Phishing is one of the most pervasive cybersecurity problems. Believe it or not, phishing attacks have been around since the early days of the internet. The first recorded phishing attempt was conducted by a group of hackers in the mid-1990s. They used the America Online service to steal log-in details and credit card information from AOL users.
Unfortunately, threats have only been growing in number and complexity in the past few years. Using data from social media, hackers can easily personalise phishing emails, making them appear more convincing.
Without a good understanding of phishing attacks, anyone is vulnerable to security breaches and data breaches. We are sharing this guide to increase awareness about phishing attacks. We hope this encourages you to implement crucial security solutions that can minimise your cyber risks.
What is Phishing?
Phishing refers to a wide array of fraudulent activities that are carried out through social engineering techniques. No one knows for sure how the term came to be. However, some argue that it is derived from the word “fishing”, since phishing does encompass methods to fish for credit card information and other personal details.
In a phishing attack, hackers will send a fraudulent email containing malicious URLs and attachments that collect confidential information. The methods that hackers use can vary greatly depending on their skills, targets or goals. However, phishing attacks usually have just two objectives: steal sensitive information or deliver malware.
How Phishing Works
Phishing relies heavily on social engineering tactics to convince targets to perform harmful actions. Although there are several types of phishing attacks, in general, hackers will pretend to be from a reliable source of some kind. They’ll impersonate either a trusted entity or someone you know. They’ll send fraudulent communications via email, social media or phone.
Some phishing messages may contain malware disguised as harmless attachments. If you download and access the attachment, it can activate a virus that can steal your personal information.
Others may contain a malicious link to a fake website. Since many of these domains appear very convincing, they can easily trick unsuspecting users into entering their bank account details.
Even though modern phishing attacks still involve simple, old-school social engineering tactics, the techniques are becoming increasingly sophisticated. Some hackers are even using professional marketing techniques to help them create the most effective types of email messages. Simply put, you have to keep up with the ever-evolving threats to secure yourself from phishing attacks.
Types of Phishing Attacks
Phishing comes in many forms. By knowing the most common types of phishing attacks, you’ll know what threats you need to protect yourself against.
Email phishing is arguably the most well-known and common type of attack. Cybercriminals will create a fake domain, mimicking a legitimate organisation. They’ll send mass phishing emails, containing either links to malicious websites or malware-infested attachments.
Spear phishing is a targeted attack, designed to steal sensitive data from specific individuals, businesses or organisations. Similar to other phishing scams, spear phishing attacks involve fraudulent communications from hackers pretending to be legitimate entities.
Hackers will use open-source intelligence (OSINT) to collect publicly available information. This enables them to mention real names, job functions and other contact information, making the phishing emails appear to be requests from someone within the organisation. In doing so, targets are more likely to perform the specified actions in the spear phishing email.
Whaling is a highly targeted phishing technique directed toward high-profile individuals, such as celebrities, senior executives and politicians. It is also called CEO fraud because senior executives are common targets for this method.
Instead of sending mass emails, hackers target specific individuals. They’ll leverage OSINT to look for names and job positions of other senior executives that they can impersonate. Like the usual phishing methods, hackers will send phishing emails, posing as a trusted entity.
Voice phishing, also known as vishing, occurs when hackers call up your phone to make the scam more convincing. They might pretend to be someone they’re not. They might pretend to be associated with a particular company, organisation or government agency to steal sensitive data or funds.
The targets for voice phishing range from call centre agents and customer service representatives to company employees. Sometimes, hackers will impersonate in-house tech support to convince their targets to reveal company data.
Smishing is an SMS phishing technique. In an SMS, the scammers will appeal to your emotions to create a sense of urgency and entice you to respond immediately. These phishing messages might also contain links and attachments that lead to a malicious website or a virus.
Like vishing and smishing, angler phishing uses social media features like direct messaging and notifications to entice unsuspecting victims to perform specific actions. Even if the link appears to be legitimate, you should avoid clicking links that strangers share with you via instant messages. They could lead to a phishing website or install malicious software.
Clone phishing is another targeted email attack that exploits the services you’ve used before to prompt a specific action. In this case, hackers will copy the format of a legitimate email you have already received. They’ll swap the original links and attachments for ones that lead to fraudulent websites or malware-infested attachments.
Again, hackers will send mass emails to a large group of people. They’ll simply wait for recipients to take the bait. If someone clicks on the link, hackers will be able to forward the same email to the recipient’s contacts.
HTTPS (Hypertext Transfer Protocol Secure) is a protocol that encrypts data transmitted between your browser and a website. Many businesses and legitimate organisations use HTTPS. Unfortunately, hackers have caught up with this: the padlock icon only tells you the connection is encrypted, not that the site is genuine. Often, they’ll use HTTPS in the links inside phishing emails.
For security purposes, avoid clicking shortened links and hypertext, especially if the email is from a sender you don’t recognise.
As the name suggests, pop-up phishing leverages fraudulent communications that “pop up” when you’re browsing the web.
In this method, hackers will add malicious code to notification boxes, which are the small pop-up messages you see when you visit websites. Often, these messages will warn you about a security threat or a technical problem. They can prompt unsuspecting website visitors to act fast.
A newer pop-up phishing attack might leverage the notification feature. For instance, you might visit a website and receive a pop-up message, saying “www.preventphishing.com wants to show notifications.” If you click Allow, that pop-up can add malicious code to your computer and company network.
Watering hole phishing
Watering hole phishing is a more complex cyber attack that relies heavily on research around the browsing habits of company employees. Scammers will find out the websites that employees frequent and infect them with malicious code. These websites can range from industry news pages to third-party vendors’ websites.
Once employees visit the infected website, scammers are able to install malware or other viruses on their systems. Without proper security solutions, this can lead to disastrous consequences, such as data breaches.
Phishing Attack Examples
A phishing attack can come in many guises. These are some of the most common scams that you need to be aware of.
There’s a widespread vishing scam in the US, where scammers pretend to be working for the Internal Revenue Service (IRS). Since scammers target older people or immigrants, who might not be familiar with the law, they can create a sense of panic and fear. They can trick their targets into revealing personal data, such as social security numbers.
Compromised credit card
In this scam, cybercriminals leverage information about your recent online purchases. Say, you bought a new iPad on credit. Scammers will use that to their advantage. They’ll send you a phishing email, which has been tailored to look like it was sent by Apple’s customer support. They’ll tell you that your account has been compromised. Then they’ll ask you to confirm your credit card details.
Social media DMs
Social media makes it so much easier for scammers to get unsuspecting targets to click on malicious links. They won’t even have to create a fake email to do it. They’ll simply slide into your DMs and send you a link. It might appear to be a link to a website, video or other digital content. If you click on it out of curiosity, your computer and network could be infected with a virus.
Scammers will create fake versions of legitimate websites to trick people into entering their login credentials. From PayPal and Amazon to Microsoft, scammers usually spoof websites of well-known brands. They could also target banks and other financial institutions.
A phishing email for this kind of scam might inform you about an update on their website. Then, the sender will tell you to click on a link and verify your account again.
Aside from consumers, company employees are a common target for scammers. Posing as in-house tech support, these scammers will try to get the employees to install malicious software. They’ll use a spoofed email, resembling the real one. For instance, instead of firstname.lastname@example.org, they’ll use email@example.com.
Why Does Phishing Increase During a Crisis?
Online fraud is flourishing amid a global health crisis, according to the Federal Bureau of Investigation’s 2020 Internet Crime Report. To be specific, the FBI’s Internet Crime Complaint Center (IC3) received 28,500+ complaints involving the COVID-19 outbreak. From email phishing attacks to fraudulent websites, scammers spread malicious attachments and links to gain access to information systems and sensitive data.
Opportunity is driving the exponential boom of scams during this crisis. The COVID-19 pandemic has forced many employees to work outside of a cyber secure working environment. Using only video conferencing services and other remote tools, employees are now more vulnerable to a broad range of threats.
In a time of financial uncertainty, many are desperate and willing to take financial risks. Scammers exploit these fears and weaknesses by promising immediate financial help, rewards or high investment returns.
What Are the Dangers of Phishing Attacks?
A phishing attack can lead to a wide range of consequences for individuals and brands alike.
Damage to personal reputation
If scammers are able to get their hands on your log-in credentials, they can use that without your permission. They can log into your email and social media accounts. They can hurt your personal and professional relationships by scamming other people using your name. You could potentially lose your job if they affect your work. If you run a business, you could lose your clients.
The scammers can use your name to commit crimes, forcing law enforcement to arrest you. Clearing your name will take time. Until then, your arrest record might appear on background checks for job prospects, housing options and more.
The financial consequences of phishing depend mostly on the type of data scammers can get their hands on. If they steal credit card information, you can tell your bank. You can get a new account number and have the fraudulent charges removed.
However, if scammers steal your Social Security number and confidential information, they can pretend to be you. They can drain your accounts and steal your tax refund. They can also open new credit cards in your name and continue to run up your debt.
With your Social Security number, scammers can use your insurance. If you have a medical emergency and you no longer have your medical benefits, you might end up with a lot of debt.
Recovering your finances and restoring your reputation after a scam is just half the battle. Identity theft is a devastating crime that can easily overwhelm its victims. Many have to learn how to cope with a range of emotions – anger, loss, embarrassment and helplessness to name a few.
The financial consequences of scams can take a huge emotional toll on the victims. After all, these scams can affect your child’s education, your mortgage and even your retirement plan. Often, victims, who are suffering mentally and emotionally from scams, have to seek the help of medical professionals.
What Are the Signs of Phishing?
There was a time when you could tell a legitimate email from a scam simply by its spelling and grammar errors. Scammers, unfortunately, have gotten better at correcting these mistakes. If you know what signs to look out for, you can recognise phishing attempts and avoid them before it’s too late.
One of the first things that you should look into when you receive a suspicious email is the greeting. If the email appears to be from a person or brand that you’ve engaged with before, you can expect that message to be personalised. It should, at the very least, have your name. Thus, if you receive generic greetings like Dear Sir/Madam or Dear Account Holder, that should be a red flag. It could easily be a phishing email.
Inconsistencies in contact information, URLs and more
Cyber criminals will create new email addresses and contact information that look nearly identical to the original ones. Some will even go as far as creating fake websites to make the scam more convincing. If a link points to a URL you don’t recognise, treat it as a potential threat.
Another tell-tale sign of a phishing scam is an offer that is too good to be true. It could be a promise of high investment returns along with little to no risk. All investments come with risks.
Calls for immediate action
Scammers leverage fear to manipulate people into doing what they want. Whether in pop-up messages, unsolicited emails or voice calls, scammers may invoke fear to prompt immediate action. You should be wary of calls to action like “click here, immediately” or “send your contact details within 24 hours.”
Then, they’ll swoop in with a solution that can get rid of the problem. They’ll prompt you to click on a link, download a file or enter your account details to access their solution.
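The signs above (an unfamiliar sender domain, a generic greeting, urgency language, and link text that doesn’t match where the link really goes) can be checked mechanically. The following Python script is an added example, not code from the original article; the `analyse_email` function, the trusted-domain list and the sample message with its made-up domains are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Each indicator mirrors one of the signs described in the article.
GENERIC_GREETINGS = ("dear sir/madam", "dear account holder", "dear customer")
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended")

# Constructed sample message for this example; the domains are made up.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@examp1e-bank-secure.com>
To: jane@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<p>Dear Account Holder,</p>
<p>We detected a problem. Verify your details within 24 hours or your
account will be suspended.</p>
<p><a href="https://login.examp1e-bank-secure.com/verify">https://www.example-bank.com/login</a></p>
"""

def registered_domain(host):
    """Reduce a hostname to its last two labels ('www.example-bank.com' -> 'example-bank.com')."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def analyse_email(raw, trusted_domains):
    """Return (score, reasons) for a single-part raw message; a higher score means more red flags."""
    msg = message_from_string(raw)
    reasons = []
    # Sign 1: the sender's address domain is not one you know for that brand.
    display_name, addr = parseaddr(msg.get("From", ""))
    if "@" in addr:
        sender_domain = registered_domain(addr.rsplit("@", 1)[1])
        if sender_domain not in trusted_domains:
            reasons.append(f"sender {display_name!r} writes from unknown domain {sender_domain}")
    body = msg.get_payload()  # assumption: single-part text/html body
    text = re.sub(r"<[^>]+>", " ", body).lower()
    # Sign 2: generic greeting instead of your name.
    if any(g in text for g in GENERIC_GREETINGS):
        reasons.append("generic greeting")
    # Sign 3: pressure to act immediately.
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    # Sign 4: the visible link text shows one site but the href goes to another.
    for href, label in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = urlparse(label.strip()).netloc
        real = urlparse(href).netloc
        if shown and registered_domain(shown) != registered_domain(real):
            reasons.append(f"link text shows {shown} but points to {real}")
    return len(reasons), reasons
```

Calling `analyse_email(SAMPLE_EMAIL, {"example-bank.com"})` flags all four signs for the sample, while a plain statement notice from the trusted domain scores zero.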
How to Protect Against Phishing Emails
There isn’t an all-in-one solution that can protect you from all kinds of phishing threats. However, you can make yourself a harder target by promoting cyber security awareness and implementing a few security measures.
Contact the sender directly
Don’t feel intimidated by an unsolicited email, suggesting horrible consequences if you don’t provide your financial details immediately.
If you’ve received a suspicious email, particularly from a business or organisation you’re familiar with, make sure to contact the sender directly. However, never use the phone number or website listed on the email. Instead, do a quick search on Google to find legitimate contact details. If the sender’s email address and contact details don’t match the information you’ve found online, it’s most likely a phishing email.
If you’ve received suspicious messages from a person or company you haven’t engaged with, it could be a veiled threat. Look for the tell-tale signs of a phishing email to confirm it.
Don’t share personal information
Never share confidential information like your bank details and social security number with someone who calls, emails or texts you.
There are legitimate organisations that might need your social security number to identify you. However, always remember that banks and other trustworthy entities will never ask you to provide such sensitive data over a call, email or text.
Never click on links and attachments in phishing emails
If you receive unsolicited emails, refrain from clicking on links or downloading attachments. These can infect your computer with viruses that can steal your personal data.
How to Prevent Phishing Attacks
Taking a proactive approach to cybersecurity can help you reduce your online threats and prevent the costly repercussions of data breaches.
Improve cyber security awareness
People are the key targets of phishing attacks. By promoting cyber security awareness training, companies of all sizes can turn their weakest link into their first line of defence against all kinds of cyber threats.
Training can raise awareness of online threats and reduce the risks of potential attacks. For organisations, training must be as engaging as it is informative to ensure that the staff fully understands their role in safeguarding sensitive company data.
Use security software
Aside from knowing potential threats, you need to set up security solutions to address your vulnerabilities. Install reliable security software that can monitor and block potential online threats. Make sure to use features like vulnerability scanning, malware detection and patch management. In addition, you should keep your systems and programs up to date.
Use multi-factor authentication
Make it harder for hackers to access your account by using multi-factor authentication. Even if they do get your username and password, they won’t be able to access your account if they can’t provide the rest of the credentials, such as a fingerprint or face scan.
Verify authenticity of unsolicited communications
Be sceptical of phishing emails with questionable origin. Before responding, make sure to verify the authenticity of the emails, texts and phone calls.
Whether it is by call, text or email, never give away your sensitive information to unsolicited requests. Again, legitimate sources will not ask you to disclose highly sensitive information online for ordinary transactions.
Restrict internet access
Using access control lists, you can prevent unintentional access to malicious websites. Creating access controls for your networks can restrict access to certain types of websites and web-based applications. Also, ACLs can block unwanted users and traffic from accessing your networks.
Take down fake websites
Companies in the financial and healthcare industries are some of the most vulnerable to a phishing attack. If you are aware of spoofed versions of your websites, you should hire security agencies that can take care of the problem for you. They can take down fake versions of your website on your behalf.
In doing so, you can prevent your employees and customers from giving away their login credentials and other sensitive information.