You may already be familiar with this kind of attack; it's certainly one of the most well-known. But it's also one of the most effective. Learn to identify the common signs of a phishing attack and its targeted relative, spear phishing.
New Terms:
- Phishing -- A message attempting to trick a person into revealing sensitive information.
- Spear Phishing -- A targeted phishing attack intended for a specific person.
- Domain -- The main, or root, portion of the URL. It's the "google.com" part of the "https://google.com/search?q=treehouse" URL.
- Sub-domain -- One or more prefixes before the domain. It's the "drive" part of the "https://drive.google.com/" URL. Phishing emails may disguise the trusted-looking part here, e.g. http://gmail.secure.com is not related to Gmail in any way: its domain is secure.com, and "gmail" is just a subdomain its owner chose.
- Credentials -- Typically a username and password, your credentials are whatever information you use to log in to a site or service.
Now we'll start talking more specifically about some common attacks. And we'll begin with perhaps one of the most well known, phishing. The word comes from the term phreaking, a form of hacking that attacks cell phone communications, combined with the word fishing, since it involves baiting the target. Phishing attacks are often email messages instructing you to confirm your username and password on an external site. But phishing really could be any attempt to trick you into providing sensitive information to an unauthorized party, including phone calls, text messages, or even in-person requests.

I'll point out some red flags or hints that should raise some suspicion when you're reading messages like this. Then you'll be able to better identify phishing attacks and prevent falling for them yourself.

Here is an example of a phishing email. This may look innocent enough, and many people have fallen victim to attempts much like this one. Let's take a closer look at some of the warning signs.

The first thing to notice is that the sender email address is suspicious. This looks like it's meant for the lehigh.edu students, but the sender has an @udd.cl account. Another suspect part is that it's addressed rather generically: "Dear account user." Usually, important emails include valid personal information. There's an urgency to the email, and a risk of losing access if you don't follow the instructions. That should sound some alarms for you as well. There's a grammatical error here; it may seem minor, but genuine emails are typically much more professional. There's a misleading link to click on. A valid link should come from a trusted domain, which is the main part of the URL just before the .com. The subdomain, or the prefix here before the domain, looks like it is associated with the institution. But in fact, whoever owns the jimdo.com website can add anything they want as a subdomain. The email is asking for your credentials. You should almost never be instructed to enter your login information from an email. I would even advise calling the institution directly to verify if you think the message still may be legitimate.

Now, you may have recognized many of these red flags right away. If so, that's great: the better everyone is at identifying phishing attacks, the less likely they will occur. Of course, not all of them have this many red flags. The reality of phishing attacks is that they require almost zero effort to create and send out to targets. And all it takes is one or two people, often out of the thousands who receive the message, to fall for it. Because the effort-to-reward ratio so heavily favors attackers, many experts don't expect phishing scams to go away any time soon.

Spear phishing is a variation of phishing, but quite a bit more insidious. It gets its name from being pointed at someone specific. So it's a message meant to trick you into providing sensitive info, but there is a deceitful familiarity to it. It may look like it's from a friend or someone that knows details about your personal life. Here's an example, and we'll go over the suspicious aspects. Note the sender email again. More grammar mistakes. Of course, authentic messages contain mistakes too. "Refer to the attached document." Attachments could potentially contain viruses or otherwise infect your computer. Do not open them unless you know and trust the sender.

To recap, here are some common red flags for a phishing attack:
- Email or domain doesn't match.
- Careful of subdomains.
- Spelling or grammar mistakes.
- Incredible offers or rewards.
- Inconsistent context.
- Requests for money.
- Urgency, threats or unrealistic risks.
- Government agencies.
- Includes suspicious attachments.
- Asks for your credentials.

Now that you've seen some examples of phishing and its targeted variation, spear phishing, you'll be better able to identify these types of attacks and prevent falling for them yourself.
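As an added example (mine, not from the course), the checks below turn several of the recap's red flags into a small triage function over a raw email: sender domain versus the institution, a generic greeting, urgency wording, a request for credentials, links whose host is outside the institution's domain, and attachments. The sample message is constructed to resemble the lesson's example (including a deliberate grammar slip); `lehigh.jimdo.com` is a made-up host, and the regexes are deliberately simple heuristics, not a complete filter.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample modelled on the lesson's red flags; not a real message.
SAMPLE_EMAIL = """\
From: Account Services <helpdesk@udd.cl>
Subject: Urgent: verify your account
Content-Type: text/plain

Dear Account User,

Your mailbox have exceeded its quota. Confirm your username and password at
http://lehigh.jimdo.com/verify within 24 hours or your access will be suspended.
"""

URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours?|suspended?|expires?)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|username|log ?in|credentials)\b", re.I)
GENERIC_GREETING = re.compile(r"^dear (account user|customer|user|member)\b", re.I | re.M)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)


def in_domain(host: str, trusted: str) -> bool:
    """True if host is trusted or a subdomain of it ('lehigh.jimdo.com' is not under 'lehigh.edu')."""
    host, trusted = host.lower().rstrip("."), trusted.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def red_flags(raw_message: str, institution_domain: str) -> list:
    """Return the lesson's red flags that a raw RFC 822 message triggers; an empty list means none."""
    msg = message_from_string(raw_message)
    flags = []
    sender = parseaddr(msg.get("From", ""))[1]
    if not in_domain(sender.rpartition("@")[2], institution_domain):
        flags.append("sender domain does not match the institution")
    body = "\n".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting")
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        flags.append("urgency or threat of losing access")
    if CREDENTIALS.search(body):
        flags.append("asks for credentials")
    for url in URL.findall(body):
        host = urlsplit(url).hostname or ""
        if not in_domain(host, institution_domain):
            flags.append(f"link to untrusted domain: {host}")
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        flags.append("suspicious attachment")
    return flags
```

Calling `red_flags(SAMPLE_EMAIL, "lehigh.edu")` reports the sender mismatch, generic greeting, urgency, credential request and the jimdo.com link, and nothing for a plain message from a subdomain of the institution.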