Phishing attacks remain a popular way for attackers to compromise accounts. As noted by security firm Symantec, one of every 244 emails sent in 2014 contained malware.1 To combat this threat, many companies now use advanced detection systems and email scanning tools to prevent phishing attacks. When it comes to personal devices, however, many users lack the same type of safety precautions, and aren't sure how to prevent phishing or recognize the telltale signs of malware attacks.
What is malware? Any program or code that attempts to alter the function of your device without your consent. Phishing scams can convince users to click links or open attachments that download and run malicious applications. It's worth learning some of the red flags that accompany malware and phishing attack efforts.
Phishing flags include:
- Poor grammar or spelling: If you see misspelled words or odd sentence structure, chances are the email isn't really from your bank, Netflix or PayPal.
- MUST ACT NOW and other warnings: As noted by CSO Online, threats of dire consequences if you don't act immediately often accompany phishing emails, which prompts quick action over good judgment.2
- Odd links or attachments: Not expecting an attachment? See an email link with a mile-long URL? That attachment is probably loaded with malware, and the link may force an unwanted download.
Classic malware red flags include:
- Pop-ups while browsing: If you suddenly receive a pop-up that indicates your antivirus is out-of-date or that your computer has been infected, be wary. Malware makers often leverage these scare tactics to compromise devices.
- Strange behavior: Browsing a website and you're suddenly redirected? Notice that the website's URL doesn't match what you typed in or isn't spelled correctly? Chances are it's a malware attempt.
- Permission-hungry apps: Malware-filled apps have been making their way into mobile app stores and are prevalent across third-party "unofficial" app sites. One typical sign of malware in your new application? It wants permissions it doesn't need, such as access to your contacts, microphone, video camera and stored data.
Learn to recognize social engineering. Take a hard look at sender addresses and consider the supposed source. For example, agencies like the IRS or FBI will never contact you through email. Even if the email seems legitimate, never click on links that supposedly lead to your PayPal or Amazon account. Instead, go to the official website and login directly.
What happens once you're infected? Is there any way to recognize the signs of a malware or phishing attack in progress?
As noted by PC Magazine, pop-up ads are one indication that you've been infected with "adware," which may point you in the direction of more serious malware.3 If you start seeing multiple pop-ups every time you open your browser (or even when it's closed), you've probably been compromised.
Other common signs include:
- Browser redirection: You open your browser and it takes you to somewhere unexpected. You enter a URL and still get redirected. You've got malware.
- Strange posts or emails: Friends and colleagues contact you to say that they've been seeing strange social posts and getting strange emails from you. Chances are you're infected with malware that has compromised your email or social media accounts.
- Performance problems: Malware can impact device performance. If you notice your desktop or mobile phone suddenly acting sluggish or slow to load applications, run a malware scan to see if you're infected.
- You can't change things: You're worried that you have malware, so you go poking around your system tools and find them disabled by the "administrator."
Always update your desktop and mobile phone with the latest security and operating system updates. Often, these updates contain fixes for newly discovered vulnerabilities that hackers can exploit.
Ideally, you avoid device compromise altogether. Not sure how to prevent phishing and push back malware? Start with two-factor authentication: Get an app like the Google Authenticator, which requires both username and password along with a one-time code to access accounts. That way, even if hackers manage to breach your device, they can't access account data.
It's a good idea to check the security of your connection.4 Look for sites that use "https" in the URL and have the green padlock symbol, which means they're using encryption. In addition, use a combination of firewall, antivirus and anti-malware solutions to help detect and eliminate threats before they compromise your device.
Remember the golden rule: If it seems too good to be true, it probably is. Approach emails and website with a healthy measure of skepticism to limit the chance of malware infection.
Know the signs
Don't want to get hooked? Know the signs of malware infection and phishing attacks, such as strange app behavior and poorly worded emails. Recognize the signs of device infection, like performance problems and browser redirection. Then, step up your own security: Use two-factor authentication, check the security of your connection and don't fall for social subterfuge.
1) "Internet Security Threat Report" Symantec, April 2017. Accessed April 10, 2018. https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf
2) Florentine, Sharon. "5 ways to spot a phishing email." CSO, February 22, 2017. Accessed April 10, 2018. https://www.csoonline.com/article/3172711/phishing/5-ways-to-spot-a-phishing-email.html
3) Rubenking, Neil J. "7 Signs You Have Malware and How to Get Rid of It." PC Mag, September 14, 2017. Accessed April 10, 2018. https://www.pcmag.com/article2/0,2817,2416788,00.asp
4) Zamora, Wendy. "10 easy ways to prevent malware infection." Malwarebytes, August 26, 2016. Accessed April 10, 2018. https://blog.malwarebytes.com/101/2016/08/10-easy-ways-to-prevent-malware-infection/