After the click

What really happens when you click on a phishing link.

By IT Security

We’ve all been told to “think before you click” and have heard about the dangerous consequences of phishing. But do you know what happens if you click on a fraudulent phishing link and how your personal information can be immediately put at risk? Below we will walk you through how fraudsters get access to your username and password and what they can do once they have it.

Without your knowledge, an attacker can steal the username and password for your account in three simple steps.

First, a legitimate-looking fake email is sent to you that typically includes an urgent request to complete an action through a web link embedded in the email.

[Image: fake-email.jpg]


Second, when you click the link embedded in the message, you are presented with a replicated webpage that appears to be a legitimate website. The only way to authenticate the page at this point is to check the web address listed in the address bar. Notice this is not a usask web address?

At this point, if you enter your username and password and hit “sign in,” you have just voluntarily provided your confidential account information to a fraudster, giving them complete access to your account.

[Image: log-in.jpg]


Now for the third and last step of the scam: once they have collected your information, they instantly send you to the real login page. Most users are unaware that anything has happened, or are left thinking they have mistyped their password and simply attempt to log in again. Notice the correct usask web address in the address bar?

[Image: correct-web-address.png]
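The address-bar check from steps two and three can also be written out as code. The following is an added example, not part of the original article; it assumes the genuine sign-in pages sit under usask.ca, and every sample link in it is constructed.

```javascript
// Added example, not from the original article.
// Assumption: the genuine sign-in pages live under usask.ca.
const EXPECTED_DOMAIN = "usask.ca";

// Returns { trusted, host, reason } for a link as the browser would parse it.
function checkLink(link, expectedDomain = EXPECTED_DOMAIN) {
  let url;
  try {
    url = new URL(link);
  } catch (err) {
    return { trusted: false, host: null, reason: "not a valid web address" };
  }
  // Drop a trailing dot so "usask.ca." compares equal to "usask.ca".
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (url.protocol !== "https:") {
    return { trusted: false, host, reason: "not an https address" };
  }
  if (url.username || url.password) {
    // Anything before "@" is login data, not the site name.
    return { trusted: false, host, reason: "site name hidden behind '@'" };
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    // Punycode label: the visible name contains non-ASCII look-alike letters.
    return { trusted: false, host, reason: "look-alike characters in name" };
  }
  // Accept only the domain itself or a true subdomain (dot boundary).
  if (host === expectedDomain || host.endsWith("." + expectedDomain)) {
    return { trusted: true, host, reason: "address is under " + expectedDomain };
  }
  return { trusted: false, host, reason: "address is not under " + expectedDomain };
}

// Constructed sample links; none come from the article.
const SAMPLES = [
  "https://signin.usask.ca/login",
  "https://usask.ca.account-check.example.net/login",
  "https://usask-ca.example.com/login",
  "https://usask.ca@example.net/login",
  "http://usask.ca/login",
  "https://us\u0430sk.ca/login", // \u0430 is a Cyrillic letter, not Latin "a"
];

for (const link of SAMPLES) {
  const { trusted, host, reason } = checkLink(link);
  console.log(`${trusted ? "OK  " : "STOP"} ${host} (${reason})`);
}
```

Only the first sample passes. The part of the address that matters is the end of the host name, immediately before the first single slash.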


At this point, the fraudster can start searching through your mailbox and files, targeting both institutional and personal data to gain access to other online accounts, access direct deposit information or online banking, and even sell your account information to other cybercriminals.

Once fraudsters gain access, they are free to come back and search through your personal information at their leisure, hours, days, or even weeks later! With no indication that someone has stolen your account login and password, you would have no reason to suspect anything is wrong and would continue on as normal. Very few victims can recall the email which caught them.

The simplicity and ease with which fraudsters are able to pull off phishing attacks make them extremely common, and knowing how to detect and avoid being a victim of phishing is an essential skill when many of our essential day-to-day activities occur online. Take the time to complete our IT security training courses and learn more ways to protect yourself against the threat of online attacks.