Over the past 6 months, while in the human world a virus has caused devastation, another almost virus has plagued the internet.

Okay, I use the term virus when it comes to computers hesitantly. In the 1990’s computer viruses were the primary concern when it came to safety on the computer – of course at this point many computers weren’t even connected to the internet. A lot has changed – we now have various other terms such as “worms, malware, spyware” and the arguably the worst “ransomware”; however, we also have fewer reasons to install programs on our computers. As the power of the web browser has evolved, and more people are moving away from Windows, diversifying into Mac, Linux, or even replacing the computer with a Tablet, more and more can be achieved using websites that are cloud powered. Being cloud based, it’s far easier to prevent users from accidentally installing a virus – because, you know, those of us who maintain the cloud servers as a general rule of thumb simply do not allow our users to install things on our servers!

So I suppose on that note we can just say that everything in the IT world is solved, cloud computing has effectively vaccinated against computer viruses, computer hackers have become irrelevant, and we can all be happy that we are secure on our computers right?

No way. In fact things have often become much worse.

A new array of terms have come around – but as it becomes harder to gain access to a server, many hackers have shifted their focus away from trying to manipulate the computer, and simply move to manipulating that which is more susceptible. The end user.

If I want to get into a nightclub and the bouncer says “No chance mate”, I can say “Oh come on please” and the bouncer might respond with “…”… okay actually that was a poor example, but the human does have the ability to change their mind. If a computer says no – then, to quote Little Britain “Computer say Noooo”. You won’t change it’s mind easily. So the easiest way to gain unauthorized access to a computer system is, well, get someone who DOES have access to give you access! This is where phishing (it’s a ph unlike the animal) becomes a thing.

During the COVID-19 pandemic, we have unfortunately seen a massive increase in the number of phishing attempts – so what are phishing attacks and how effective are they?

Phishing attacks in their most basic form come in the sense of an email. The email will often say there has been a problem with your account, very simple to resolve, and just ask you to click a link to sign in to your account which will automatically resolve everything – here’s a few tips to avoid this.

  1. NEVER CLICK THE LINK
    If you are emailed a link to login to your account – be one step ahead. Most high security websites will these days avoid this anyway, for example should a bank ever need to email such a message, they will simply advise you to “Visit our website and log in to online banking”. You will know who you bank with, so they do not need to provide a link. Often these links won’t actually visit your banks website, rather a clone of your banks website where they can steal the password. So if you feel you need to check your account, open a new browser window, navigate to the website written on your bank card, and login to that. (You will most likely find there is no problem with your account!)
  2. I clicked the link – but I was logged into my bank so I know it was real
    This one is a clever trick. A lot of the phishing websites will copy the website they are trying to steal data from, so the website will look the same, but some of the more advanced sites will take things one step further. Let’s say I want to visit my-bank.com, but instead the phishing website is setup at my_bank.com, both websites look the same. So when I enter myuser and mypassword on my_bank.com, the phishing website makes a record of these details, but it doesn’t stop there. The website then navigates to my-bank.com and automatically enters the username and password you have just submitted. Suddenly, you have ACTUALLY logged in to your real bank – but the hackers have already gained your username and password
  3. Okay, but I can see the padlock – the padlock means it’s secure right?
    Let me start by directing your glance to the top of this page. We too have a padlock. Yes the padlock means “it’s secure”, but this means it’s secure between you and the sever. All information you send to the server will be encrypted before it is sent, and then decrypted by the server. While this is a sign the CONNECTION is secure, it does NOT mean the server you are securely connected to is who they say they are. All this means is that if someone was reading the bits being sent from your computer, they wouldn’t be able to get your details.
  4. If this isn’t really my bank – why has it come from their email address?
    Here’s an uncomfortable fact about email – email is really insecure. Like REALLY insecure. So when you create an email, you will enter your Subject – like a text field. Believe it or not, if you’ve ever setup an email server, you will have learnt that when you send an email, you also fill in the “From” field just like that. Literally just like that – you just tell the system who has written it and have no requirement to verify this. Nowadays, most email clients will look at the reputation of the server which hands them the file and you are likely to see big warning signs if they are questionable – but this also explains how we can use Pixel Mailer to send emails from your email domain without needing access to your email account. (And for that matter might explain why we require a verification process before we allow you to change email addresses!).

So if I just bury my computer – I can’t be the victim of a phishing attack right? Wrong. Again, vigilance is necessary, while my focus is mostly on the IT side, it’s worth noting that people can also play less sophisticated tricks. In many cases you may receive a phone call attempting to gain information, once again, if your bank ever did ring you (legitimately) and you advised your bank that “I cannot be sure this is really my bank so I am going to call the customer care number on my bank card”, then I can assure you that your bank would never be annoyed about you taking security very seriously! As a side note on this – I strongly recommend, especially if this call is taking place on a fixed line telephone, that you either call the bank back from another phone (such as your mobile), or place another call from your phone before calling the bank back. As a bonus fact, in some countries when a fixed line phone dials another fixed line phone, the receiving participant can hang up the phone for a period of time (usually 90 seconds), and the call will stay connected. The purpose of this might be, my home phone rings while I am cooking dinner so I answer the phone in the kitchen, it’s actually an important call so I agree to take it (my dinner can go cold), I place the phone back on the hook and walk to my study to take the call. A handy feature before most phones were cordless! This however means a witty scammer could hear you hang up the phone, play a dial tone over the call, hear you dialing the numbers for your bank, play some fake ringing sounds and then greet you as if you have just rung your bank! So placing another call first ensures the line is clear!

You may be wondering how effective all this is. Well, a lot of people have learned to identify and ignore phishing emails, and spam filters do a great job picking up common mistakes – like spelling errors. Additionally, some email clients support reporting phishing emails which allow them to place other emails with the same links under a big red banner advising that it is probably a phishing email, but a small percentage do work, and unfortunately with email, the difference between sending an email to 1 recipient and sending an email to 10,000 recipients is just the click of a button!

The moral to the story is this. If you receive an email that doesn’t seem right – contact the sender – but not via return email. A good idea is to pick up the phone and call them to verify they sent this message. When it comes to places like banks they should never be annoyed at you for asking the question; and if you are a Prudent Pixel client, (which some of you have asked me this question), I can assure you we will never be annoyed if you want to confirm an email with us! It takes on average less than 15 seconds for us to respond with: “Nope that’s fake” however the consequences of clicking on the link of a fake email might be much more time consuming!