BPI’s Data Protection Officer Jonathan John B. Paz shares tips on identifying phishing attacks and how to beat them
It has become easy enough to identify and dismiss e-mails from people pretending to be relatives who get in trouble abroad, or from do-gooders asking for help for victims of calamities. These “appeals” have been exposed for what they are—scams.
However, this familiarity, together with the sense of security derived from the advanced features of most mobile phones and messaging apps, makes vigilance against phishing even more relevant and indispensable. After all, scammers are experts at evolving with the times.
According to Internet security firm Kaspersky Lab, phishing attempts increased by 27.5% in the third quarter of 2018, reaching 107,785,069 recorded attempts. The financial segment bore the brunt of the attacks, with over a third aimed at banks, payment systems, and e-commerce organizations.
Jon Paz, Bank of the Philippine Islands (BPI)’s Data Protection Officer and Enterprise Information Security Officer, explains the common phishing scams and shares some tips to protect against such attacks, especially during long weekends and holidays when criminals take advantage of increased activity online.
“Often, fraudulent e-mail will alert you to a problem that may be fixed if you ‘verified’ your information by clicking on a link, or ask you to support disaster relief efforts or even a political campaign by providing your information using a form embedded in the message,” Paz says.
Common phishing schemes to watch out for
Spear phishing – Social engineers target and focus on a specific individual or organization. They use information that is particular to the recipient, usually sourced from social media accounts, to appear legitimate and gain the person’s trust. Because these attacks are specific, their chances of success are generally high.
Malvertising – Derived from “malicious” and “advertising”, social engineers create a malicious advertisement designed to spread malware that later damages the system. That way, social engineers gain access to sensitive information.
Whaling scam – Impersonating the CEO or another company executive is another way for social engineers to steal information. They send e-mails to their victims under the name of the CEO or executive to make the message look like a genuine request.
Vishing – Also known as voice phishing: social engineers use fake caller IDs and ask the victim to key in his or her personal information.
Smishing – Social engineers send text messages containing a link to a phishing website to many different numbers, hoping to victimize as many recipients as they can.
Protect yourself against phishing
Make sure to double-check e-mails from your bank and online sellers. “Banks will never e-mail to ask you to verify your personal information. If any action is requested by the bank through e-mail, you should contact the bank through their official channels,” Paz says.
Paz also cautions against posting personal information and updates on social media. These may be used by scammers already in possession of your login credentials to steal your identity and pass the security checks of your bank and credit card companies.
“Leave out your birthday, contact details, and even vacation plans on social media,” he says.
Those who think of themselves as wise in the ways of fraudsters may grow lax and in the process become easier targets for scammers and phishers, Paz warns. It’s always good to pause and check for the telltale signs of phishing, like incorrectly spelled URLs in e-mail links and requests for personal data and confidential information.
And if you receive an e-mail from a source that you know but it looks suspicious—for instance, the e-mail was unsolicited, it contains grammatical errors, or it redirects you to another site—write to that source in a new e-mail instead of just hitting reply.
“Vigilance is key to protecting yourself from phishing,” Paz says. “This way, we can stay a step ahead of scams and cyber-attacks.”