Phishing is a cybercrime scam that has been around since the 1980s; it tricks victims into sharing personal information via email, phone call, or text. Scammers typically focus on passwords, account numbers, and Social Security numbers, and use the stolen information to gain access to email, bank, or other accounts, resulting in identity theft or financial loss. They pose as legitimate organizations to gain trust and lure victims into their scheme. Phishing attacks are launched daily, and they can cost companies a tremendous amount of money as well as customers and business.
The term phishing is a play on fishing, since attackers and scammers are putting lures in many different places and hoping that someone will take the lure. The term was coined in 1996 by hackers who were stealing AOL Internet accounts by scamming passwords from unsuspecting AOL users. Since hackers have a tendency to replace “f” with “ph”, the term phishing developed.
Common phishing techniques
Phishing comes in many different forms:
- Whaling targets senior executives. An attacker impersonates another high-level person in the business, sometimes the CEO (often called CEO fraud). A request for money seems more urgent when it appears to come from a senior member of the company. Businesses have compromised their systems and finances by falling prey to whaling, which takes its name from the senior employee being the “big fish” in the company.
- Clone phishing copies a legitimate email previously sent by a trusted source and replaces or adds a malicious attachment.
- Voice phishing, or vishing, prompts victims to enter personal information over the phone.
- SMS phishing, or smishing, urges victims to call a number, click a link, or email a specified address sent via text message.
Attackers may also take over a DNS server. This lets them change the IP address that a requested domain name resolves to, so that users who ask for a legitimate site are routed to the attackers’ own fraudulent website instead.
A more recent and sinister example is spear phishing, where scammers target a specific person or company. Spear phishing is a specific attack in which the scammer has made concentrated efforts to learn details about the person and company they’re targeting. They have probably observed or spied on previous company communications, so they know what emails look like. They may have even searched the person’s social media so that they can add personalized details to their communication.
Spear phishing is often more advanced than other scams. A fraudulent email might be fashioned like a standard company email and may include executive credentials that look convincing. These emails might also masquerade as an IT request, thus giving hackers credentials to company accounts.
How to spot phishing
Phishing scams often have similar features that are easy to spot. These include:
- Too-good-to-be-true announcements or attention-grabbing statements that offer something unbelievable. These scams announce you as the winner of a lavish prize even though you didn’t enter any contest. If something seems too good to be true, it probably is.
- Messages with a sense of urgency that tell you to act fast because a deal will expire in a few moments or an account will be suspended if your information isn’t updated immediately. Most reliable organizations give you plenty of time to respond and never ask for updated personal details over the internet.
- Hyperlinks to popular websites with slight misspellings in the URL. A way to counter this common tactic is to always hover over a suspicious hyperlink before clicking, so that the real destination is shown.
- Grammatical errors, strange phrasing, or strangely constructed email addresses. Phishing scams often have misspelled company names or awkward phrasing and word choice.
Ways to avoid phishing scams
Being highly aware of social engineering tactics is the best way to initially protect a business from phishing. We’ve listed just a few suggestions for avoiding phishing tactics here.
- Host training sessions in your company so that all employees are aware of common social engineering techniques. If they are aware that emails masquerading as an urgent CEO request aren’t legitimate, they’ll be more likely to avoid them.
- As a rule of thumb, don’t open attachments from unknown senders or in unexpected emails. These attachments typically contain ransomware or other malware. The only file attachment that would be safe to click is a .txt file.
- Avoid opening emails from unknown or unusual senders, or even from senders you do recognize when something seems off.
- Hover over a suspicious hyperlink and view its true destination, shown in the browser’s status bar at the bottom of the window. The link text in the email may not be the address you’ll actually follow if you click it; hackers can make the two differ. If you think the link could be legitimate, type it (as it appears in the email, assuming you recognize it as a website you visit) into your browser instead. Then you’ll bypass any malware or fraudulent sites.
- Delete an email with a suspicious link immediately if you don’t recognize the link or the sender.
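The two link checks above (a displayed URL that differs from the real href, and a lookalike domain with a slight misspelling) can be automated rather than relying on hovering. The following script is an added example, not code from the original article or from any vendor it mentions; it generalizes the manual check to every link in an HTML email body. The trusted-domain allowlist and the sample email are constructed for the example, and the “registrable domain” helper is a deliberate simplification that keeps only the last two labels of a host.

```python
"""Flag deceptive hyperlinks in an HTML email body (added example, not the article's code).

Automates the 'hover before you click' advice with two checks:
  1. Anchor text that looks like a URL or domain but whose host differs from the
     host in the real href (what is displayed is not where the click goes).
  2. Link hosts that are near-miss spellings of trusted domains, or that use a
     trusted name as a subdomain of some other domain.
"""
import re
from html.parser import HTMLParser

# Constructed allowlist for the example; a real deployment would use its own.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "google.com", "example-bank.com"}

# Matches a bare domain or an http(s) URL; group 1 is the host without any "www." prefix.
DOMAIN_LIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#]\S*)?$", re.I
)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased host of a URL or bare domain, or '' if the text is not URL-like."""
    m = DOMAIN_LIKE.match(value.strip())
    return m.group(1).lower() if m else ""


def registrable(host):
    """Simplified registrable domain: the last two labels (ignores multi-part TLDs)."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, text):
    """Return the reasons a link is suspicious; an empty list means no finding."""
    reasons = []
    real = host_of(href)
    if not real:                      # mailto:, javascript:, relative paths, etc. are skipped
        return reasons
    shown = host_of(text)
    if shown and registrable(shown) != registrable(real):
        reasons.append(f"displayed host {shown!r} differs from actual host {real!r}")
    real_reg = registrable(real)
    if real_reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < levenshtein(real_reg, trusted) <= 2:
                reasons.append(f"{real_reg!r} is a near-miss spelling of trusted {trusted!r}")
            if f".{trusted}." in f".{real}.":
                reasons.append(f"trusted name {trusted!r} used as a subdomain of {real_reg!r}")
    return reasons


def scan_html(html):
    """Map each suspicious href in the HTML body to its list of reasons."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample email body illustrating the patterns described in the article.
SAMPLE_EMAIL = """
<p>Your account will be suspended in 24 hours. Verify now:</p>
<a href="https://login.paypal.com.account-check.example/verify">https://www.paypal.com/myaccount</a><br>
<a href="http://rnicrosoft.com/reset">Reset your Microsoft password</a><br>
<a href="https://www.example-bank.com/help">www.example-bank.com/help</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_html(SAMPLE_EMAIL).items():
        print(href)
        for r in reasons:
            print("   -", r)
```

Running the script flags the first two links (the PayPal lookalike both displays a different host and buries the trusted name inside another domain; the Microsoft one is two edits away from the real domain) and leaves the genuine bank link alone. Such a check is a cheap pre-filter for a mail gateway or a user-facing warning banner, not a replacement for reputation-based URL filtering.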
You can also prevent phishing scams by turning on spam filters, changing browser settings to only allow reliable websites to open, changing passwords frequently, and having different passwords for different accounts. Security software also provides solutions for filtering and identifying phishing and other scams.
What to do if you’re the victim of a phishing scam
Head to IdentityTheft.gov if you responded to a possible phishing scam and shared personal information. Update your computer’s security software and run a scan if you clicked on suspicious links or attachments. You can report phishing scams by emailing email@example.com and filing a complaint at ftc.gov/complaint. Some local authorities may also take action against phishing, depending on where you live, and you can also contact the Federal Trade Commission. Lastly, you can send details of a phishing scam to the Anti-Phishing Working Group, which maintains a database of common scams to help inform people of the risks.
If your credit or debit account has been compromised, call your bank immediately, lock the account, and try to prevent the attacker from using your money.