Phishing/spear phishing

Phishing is an attempt to obtain sensitive information, such as usernames, passwords, and credit card details, often for malicious reasons, by disguising oneself as a trustworthy entity in an electronic communication. Even though most people are aware of this type of attack and they already know that they should not be opening emails or clicking links coming from untrusted sources, the fact is that, in most attacks, cyber criminals pretend to be someone you already know/trust. This is because, previous to the phishing attack, they gather intelligence about the target such as what he/she likes, with whom he/she communicates by email the most, and so on.

The following is one of my tests, in which I created a phishing email that was specially crafted to look as if it was being shared by me (a trusted person in the company). I chose the title Organization Scheme since it would persuade every single person in the company to read it:

An example phishing email for stealing Dropbox user credentials

Believe it or not, even the most experienced people in the company clicked the link and provided their Dropbox credentials, which were directly emailed to me (the attacker in this case). Only one person out of 20 contacted me, but unfortunately, it was to ask what was wrong with the document since he was not able to view it!

This was actually the point when I realized how effective phishing attacks could be. If I was able to trick my own employees with a single interesting email created in 30 minutes, what could a seasoned attacker do?

The reason this test was so successful was not that people clicked the link in the email I sent, but the website address they were directed to after clicking it. The address I used was http://www.dropbox.ssl.login.authentication.identify_ctx_recover_lwv110123_securefreemium.ebilgilendirme.net, which was more than enough to persuade them that it was the legitimate Dropbox website, since they only paid attention to the first part of it rather than to the full address. The following is a screenshot of what you would see in your address bar and taskbar if an attacker uses this kind of address:

Taskbar and address bar examples in a phishing attack

So, anyone glancing at the address bar or taskbar would immediately think that this is the legitimate Dropbox website, but an experienced user would recognise it as just a subdomain of an unrelated domain (the part that was actually registered is ebilgilendirme.net, the last two labels), which can be set up in minutes.

To sum this up, online safety is all about educating users regarding the types of tricks and attacks used by cyber criminals. Educating users is much more important than investing in software or hardware solutions.

As a final note, here is my quick list for staying safe online:

  1. Always use a modern OS and software. Out-of-date systems are vulnerable to exploitation.
  2. Use up-to-date security software, including antivirus, anti-exploit, anti-phishing, and content-control features for blocking known bad content. This will guard you against most attacks, but do not forget that security software is just a layer, not the solution.
  3. Do not open suspicious-looking emails.
  4. Always check the target address of clickable content in emails and make sure the target website is known to you.
  5. Always check for the SSL indicator on websites before providing your personal information.
  6. Use a VPN to prevent cyber criminals from eavesdropping on your network traffic.
  7. Disable macro execution in your environment and do not click the Enable Macros button, even if the document you are viewing says to do so.
  8. Read pop-up dialogs or warnings carefully before accepting them.
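As an added example (not code from the book), the following Python script applies the two checks behind the Dropbox address discussed above and item 4 of the list: it works out which part of a hostname was actually registered, flags brand names that appear only in the sub-domain, and compares a link's visible text with its real target. The brand table, the tiny suffix table and the sample email are constructed for this example, and the `analyze_url` / `check_email_links` names are my own; a production check would use the full Public Suffix List rather than the three suffixes hard-coded here.

```python
"""Added example, not code from the book: flag URLs and e-mail links that
imitate a brand in their sub-domain, as in the Dropbox test. The brand
table, suffix table and sample e-mail are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a brand may legitimately be served from (constructed, minimal list).
TRUSTED_BRANDS = {"dropbox": {"dropbox.com"}, "paypal": {"paypal.com"}}
# Words attackers pad hostnames with to look official.
SUSPICIOUS_WORDS = ("account", "authentication", "login", "secure", "ssl", "verify")
# Stand-in for the Public Suffix List: suffixes that take two labels.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.tr"}


def registrable_domain(hostname):
    """Return the part of a hostname that somebody actually had to register."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_url(url):
    """Return a list of reasons the URL looks like a lookalike (empty = clean)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no hostname in URL"]
    domain = registrable_domain(host)
    subdomain = host[: -len(domain)].rstrip(".")
    reasons = []
    if parsed.scheme != "https":
        reasons.append("not served over HTTPS")
    # The Dropbox trick: the brand is present, but only as a sub-domain label
    # of a domain the brand does not own.
    for brand, real_domains in TRUSTED_BRANDS.items():
        if brand in host and domain not in real_domains:
            reasons.append(f"'{brand}' in hostname but registrable domain is {domain}")
    words = [w for w in SUSPICIOUS_WORDS if w in subdomain]
    if words:
        reasons.append("security-themed words in sub-domain: " + ", ".join(words))
    depth = host.count(".") + 1
    if depth > 4:
        reasons.append(f"unusually deep hostname ({depth} labels)")
    return reasons


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML e-mail."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email_links(html):
    """Return (href, text, reasons) for each link whose real target looks wrong."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = analyze_url(href)
        # Item 4 of the checklist: what the link shows and where it goes must agree.
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        target = urlparse(href).hostname or ""
        if "." in shown.strip(".") and registrable_domain(shown) != registrable_domain(target):
            reasons.append(f"link text shows {shown} but target is {target}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample e-mail; the first href is the address quoted in the text.
PHISH_URL = ("http://www.dropbox.ssl.login.authentication."
             "identify_ctx_recover_lwv110123_securefreemium.ebilgilendirme.net/")
SAMPLE_EMAIL = f"""
<p>Please review the new <a href="{PHISH_URL}">Organization Scheme</a> on Dropbox.</p>
<p>Help is at <a href="https://www.dropbox.com/help">www.dropbox.com</a>.</p>
<p>Invoice: <a href="http://paypal.com.example-files.net/">https://www.paypal.com</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in check_email_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   -", reason)
```

Run on the sample email, the script reports the Organization Scheme link (brand only in the sub-domain, padded with "ssl"/"login"/"authentication", eight labels deep, plain HTTP) and the invoice link (displayed text says paypal.com but the target is another domain), while the genuine dropbox.com help link passes. The decisive check is `registrable_domain`: everything to the left of it is free for the domain owner to choose, which is exactly what the address bar screenshots above illustrate.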