Phishing is a simple attack that requires little skill to carry out, and it is unfortunately effective. Attackers routinely steal customer login credentials with little more than a forged email and a copy of a login page.
Here’s how phishing attacks work and how you can prevent them.
==> What Is a Phishing Attack?
Named by analogy with “fishing,” a phishing attack is one in which an attacker sends your customers an email that looks like an official message from you, in order to lure a password (or other credential) out of them.
For example, let’s say you run a business selling jackets online. The hacker might send your customers an email that looks like it’s from you. The email might say that an item they purchased was defective and they’re eligible for cash back.
In order to qualify, they have to log in to their account to see if they’re owed any money. As people hate to miss out on free money, it’s likely they’ll click through to “your site” to log in.
Though the link looks like it points to your site, it actually leads to a page under the attacker’s control that is a copy of yours. Once the user types in their username and password, the credentials are logged by the attacker immediately; the fake page often then redirects to your real login page so the victim assumes they simply mistyped.
==> Email Spoofing Is Not Difficult
People often overestimate the difficulty of email spoofing.
How hard is it to send someone an email that appears to come from “obama@whitehouse.gov” or “yourname@yourdomain.com”?
The answer: not all that difficult.
The sender that a mail client displays is just the From: header, a line of text inside the message that the sender writes. SMTP itself never checks that this header matches where the message actually came from. The checks that do exist (SPF, DKIM and DMARC) only bite when the domain in the From: header publishes a DMARC policy and the receiving server enforces it; a domain that publishes no such policy can be forged freely.
In other words, forging the header so the email appears to come from you takes no special skill: any mail library lets the sender set From: to whatever they like.
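The following is an added example and not code from the original article. It builds a message whose visible From: names the brand while the SMTP envelope sender is the attacker’s own domain, then runs the message through a simplified relaxed-alignment DMARC decision to show why the forgery is accepted when the brand publishes no policy and rejected when it publishes p=reject. Nothing is sent; the SPF/DKIM outcomes are constructed inputs standing in for what a real receiver would determine via DNS, and yourdomain.com and attacker.example are assumed names.

```python
# Added example, not from the original article: how a forged From: header
# slips through, and what a DMARC check on the receiving side compares.
# Nothing is sent; the SPF/DKIM outcomes are constructed inputs standing in
# for what a real receiver would determine by DNS lookups. "yourdomain.com"
# and "attacker.example" are assumed names.
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, Optional, Tuple

BRAND_DOMAIN = "yourdomain.com"


def build_spoofed_message(envelope_from: str, header_from: str) -> Tuple[str, EmailMessage]:
    """Build a message whose visible From: is unrelated to the SMTP envelope
    sender. RFC 5322 ties nothing together here: the header is text the sender
    chooses, and the envelope (MAIL FROM) travels outside the message."""
    msg = EmailMessage()
    msg["From"] = header_from                 # what the customer's mail client displays
    msg["To"] = "customer@example.net"        # constructed recipient
    msg["Subject"] = "Refund available for your recent order"
    msg.set_content("Log in to check whether you are owed money.")
    return envelope_from, msg


def domain_of(addr: str) -> str:
    """Domain part of an address such as 'Shop Support <support@yourdomain.com>'."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def organizational_domain(domain: str) -> str:
    """Approximate the DMARC organizational domain as the last two labels.
    Real implementations consult the Public Suffix List (think co.uk); the
    simplification is adequate for the .com/.example names used here."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_evaluate(header_from: str, spf_domain: Optional[str],
                   dkim_domain: Optional[str], policy: str) -> str:
    """Decide the receiver's action under relaxed DMARC alignment.

    spf_domain  -- MAIL FROM domain, if SPF passed for it, else None
    dkim_domain -- d= domain of a valid DKIM signature, else None
    policy      -- p= value published by the From: domain ('none',
                   'quarantine', 'reject'), or '' if it publishes no record
    Returns 'deliver', 'quarantine' or 'reject'.
    """
    from_org = organizational_domain(domain_of(header_from))
    spf_aligned = spf_domain is not None and organizational_domain(spf_domain) == from_org
    dkim_aligned = dkim_domain is not None and organizational_domain(dkim_domain) == from_org
    if spf_aligned or dkim_aligned:
        return "deliver"                      # DMARC pass: an aligned identifier vouched for it
    if policy == "reject":
        return "reject"
    if policy == "quarantine":
        return "quarantine"
    return "deliver"                          # no record, or p=none: the forgery goes through


def demo() -> Dict[str, str]:
    """Run the forged message past each possible policy of the brand domain.
    SPF genuinely passes, but only for the attacker's own domain, which is
    exactly the gap that alignment is designed to close."""
    envelope_from, msg = build_spoofed_message(
        envelope_from="bounce@attacker.example",
        header_from=f"Shop Support <support@{BRAND_DOMAIN}>")
    outcomes = {}
    for policy in ("", "none", "quarantine", "reject"):
        outcomes[policy or "no-record"] = dmarc_evaluate(
            str(msg["From"]), spf_domain=domain_of(envelope_from),
            dkim_domain=None, policy=policy)
    return outcomes


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:>10}: {action}")
```

The point of the demo is the first two rows: with no DMARC record, or with p=none, a message that passes SPF for the attacker’s own domain is still delivered with your address in the From: line. Only an aligned identifier (SPF for a domain under yourdomain.com, or a DKIM signature with d=yourdomain.com) produces a DMARC pass; everything else is subject to whatever policy you publish.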
==> Where Do Hackers Get Emails From?
If your service is large enough that everyone in a certain industry uses it, attackers can simply scrape addresses from any website. PayPal, for example, is so widely used that an attacker can blast more or less any list of addresses with a PayPal-themed phishing email and expect a good share of the recipients to be PayPal customers.
If you run a smaller site, attackers are more likely to harvest addresses from your forums or anywhere else user data is exposed, or to obtain a customer list by breaking into your server.
==> Combating Phishing
Educating your customers is the most important defence, and the one most businesses neglect, but it is not the only thing you can do. The phishing email itself never touches your server: the customer opens it, follows a link to the attacker’s page and hands over their password there, so no amount of server hardening stops that step. Two measures on your side do help. Publishing SPF, DKIM and a DMARC policy of quarantine or reject for your domain means receivers that check DMARC will drop mail that forges your exact address, pushing attackers onto lookalike domains that are easier for users to notice. Offering multi-factor authentication means a stolen password alone is no longer enough; note that one-time codes can still be relayed by a real-time phishing proxy, and only phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys close that gap, because they are bound to your real domain.
Talk to your users about phishing. Tell them you will never ask for their password by email. Warn them about clicking links in emails, and encourage them to check the address bar rather than the link text before entering credentials: the domain that matters is the one immediately before the first single slash, read from the right, so “yourdomain.com.something-else.example” is not your site.
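As an added example (not code from the original article), the following script audits the links in a constructed phishing-style HTML body the way a customer is being asked to: it pairs each link’s visible text with the host the browser would really connect to, and flags links whose real host is not the brand domain. The three tricks it exposes are the brand name buried in a subdomain of the attacker’s domain, the brand name placed in the URL’s userinfo before an “@”, and a lookalike Unicode hostname that only reveals itself in its xn-- (IDNA) form. The HTML body is constructed for the example and yourdomain.com is an assumed brand domain.

```python
# Added example, not from the original article: where do the links in a
# phishing email really go? The HTML below is constructed for this example
# and "yourdomain.com" is an assumed brand domain.
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

BRAND_DOMAIN = "yourdomain.com"

# Constructed phishing-style body. Every visible link text looks like the
# brand; each href uses a different trick to point somewhere else, except
# the last one, which is genuine.
SAMPLE_HTML = """
<p>We owe you a refund. <a href="https://yourdomain.com.refund-center.example/login">Log in at yourdomain.com</a></p>
<p>or <a href="https://yourdomain.com@refund-center.example/login">https://yourdomain.com/account</a></p>
<p>or <a href="https://yourdomaín.com/login">https://yourdomain.com/login</a></p>
<p>or <a href="https://secure.yourdomain.com/login">secure.yourdomain.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Pair each <a href> with the text the reader actually sees."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []   # (href, visible text)
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, text.strip()))
            self._current = None


def real_host(url: str) -> str:
    """The host the browser will connect to, in the ASCII form it resolves.
    urlsplit strips the user@ part (userinfo is not the host), and IDNA
    encoding turns a lookalike Unicode hostname into its tell-tale xn-- form."""
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii")


def belongs_to_brand(host: str, brand: str = BRAND_DOMAIN) -> bool:
    """True only for the brand domain itself or a subdomain of it. The match
    is anchored at the right-hand end, which is exactly what a name like
    'yourdomain.com.refund-center.example' is designed to make a human miss."""
    return host == brand or host.endswith("." + brand)


def audit_links(html: str, brand: str = BRAND_DOMAIN) -> List[Tuple[str, str, str]]:
    """Return (visible_text, real_host, verdict) for every link in the body."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        host = real_host(href)
        verdict = "ok" if belongs_to_brand(host, brand) else "suspicious"
        report.append((text, host, verdict))
    return report


if __name__ == "__main__":
    for text, host, verdict in audit_links(SAMPLE_HTML):
        print(f"{verdict:<10} shown: {text!r:<38} real host: {host}")
```

Run it and the first three links come back as suspicious with their real hosts (refund-center.example twice, and an xn-- hostname for the accented lookalike), while only the genuine secure.yourdomain.com link passes. This is the same reasoning you want customers to apply by eye: ignore the link text, read the host in the address bar from the right, and be wary of anything that is not exactly your domain or a subdomain of it.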