Phishing scams work by fooling you into clicking foreign links or attachments that either contaminate your computer systems with malware or redirect you to another page. The phony website is intended to steal your personal information.
Every month, there are over 100,000 new phishing attacks reported. Surprisingly, more people still get scammed even with the information at hand. The fraudsters are getting smarter, and anyone can fall into their trap.
To help you learn how to prevent phishing, let’s get to the basic types of phishing and how to identify them.
Types of Phishing Scams
#1 Deceptive phishing
It is the most widely recognized phishing trick. The type many people refer to when they hear “phishing.” Deceptive phishing strikes unsuspecting victims. They assume control over a perceived email address (or mimicking a recognized one) to gain access to sensitive information.
These emails often demand that you: make an installment, key in your logins or password, request that you change your password or to verify account information. We’ll discuss more on how to prevent phishing in this article.
2. Spear phishing
Recently, spear phishing has been on the rise. It is more of a personalized attack, unlike deceptive phishing. The hackers trick you into believing that you have a connection with them. They try using your full names, job position, phone numbers, address, or any other relevant information. Once you take the bait, the fraudsters have access to your accounts and can do whatever they want.
Whaling is a scam targeting the executives of directors of an organization. It’s also known as CEO fraud. Hackers target these officials because they are more vulnerable. Unfortunately, this kind of scam is more successful since they don’t undergo the same cybersecurity training on how to prevent phishing as their subordinates.
Web-based attacks are the most common form of phishing scams, but phone-based phishing scams have increased over the last few years. In these scams, phishers call and attempt to present themselves as a legitimate organization, such as your bank or credit card company to gain information. Typically, the calls begin by volunteering easily-researched information like your name or address to build trust. From there, phishers will drill down further by asking personal information such as passwords or bank account numbers for “verification purposes.”
4. Advanced-fee fraud
An advance-fee scam is a type of fraud that involves promising the victim a significant share of a large sum of money in return for a small up-front payment. If a victim makes the payment, the fraudster will either invent a series of new fees for the victim to keep paying or will disappear.
5. Google Docs Phishing
Utilizing the suites that many people now rely on for work, these phishing scams are conducted via shared documents. In past phishing scams, Google and Dropbox have even unknowingly hosted these scams in the past with SSL certificates, meaning these scams appeared 100% legitimate.
The most recent example making waves was a phishing email that appeared as Google Docs. It urged users to permit the app to view the document through a genuine Google Sign-in screen. These permissions allowed a malicious third party web app to access your email and contacts, in turn spreading the phishing email to your contacts.
Redirects traffic from a legitimate site to a malicious one without your knowledge. Any personal information you enter into this page is going directly to the scammers. These pages are usually reached via links shared in deceptive phishing emails, Skype chats, and social media ads.
7. Software Targeting
Webmail and SaaS products were the top targets of phishing scams by the end of 2018. This may seem surprising, given that Office and G Suite credentials do not offer the same immediate profitability as a user’s bank details. However, if a scammer can obtain an employee’s details, they can gain access to files of an entire organization.
How Can Scammers Get My Email Address?
There are multiple ways scammers can obtain your email address, the most prevalent of which are listed below:
- Buying it illegally
- Dishonest “subscribe” boxes
- Harvesting programs (which use bots that crawl and scrape sites for email addresses)
- Data brokers
How to identify a phishing scam
- General Greetings – most companies, will address you by your first and last name or company name, not “Dear user” or “Hello member.”
- Money problems message from “PayPal” – Look closely, you’ll notice a shady message stating your money is on hold until you complete an action. Before you send money or click on a bogus link, log into your PayPal account, and see if the payment is there. Another one is “The Billing Problem” stating your credit card is expired, or billing address wasn’t correct. If you click on the provided link, it takes you to a spoofed website and asks for updated payment/shipping information.
- Urgent requests – phishers like to use a link in emails to hide actual URLs, which takes you to a fake account. You need to know how to prevent phishing attacks happening to you. A trusted company will provide you with the full URL in the text, not a link. Your best, safest route is to open a new browser and type in the URL vs. clicking a link. For instance, restart membership, you missed a Delivery, confirm Your account, Your account Has Been Locked, Suspended account, tax refund, Refund Due to System Error, or update Your official Record.
- Expiration Date – the email states your account with (company name) is about to expire, and you must sign in as soon as possible to avoid losing all your data. The link in the email takes you to a malicious login page.
- Bank Notices – you may receive a fake notification posing as your bank stating a specified amount(s) is withdrawn from your account that exceeds the limit. If you have questions about the withdrawal(s), click on the link that takes you to a website form asking for your bank account number “for verification purposes.” Rather than clicking on the link, CALL YOUR BANK with a known number.
- Misspellings and Poor Grammar – these are warning signs. Similarly, the same applies to URLs. Legitimate companies use copywriters to check their emails for such.
Unknown Attachments – they are a common phishing scheme used to spread viruses and malware, and they can damage your files or steal passwords from your computer. Do not open them.
- Logos and Email Addresses – logos can be easily copied, and fake “From” email addresses can be made to look like they come from trusted sources. Don’t be fooled by email display names either. They can be changed easily to mask the real email address.
- Virus Alert – the email states your computer has been infected. To avoid losing your data and infecting your computer, you are instructed to follow the provided link, or download the “antivirus” attachment.
- Contest Winner – these emails claim you have won something or have an inheritance from an unknown relative. To claim your prize or inheritance, you have to click a link and enter your information.
How to prevent phishing attacks
Be cautious when clicking on links in any emails, text messages, or instant messages – even if they seem to be sent from a familiar or trustworthy source. Hover over links before clicking on them to check that the URL leads to a legitimate website and never divulge your password, PIN or other sensitive data.
Update your browser
Developers regularly release updates to fix known security vulnerabilities in their software. Always update your browser, operating system, and other applications when prompted, and enable automatic updates wherever possible.
Double-check if the website is safe
Before entering sensitive information (including your username and password) on any site, be sure to check that the site is secure. The simplest way is to confirm that the site’s URL begins with HTTPS and has a padlock in the address bar. Some websites will also display trust seals to indicate that the site is secure. If your browser or antivirus software identifies a phishing website, it will alert you and block access to the site. Do not ignore these warnings unless you are 100 percent certain that it is a false positive.
Install anti-phishing software’s
Modern browsers come equipped with reasonably robust phishing protection. But you can take things to the next level by installing a dedicated anti-phishing browser extension. Microsoft recently released Windows Defender Browser Protection (the same technology it uses to protect Edge users). Although it is currently only compatible with Google Chrome.
Social media attacks
Email is by far the most common form of delivery for phishing attacks, but that doesn’t mean that other channels of communication are safe. Social media phishing attacks have become increasingly common in recent years. Researchers have even seen several malicious phishing apps to make their way onto Google Play. This highlights the importance of being vigilant when transmitting data on any internet-connected device.
By preying on natural human weaknesses, phishing scams remain a common and effective type of attack. Antivirus products have an essential role to play in preventing phishing attacks. But users do need to be mindful of how their antivirus software combats phishing and the security and privacy risks involved.
You need to learn how to prevent phishing attacks before it’s too late. Phishing attacks can look scarily convincing. One of the easiest ways of identifying a suspicious email or instant message is to familiarize yourself with commonly used phishing language. This might include:
- Typos, grammatical errors, and phrasing that sound unprofessional or off-brand.
- The language that creates a sense of urgency.
- Requests for you to verify your account, address, banking information, and other sensitive information.
- Salutations that address you as “Customer” rather than using your real first or last name.
Type in URLs and use bookmarks instead of clicking links
Clicking on links in random emails can be a very risky game. As you try to block all attacks and learn how to prevent phishing, don’t be reckless with random click baits. Instead, open your browser and manually type out the URL of the company you’ve received an email from. Alternatively, you can bookmark your most frequently used websites. That way, you can quickly open them from your browser when needed – make sure the sites are legitimate before bookmarking them!
Phishing attacks are advancing
Phishing is most commonly associated with online banking. But, it’s worth remembering that phishing attacks can be used to impersonate just about any organization or individual. Hence, the effects can be almost as devastating. For example, losing the login credentials to your email or social media accounts could have far-reaching consequences on your personal and professional life. Having your login credentials stolen on one site can also affect your other accounts if you use the same passwords for other online services.
Watch out for the pop-ups ads
Thankfully, pop-up windows aren’t as widespread as they were in the past, but they are still used in some legitimate websites. Be very cautious when entering information into these windows as there have been many cases of phishing attacks occurring in pop-ups while masquerading as a genuine part of the main website. Google Chrome, Firefox, and Microsoft Edge all have built-in settings for blocking pop-ups.
What to Do If You Suspect a Phishing Attack
If you get an email or a text message that asks you to click on a link or open an attachment, answer this question: Do I have an account with the company or know the person that contacted me?
If the answer is “No,” it could be a phishing scam. Go back and review the tips in How to recognize phishing and look for signs of a phishing scam. If you see them, report the message and then delete it.
If the answer is “Yes,” contact the company using a phone number or website, you know is genuine. Not the information in the email. Attachments and links can install harmful malware.
What to Do If You Responded to a Phishing Email
If you think a scammer has your information, like your Social Security, credit card, or bank account number, go to IdentityTheft.gov. There you’ll see the specific steps to take based on the information that you lost.
If you think you clicked on a link or opened an attachment that downloaded harmful software, update your computer’s security software. Then run a scan.