The email may look genuine, and the link it includes is hard to resist: a package held at customs, a notice from the bank about a credit card charge… maybe even a prize we won. Phishing cyber attacks are a real threat, one that takes advantage of the weakest link in the chain: people.
The scam works through deception. The attacker creates emails or text messages that look virtually identical to those of the company they are trying to impersonate, usually urging the recipient to either click on a link or open an attachment; the former to harvest credit card or banking data, the latter to introduce some kind of malicious software into the system.
AI to escalate the attacks
In terms of the quantity and accuracy of the phishing attacks, the outlook is not good. “Advances in artificial intelligence will cause a frenzy of identity theft,” explains Francisco Arnau, regional vice president of cybersecurity firm Akamai for Spain and Portugal. “Looking forward, we can expect constant advances in artificial intelligence, such as those seen in systems like GPT-3, to make targeted phishing more compelling, scalable and common.”
These systems allow for the generation of “millions of email or text messages, each tailored to an individual recipient, and each with compelling human-like qualities,” Arnau continues. This will pose a significant challenge to existing anti-phishing technologies and “will make it much more difficult for people to detect suspicious messages.”
How to protect yourself from a phishing attack
The first thing to understand is that these attacks can target anyone. They make no distinction between individuals or companies, and are launched en masse – with devastating consequences for those who fall for them.
The numbers are overwhelming: it is estimated that around 15 billion emails of this kind are sent every day, a third of which are opened. This technique is also responsible for 90% of all security breaches in the world. So how can you protect yourself from a phishing attack?
Suspicion is your greatest ally
“When you receive a very tempting offer, it is better to doubt,” explains Fernando Suárez, president of the General Council of Official Colleges of Computer Engineering in Spain. This expert appeals to the most important protective barrier, one that can save the user from serious consequences. “A bank will never ask us to change the password through an email or by clicking on a link.”
Kevin Mitnick, a famous former hacker, explains to EL PAÍS that “people tend to trust unless they have already been the victims of a cyber attack, or if they have been taught about the threat of phishing.”
Never click on a link, and ask before opening an attachment
All phishing attacks include one of two essential elements: either a hyperlink or an attachment. The goal of the attackers is to obtain valuable information from the recipient (to gain access to their checking account or credit card) or to install malware with even worse intentions.
“If you receive a hyperlink and it leaves you in doubt, it’s best to manually type in the URL of the company it claims to be from,” Suárez points out, noting that those links are usually maliciously manipulated. In any case, the general rule should be to never click on a link or open an attachment that comes in an email. For the latter, the recommendation is to contact the sender by other means to verify the source of the attachment, either with a phone call, a WhatsApp message or an SMS. But never respond to the email.
Check the “From” field
Cyber attackers are becoming more sophisticated when it comes to crafting emails, but they can’t always camouflage them completely. One clue to spotting the scam lies in the domain of origin: if you come across senders with domains like “microsoft-support.com” or “apple-support.com” (similar to the authentic ones, but not quite), you are looking at a phishing attack. In any case, and when in doubt, it is best not to engage with that email.
The same applies to text messages, explains Suárez, who warns of an additional risk: on mobile phones we are less careful and act more impulsively than on computers. Shipping companies are collateral victims of cyber attacks, especially during periods of high activity, such as Christmas. A cryptic message demanding the payment of a customs charge for a parcel will be phishing in disguise: “a bank or other large entities will never demand an immediate payment by mobile phone,” explains Suárez. The problem isn’t so much the payment, which is usually low, as the fact that when you make it, you’re handing over your credit card information to scammers.
What time was the message sent?
Mitnick’s experience in this area is invaluable. The expert provides a telling sign that can help identify phishing: the time the message was sent. Be wary of a message sent before sunrise demanding payment or an answer. Internet users usually interact with contacts in their own time zone, so any activity outside of those hours should be cause for suspicion.
In the same way, the “Subject” field can be a sign of an email’s intent: Is the language too informal? Do they address you with your email address instead of your name? Additionally, if the subject field shows a “Re:” indicating a reply to an email you never sent, you’re seeing another camouflage technique used by cyber attackers.
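The three header checks described above (sender domain, send time, and a "Re:" subject on mail you never sent) can be expressed as a small triage routine. This is an added example, not part of the original article; the trusted-domain list, the recipient's time zone, the "before sunrise" window, the sent Message-IDs and both sample messages are constructed assumptions.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumptions for this sketch, not values from the article:
TRUSTED = {"microsoft": "microsoft.com", "apple": "apple.com"}  # brand -> real domain
RECIPIENT_TZ = timezone(timedelta(hours=1))   # recipient's local offset
QUIET_HOURS = range(0, 6)                     # "before sunrise" read as 00:00-05:59
SENT_IDS = {"<abc123@example.org>"}           # Message-IDs of mail the user really sent

def triage(raw):
    """Return the warning signs found in the headers of one raw message."""
    msg, flags = message_from_string(raw), []
    # "From" field: a brand name inside a domain that is not the brand's own.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for brand, real in TRUSTED.items():
        if brand in domain and domain != real and not domain.endswith("." + real):
            flags.append("lookalike-domain:" + domain)
    # Send time, converted to the recipient's clock.
    try:
        sent = parsedate_to_datetime(msg["Date"])
        if sent.tzinfo is None:               # "-0000" means the offset is unknown
            sent = sent.replace(tzinfo=timezone.utc)
        hour = sent.astimezone(RECIPIENT_TZ).hour
        if hour in QUIET_HOURS:
            flags.append("odd-hour:%02d" % hour)
    except (TypeError, ValueError):
        flags.append("bad-date")
    # Subject: "Re:" on a message that answers nothing the user sent.
    if msg.get("Subject", "").lower().startswith("re:"):
        if (msg["In-Reply-To"] or "").strip() not in SENT_IDS:
            flags.append("reply-to-unsent-mail")
    return flags

# Constructed sample messages.
PHISH = "\n".join([
    "From: Microsoft Support <help@microsoft-support.com>",
    "Date: Tue, 12 Dec 2023 03:12:00 +0000",
    "Subject: Re: Your account", "", "Confirm your password here."])
LEGIT = "\n".join([
    "From: Apple <no_reply@email.apple.com>",
    "Date: Tue, 12 Dec 2023 10:30:00 +0100",
    "Subject: Re: Your receipt",
    "In-Reply-To: <abc123@example.org>", "", "Thanks for contacting us."])

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw))
```

Each flag is a prompt to verify the message through another channel; headers can be forged, so an empty result does not establish that a message is genuine.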
Beware of requests for urgent action
Another technique hackers use when carrying out a cyber attack is to convey a sense of urgency. This is evident in the messages in which purported shipping companies warn you that you have a few hours to pay a fee or a package will be returned. These kinds of companies usually do not send these types of messages, and in any case, the first step you should take in this situation, if you want to confirm the truth of the message, is to contact them in another way.
Your guiding principle should be to “never click or enter your username and password in a conversation you did not initiate; a simple rule that everyone should follow,” states Mitnick.