What is phishing?
Phishing is a form of fraud in which cybercriminals trick their victims into giving up access to their computers, confidential information or money. One of their most common techniques is impersonating an established organization: a financial institution, an ecommerce platform, a government department, a postal or courier service, or any entity likely to hold private data.
Beyond impersonating large organizations, phishing relies more generally on manipulating victims and abusing their trust. Attackers may also write to you in the name of a friend, colleague, partner or supplier, or as a complete stranger.
In 95% of identified cases, phishing attempts were carried out by email; the remainder took place on websites, by text message (smishing) or by telephone (vishing). Most targets receive a message that closely resembles a genuine one and are invited to open an attachment, visit a page or click a link, all of which are fraudulent.
How can phishing be detected?
Phishers are skilled at luring Internet users. From the logo to the signature, malicious emails imitate virtually every feature of the brands, services or contacts we exchange messages with regularly. Some are even more convincing because their content is highly contextualized: they refer to a specific subscription, income taxes in March or orders placed over the Holidays.
Messages may even be written with impeccable spelling and grammar. Spelling errors, which used to give a phishing attempt away, are no longer a reliable indicator.
What are the risks of phishing?
When you click a fraudulent link, you are taken to a page that imitates, for example, your bank's login interface and prompts you to enter access codes or card numbers, claiming that a verification or update is required. This is credential theft: everything typed into the fake form goes straight to the attacker.
When you open a fraudulent attachment, malware can install itself on your computer with nothing necessarily appearing on screen, so the user is unaware. Victims are then exposed to various risks, including:
- Infection with malicious software, in particular software that steals personal data, collects banking information or intercepts user names and passwords. Cybercriminals may resell these data on the dark web or use them to steal money directly.
- Ransomware, which blocks access to files, computers or even entire networks and servers by encrypting them. The purpose of this type of attack is to harm the victim or to extort money in exchange for a promise, not always honoured, to restore the data.
Oops! I clicked on something. What should I do?
Through a moment's inattention, vulnerability or unfamiliarity with these practices, anyone can be tricked, and there is no need to be ashamed. Phishing can be hard to detect even after you have fallen into the trap.
What should you do if you suspect your data have been stolen?
- Change any passwords, codes or user names you think have been compromised. Do it from a device you trust, and change the same password anywhere else you reused it.
- Monitor activity in your bank accounts and your email account, including any forwarding rules or recovery addresses that may have been added to your email account without your knowledge.
- Consider signing up for an identity-protection service that monitors your data continuously, helps restore your identity and warns you of suspicious activity, such as an account opened in your name.
- File a complaint and follow instructions from the Royal Canadian Mounted Police.
What should you do if you are the victim of a ransom attempt?
- Disconnect the computer from the Internet and from the local network, to stop the encryption from spreading to other machines or shared drives.
- Don't pay the ransom: paying encourages the fraudsters and does not guarantee that your data will be restored.
- Restore the computer and data from backups made before the infection, with the help of a professional if necessary.
- File a complaint and follow instructions from the Royal Canadian Mounted Police.
How should you react to a phishing email?
The main advice when faced with a suspicious message is: be skeptical, stop and think. When a message intrigues you, you may feel compelled to click to find out more and, in your haste, forget to be wary. Knowing when to be skeptical is an indispensable "survival" skill for going online. Although phishing emails are more and more carefully crafted, most of the time there is still something off about them.
Read your emails carefully, and if you have the slightest doubt, take a few moments to analyze the context and ask yourself:
> Why am I getting a tracking number when I didn't order anything?
> Why am I being urged to act immediately?
> Why would I need to update confidential information?
> Why would they be threatening to close my account?
These are common examples, far from an exhaustive list. Cybercriminals dream up all kinds of schemes, most of which are unusual, unjustified, insistent or alarmist. Trust your instincts: if a request surprises you, that is probably a bad sign.
If you think that you've identified a phishing attempt:
- Don't click! That alone avoids any risk of infecting your computer with malware. Hover over the suspicious link with your mouse (without clicking) to reveal the address it really points to: the text displayed in the message can say one thing while the link goes somewhere else entirely. On a phone, a long press on the link usually shows its destination. If you do not recognize the address, reach your account by typing the site's address into your browser or using a bookmark instead.
- Check the source yourself. Whether the sender is a business or a person, contacting them directly should settle the doubt. Use an official telephone number (from the organization's website, your card or a statement), not one included in the message, and start a fresh message rather than replying to the suspicious one. Never disclose personal information if you did not initiate the call or contact yourself.
- Report the attempted fraud. Several bodies may have jurisdiction depending on the message received. You can report it as spam or phishing to your email provider, alert the company being impersonated, or contact the Canadian Anti-Fraud Centre. If you work for an organization with a security team, forward the message to them first, since the original headers help them block similar messages.
- Delete the message. There is little risk in deleting an email: most legitimate organizations will contact you again if action on your part is really required, and removing the message ensures that no one clicks on it by accident.
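The "hover to see where the link really goes" check above can also be automated. The following script is an added example written for this page, not code from the original article or from any organization it mentions: it parses a constructed HTML email, extracts every link with its visible text, and flags the tricks phishers rely on (visible text showing one domain while the link goes to another, raw IP addresses, a `user@host` prefix that hides the real host, and hosts that are not a domain of the claimed sender). The bank domain `examplebank.ca` and the email body are assumptions made up for the example, and the "last two labels" rule for the registrable domain is a deliberate simplification (real tooling uses the public suffix list).

```python
"""Flag suspicious links in an HTML email body (added example, constructed data)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: what a phishing email imitating an (assumed) bank might look like.
SAMPLE_EMAIL = """
<p>Your account has been limited. Please verify your details within 24 hours.</p>
<a href="http://examplebank.ca.secure-login.example/verify">https://www.examplebank.ca/login</a>
<a href="https://examplebank.ca@203.0.113.5/update">Update your details</a>
<a href="https://www.examplebank.ca/help">Help centre</a>
"""

# Domains the claimed sender really uses (assumption for the example).
TRUSTED_DOMAINS = {"examplebank.ca"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(href, text, trusted_domains):
    """Return a list of human-readable findings for one link; empty means nothing odd."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""

    if parts.scheme not in ("http", "https"):
        findings.append(f"unusual scheme {parts.scheme!r}")

    # A bare IP address is rarely how a bank or retailer publishes a login page.
    try:
        ipaddress.ip_address(host)
        findings.append(f"link points at a raw IP address ({host})")
    except ValueError:
        pass

    # "https://examplebank.ca@evil/" makes the real host look like a path of the bank.
    if "@" in parts.netloc:
        findings.append("user@host prefix hides the real destination host")

    # Visible text that looks like a URL or domain but does not match the real host.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"text shows {shown.group(1)} but link goes to {host}")

    if host and registrable_domain(host) not in trusted_domains:
        findings.append(f"{host} is not a domain of the claimed sender")

    return findings


def scan_email(html, trusted_domains):
    """Return [(href, text, findings)] for every link that raised at least one finding."""
    extractor = LinkExtractor()
    extractor.feed(html)
    results = []
    for href, text in extractor.links:
        findings = inspect_link(href, text, trusted_domains)
        if findings:
            results.append((href, text, findings))
    return results


if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(f"[suspicious] '{text}' -> {href}")
        for finding in findings:
            print(f"    - {finding}")
```

Run it on a saved `.eml` body by reading the HTML part into `scan_email`; the "Help centre" link, which really goes to the trusted domain, produces no findings, while the other two are flagged for exactly the reasons a careful hover would reveal.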
And preventive measures are always essential:
- Protect your computers and mobile devices. If you haven't already, install reputable antivirus software and let it scan your computer regularly. Also get in the habit of keeping your operating system, browsers and applications up to date, since updates fix security flaws that attackers exploit. Where available, enable two-factor authentication on your email and financial accounts, so that a stolen password alone is not enough to get in.
The main difficulty with phishing is the many forms it can take. Being wary of a message about a big win in an obscure sweepstakes is easy; spotting a fake email from a site you visited only recently is much harder. Add the fact that malware can operate silently for months, and it is clear that the best tactic is simply not to get caught in the first place. Prevention requires vigilance from everyone, including digital platform owners. Share these best practices with the people around you and supplement your knowledge by learning how to protect your passwords and credit cards.
Several measures exist to protect you from fraud.