respond, for example by freezing an account that they suspect of fraud to prevent further access until you can contact them.
  3. Hyperlinks - Links may not be what they appear to be; this applies to everything on the internet, really. A malicious destination can be hidden behind a seemingly innocent anchor tag. Look at the following link: http://www.facebook.com. It looks like it will take you to Facebook, but the actual destination is Google. The visible text and the real address are two separate things, and this is how attackers trick you into visiting sites built only to steal your information.
  4. Attachments - If you see an attachment in an email that you weren’t expecting (no matter who it’s from), do not open it. Attachments often carry malware or ransomware payloads.
  5. Unusual Sender - Emails will often come from an unusual sender, but no matter who an email comes from, if anything seems unusual or out of the ordinary, just don’t click.



Phishing Techniques

There are many different ways for a criminal to try to steal your information, and we’ll go through a few of them here. This is by no means an exhaustive list of techniques, as these people are constantly trying to outdo countermeasures and improve their methods. Unlike many scams that are intended only to appeal to the naive or gullible, phishing attempts are made on all of us and can catch you no matter how experienced you are.


Email Forgery

This is probably the most common form of phishing, with emails designed to look like they come from a trustworthy institution. A very common scam is the PayPal email, which asks you to confirm your details after "unusual activity" has supposedly been spotted on your account. These days it can be very hard to tell the difference between a genuine and a fake email, as the fakes are very well designed and often look exactly like their legitimate counterparts. A common method phishers use to avoid anti-phishing filters is to put the message in images instead of text, so that filters scanning for suspicious wording find nothing to match. In response, the filters now use OCR (optical character recognition) to read the text inside the images and filter on that. The battle between phishers and security services rages on.


Website Forgery

So, let’s say a victim has clicked one of those suspicious links and lands on a web page that looks like what they were expecting, e.g. a PayPal login screen. Unfortunately, the deception is not over. These pages look exactly like the page you’d expect, and will often ask you to sign in first or confirm your personal information. These days some even use JavaScript to alter the address bar so that it appears to show the legitimate site.


Social Engineering

Social engineering is the psychological manipulation of people into performing certain actions or divulging confidential information. This could include causing outrage with a fake news story, and asking people to click something, or maybe attempts via social media to check something out.


Phone Calls

Phishing phone calls can take the form of an incoming call that uses a fake caller ID to appear to be from a trusted organisation, or even of convincing victims to call a certain number regarding problems with their bank account.


Steemit

Phishing attempts seem to be on the increase on the Steemit platform. I’m seeing more and more compromised genuine accounts being used to spread fake links, which is so sad to witness. The comments these compromised accounts leave can take many forms, with the first one that I came into contact with stating that another user has plagiarised your posts, click here to see it. The community was quick to respond, but there’s no doubt that some people were caught out.

If they acquire your master password, they can empty your account and use it to spread the scam to your followers. As the Steemit platform grows, and the value of both Steem and SBD increases, so will the number of attacks, so it’s more important than ever to be vigilant online.



Preventing Attacks

There are a few things you can do to prevent attacks, and I think the most important thing on Steemit is to never use your Master Password for “normal” logins. Never give your Master Password to anyone, or to any service. Instead, use your Private Posting Key as much as you possibly can. Using your Private Posting Key instead of your Master Password means that attackers can’t access your money; they could only post.

Try to avoid clicking links on Steemit, or any platform unless you 100% trust the person and you’re confident their account hasn’t already been compromised. If you are buying the vote of a bot, avoid situations where you are told to send funds to a trading site, as it is most likely a scam. If you’re unsure, ask a smart friend you trust to check things out first.

Whenever you receive an email, phone call or pop-up window and feel uncertain whether it is from someone you can trust, don't take the risk. Reach out to someone and ask for help. I also recommend using an adblocker like AdBlock Plus or uBlock Origin, as these days advertisements online just cannot be trusted and should be phased out. Platforms such as Steemit have new and better ways of paying for content and services, so let's give advertisers the middle finger for being so damn bad.


Reporting Phishing Attempts

As far as I am aware, there isn’t a way to report users on Steemit. There are bots and other such services set up to tackle spam, scams and phishing attempts but they can only do so much. Outside of Steemit, you can report phishing attempts to the organisations that are being imitated, or phone calls to one of the following:

In the United States, use the FTC Complaint Assistant form.

In Canada, the Canadian Anti-Fraud Centre can provide support.

In the UK, you can report fraud as well as unsolicited calls.



A little late, but this post has been entered into the recent contest @simplymike has posted. You can read more about it, plus the many other entries here: https://steemit.com/contest/@simplymike/20sbd-contest-protect-people-from-the-ongoing-phishing-scam

I hope you found this helpful, and if you have any further tips or advice for combating phishing then please let me know in the comments down below, and let me know your thoughts too. We all need to band together to tackle the current issues facing Steemit, not just limited to Phishing and compromised accounts. As always, make sure to follow me for the latest Cryptocurrency, Internet and Pop Culture updates, and until next time, I'll see you in the comment section!



Sources
How to recognize phishing email messages, links, or phone calls (https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx)
Brief look on how to avoid being scammed by @apsu (https://steemit.com/steemit/@apsu/brief-look-on-how-to-avoid-being-scammed)
PayPal Phishing (https://www.paypal.com/uk/webapps/mpp/phishing)
What is Phishing? (http://www.phishing.org/what-is-phishing)

All images are used without the express authorisation of the copyright holders. They are used under what's known in British law as "Fair Dealing" or under US law as "Fair Use" exceptions. For example, exceptions relating to research and private study, criticism or review, or news reporting. For more information visit the UK Gov website or the US Gov website.


@johngreenfield! Thank you for this! Resteemed!

I did not know about the SteemIt Phishing scam of plagiarism! Scary!!!

Thank you so much!
It seems to be becoming more prevalent, they're just figuring out ways to circumvent the bots.

Well said John. great advice and a reminder. Internet is way too dodgy.
Believe or not most of original Phishing Attacks were and are done by our lovely governments and private corps (fb twits etc) trying to sell every trash on the planet and so forth. Be safe keep your eyes opened :P

Excellent post John! Do you recommend that I change my master password? I am using the first one that steemit gave me automatically (the long one with characters and numbers). Thank you!

There's no need to change it unless you feel you might have used it somewhere a bit dodgy, but if you click on Wallet, then go to Permissions, you can view your different keys, including the Private Posting Key. I realise I've not made that bit very clear, I'll think about how I can reword it and include some clear instructions.
Edit I love that joey gif so much! :P

Thanks :-) Have a nice day! John, did you read my answer about what type of yoga is better for you? I am still waiting for your feedback about it, I sent you a lot of info... maybe you ignored it without noticing

I'm so sorry, I must have missed it! I'll go find it now and get back to you =]

Do not apologize, I understood that you would not have read it yet, so I thought about telling you because it could be useful to you. A hug

Good read mate. Is this for the contest? I'm going to write my article about phishing in the coming days.

Unfortunately when there is money involved people go to crazy lengths to steal it - this is why it seems new to a lot of people who migrated from Facebook, where there is no incentive for people to steal accounts.

We need to work together as a community to fight this

There's a contest? Do you have a link to it? Sounds interesting!

I couldn't agree with you more, it's partly what motivated me to write my Beginner's Guide. There's quite a few bad "Facebook habits" that have jumped platforms, not giving credit is definitely one of them.

I'm toying with the idea of making my own curation bot/service, although I just don't have the Steem Power to support such an undertaking, so far anyway.

https://steemit.com/contest/@simplymike/20sbd-contest-protect-people-from-the-ongoing-phishing-scam#

Yeah we have to be careful. I think people most likely make mistakes early on here - you get wiser the longer you're on here!

Nice! You might have to look into getting SP delegated to you...

Thank you so much for that, can't believe I missed it. I normally catch posts from @simplymike

I've thought about getting some SP delegated, but it's a big responsibility! Gotta be ready for it

Very informative post, @johngreenfield.
Thanks for submitting it to the contest.

I see you mention Paypal. Years ago they released some security warnings that would allow you to detect a fake email.
It was a long time ago, and the one thing I remember is that real Paypal messages always start with ‘dear youractualname’.
Not with ‘dear customer’ or ‘dear client’
Nevertheless, I never click links in emails. I just go to the correct site I bookmarked in my browser and log in there...

Thank you so much!

I can't remember the last time I opened an actual PayPal email, wouldn't surprise me if they all just went to spam now. You know, not clicking links in emails and going to the actual site is probably the simplest and easiest to follow advice. I tend to do the same, although I get a bit lazier when it comes to using mobile devices.
Thanks for reading, and it's such a good idea for a contest, you've no doubt helped spread awareness here.

I truly hope so, although I’ll still only be able to reach a small part of the community. I addressed some of the bigger guys, asking them to review, give feedback and maybe resteem - just hoping to reach as many members as possible. I still come across people who don’t even know there is a phishing scam going on...

I guess all you can hope is to be able to help those around you, and in turn hope they do the same to their circles. It's heartbreaking to see so many compromised accounts, getting drained and then flagged to hell. It's hard for me to comprehend people are still unaware at this point, at least you're doing your part to help!

Good stuff mate. Very well written!
Luckily Steemit itself seems quite secure.
I recently wrote some articles about it: https://steemit.com/security/@gaottantacinque/steemit-security-check-iframe-tricks
Thanks :D
