PHISHING
How not to get tricked in cyberspace?
What’s the lesson about?
Deceiving, manipulating, and cheating a person is cheaper, faster, and on the whole more effective than attacking technology that has been secured in various ways. For these reasons, phishing has become one of the most popular methods used by cyber attackers.
The module contains five parts:
- We will discuss what phishing means and why it concerns you.
- We will explain the principles to adhere to in electronic communication.
- We will show what phishing can look like in your inbox.
- And what to do if you encounter phishing yourself.
- In the conclusion, you will try out in a quiz how you would fare against a real attacker.
1. What is phishing and how does it concern me?
Phishing is a technique where attackers use seemingly legitimate emails, SMS messages, or websites to deceive victims and prompt them to take some action, such as downloading a file, sending information, or entering a password on a fake website.
You can no longer tell at first glance whether you are reading a fake e-mail. The sender, content, and visual appearance will look trustworthy, as if the school, bank, or another institution had sent it. You open the attachment or enter your login credentials, and that's it, they got you. You may notice the consequences immediately, but it often takes weeks.
It's important to realize that if we have the time and calm to examine the content of a message, we can often recognize phishing. However, in the usual work rush or under the pressure of various crisis situations, our vigilance may wane. And given that phishing concerns everyone, it's only a matter of time before a fraudulent email appears in our inbox. Therefore, it is crucial to always be vigilant when handling emails.
2. What to watch out for and how to detect phishing?
Detecting phishing doesn't have to be complicated. The key is to develop a habit of regularly checking a few basic elements in your emails.
#1 Sender
Attackers use various methods to mask their identity, aiming to appear trustworthy. This includes manipulating email addresses, using misleading display names, or mimicking the visual style of organizations.
Therefore, check the sender's actual address, not just the displayed name, and look for even the smallest changes, such as the letter "u" replaced with "v". The difference between "@mail.muni.cz" and "@mail.mvni.cz" is obvious when spoken, but in writing it is almost imperceptible at first glance. This is a common trick used by fraudsters to pose as trustworthy sources.
#2 Links
Check where the links in an email really lead. Every link is a potential risk, so if you are unsure of its origin, it is better not to click on it.
Hover your cursor over the link without clicking on it. Depending on your email client, the real destination address will be shown, typically in the status bar at the bottom of the window, and it may differ from the address printed in the link text. Again, watch out for slight letter substitutions! There is a big difference between "id.muni.cz" and "id.munl.cz".
#3 Attachments
Always be skeptical and never open suspicious attachments. If you have any doubts, verify the authenticity of the attachment with the sender or the relevant institution through another channel, such as by phone, using a contact you already have rather than one given in the email.
Always be alert and critical if an email contains a request formulated to create a sense of urgency, curiosity, desire, fear, or envy, or is otherwise suspicious.
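The two habits above, checking the sender's real address and the real target of each link, can be automated for a whole mailbox. The following is an added example written for this page, not code from the course or from CSIRT-MU: it parses a constructed sample message, compares the sender and link domains against a small list of domains the reader trusts, and flags addresses that differ by only a letter or two (the "mvni"/"munl" trick), or whose visible link text names a different host than the real destination. The trusted-domain list, the sample message and every name in it are assumptions made up for the example.

```python
# Added example (not from the original course): automates the "sender" and
# "links" checks. The trusted-domain list, the sample message and all names
# below are constructed for this example.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the reader genuinely expects mail and links from (assumption).
TRUSTED_DOMAINS = ("muni.cz", "mail.muni.cz", "id.muni.cz")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one substituted letter ("u" -> "v") costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain `host` imitates, or None if it is genuine
    (exact match or a real subdomain) or simply unrelated."""
    h = host.lower().rstrip(".")
    if h in trusted or any(h.endswith("." + t) for t in trusted):
        return None
    # "muni.cz.evil.example": trusted name used as a prefix, real owner elsewhere
    for t in trusted:
        if h.startswith(t + "."):
            return t
    # one or two letters changed, e.g. mail.mvni.cz or id.munl.cz
    dist, best = min((edit_distance(h, t), t) for t in trusted)
    return best if dist <= 2 else None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw: str, trusted=TRUSTED_DOMAINS):
    """Return human-readable findings for one raw (RFC 822) message."""
    msg = message_from_string(raw)
    findings = []

    # #1 Sender: the address in angle brackets matters, not the display name.
    _name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    t = lookalike(sender_host, trusted)
    if t:
        findings.append(f"sender domain {sender_host} imitates {t}")

    # #2 Links: compare the real href with what the reader sees.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        t = lookalike(host, trusted)
        if t:
            findings.append(f"link {href} points to a domain imitating {t}")
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != host:
            findings.append(f"link text shows {shown.group(1)} but goes to {host}")
    return findings


# Constructed sample: a lookalike sender and a link whose text lies about its target.
SAMPLE = """\
From: "IS MU" <noreply@mail.mvni.cz>
To: student@mail.muni.cz
Subject: Your account will be blocked today
Content-Type: text/html; charset=utf-8

<p>Sign in within 24 hours to keep your account:</p>
<a href="https://id.munl.cz/login">https://id.muni.cz/login</a>
<p>Regards, IT support</p>
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```

The subdomain test runs before the distance test on purpose: "is.muni.cz" is a real subdomain of a trusted domain and must not be reported just because it is one letter away from "id.muni.cz". A production tool would use the public suffix list and the organisation's own allow-list instead of the three hard-coded names here.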
Phishing in SMS Messages
Phishing can take many forms and doesn't only come as an email. Imagine receiving an SMS from a parcel carrier stating that you need to pay a delivery fee for a package. Be careful, as this too can be a trick to extract sensitive information from you. This technique is called smishing, and here too attackers work with a sense of urgency and demand immediate action from you. It's important to verify the message carefully before you do anything. How to do this?
- Do not be fooled just because the SMS appears to come from a local number and the contact name is a carrier or other supposed authority.
- If in doubt, always use verified contacts from official websites, not the number provided in the message.
- Just like with an email, it's crucial to check any link to ensure it doesn't lead to a fake website.
- Another useful step is to verify the order number mentioned in the message with the carrier. If the order does not appear as valid, it's likely a smishing attempt, and you should ignore the message.
Call from an Attacker?
Manipulation can also occur over the phone; this insidious technique is called vishing. The attacker disguises themselves, for example, as customer support or the IT department and informs you that you need to take some action (provide a password, transfer money, download an application). Here, the pressure on you is even greater than with other techniques because the attacker is communicating with you in real-time.
Would you recognize something like this immediately? Maybe, but attackers have their methods well-mastered and can be very convincing. So how do you defend yourself in this situation?
- Do not be fooled if the name of your bank or the police appears on your phone's display. Attackers can easily fake this.
- If the caller is putting pressure on you, hang up and call the institution back yourself, on a number you look up on its official website, not the number that called you or one the caller gives you. That way you are likely to reach the actual institution.
- Always take time to verify and contact the institution directly through their official channels.
4. How to Act When You Detect Phishing?
Just as important as detecting phishing is reporting it. At MUNI, thanks to your report, the CSIRT-MU team can intervene to limit the spread of phishing, for example, by blocking the fraudulent site linked in the email. Additionally, we can warn other users.
Did you receive a strange email from the dean? Does the login to the IS look suspicious? Speak up, even if you're not sure whether it's any form of attack.
Evaluating the threat is the job of specialists. So-called incident handlers deal with hundreds of reports and false alarms annually. Often, it is a user report that alerts to a security threat. Thanks to your awareness and reporting, CSIRT-MU can react swiftly, create security recommendations, and alert other users.
And how to do it? In Outlook, click on "Report phishing attack", or contact us through the reporting form.
How to report phishing outside the university environment?
If the phishing message appears to come from a specific organization (e.g., a bank, social network, payment system, etc.), inform that organization.
Most large organizations have an email or a form to report phishing. Platforms like Gmail allow users to report phishing directly within the email interface.
Golden rule: it’s always better to report rather than not to.
5. Quiz: can you recognize a phishing e-mail?
Can you spot a fraudulent phishing email that appeared in your inbox? Let's find out in our quiz!
Challenge: Phishing Quiz
We have prepared a quiz for you where you can test how well you can recognize fraudulent emails. This quiz includes both real phishing emails that were sent to university employees and fictional examples demonstrating possible phishing attacks.
The quiz consists of a total of 10 questions in the form of email samples. During the quiz, you will find out whether you correctly identified an email as phishing or a legitimate message. If you manage to answer at least 8 questions correctly, you will gain access to bonus content. Good luck!
- Remember that detecting phishing may not be easy. It is crucial to remain vigilant and critically question the requests made in emails, even if they look legitimate.
- Remember to verify the sender, links, and attachments. Make sure you have the calm and enough time to perform these checks.
- Just as important as detecting phishing is reporting it.
Bonus for curious users
Stories of social engineering
Although phishing is one of the most common attacks, it is certainly not the only one. Therefore, we have created another course titled "Stories of social engineering," where you will learn about other types of attacks that rely on psychological manipulation, exploiting natural human weaknesses such as curiosity, fear, or inattention.
Ransomware
Why should you never open suspicious attachments? Because of possible viruses and other harmful programs, collectively referred to as malware. And which type of malware is the worst? Ransomware is perhaps the biggest threat. Imagine it as a cybercriminal that takes your data hostage and demands a ransom. This malware penetrates the system, encrypts files, and blocks access to them, paralyzing the activity of a user or an organization. In other words, the data on the computer, and often on any connected drives and network shares it can reach, becomes inaccessible. The attackers then demand payment, usually in cryptocurrency, for the key needed to decrypt the data. Paying does not guarantee that the key will work or that the attackers will not return, so an up-to-date backup kept where the malware cannot reach it is the most reliable protection.
"Browser in the browser" technique
This is a relatively recent phishing trick where attackers draw a fake login window, built from ordinary HTML and images on the fraudulent page, that precisely mimics a real browser pop-up, including a convincing address bar with the legitimate service's URL. Users believe they are entering their login details into a legitimate service, and the attackers capture them. One tell: a real pop-up is a separate window that can be dragged outside the browser's main window, whereas the fake one is trapped inside the page that drew it, and the URL shown in it is just painted text. To protect yourself, check the URL in the real address bar of the browser, use two-factor authentication (ideally a phishing-resistant method such as a hardware security key, since one-time codes can be phished as well), and generally be vigilant when entering sensitive information online. Watch the video below to learn more about this technique.