Are you sure it was your bank that just emailed you? Can you feel confident that you’re clicking on a safe link? Or are you about to become the latest victim of a phishing scam?
Phishing is a creative attack that's been fooling people for years. A successful phishing attack can put your data and your money in the hands of criminals and leave your devices riddled with malware and viruses.
Here’s everything you need to know about how to spot phishing scams and how to protect yourself against them.
What is phishing?
You can probably guess where the name comes from. The word “phishing” is a reference to the way in which the scam is carried out: baiting, luring, and reeling in a victim. The criminal is holding the rod, and yes, you’ve guessed it – you're the fish.
There are several different kinds of phishing techniques. The most common methods involve email, although in more elaborate phishing attacks, that is just the start.
For phishing emails, disguise is essential. The criminal will pose as a trusted contact, a friend, or a legitimate company. They'll dress their message up accordingly, with an eye-catching subject line and all the trappings of a genuine email.
Types of phishing
Here are three of the most common types of phishing.
Perhaps the most famous iteration of direct extortion is the so-called “Nigerian Prince” scam. It relies on the criminal starting a conversation with the victim and eventually convincing them to transfer money. This often involves the attacker, in the guise of a wealthy man overseas, promising a massive payoff in return for a “small” investment of funds.
In recent years, some criminals have started targeting people through dating apps. After gaining trust and convincing the victim of their genuine interest, phishers can create a false scenario in which they urgently need money.
Admittedly, awareness of these scams has increased in recent years, so fewer people are falling victim.
In some phishing scams, that initial email is just the starting point for a more elaborate crime.
The setup is the same as the dangerous link email, but in this case, the link will take potential victims to a webpage specifically designed by the criminal. This page will use the same theme and disguise as the email. If someone is pretending to be your bank, asking you to reset your login details, the page will mimic the colors and layout of that bank.
Then, if you end up entering the requested data – passwords or card credentials – it goes straight to the criminal, who can read it in the clear.
Types of phishing attacks
Phishing attacks come in a variety of shapes and forms. The main difference between most types of phishing attacks is the medium over which they are carried out. Here are some of the most common types.
Email phishing is arguably the most common type of phishing. As the name suggests, the attack is carried out via email. Usually, emails crafted by bad actors imitate legitimate sources to fool unsuspecting users into giving up their sensitive information.
The essential difference between spear phishing and other types of phishing attacks is that in a spear phishing attack, the bad actors focus with high precision on a single target. In most instances, the targets are specific people or organizations.
Whaling, sometimes referred to as CEO fraud, is a type of attack that — much like in instances of spear phishing — focuses on a single target. However, whaling attacks usually aim to exploit high-ranking officials or other senior members in the organization to gain unauthorized access to sensitive financial data or computer systems.
Vishing and Smishing
What separates vishing and smishing from other types of phishing attacks is that both are carried out over the potential victim’s phone. Vishing is voice phishing: think of scam calls impersonating a bank or offering lucrative investment opportunities. Smishing uses text messages instead, but the aim and design of the attack are very similar to regular email phishing.
Today, phishing attacks are among the most common and dangerous types of cybercrime that businesses and individuals alike face on a daily basis.
A recent ESET study found a 7.3% increase in email-based phishing attacks between May and August 2021. Another study carried out by IBM discovered a 2% increase in phishing attacks between 2019 and 2020. The 2021 Verizon Data Breach Report noted that phishing attacks are involved in one way or another in about 36% of all breaches.
Over the years, phishing attacks have grown not only in frequency but also in sophistication. While researchers at Tessian found that 76% of phishing emails did not contain malicious attachments, SonicWall’s 2021 Cyber Threat report discovered a steep increase in the number of malicious PDF and Microsoft Office files between 2018 and 2020. The increase likely corresponds to the fact that most people have a tendency to trust PDFs and MS Office documents. This trust is reflected in the fact that Microsoft is one of the most impersonated brands according to Check Point, which found that up to 43% of faux emails impersonated the tech giant. Other frequently impersonated organizations include DHL, Amazon, and LinkedIn.
Verizon’s report notes that in most instances of a phishing attack, the top compromised types of data are: credentials such as passwords, PIN numbers, and usernames; personal information such as full names and email addresses; and medical information, which includes insurance claims and social security numbers. The report also highlights that the median loss from a business email compromise stands at $30,000.
Cisco’s 2021 cybersecurity threat trends report took a look at the most targeted industries and found that the financial services industry is at the top of phishers’ target list. Other often targeted industries include retail, manufacturing, food and beverage, research and development, and tech.
What are common indicators of a phishing attempt?
A large share of phishing scams focuses on exploiting fear. Often a phishing email will inform users that there has been some kind of an issue with their account. To solve the fake problem, the user is usually asked to click on a malicious link or download an attachment. Unsurprisingly, then, most phishing emails use urgency in the subject line.
Attackers also register domains that closely resemble a trusted brand’s domain. Bad actors will include branded logos to further fool unsuspecting users.
Catching a phisher
There are some typical red flags to look out for in most phishing emails.
The first thing to notice is whether the email uses your real name or not. If it addresses you as “dear customer” or “to whom it may concern,” you should be on the alert.
Phishing scammers will often send out huge batches of identical emails without targeting specific individuals. If a legitimate company reaches out to you, they'll almost always know your name.
The language used in phishing emails can also be a giveaway. Keep an eye out for odd turns of phrase, poor grammar, or obvious misspellings. A genuine email from your bank will not contain these kinds of errors.
Of course, the email sender’s address is also important. Check to make sure it looks legitimate. If there’s any doubt, check it against other emails you've received from the organization.
Lastly, be wary of urgency in the email. If someone demands money or presses you to click a link “before it’s too late,” that’s not a good sign. Criminals will often attempt to make the victim panic or rush to action without stopping to look closer at the email itself.
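The red flags listed above (impersonal greeting, sender address, urgency) and the lookalike domains mentioned under the indicators section can be turned into a simple scoring check that runs over a message before anyone acts on it. The Python below is an added example written for this page, not code from the original article: the known-brand domain list, the phrase lists and the two sample messages are all constructed for illustration, and it assumes plain-text, single-part messages. The grammar and spelling red flag is not implemented, since that needs a dictionary or language model rather than a few string checks.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains treated as known-good for this example (a constructed list, not a real allowlist).
KNOWN_DOMAINS = {"examplebank.com", "paypal.com", "microsoft.com"}

# Red flags from the article: impersonal greeting and urgency language (constructed phrase lists).
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "to whom it may concern")
URGENCY_PHRASES = ("immediately", "within 24 hours", "before it's too late",
                   "will be suspended", "act now", "urgent")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings, used to spot typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the domain part of the address in a From: header, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str):
    """Return the known brand domain this sender domain imitates, or None if it is genuine or unrelated."""
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        # Catches 'paypa1.com' (edit distance 1) as well as 'examplebank-login.net' (brand embedded).
        if levenshtein(domain, known) <= 2 or brand in domain:
            return known
    return None


def score_email(raw: str):
    """Apply the red-flag checks to one plain-text message; return (score, reasons)."""
    msg = message_from_string(raw)
    body = str(msg.get_payload()).lower()
    subject = (msg.get("Subject") or "").lower()
    reasons = []

    first_line = body.strip().splitlines()[0] if body.strip() else ""
    if any(g in first_line for g in GENERIC_GREETINGS):
        reasons.append("impersonal greeting")

    if any(p in subject + "\n" + body for p in URGENCY_PHRASES):
        reasons.append("urgency language in subject or body")

    imitated = lookalike_of(sender_domain(msg.get("From", "")))
    if imitated:
        reasons.append(f"sender domain imitates {imitated}")

    return len(reasons), reasons


# Constructed sample messages, not real mail.
PHISH = """\
From: "PayPal Security" <security@paypa1.com>
Subject: URGENT: your account will be suspended

Dear Customer,
We detected unusual activity. Verify your details within 24 hours or your account will be suspended.
"""

LEGIT = """\
From: Example Bank <statements@examplebank.com>
Subject: Your March statement is ready

Hi Alex,
Your statement for March is now available in online banking. No action is needed.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        score, reasons = score_email(raw)
        print(name, score, reasons)
```

The score is deliberately coarse: a single hit (for example, a real newsletter that says "urgent") should prompt a closer look, not an automatic verdict, while the sender-domain check is the one signal that is hard to explain away.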
What happens if you click on a phishing link or download a malicious attachment?
If you happen to fall victim to a phishing scam, one of the things you can be almost sure of is that the attackers will let other scammers know that their attack on you was a success. In turn, you will most likely experience even more phishing attacks coming your way.
Falling victim to a phishing scam could also result in the loss of personal data such as your name, address, phone number, and other personally identifiable information, which in turn could lead to ever more issues such as identity theft.
A successful phishing attack on a business could result in a full-on data breach, which today could very well mean the end of the company.
How to prevent phishing
Slow down and think.
This is essential. Never hurry through an email and follow its instructions. Is someone urging you to immediately follow a link to collect prize money? Are you being told to go to a website to change your passwords as soon as possible? Slow down and make sure that the email is genuine first.
Don’t follow links directly.
Most phishing emails will ask you to click on a link. That could open the door to malware, viruses, and ransomware. Avoid this problem altogether by never following email links, unless they’re from a trusted, verified sender.
If you’re in doubt, open a new tab and navigate to the real company’s page. To be certain, you can even email or call the organization directly and ask if they contacted you recently.
Don’t trust your spam filters for everything.
Your email provider will filter spam and junk mail into a separate folder to be deleted later, but it doesn’t always catch everything. Don’t assume that something is automatically safe just because it hasn’t been caught by the filters. Misses like this happen all the time, so be careful.
Ask yourself whether you’ve had previous contact with the sender.
If a bank you don’t have an account with emails you asking you to log in through a link in the message, that’s a sure sign you’re being targeted. Most phishing emails are sent in the hope that you’ll click on the link without thinking. Ask yourself if you actually have any account or relationship with the company the sender claims to represent. If the answer’s no, ignore or delete the message.
Phishing emails can be highly effective, and they’re one of the oldest internet scams in the book. The best defense against them is vigilance and some common sense.