Phishing attacks are among the most common cyber-attacks and have been around since the mid-1990s. The term is a deliberate misspelling of “fishing”, with the “ph” borrowed from “phreaking”, the older hacker slang for phone-system hacking; the image is that of casting bait and waiting for someone to bite. Phishing attacks rely on manipulation and deception to get the target to hand sensitive information, such as passwords, one-time codes or wallet seed phrases, to the attacker. For cryptocurrency holders it is doubly important to stay vigilant, because a stolen private key or seed phrase cannot be recovered by calling a bank. To prevent these attacks you need to understand what a phishing attack is, how it is carried out and what measures are available to deal with it.
The nature of phishing attacks
Phishing messages are designed to create a sense of urgency so that the target acts before thinking. For instance, a message might claim that your child has been in an accident and ask you to download a document with consent details; opening the document installs malware on your device.
How much effort goes into the message depends on the target. Mass phishing campaigns go out to many recipients the attacker knows nothing about, so the messages are vague and generic (“your account has been suspended”) and carry no details that would confirm their authenticity. When a specific person is targeted, known as spear phishing, the attacker researches the victim first, and the message is tailored with realistic, believable details such as the victim’s name, employer or a recent transaction. The difference is purely one of effort and reconnaissance, and it is these variations that give rise to the different types of phishing attack.
How to prevent phishing attacks
Since phishing attacks rely on manipulating human behaviour, they fall under the category of social engineering attacks. Therefore, besides dealing with the technical aspects of the attack, you also have to consider the psychological aspects and defend against them.
Protection against social engineering attacks
Defending against social engineering is a lot like psychological warfare. Since the attacks prey on emotions, you should avoid making decisions while under emotional strain; the urgency in the message is there precisely to stop you from pausing. Before that, though, you need to learn how social engineering attacks work, because you can only recognise an attack whose shape you already know. Always confirm the identity of the sender before replying to or acting on a message. Keep in mind that the From address on an email and the caller ID on a phone call can both be spoofed, so confirm through an independent channel: call the number printed on your card or on the company’s official site, not the one given in the message.
Once you are prepared for the psychological side of a phishing attack, the next consideration is the technical side, starting with device security. A compromised or out-of-date device turns a single careless click into a full takeover, so keep your operating system and browser updated, and run anti-malware software that scans attachments and downloads and blocks known malicious links. Your mail provider’s spam filter stops many phishing messages before they reach you, and modern browsers warn about known phishing and malware sites; leave those protections on. Additionally, do not hand your device to people you don’t know, who could tamper with its security.
To avoid your account being compromised, proper account security is a necessity. Passwords are one of the weakest points of account security: they get reused across sites, guessed, and, in a phishing attack, simply typed into the attacker’s page. A password manager helps on all three counts. It generates a unique password per site, and because it only fills credentials on the exact domain it saved them for, it will stay silent on a lookalike domain, which is itself a useful warning sign. Also make a habit of using bookmarks or typing the address yourself instead of following links in emails or texts.
If the account offers Two-Factor Authentication (2FA), it’s highly recommended you enable it. Yes, it’s one extra step during login, but it takes less than 10 seconds and greatly increases your overall account security. If given the option, always choose app-based 2FA rather than text messages: SMS codes go to whoever controls your phone number, and in one widely reported case an attacker who had taken over a victim’s AT&T number through a SIM swap stole about 24 million USD in cryptocurrency. I’ve personally used both Google Authenticator and 2STP (which I highly recommend). If you want to go the extra mile, a dedicated YubiKey (a Ledger Nano S or X hardware wallet can also act as a U2F security key) gives the strongest protection against phishing: the key signs a challenge that is bound to the site’s real origin, so a lookalike domain cannot obtain a response it can use, and there is no code for you to type into the wrong page.
I’ll also take this opportunity to reiterate, “Not Your Private Keys, Not Your Coins”. If your coins are stored on an exchange, you hold a claim against the exchange rather than the coins themselves, and you are at the mercy of exchange hackers and/or unscrupulous CEOs. Keep your cryptocurrency in your own wallets, where only you control the private keys.
Phishing is a threat that cannot be ignored, primarily because it is hard to defend against with technology alone. The best preparation is awareness of how the attacks work. Don’t blindly click links; hover over them and check that the domain name is legitimate. The part that matters is the registrable domain, the label immediately before the top-level domain, because attackers routinely put the real brand name in a subdomain or in the text of the link while the address itself points elsewhere. Just as you wouldn’t trust a PayPal email from “email@example.com”, don’t trust a supposed Bank of America link pointing at http://bancOf23fksdf.us.
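The hover check described above and the domain binding that makes a password manager refuse to autofill on a lookalike site both come down to one question: what is the registrable domain the link really points to? The following is an added Python example, not code from the original post, that answers it for the common tricks: the brand name placed in a subdomain, credentials in the URL (`brand.com@evil-host`), bare IP addresses, punycode or non-ASCII homoglyph hosts, a trusted domain served over plain HTTP, and visible link text that disagrees with the real `href`. The `TRUSTED` allowlist and the sample URLs are constructed for the example (the Bank of America lookalike is the one from the text), and the short `MULTI_LABEL_SUFFIXES` set is a stand-in for a real Public Suffix List lookup.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed for this example: the registrable domains this user actually
# transacts with. A password manager's vault plays the same role.
TRUSTED = {"paypal.com", "bankofamerica.com", "example.com"}

# Stand-in for the Public Suffix List: suffixes under which the registrable
# domain has three labels (login.example.co.uk -> example.co.uk).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Visible anchor text that itself looks like a URL or a bare hostname.
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def registrable_domain(host):
    """Return the label right before the public suffix plus the suffix, e.g.
    www.paypal.com.secure-login.us -> secure-login.us."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url):
    """Classify a link the way a careful hover check would. Returns (trusted, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "unexpected scheme %r" % parts.scheme
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if not host:
        return False, "no host in link"
    if "@" in parts.netloc:
        # https://paypal.com@evil.example.net/ -> the browser goes to evil.example.net
        return False, "userinfo trick: real host is %s" % host
    if not host.isascii():
        return False, "non-ASCII host, possible homoglyph"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode host, possible homoglyph"
    try:
        ipaddress.ip_address(host)
        return False, "bare IP address instead of a domain"
    except ValueError:
        pass
    domain = registrable_domain(host)
    if domain not in TRUSTED:
        return False, "registrable domain %s is not trusted" % domain
    if parts.scheme != "https":
        return False, "%s is trusted but the link is plain HTTP" % domain
    return True, domain


def hover_mismatch(display_text, href):
    """True when the visible text names one site but the link goes to another."""
    shown = display_text.strip()
    if not LOOKS_LIKE_URL.match(shown):
        return False  # 'Click here' style text: nothing to compare against
    if "://" not in shown:
        shown = "https://" + shown
    shown_host = urlsplit(shown).hostname
    real_host = urlsplit(href).hostname
    if not shown_host or not real_host:
        return False
    return registrable_domain(shown_host) != registrable_domain(real_host)


if __name__ == "__main__":
    # Constructed sample links, including the lookalike from the text above.
    samples = [
        "https://www.paypal.com/signin",
        "https://www.paypal.com.secure-login.us/signin",
        "https://paypal.com@evil.example.net/",
        "http://bancOf23fksdf.us",
        "https://xn--pypal-4ve.com/",
        "http://192.0.2.10/login",
        "http://www.bankofamerica.com/",
    ]
    for s in samples:
        print("%-48s %s" % (s, check_link(s)))
    print(hover_mismatch("https://www.bankofamerica.com/", "http://bancOf23fksdf.us"))
```

Note that the check deliberately ends at the registrable domain rather than the full hostname: `www.paypal.com` and `paypal.com` are the same owner, but `paypal.com.secure-login.us` is not, which is the distinction the eye tends to miss when hovering.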
Beware that hackers are always coming up with new ideas, so it’s a never-ending arms race between the baddies and an (often complacent) general public. Keep your passwords strong and unique, your software and your knowledge up to date, and your coins in your own wallets.