What is phishing and how do I avoid it?
Have you ever received an email from what you think is a trusted source asking for sensitive information, things like bank details, usernames or passwords?
These emails often include a link which takes you to a website that asks for your personal and private information.
But how do you know that this isn’t genuine, that it’s a scam? Put simply, your bank, or any other organisation that holds your personal information or manages your money, will not send you an email asking you to supply those details through a link. Instead, these are phishing scams created by cybercriminals trying to steal from you. Thieves borrow well-known names like PayPal, eBay or courier firms and create official-looking emails in an attempt to catch unsuspecting victims.
Once you fall for a phishing message, scammers can run up bills on your debit and credit cards or, in the worst case, steal your identity.
So, let’s go into a little more detail.
What is phishing?
Phishing is a technique cybercriminals use to fool victims into handing over sensitive information by posing as a trustworthy organisation. They work across a variety of channels, sending millions of fake emails and text messages in the hope that enough recipients will be tricked into sharing their personal data.
Many of these emails or messages look unprofessional, with grammatical errors and spelling mistakes throughout, although well-crafted ones exist too. The criminals don’t have to be sophisticated: their success relies on the sheer volume of messages they send out, since only a handful of victims need to fall for the scam to make it pay.
For example, in 2018 the Federal Trade Commission warned about a phishing scam targeting Netflix users. The email looked like it was sent from Netflix and included a link asking users to update their billing information to keep using the streaming service. Instead of taking users to the Netflix website, the link led to a look-alike site built by the cybercriminals to harvest those details.
So, how do you protect yourself against phishing scams? Learn to recognise what these scams look like, and never click on links in emails or texts that purport to be from your bank or another well-known organisation; go to the site yourself instead.
How phishing works
- First, the cybercriminals identify their target victims and decide what data they want to collect and how they will use it in the attack.
- They then build the lure, such as the scam emails or messages intended to get their victims to share sensitive information.
- The attack begins when they send these scam messages or emails out to their chosen victims.
- The scammers then monitor the responses and store any data that has been collected.
- Finally, the cybercriminals use this data to make illegal purchases or commit fraud.
Whilst this is the most common route taken by phishing scammers, there are variations, and phishing is often cleverly disguised in other ways.
5 most common types of phishing
- Email phishing – As mentioned above, this is the most common form of phishing. An email is sent by fraudsters pretending to be a legitimate company, usually a bank or financial institution. It will usually include a link that takes you to a fake webpage which asks for your details. Alternatively, the link may lead to a page that tries to install malware on your device, typically by prompting you to download or open a file.
- Spear phishing – Unlike regular phishing emails, which are sent out to large groups of people, spear phishing is a more personalised approach. The messages are specifically targeted at certain individuals, businesses or organisations, which means the attackers have carried out detailed research on their victims. Spear phishing is a form of social engineering: the emails look legitimate because they are built from real details about the target. For example, customers who recently purchased something from a website may receive an email that looks like it’s from the same company with the subject line ‘Your order has been dispatched’, including a link that could download malware onto your device.
- Clone phishing – One of the most difficult to detect, clone phishing is when a scammer takes a legitimate email the victim has already received, builds a near-identical copy of it and swaps the original links or attachments for malicious ones, often presenting it as a resend or an updated version.
- Whaling – This is when cybercriminals target high-ranking professionals or government officials. The aim is to fool the most powerful people into sharing very sensitive corporate or government data. These kinds of attacks are much more sophisticated than the average phishing scam and require more research.
- Pop-ups – Finally there’s pop-up phishing, a scam in which ads pop up and try to trick users into installing malware on their devices. These ads are sometimes disguised as anti-virus software offering to protect your computer from an attack when, in reality, installing them is what infects your device.
Tips on how to protect yourself
- Never provide sensitive information in response to an email or message containing a link. The webpage or email may look legitimate, but you can’t be sure. If you didn’t initiate the communication, don’t pass your information on.
- If you think the correspondence could be legitimate, contact the organisation directly and ask, using a phone number or web address you already know (from your card, a statement or a previous visit), not one taken from the message itself.
- Never give out your full password over the phone or in reply to an unexpected request online. A bank or financial organisation will never ask for these details in an email or phone call.
- Always check your account statements and verify that the transactions were authorised by you. Online banking lets you view your transactions in real time, making it much easier to catch fraudulent activity early.
- Don’t click links in emails that claim to be from financial institutions or well-known sources like Amazon or eBay. These URLs may look legitimate, but they usually contain subtle differences that direct you to a fraudulent site. Type the organisation’s address into your browser yourself instead.
- Look out for common phishing language. Scammers tend to use similar wording across their fraudulent emails and text messages, and the messages are often littered with bad grammar and spelling mistakes. Common tactics are ‘verify your account’ requests that say you must act urgently, warnings that your account has been hacked or suspended, and enticing offers of cash rewards or prizes.
- Check the address the email was actually sent from, not just the name shown next to it. The display name can say the company’s name while the address behind it is on an unrelated domain, and a look-alike domain is not the company’s domain (e.g. anything other than @companyname.co.uk should make you immediately suspicious). Even a correct-looking address is not proof on its own, because the From address can be forged unless the receiving mail service checks it with SPF, DKIM and DMARC. Mass phishing messages are also usually not addressed to you by name, whereas most legitimate correspondence uses your first and/or last name, although targeted attacks will use your name too.
- Check the address bar before entering personal or sensitive information. The padlock in the address bar only means the connection to the site is encrypted (TLS); it does not mean the site belongs to the organisation it claims to be, and phishing sites routinely have valid certificates. What matters is the domain itself: make sure it is the organisation’s own. Clicking the padlock shows the certificate details, but for most sites the certificate names only the domain, not the organisation that applied for it.
- Don’t click on pop-up ads and never download anything from them.
- Install anti-virus software, keep it updated and use spam filters. Where a service offers two-factor authentication, turn it on, so that a phished password alone is not enough to log in.
For companies looking to stop employees falling for these phishing scams, one of the best things to do is to use anti-phishing software alongside training staff to spot the signs above. There are plenty of options on the market, offering features such as identifying and blocking malicious attachments, detecting spear phishing emails and more. This software is designed to stop phishing scams reaching your employees’ inboxes, although no filter catches everything.
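The sender, link and language tips above can be applied mechanically to a message before anyone clicks anything. The script below is an added example, not code from the original article: it parses a raw email, compares the sender’s domain with the brand named in the sender, compares each link’s visible text with its real target, and looks for the urgency phrases listed above. The two sample messages, the small brand-to-domain table and the `.example` domains are all constructed for the example.

```python
"""Phishing indicator checks over a raw email (added example, not the
article's code). Sample messages and the brand table are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed brand -> legitimate domains; a real filter would use a maintained list.
KNOWN_BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
    "netflix": {"netflix.com"},
}

# Phrases the article lists as typical phishing language.
URGENCY_PHRASES = [
    r"verify your account",
    r"act (now|immediately|urgently)",
    r"within \d+ hours",
    r"account (has been|will be) (suspended|locked|hacked)",
    r"you have won",
]


def registrable_domain(host):
    """Crude eTLD+1: 'www.paypal.co.uk' -> 'paypal.co.uk',
    'paypal.com.evil.example' -> 'evil.example'. Only common two-label
    suffixes are handled; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    two_label_suffix = (len(labels) >= 3 and len(labels[-1]) == 2
                        and labels[-2] in {"co", "com", "org", "gov", "ac"})
    return ".".join(labels[-3:] if two_label_suffix else labels[-2:])


def brand_in_text(text):
    text = text.lower()
    return next((b for b in KNOWN_BRAND_DOMAINS if b in text), None)


def check_sender(msg):
    """Tip: the real From address should match the company it claims to be."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    brand = brand_in_text(display) or brand_in_text(addr)
    if brand and registrable_domain(domain) not in KNOWN_BRAND_DOMAINS[brand]:
        return [f"sender claims to be {brand} but address domain is {domain}"]
    return []


def check_links(html):
    """Tip: link text and link target should agree, and a brand name buried
    inside a host ('paypal.com.secure-login.example') is not the brand."""
    findings = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        target = (urlparse(href).hostname or "").lower()
        visible = re.sub(r"<[^>]+>", "", text)
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", visible, re.I)
        shown = m.group(1).lower() if m else ""
        if shown and registrable_domain(shown) != registrable_domain(target):
            findings.append(f"link text shows {shown} but points to {target}")
        brand = brand_in_text(target)
        if brand and registrable_domain(target) not in KNOWN_BRAND_DOMAINS[brand]:
            findings.append(f"link host {target} imitates {brand}")
    return findings


def check_urgency(html):
    """Tip: 'verify your account', deadlines and threats of suspension."""
    plain = re.sub(r"<[^>]+>", " ", html)
    hits = (re.search(p, plain, re.I) for p in URGENCY_PHRASES)
    return [f"urgency phrase: {m.group(0)!r}" for m in hits if m]


def body_text(msg):
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")]
    return "\n".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts)


def analyze(raw_message):
    """Return human-readable findings; an empty list means none of the three
    checks fired, which is not proof that the message is genuine."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    return check_sender(msg) + check_links(body) + check_urgency(body)


# Constructed sample: look-alike sender domain, misleading link, urgency.
PHISHING_SAMPLE = """\
From: "PayPal Service" <service@paypal-secure-login.example>
To: victim@example.com
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<p>Dear customer,</p>
<p>We detected unusual activity. Please
<a href="http://paypal.com.secure-login.example/verify">verify your account</a>
within 24 hours or your account will be suspended.</p>
<p>Or sign in at <a href="http://paypal-secure-login.example/login">https://www.paypal.com/</a></p>
"""

# Constructed sample that passes all three checks.
LEGITIMATE_SAMPLE = """\
From: Netflix <info@netflix.com>
To: member@example.com
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<p>Hi Alex,</p>
<p>Your statement is ready. Sign in at
<a href="https://www.netflix.com/account">www.netflix.com</a> to view it.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, analyze(sample) or ["no indicators found"])
```

Note what the script cannot do: a message whose From address is simply forged to read @paypal.com passes the sender check, which is why the receiving mail server needs to validate senders with SPF, DKIM and DMARC, and why the safest habit remains not following the link at all and going to the site yourself.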
For more information on phishing and how to protect your business, get in touch with our team today!