Phishing: What Is It and How Can I Avoid It
Phishing lets cybercriminals steal personal information such as credit card numbers and account passwords without the skills needed to break into a network. In most cases the scammer simply talks or frightens the victim into handing the information over.
It's extremely important to protect your personal information, especially sensitive identifiers like your Social Security number. An SSN is very difficult to replace, and once a scammer has yours they can use it indefinitely for a wide variety of crimes.
How it Works
Phishers may contact you through a fraudulent email, a phone call, or a fake website. They usually pose as a reputable company, such as a bank, a cell phone carrier, or a social media account or website for a major brand, and try to persuade you to divulge your personal information.
They are after details like your address, credit card number, passwords, phone numbers, and even your insurance numbers. Typically the phisher claims that you have won something, that you are about to miss a limited-time deal, or that this is a final warning and your account will be closed unless you enter your login credentials.
Recently, many individuals in the U.S. and Canada have been targeted by revenue agency scams in which the caller claims the individual has unpaid tax debt. Too many people fall for these scams, usually out of fear of having broken the law.
Here's an Example
Say you receive an email that appears to come from Amazon, a site you use often for online shopping. The email is fake, but you don't realize it at first. It looks official, with the company logo in the corner, and the tone matches other emails you've received from the company.
The message offers an unbelievable discount on a laptop and provides a link to the buying page. You click the link, and the page looks like Amazon's website, right down to the checkout process. You enter your credit card information and complete your order.
However, you've just become a victim of a phishing attack. The product page was a convincing fake. Instead of placing your order, the site sent your payment details straight to a thief.
How Can You Recognize the Scam?
In this case, there were three tell-tale signs:
- Once you log into your real Amazon account, your saved payment method is normally already on file. Being asked to type the full card number again, when you are not adding a new card, buying a gift card, or shipping to a new address, is a red flag.
- A close look at the original email would likely show it came from a look-alike domain: a misspelling, an extra word or extension, or a different top-level domain rather than a genuine amazon.com address. Keep in mind that the visible From address can also be forged, so check where the links actually point, not just who the message claims to be from.
- The fake product page would be a shallow copy. The real Amazon site is packed with working links to products, categories, and account pages; a phishing page typically clones only the screen it needs, so most of its navigation is dead or loops back to the same page.
The 6 Most Common Types of Phishing
With the rise of the Internet of Things (IoT), smartphones, and social media, the number of opportunities for phishing has grown considerably. Attacks now reach well beyond banking: customers of PayPal, eBay, and Amazon have all been targeted.
Watch out for these common types of phishing attacks:
Deceptive phishing is the most familiar lure. The attacker impersonates a legitimate business, usually with a mass email and a cloned copy of its website, to harvest credentials or card data. It requires little technical skill; its effectiveness rests on social engineering, on how closely the message mimics the company's tone and timing.
Also known as "CEO fraud," whaling targets a company's top executives. The phisher either compromises the executive's email account or convincingly spoofs it, then instructs employees, typically in finance, to wire funds to an attacker-controlled account. Whaling also targets other high-profile individuals such as celebrities and politicians. Because of its focused nature it can be hard to detect: the staff who receive the request rarely deal with the executive directly and are reluctant to question an apparent order from the top.
Phishing kits are ready-made bundles, sold or traded among criminals, that contain cloned copies of a target's login or checkout pages together with scripts that capture whatever the victim types and forward it to the attacker. Often paired with mass-mailing tools, they let someone with little technical skill stand up a convincing fake site and launch a large campaign in minutes.
Spear phishing is phishing personalized to a specific target. The message might contain your name, employer, job title, and phone number, gathered from sites like LinkedIn, and may impersonate an acquaintance using details from your Twitter or Facebook posts. By some estimates the overwhelming majority of successful attacks on enterprise networks, as many as 95%, begin with a spear-phishing email. Whaling is spear phishing aimed at executives.
Pharming works through DNS trickery rather than a deceptive link. By poisoning a DNS resolver's cache, altering a home router's DNS settings, or editing the hosts file on the victim's machine, the attacker makes a genuine hostname resolve to a server they control, so the browser lands on a malicious site even when you type the correct URL. A 2005 hijack of the New York Internet service provider Panix showed the effect: the panix.com domain was transferred away from the company's control without authorization and pointed at an unrelated site, so visitors typing the right address ended up somewhere else entirely. No losses were recorded, but the outcome demonstrated how dangerous this kind of redirection can be.
To defend against pharming, only enter login details and personal data on pages whose address begins with "https" and whose certificate is valid for the exact domain you expect. Be aware that "https" on its own only proves that the connection to the site shown in the address bar is encrypted; phishing sites obtain certificates too, so the padlock is not proof that the site is genuine. A certificate warning on a site that never produced one before is a strong sign of pharming.
Pretending to be the login page for a major online service, Google Drive for instance, is a common and effective tactic. Two-factor authentication (using two different factors to verify yourself, such as a password and a fingerprint or face scan) greatly reduces your exposure, because a stolen password alone is no longer enough to log in. One caveat: a one-time code typed into a fake page can be relayed to the real site by the attacker in real time, whereas a hardware security key or passkey is bound to the genuine site's address and will not work on the impostor.
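The hosts-file variant of pharming can be checked for directly. The script below is added here as an example and is not code from the original article: it parses hosts-file text and reports every entry for a domain on a watch list, separating redirects to a routable address from simple blocks. The watch list, the sample entries, and the addresses in them are constructed for illustration.

```python
"""Added example (not part of the original article): scan a hosts file for
pharming-style overrides.

One common pharming technique is to plant lines in the operating system's
hosts file (/etc/hosts on Linux and macOS, drivers\\etc\\hosts on Windows) so
that a genuine hostname resolves to an attacker-controlled address before DNS
is ever consulted. This check parses hosts-file text and reports every entry
that touches a watched domain, distinguishing redirects from simple blocks.
"""
import ipaddress

# Constructed sample: routine loopback lines, a planted bank redirect and an
# ad-blocking entry. All addresses and domains are for illustration only.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# the next line was planted by malware (constructed for this example)
203.0.113.7 www.example-bank.com example-bank.com
0.0.0.0     ads.example.net
"""

# Domains that should never appear in a hosts file (hypothetical watch list).
WATCHED_DOMAINS = ("example-bank.com", "paypal.com", "amazon.com")


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower().rstrip("."), line_no


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_pharming_entries(text):
    """Return (line_no, hostname, address, kind) for each entry on a watched
    domain; kind is 'redirect' for a routable address, 'block' for loopback
    or 0.0.0.0, and 'malformed' if the address does not parse."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            kind = "malformed"
        else:
            kind = "block" if ip.is_loopback or ip.is_unspecified else "redirect"
        findings.append((line_no, name, addr, kind))
    return findings


if __name__ == "__main__":
    for line_no, name, addr, kind in find_pharming_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr} ({kind})")
```

Any hit on a watched domain deserves a look, but a "redirect" is the pharming case: the bank's hostname has been pinned to an address the bank does not own, and the browser will never ask DNS at all.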
Common Phishing Lures
There are many methods phishers have developed to lure you into submitting your personal information and data. Knowing what to look out for puts you in a better position to detect and overcome these types of attacks. Some common phishing tactics include:
- An email claiming you've won a major prize or are at risk of losing access to your account, prompting you to provide login credentials or payment information to claim the prize or keep the account.
- A phone call. There have been reports of callers posing as Microsoft employees offering technical support for Windows machines. Once the victim grants the caller remote access, the machine and its data are compromised.
- A fake website. One of the most common forms of phishing is a fake login page, such as a copy of the sign-in page for your Yahoo! email account. Access to a victim's email is especially valuable to a phisher, since password resets for other accounts land there.
You should also be on the lookout for:
- Threats of Deactivation - You receive an email from "your bank" threatening to shut down your account unless you verify your credit card information on its website immediately. The link leads to a fake site.
- The "Too Good To Be True" Scams - The classic example is the "Nigerian prince" email. Written in a poor, almost comical style, the extravagant story promises great riches if you help: the prince's fortune is supposedly frozen, a fee or your bank details are needed to release it, and you will be repaid many times over. The clumsiness is intentional; it filters out skeptical readers so that only the most credulous respond, which saves the scammer time.
- Fake FBI Arrests - A phisher wants you to act on impulse, and few things cause more worry than the threat of arrest. In the United States, phishers send emails or make calls purporting to come from the FBI or IRS, threatening arrest for offences such as tax evasion or music piracy. Rest assured, no government agency will deliver a notice like this solely by email, and none will demand payment through it. Attachments on these messages frequently carry malware, including ransomware, so don't open them.
- Fraudulent Tech Support - Toll-free 1-800 numbers are easier to obtain than you might think. These callers offer to inspect your machine for malware, "find" it, and push a software package to "fix" it. The irony is that the fix is the infection: it installs malware, keyloggers, and other tools to extract your personal information. Remember, a tech support agent from a large company will never call you out of the blue; legitimate support begins only when you contact them.
- Text Message Phishing - Even our phones aren't safe. SMS phishing ("smishing") solicits personal information by text message just as email or website phishing does, and it catches people off guard because few expect it on that channel. The text often asks you to call a number, turning it into vishing (voice phishing, discussed below).
- Hunting the Job Hunters - Phishers sometimes post phony job offers online, often aimed at students and young job seekers. The "job" turns out to be receiving money and forwarding it elsewhere for a laundering operation. The recruit (a "money mule") may actually get paid, but also risks criminal charges.
- Search Engine Viruses - Also called SEO poisoning: the attacker builds a site that ranks well in search results for a problem you are trying to solve, say an error message or a missing driver, and offers a download that promises to fix it. The download is a Trojan. Once you install it, relieved that your problem is finally fixed, the malicious code takes over and your problems only get worse.
- SWATting - While not a direct form of phishing, SWATting can be a dangerous consequence of it. The attacker uses the victim's personal details, spoofing the victim's phone number or giving the home address, to report a fake bomb threat or hostage situation so that armed police are dispatched to the victim's door. Emergency or not, having officers arrive expecting violence is a stressful and dangerous experience, and in some cases it has been deadly. Thankfully, law enforcement is now aware of SWATting and usually knows how to handle it.
How to Protect Yourself from Phishing
Phishing is clearly a serious issue every online user must address, which raises the question: "What can I do to protect myself and my business from a phishing attack?"
Awareness is the first step. Careless browsing leaves you open to phishing; good habits close most of the gaps.
Build good browsing habits, such as:
- Double-checking every link before clicking (hover over it to see where it really leads)
- Never opening unknown or untrusted attachments
- Using a different password for every account (a password manager makes this practical)
- Changing a password promptly whenever the provider reports a breach or you see a login you don't recognize
- Ignoring requests for money transfers, account changes, or passwords that arrive by email or chat, even when they appear to come from inside the company
- Verifying any such request by phone, on a number you already have, before acting on it
Use Software to Defend Your Devices Against Phishing
Properly configured software blocks much of this before you ever see it. As a basic checklist, ensure the following is installed and kept up to date on every client machine:
- An email spam filter, especially one that inspects links and flags unverified attachments
- A reputable antivirus product that receives regular security updates
- Web filtering to block known malicious sites (often built into antivirus suites)
- Anti-phishing browser extensions that show a site's reputation before you visit it
- A firewall (many antivirus suites include one, and the operating system's own firewall should be switched on)
- A pop-up blocker
- An up-to-date web browser that supports modern security features such as built-in phishing and malware warnings
Weigh what you are willing to spend against what a compromised account or stolen card would cost you.
Other Miscellaneous Tips
- Disable HTML rendering in your mail client if possible. Plain-text display stops tracking images and scripts from loading and shows the real address behind each link; attachments still need the same care.
- Encrypt your company's sensitive data and communications
- Check your bank account's activity routinely for suspicious charges
The Best Antivirus Programs with Anti-Phishing Protection
We'd recommend investing in a reputable antivirus product that includes a firewall to block malicious traffic, and keeping it updated. Two popular options are:
- Norton LifeLock
- Heimdal Security
How to Avoid Phishing Emails
You cannot stop every phishing email from reaching your inbox; some will always slip through, just as ordinary junk mail does. You can, however, learn to tell a genuine message from a malicious one and know what to do when you're at risk.
Phishing emails might:
- Contain hyperlinks to suspicious websites with unfamiliar or look-alike URLs.
- Carry attachments containing ransomware or other malware. Almost any file type can be weaponized; even an Excel spreadsheet can hide malicious macros. A plain text file (.txt) is the rare exception.
- Press a sense of urgency, such as a great deal on a product or a giveaway/lottery, to push you into acting.
- Address you as a "valued customer" without using your name, since a mass-mailing phisher doesn't know who you are. (A spear-phishing message, by contrast, will use your name and other personal details, so a correct name is not proof of legitimacy.)
- Contain spelling and grammatical errors.
- Arrive at an odd time, such as 4 am on a Sunday.
- Carry an irrelevant or strange subject line.
- Come from an address you don't recognize, though keep in mind that attackers can forge or compromise a coworker's address to deliver a more convincing message. Be suspicious when an acquaintance's email seems out of character.
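Many of the signs above, and the tell-tale clues in the Amazon example earlier, can be checked mechanically. The script below is an added example, not code from the original article: it parses a constructed phishing message with Python's standard email library and reports a Reply-To domain that differs from the sender's, failed SPF/DKIM/DMARC results in the Authentication-Results header that a receiving mail server adds, link text that shows one domain while the link points at another, and attachment types that commonly carry malware. The sender domain, link target, and attachment name in the sample are invented.

```python
"""Added example (not from the original article): triage a raw email for the
phishing indicators described above, using only the standard library."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. Sender domain, link target and attachment name
# are invented; the Authentication-Results header is the kind a receiving
# mail server adds after checking SPF, DKIM and DMARC.
RAW_MESSAGE = b"""\
From: "Amazon Customer Service" <orders@amazon-deals-center.com>
Reply-To: support@mail-verify.example
To: victim@example.org
Subject: Final notice: confirm payment or lose your order
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=amazon-deals-center.com; dkim=none; dmarc=fail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear valued customer,</p>
<p>Click <a href="http://amazon.com.verify-login.example/signin">https://www.amazon.com/your-orders</a> within 24 hours.</p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.xlsm"
Content-Disposition: attachment; filename="invoice.xlsm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Extensions that commonly carry executable code or macros.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".xlsm", ".docm")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value):
    """Lower-cased domain from 'Name <user@host>' or 'user@host' ('' if none)."""
    return email.utils.parseaddr(header_value)[1].rpartition("@")[2].lower()


def hostname_in_text(text):
    """Hostname that link text appears to show, or '' if it isn't URL-like."""
    t = text.strip()
    if " " in t or "." not in t:
        return ""
    return urlparse(t if "://" in t else "//" + t).hostname or ""


def triage(raw):
    """Return a list of indicator strings found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_domain = domain_of(msg["From"] or "")
    reply_domain = domain_of(msg["Reply-To"] or "")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Outcome of the receiving server's SPF/DKIM/DMARC checks.
    auth = (msg["Authentication-Results"] or "").lower()
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{method} result is {m.group(1)}")

    for part in msg.walk():
        if part.get_content_type() == "text/html":
            extractor = LinkExtractor()
            extractor.feed(part.get_content())
            for href, text in extractor.links:
                target = (urlparse(href).hostname or "").lower()
                shown = hostname_in_text(text)
                if shown and target and shown != target:
                    findings.append(f"link text shows {shown} but points to {target}")
        elif part.get_filename():
            name = part.get_filename().lower()
            if name.endswith(RISKY_EXTENSIONS):
                findings.append(f"risky attachment {name}")
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE):
        print("-", finding)
```

The Authentication-Results check is the one a mail filter leans on hardest: it records whether the sending server was authorized for the claimed domain, which a forged From header cannot fake. The link check catches the most common visual trick, a genuine-looking address shown as the link text while the real target is somewhere else.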
How to Prevent Them
- Spam filters are the most obvious defense. They come with most email clients and work by assessing where a message came from (including whether it passes the sending domain's SPF and DKIM checks) and analyzing its content for spam-like characteristics. They aren't 100% reliable and sometimes produce false positives, but they're still well worth using.
- Check where each hyperlink really leads (hover over it, or look at the link target in a plain-text view) and decide whether the site is genuine before visiting it.
- Never open attachments if you suspect a phishing email.
- Don't click links in emails. If you need to visit the site, type the address you know or use a bookmark; copying the link out of the email takes you to the same place clicking it would.
- Use common sense. Major organizations will never ask for passwords or full card details by email, and a genuine message usually shows that the sender knows you, for example by quoting part of your account number.
- When in doubt, contact the organization through its published channels to confirm the communication is genuine.
How to Avoid Phishing Calls
Voice phishing, also known as "vishing," is a phishing attack via telephones and Voice-over-IP services.
Vishing can take many forms, but some common examples are:
- Fake charities advertising a fake organization website.
- Fake calls from the government and IRS demanding action to prevent a major fine or arrest.
- Fake calls claiming to offer tech support and requesting access to your machine.
How to Prevent Them
- Don't rely on whether the caller knows your name; names are easy to find and caller-ID databases often supply them. Instead, ask what the call is about, hang up, and call the organization back on a number from its official website or the back of your card.
- Know that your bank will never call you and ask for sensitive information such as your Social Security number, PIN, or full password.
- Don't be afraid to ask for verification. A legitimate business will happily let you hang up and call back through its published number.
How to Avoid Phishing Websites
Fake websites masquerading as genuine online services are the usual destination of a phishing email. They can be hard to identify, because attackers have become good at copying the look and behavior of real sites. The key giveaway is the URL: a phishing site typically uses an address that differs from the real one by a subtle, easily missed detail.
PayPal is a frequent target of this trick. In many sans-serif fonts a capital I is nearly indistinguishable from a lowercase l, so paypaI.com passes for paypal.com at a glance; a digit 1 in place of l, or the letters "rn" in place of "m", can do the same, and internationalized domain names allow non-Latin letters that look identical to Latin ones. Look for these subtle clues before engaging with the site.
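The look-alike tricks just described can be detected automatically. The code below is an added example, not from the original article: it reduces a hostname to a "skeleton" in which confusable characters are collapsed, decodes punycode so internationalized names are compared in their visible form, and then checks the result against a small brand list for exact matches, one-character typos, and brand names buried in subdomains. The brand list and the test hostnames are constructed for illustration, and the registered-domain logic is deliberately simple (it takes the last two labels, so it does not handle suffixes like co.uk).

```python
"""Added example (not from the original article): flag look-alike domains.

A hostname is reduced to a "skeleton" in which characters that render alike
are collapsed (I and 1 to l, 0 to o, rn to m, a few Cyrillic letters to their
Latin twins) and punycode is decoded so an internationalized name is compared
as the user sees it. The skeleton is then matched against a brand list.
Brand list and sample hostnames are constructed for illustration.
"""

# Brand -> the registered domain it legitimately uses (hypothetical list).
BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com", "microsoft": "microsoft.com"}

# Single characters that look alike in common sans-serif fonts.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l",
                             "\u0430": "a", "\u043e": "o", "\u0440": "p", "\u0435": "e"})
# Letter pairs that pass for a single letter at a glance.
PAIR_CONFUSABLES = (("rn", "m"), ("vv", "w"))


def registered_domain(host):
    """Last two labels of a hostname (adequate for .com-style suffixes only)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def skeleton(text):
    """Collapse visually confusable characters so look-alikes compare equal."""
    try:
        text = text.encode("ascii").decode("idna")   # xn--... labels -> Unicode
    except UnicodeError:
        pass                                          # already Unicode, or not IDNA
    s = text.translate(CONFUSABLES).lower()           # translate first: 'I' -> 'l'
    for pair, single in PAIR_CONFUSABLES:
        s = s.replace(pair, single)
    return s


def edit_distance(a, b):
    """Levenshtein distance; insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (verdict, brand): 'legitimate', 'lookalike', 'brand-in-name' or
    'unrelated' (brand is None in the last case)."""
    reg = registered_domain(host)
    reg_skel = skeleton(reg)
    host_skel = skeleton(host)
    for brand, legit in BRANDS.items():
        if reg.lower() == legit:
            return ("legitimate", brand)
        if reg_skel == legit or edit_distance(reg_skel, legit) <= 1:
            return ("lookalike", brand)
        if brand in host_skel:
            return ("brand-in-name", brand)
    return ("unrelated", None)


# Constructed sample hostnames exercising each trick.
SAMPLE_HOSTS = [
    "www.paypal.com",                                   # genuine
    "paypaI.com",                                       # capital I for l
    "paypa1.com",                                       # digit 1 for l
    "arnazon.com",                                      # rn for m
    "amazon.com.verify-login.example",                  # brand in subdomain
    "p\u0430ypal.com".encode("idna").decode("ascii"),   # Cyrillic a, as punycode
    "example.org",                                      # unrelated
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:40} {classify(h)}")
```

The order of the checks matters: the exact match on the real registered domain runs first so that www.paypal.com is never reported as a look-alike of itself, and the brand-in-name test comes last because it is the noisiest (it will also flag harmless mentions such as a news site's "amazon-earnings" page).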
How to Prevent Them
- Enable your web browser's built-in protection settings. Most modern browsers automatically block suspected phishing sites from opening.
- Report any phishing site to the organization it imitates, such as your bank.
- If a website is asking for login credentials or sensitive information, make sure the site is legitimate before entering anything.
- Contact the company through a channel you already trust to verify directly.
- Make sure the URL is exactly right and that the address begins with "https". Remember that "https" only means the connection to the displayed domain is encrypted; phishing sites use it too, so it is necessary but not sufficient.
- Use two-factor authentication whenever you can.