What Is Phishing and How Do I Avoid It?

Last edited: September 21, 2021

A 2022 guide to phishing

Did you know that a new phishing website is launched every minute? But phishing attackers don't just use websites to fool their victims. All sorts of methods are used, including SMS, email, social media, and more. Nobody is safe; even high-ranking officials can fall victim. In the article below, you'll learn what phishing is, how it can harm you, and how you can protect yourself and your loved ones from its reach.

What is phishing?

Phishing is a type of scam in which the attacker masquerades as a reputable organization or individual.

The goal is to trick the victim into sharing sensitive information such as passwords and credit card details, or to persuade the target, under false pretenses, to send money or install software that contains malware. Phishing affects hundreds of thousands of people and businesses worldwide and is one of the most common forms of cybercrime.

Much like the sport of fishing, phishing criminals lure their victims into a trap. This type of attack is carried out mainly through email, but cybercriminals have also been known to use SMS texting, instant messaging, and voice calls to lure their victims. In fact, no operating system is truly safe from phishing, because the target is the user rather than the software: Windows, Mac, Android, or iPhone users can all become victims of this type of fraud.

Even though phishing is a technologically simple form of cyberattack, it's still highly effective and dangerous; it's much easier to trick a person than to penetrate a computer's defenses. Attackers send millions of fraudulent emails every day, hoping that someone will eventually take the bait.

APWG — Phishing activity doubled in 2020 compared to 2019

Source: APWG's Phishing Activity Trends Report

A typical phishing example is a user receiving a fraudulent email, apparently from a familiar company, that contains a malicious link. The attacker provides a plausible reason for the user to click the link (the bait). Once the target has clicked the link, malware is downloaded (and sometimes installed) onto the user's device, or the link leads to a fake login page that captures whatever the user types. Often that malware is spyware designed to steal the user's data.

According to the FBI's 2020 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 791,790 complaints from American individuals and businesses in 2020, a 69% increase over 2019. IC3 also recorded more than $4.2 billion in losses in 2020, up from about $3.5 billion in 2019. Among all reported incidents, phishing and similar scams were the most common.

FBI — Types of Internet crime by victim count in 2020

Source: FBI 2020 Internet Crime Report


Remember, the attacker wants you to:

  • Reveal personal information

  • Download malware

  • Transfer money into an account

Fortunately, you can avoid phishing attacks once you know the warning signs.

How to recognize phishing

Most phishing attacks follow the same pattern, which makes them easier to detect for those who stay vigilant. Here's how you can recognize phishing scams:

  • It imitates a well-known brand. Attackers often send fraudulent emails impersonating famous brands, such as Apple, Amazon, or a reputable bank, to convince their victims that the emails are genuine. Did you know that, according to Check Point, Apple was the most imitated brand in phishing attacks in early 2020? In the second quarter, however, Google and Amazon phishing emails were more prevalent.

    Phishing attackers copy real companies' logos and branding to make their emails harder to spot. Attackers also use a technique called "spoofing" to lure unsuspecting targets. Spoofing means copying the real sender's display name, email address, and domain. Keep in mind that the display name is free-form text and proves nothing on its own, and that the From address itself can be forged exactly unless the impersonated domain publishes SPF, DKIM, and DMARC records and your mail provider enforces them. When those checks are in place, a forged message from the official address is rejected or quarantined, and the attacker has to fall back on a lookalike domain or a misleading display name.

  • The sender is unfamiliar. If the sender is someone you don't recognize, be suspicious. Consider deleting the message, or, if you want to read it, just don't click any links or open any attachments.

  • The sender is familiar, but the message looks fishy. At other times you may recognize the sender, but it's not someone you usually talk to. If so, that person's email or instant messaging account may have been compromised, and an attacker is using it to send you messages laced with malware.

  • It uses a generic greeting. Most scam emails are not addressed to you specifically. Often they're sent to thousands of people at once, in which case the attacker probably doesn't know your name. Instead, such emails contain phrases like "Dear Sir or Madam" or "Dear Customer."

  • It's riddled with grammatical errors. Phishing emails often contain obvious grammatical and spelling errors. Formatting, design, and image placement may also look clumsy.

  • There's a sense of urgency. Marketers often use tactics that push their target audience to take the desired action quickly. Cybercrooks use the same tactics, but maliciously. For example, they may claim that your account will be suspended unless you change your banking credentials immediately (using the link provided in the email). Other times, a text message may urge you to send money to a relative who is in trouble.

  • The offer is too good to be true. Sometimes phishers claim you've won something very attractive, such as a new laptop or an exotic trip; these are classic scams. Don't be taken in, even if the offer looks irresistible.

  • The links or attachments are suspicious. Almost all phishing messages contain a malicious link, an attachment, or both. Some links may look genuine at first glance, but on closer inspection they give themselves away. Hover over a link to inspect its real destination, but whatever you do, don't click it. Watch for subtle misspellings (such as "Anerica" instead of "America"), a real brand name tacked onto a different domain (in paypal.com.something.net the domain that matters is the last part, something.net), and link text that shows one address while the underlying link points somewhere else. Also, don't open attachments unless you're sure they're safe.
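The checks in the last few bullets (display name versus actual sender address, Reply-To pointing elsewhere, link text versus the link's real destination, lookalike and punycode domains) can be automated. The Python script below is an added example written for this article; it is not code from the original page or from any product the page mentions. It assumes a small per-user allowlist of brand domains (KNOWN_DOMAINS) and runs against a constructed sample message, not a real phishing email.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brands this mailbox actually does business with.
KNOWN_DOMAINS = ("paypal.com", "amazon.com", "apple.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character lookalikes such as 'anerica'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude 'example.com' from 'mail.example.com' (no public-suffix list, so co.uk-style TLDs are wrong)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_domain(host: str, findings: list, where: str) -> None:
    """Flag punycode (IDN homograph) hosts and near-misses of a known brand domain."""
    dom = registrable(host)
    if host.startswith("xn--") or ".xn--" in host:
        findings.append(f"{where}: punycode (IDN) host {host}")
    if dom not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if 0 < edit_distance(dom, known) <= 2:
                findings.append(f"{where}: {dom} looks like {known}")


def analyze(raw: str) -> list:
    """Return a list of human-readable warnings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(addr.split("@")[-1]) if "@" in addr else ""
    # Display name claims a brand whose domain does not match the actual address.
    for known in KNOWN_DOMAINS:
        if known.split(".")[0] in name.lower() and from_dom != known:
            findings.append(f"From: display name '{name}' but address domain {from_dom}")
    check_domain(from_dom, findings, "From")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registrable(reply.split("@")[-1]) != from_dom:
        findings.append(f"Reply-To domain {registrable(reply.split('@')[-1])} differs from From")
    # Inspect every link in every HTML part: the visible text is the bait, the href is the hook.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            host = urlparse(href).hostname or ""
            if not host:
                continue
            check_domain(host, findings, f"link {href}")
            shown = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", text.lower())
            if shown and registrable(shown.group(1)) != registrable(host):
                findings.append(f"link text says {shown.group(1)} but href goes to {host}")
    return findings


# Constructed sample: a lookalike sender, a foreign Reply-To, a brand-prefixed link and an IDN host.
SAMPLE = """\
From: "PayPal Support" <service@paypa1.com>
Reply-To: billing@mail-verify.net
To: victim@example.org
Subject: Your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer, confirm your details within 24 hours:</p>
<a href="http://www.paypal.com.account-verify.net/login">https://www.paypal.com/signin</a>
<a href="http://xn--pypal-4ve.com/">Help Center</a></body></html>
"""

# Constructed clean message for comparison: name, address and link all agree.
CLEAN = """\
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your receipt
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.paypal.com/activity">https://www.paypal.com/activity</a></body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("WARNING:", finding)
    print("clean message findings:", analyze(CLEAN))
```

The script only looks at what a careful reader would look at; it does not verify SPF, DKIM, or DMARC, so it should be read as a triage aid rather than a filter. The registrable-domain helper is deliberately naive (it has no public-suffix list), which is fine for .com brands but would misjudge two-level suffixes such as .co.uk.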


Types of phishing attacks

Phishing scams have evolved and grown in number over the years. The methods described below are so effective that they've lasted for decades.

Bulk email scams

Most phishing emails are sent to millions of users across the globe. Although they don't usually target a specific person, victims are sometimes selected based on the services they use, for example groups of people who use the same bank, social network, or other accounts.

Keep in mind that the messaging in phishing emails varies. For example, an email may ask you to:

  • Click a link to update your payment details on a website

  • Download a program that promises to speed up your computer

  • Send money to a friend that has suffered an accident


Clone phishing

Clone phishing may be the hardest scam to detect. That's because the attacker sends an almost identical copy of an email the victim is already familiar with, for example a notice about paying your next Netflix bill.

The scammers use the same body (header, fonts, colors, design, language, etc.) but swap the link for a malicious one. The sender's address will usually differ from the real one too, typically a lookalike domain, with the real company name shown only in the display name. Don't rely on that alone, though: if the impersonated domain doesn't enforce SPF, DKIM, and DMARC, the From address itself can be forged.

Spear phishing

This form of phishing is the opposite of bulk phishing: spear phishing targets a specific individual or organization. Often the message is written explicitly for the target victim. To do this, attackers first research their victims to uncover names, job titles, colleagues, and other private details.

An example of spear phishing is an attacker impersonating the company's boss or the person who handles payroll. The phisher may direct an employee to send money to a vendor using a fraudulent link. Scammers use urgent, specific messages to trick employees into handing over money.

Whaling

Similar to spear phishing, whaling also targets a specific individual or business. The difference is that whaling focuses on big targets, such as CEOs, wealthy people, celebrities, or politicians. Because the victims are high-value targets, the data they disclose is extremely sensitive. Attackers spend countless hours researching their targets and crafting detailed emails to successfully deceive their victims.

Even though whaling targets prominent people, many of them fall prey to these attacks. For example, John Podesta, chairman of Hillary Clinton's campaign, was duped into providing his Gmail password to scammers, leading to the leak of the campaign's emails in 2016. Another famous whaling example is the "fappening" attack (the 2014 celebrity nude photo leak), in which multiple celebrities were conned into handing over their iCloud credentials.


Smishing

Smishing is short for SMS phishing. As you might guess, it's the same as email phishing but done via SMS text messages. These texts may contain malicious links that install malware when you tap them, or they try to persuade you to hand over sensitive information.

Vishing

Vishing is short for voice phishing. As the name suggests, instead of sending fraudulent emails or text messages, the phisher calls the victim, claiming to represent a bank or another authority. From there, the caller uses scare tactics to convince the victim that, unless they hand over personal data or money, they face a severe penalty.

What to do if you're a victim of a phishing attack

If you've been the victim of a phishing attack (or have come close to being one), the steps below will help you limit the damage.

Scan your device

If you've downloaded something from a suspicious email to your device, it may be infected with malware. Run a full scan even if your antivirus hasn't warned you. If you don't currently own a reliable antivirus program, buy a full-featured one, such as Bitdefender or McAfee.

Report the attack

The next step is to report the attack to your email provider, the impersonated entity (such as your bank), and your country's anti-fraud body (the Federal Trade Commission if you live in the US). Reporting a scam helps prevent future attacks.

Freeze your credit

If you've given away banking or credit card information, alert your bank as soon as possible. Tell them you're the victim of a phishing scam and want to freeze your accounts to prevent unauthorized payments. Afterward, check your credit report for any unfamiliar activity in your name.

Change your passwords

If you suspect that malware has been installed on your device, take the following precautions: change the passwords of all your accounts, starting with your email account, and do it from a device you trust, because a keylogger on the infected machine would capture the new passwords too; create new, complex passwords containing symbols, numbers, and letters, unique to each account (a password manager makes this easy); and finally, don't forget to enable multi-factor authentication for an added layer of security.


How to protect yourself against phishing

Follow the steps below to keep scammers away from your personal information, including your bank accounts.

Ignore suspicious emails

The best way to avoid falling for a phishing scam is to ignore emails that look suspicious. Merely opening a phishing email is generally safe, but make sure you don't download attachments or click any links, since that's how you get infected with malware. Once you've learned to recognize a scam (by following the warning signs above), you're a big step closer to keeping your accounts and devices safe.

If you do happen to open a scam email, be careful about clicking any links or downloading attachments. If the email contains an urgent task that a bank or other company wants you to perform, don't click the link. These links usually take you to web pages that download and install malware on your device or persuade you to enter your personal information.


Don't send financial data by email

Banks and online payment sites will never ask you for your personal account details, credit card numbers, or passwords by email. If you receive such a request, ignore it and contact the bank directly to clarify, using the phone number or address from its official website or the back of your card, not the contact details given in the message.

A phishing email that looks like it’s from PayPal


Choose a reputable email service

Gmail is the most popular email provider globally, with a user base of over one billion. We recommend it for personal and professional use; still, if you want to use another email service, opt for a reputable one like Outlook or Yahoo!. Many other email providers may not be as secure or reliable as these services.

Additionally, you could try an email service that’s focused on security, such as ProtonMail, which is protected by Swiss privacy laws.

Free webmail providers used in BEC (Business email compromise) attacks in Q2 2020

来源: APWG Phishing Activity Trends Report, Q2 2020

Change your passwords regularly

Another way to protect your accounts is to change your passwords regularly. Some banking services force you to do this once in a while, but others don't. For best results, make changing your passwords a habit, and change them immediately after any suspected compromise. Use a strong password generator and make sure to use letters, numbers, and symbols, and never reuse a password across accounts, so that one phished password can't unlock everything else. Note that current guidance (NIST SP 800-63B) puts long, unique passwords and multi-factor authentication ahead of forced periodic rotation.

Use a well-known antivirus solution

Almost all antivirus solutions come with email protection. However, this feature is often only included in premium versions. Check out our antivirus guide to help you find the best antivirus solution for your needs. We highly recommend a top antivirus solution like Bitdefender or Kaspersky.

Frequently asked questions about phishing

What are some examples of phishing?

Phishing attacks can come by email, SMS, instant message, or voice call, and the messages you receive can vary. Attackers often pose as your bank, boss, colleague, or friend. Sometimes they even pose as celebrities or well-known brands.

They may ask you for something urgent and provide malicious links or attachments. If you click these links or open the attachments, malware may be installed on your device, or you may land on a web page that asks you for sensitive information.

A trusted anti-phishing program (Norton is a good example) can help protect you against phishing.

Why is it called phishing?

The word "phishing" was first coined in 1996. It resembles the word "fishing" because, in a sense, they're similar activities: hackers cast bait across the internet and wait to catch unsuspecting prey (internet users). The "ph" was added as a nod to an early form of hacking known as phone phreaking.

Staying vigilant and having a solid antivirus solution can help you avoid the phisher's net.

Is phishing a type of malware?

No. Phishing is not a type of malware. Phishing is the social-engineering method the attacker uses, whether to deliver malware or to steal credentials directly: it refers to the victim being tricked into doing something, such as disclosing sensitive information, clicking a malicious link, or downloading malware.

If you want to block malware infections delivered through phishing, install a reputable anti-phishing solution.

Can you stop phishing emails from being sent to your device?

Mostly. You can greatly reduce the number of phishing emails that reach your inbox by using a reputable email provider or buying a reliable antivirus program, though no filter catches everything, so the warning signs above still matter. We strongly recommend Norton for its anti-phishing capabilities.

What happens if I click on a phishing email?

If you've opened a phishing email, don't worry. Simply opening an email won't download or install malware onto your device. That said, it does increase the chance that you'll accidentally click a malicious link or download an infected attachment. To avoid this, it's best not to open phishing emails at all.

To filter potential scam emails out of your inbox, use an antivirus program that specializes in stopping phishing threats. These applications work alongside your email provider's default filters to improve anti-phishing results.

Octav (web editor)

Octav is a cybersecurity researcher and writer at AntivirusGuide. When he's not publishing his honest opinions about security software online, he enjoys learning programming, watching astronomy documentaries, and taking part in general knowledge competitions.