The What and Why of Phishing, and How to Avoid It by robrigo

Salutations Steemians,

In this post I'm going to discuss what phishing is, why it exists, and give you some tips to avoid being phished. Considering the amount of value the Steem platform is generating, I think it's likely we could see phishing attacks attempting to capture the credentials of Steemit users. I'll also discuss a free tool my employer launched to the public today that can be used to simulate phishing attacks and assess how at-risk your organization is to phishing, and the potential impact of a data breach.

![The Phisherman](https://ipfs.pics/ipfs/QmWjfdT3w9mSsc6mdKSuZjykN3GUoqRVTbtFDbWwbWu5N8)
[*Image source*](https://duo.com/blog/introducing-the-access-of-evil)

## What is phishing?
Phishing is a social engineering attack that exploits people's willingness to click on links, open attachments, or approve permissions in order to deliver drive-by malware or trick people into giving up their account credentials. Phishing is an especially effective method of compromising accounts because it takes advantage of human factors, such as greed, fear, curiosity, and plain error, to trick people into giving up the goods.

A targeted phishing attack that is crafted to breach a specific person is known as spear phishing.

## How can you identify a phishing attack?
The best habit to adopt in order to mitigate phishing is to **always check the URL domain**. Hover over the link and verify, in the status bar at the bottom left of your browser, that the domain is the one you expect. The most common phishing vectors are email and social media messaging. Many different phishing approaches exist; next, I'll go over a few of the major types.

### Impersonation
![CEO phishing](https://ipfs.pics/ipfs/QmPrM1yHVa85J44jvoae479BqaKLPAEFhaBRfdYoEeAnXP)
Image source: Phishme

On the internet, people aren't always who they say they are. It's okay to trust, but always verify! Just because your email client tells you an email was sent from someone, doesn't necessarily mean that it was. It's possible to spoof the sender's information to trick people into believing they are receiving an email from someone that they trust.

### Disguise
LastPass
![LastPass](https://www.seancassidy.me/images/lastpass_login.png)
LostPass
![LostPass](https://www.seancassidy.me/images/lostpass_login.png)
Many phishing pages look exactly the same as a trusted page. This password manager phish is very convincing. Can you spot the difference? This is a common method used to capture credentials by impersonating login pages.

### Ransomware
![Ransomware email](http://cdn2.mobilesiri.com/wp-content/uploads/2016/02/locky-ransomware-email-with-attachment.png)
Don't download attachments that you don't expect without verifying authenticity out of band, even if they appear to originate from people you trust. They could encrypt your files and hold your data for ransom!

These are just a few examples; there are many others.

## Tips and tricks to prevent succumbing to a phishing attack
1. Employ a [web of trust extension](https://www.mywot.com/) to provide a signal as to the authenticity of a website.
2. Always double check the URL domain of websites before you visit them. Watch out for domains that are intended to look similar to a real domain, but are actually fake. Some techniques that these domains employ include:
    * **Bitsquatting**, which anticipates a small portion of systems encountering hardware errors, resulting in the mutation of the resolved domain name by 1 bit (e.g., zteemit.com).
    * **Homoglyph**, which replaces a letter in the domain name with letters that look similar (e.g., steernit.com).
    * **Repetition**, which repeats one of the letters in the domain name (e.g., steemiit.com).
    * **Transposition**, which swaps two letters within the domain name (e.g., tseemit.com).
    * **Replacement**, which replaces one of the letters in the domain name, perhaps with a letter adjacent to the original letter on the keyboard (e.g., steenit.com).
    * **Omission**, which removes one of the letters from the domain name (e.g., stemit.com).
    * **Insertion**, which inserts a letter into the domain name (e.g., steeemit.com).
    * **Missing dot**, which removes a dot from the domain name (e.g., steemitcom.com).
    * **Singularization or Pluralization**, which adds or removes "s" at the end of the domain name (e.g., steemits.com).
    * **Vowel swap**, which replaces a vowel within the domain name (e.g., steamit.com).
    * **Wrong TLD**, which replaces the top-level domain suffix (e.g., steemit.co).

    [Read more about domain variations](https://zeltser.com/domain-name-variations-in-phishing/)
3. Sound the alarm. If you detect a phishing attack, tell others in your organization so they can avoid it.
4. Use [DMARC](https://dmarc.org/) to prevent your domains from being used in a phishing attack.
5. If you're prompted for account permissions, double check that you're on the proper website. 
6. Beware of emails that sound too good to be true (No, you didn't really win $10,000 and you aren't really going to get a free annual gym membership).
7. Keep your browser software up to date to patch it against the latest security vulnerabilities. Chrome tries to automatically handle this for you (sometimes you need to go to Settings > About Chrome to complete the update).
8. Un-install browser plugins, such as Flash and Java, that have a [history](https://helpx.adobe.com/security/products/flash-player.html) of being vulnerable. This reduces the likelihood of installing drive-by malware by a lot!
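The domain-variation techniques from tip 2, together with the "always check the URL domain" advice, as an added Python example that is not code from the original post: it generates the look-alike variants for a trusted domain and classifies the host of a link against them. The homoglyph table, keyboard-neighbour table and TLD list are small, assumed tables, not an exhaustive set.

```python
# Added example, not code from the original post: build the look-alike domain
# variants described above for a trusted domain, then classify a link's host.
from urllib.parse import urlsplit

HOMOGLYPHS = {"m": ("rn",), "l": ("1", "i"), "i": ("l", "1"), "o": ("0",)}  # assumed table
KEY_NEIGHBOURS = {"m": "nj", "n": "bmh", "e": "wr", "t": "ry", "s": "adwzx", "i": "uo"}
VOWELS = "aeiou"
OTHER_TLDS = ("co", "net", "org", "io")  # assumed list of alternative suffixes
LETTERS = "abcdefghijklmnopqrstuvwxyz"

def lookalike_variants(domain):
    """Return the set of look-alike host names for a trusted domain such as 'steemit.com'."""
    name, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i, ch in enumerate(name):
        head, tail = name[:i], name[i + 1:]
        for bit in range(8):                        # bitsquatting: one flipped bit
            c = chr(ord(ch) ^ (1 << bit)).lower()
            if c != ch and c in LETTERS + "0123456789-":
                out.add(f"{head}{c}{tail}.{tld}")
        for g in HOMOGLYPHS.get(ch, ()):            # homoglyph: m -> rn
            out.add(f"{head}{g}{tail}.{tld}")
        for k in KEY_NEIGHBOURS.get(ch, ""):        # replacement: neighbouring key
            out.add(f"{head}{k}{tail}.{tld}")
        for v in (VOWELS if ch in VOWELS else ""):  # vowel swap: e -> a
            out.add(f"{head}{v}{tail}.{tld}")
        out.add(f"{head}{tail}.{tld}")              # omission (also drops a trailing "s")
        if tail:                                    # transposition
            out.add(f"{head}{tail[0]}{ch}{tail[1:]}.{tld}")
        for c in LETTERS:                           # insertion (covers repetition)
            out.add(f"{head}{c}{ch}{tail}.{tld}")
    out.update(f"{name}{c}.{tld}" for c in LETTERS)  # trailing insertion, incl. pluralisation
    out.add(f"{name}{tld}.{tld}")                    # missing dot
    out.update(f"{name}.{t}" for t in OTHER_TLDS if t != tld)  # wrong TLD
    out.discard(domain.lower())
    return out

def classify_link(url, trusted_domain):
    """'genuine', 'lookalike', 'brand-in-host' or 'unrelated' for the host of url."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host == trusted_domain or host.endswith("." + trusted_domain):
        return "genuine"                 # the domain itself or one of its subdomains
    labels = host.split(".")
    suffixes = {".".join(labels[i:]) for i in range(len(labels))}
    if suffixes & lookalike_variants(trusted_domain):
        return "lookalike"               # e.g. steernit.com or login.steemiit.com
    if trusted_domain.split(".")[0] in host:
        return "brand-in-host"           # e.g. steemit.com.example.net
    return "unrelated"
```

The homoglyph table only covers ASCII look-alikes; Unicode confusables (e.g. Cyrillic letters) reach the resolver as `xn--` punycode labels and need a separate check.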

## Quantify how at-risk your company is to phishing with Duo Insight
Duo has just launched [Insight](https://insight.duo.com/) to the public, which is a free tool that allows companies to assess how susceptible they are to data breach by means of phishing. This tool makes it quick and easy to set up a phishing campaign, and the quantitative report it provides is a good way to build a case for implementing stronger security controls and practices in your organization. We'd love to hear your feedback about this tool. You can read more about it [here](https://duo.com/blog/now-available-duo-insight-a-tool-to-help-organizations-identify-phishing-risks). Duo Insight does not store any credentials captured during phishing campaigns.

**DISCLAIMER: I work for Duo, but my personal opinions on Steemit.com are not representative of Duo's views. This post is intended to inform the Steemit community of a potential attack vector they may face in the future.**

#steemit #phishing #duo
Posted 2016-07-12 20:34:45
@condra ·
Just discovered this post. I'm going to link it as "further reading" in my latest post about phishing. 

https://steemit.com/steemit/@condra/public-wallets-and-the-target-on-your-back-original-article

I do think phishing represents a huge challenge for Steemit and crypto going forward.
@michaelx · (edited)
Excellent post and full of great info as always @robrigo !!!

Here are some posts to help you get more traction and exposure to your Steemit posts, startup, business or self:

**[[HOW TO] Public Relations Training For Startups, Steemers & Steemit: PART 1](https://steemit.com/public/@michaelx/public-relations-training-for-steemers-and-steemit)**

**[[HOW TO] Public Relations Training For Startups, Steemers & Steemit: PART 2](https://steemit.com/marketing/@michaelx/public-relations-training-for-startups-steemers-and-steemit-part-2)**

**[[HOW TO] Public Relations Training For Startups, Steemers & Steemit: PART 3](https://steemit.com/marketing/@michaelx/how-to-public-relations-training-for-startups-steemers-and-steemit-part-3)**

Please let me know if there is anything I can do to help you become more successful!

Oh and followed you too!
@robrigo ·
Thank you @michaelx. I'll give your articles a read this evening.
@michaelx · (edited)
Thank you sir.

Good to see you from the BTS forum. If you don't put a space after you @robrigo tag someone it won't work currently for some punctuation.
@oholiab ·
That chrome-extension phish is a really nasty one and was probably super easy to do... chrome should totally be adding some builtin protection for things like that because it's particularly insidious. They should probably have a CA and associated cert generated by the browser in-memory on each startup to sign all local pages which will display a special padlock indicator so you at least have a visual prompt for when you're not on your actual settings pages.

Or something more sensible.
@robrigo ·
Agreed, thankfully LastPass has taken some steps to make it harder to pull off.
@tjpezlo ·
thanks for this, it takes vigilance to curb it...