What is phishing? How to recognize and avoid phishing scams

 

Phishing may seem like a very modern phenomenon but it relies on many of the same techniques that con artists have been using for generations.

Like any good confidence trick, a phishing attack uses social engineering to get people to do something that isn’t in their best interest. Usually, that involves the victims parting with their money, secrets or privacy.

Phishing attacks achieve this by gaining your trust, using misdirection to lower your defences or by setting up a scenario that’s designed to make you react in a pre-planned way. These scammers often pose as a trusted entity like a bank, offer you a chance to make easy money, or prey on your fears to get you to do what they want.

Common forms of phishing attacks include fake emails that try to get you to share sensitive data or your financial information. Other phishing emails will try to entice you to click on a malicious link that will infect your device with malware.

It’s common for these scams to create a sense of urgency so you’ll panic and follow the instructions. A phishing email might tell you that your account has been hacked and tell you that you need to immediately follow its instructions. These cybercriminals are clever and know the right buttons to press to get you to do what they want.

These tried-and-tested scams can be carried out over a variety of platforms and they’re designed to exploit our trust, fears, greed or anxiety. Because of this, even the smartest people or biggest organisations can fall victim to these scams.

Phishing works. If it didn’t, this type of scam wouldn’t be as popular as it is with unscrupulous cybercriminals.

It’s easy to laugh at a phishing email that contains typos or poor grammar but many scammers rely on sheer volume to achieve their goals. It’s simply a numbers game. If they’re sending out thousands of emails or text messages, they only need to trick a small percentage of their targets for the scam to be successful.

This type of cybercrime may be nearly as old as the internet itself but it has continued to evolve to adapt to new technology and our changing online habits. Phishing campaigns are becoming increasingly sophisticated and ambitious in their scope. These days, a phishing attack can be part of a larger ‘long con’ that could have a severe impact on you or even your employer.

In July 2020, Twitter was forced to stop all its verified accounts from tweeting after a major security breach saw hackers take control of around 130 prominent Twitter accounts that included Barack Obama, Jeff Bezos, Elon Musk and Bill Gates. Hackers targeted Twitter employee accounts with a phone spear-phishing attack and used the information gained to access the company’s internal support tools.

As a result, they were able to take control of the celebrity accounts, which were then used to tweet out a further phishing scam. The hackers responsible walked away with over $100,000 worth of cryptocurrency.

What are examples of phishing?

Why is called phishing, you might ask. The term was coined in the mid-nineties by hackers who were stealing AOL accounts and passwords using techniques that continue to be used to this day.

These early pioneers were ‘fishing’ by casting out emails to AOL users and seeing if any of them would bite. These scams worked on the principle that you’ll eventually catch something if you throw out enough bait. And like their modern day counterparts, these early hackers often used different bait to catch different types of ‘fish’.

So what are the most common forms of phishing that you should look out for?

Email phishing

Most phishing attacks will be delivered by email and the scammer will often use an email address that looks like it’s been sent by a trusted source like a service provider.

What happens if you click on a phishing email? They might ask you to click on a link that can download malware on to your phone, tablet or computer. Or it might ask you to verify or update your information and direct you to fake page that will steal your sensitive information.

Perhaps the most infamous example is the Nigerian Prince scam, where victims receive an email from a ‘prince’ promising them a one-in-a-lifetime opportunity to make money… although they’ll need to make a small cash advance to facilitate it. Variations of this con have been traced back to the French Revolution but it continues to catch people out today.

Spear phishing

Although regular phishing emails are sent out to large groups of people, this type of cyberattack is targeted at a specific individual, business or organisation. This can make it much more effective than simple email scams and the Twitter breach we mentioned earlier shows how dangerous this type of phishing can be.

Scammers take time to research their victim or victims and tailor the cyberattack to them. Russian hackers reportedly used spear phishing attacks as one of their primary tools in the hack of the Democratic National Convention ahead of the 2016 US election.

Clone phishing

This can be a difficult one to detect as scammers use an email that’s almost identical to one that has already been received by the victim. Often they’ll have the same logos and design as an email that you’ve already received from a trusted provider. The fake email address can be very similar to the original sender’s address, so the recipient can easily miss that a capital ‘I’ has been used instead of a lowercase ‘L’.

The only difference is that the doppelganger email now has a malicious link that leads to a fake website or an infected attachment that contains malware. In 2019, Microsoft blocked over 13 billion malicious and suspicious mails, more than 1billion of which were URLs that were specifically set up to launch a phishing credential attack.

Whaling

This ambitious type of phishing is so-called because the hackers are going fishing for the big ones - the whales. It targets CEOs, COOs or other top-ranking people in an organisation so there’s usually a lot more research, preparation and effort required to achieve success. However, if successful, the hackers can get access to highly-valued company information or orchestrate some major money transfers.

One such cyberattack saw a company in Omaha lose $17.2 million after cybercriminals sent emails that appeared to come from the company CEO to its controller. The emails contained detailed instructions for the controller to wire the money to a bank in China and used a plausible story to cover the reason for secrecy.

Pop-up phishing

These cyberattacks use pop-up messages to trick users into sharing their financial details or downloading malicious software. These pop-ups can impersonate regular update notifications to get you to download something nasty or promise you incredible deals on the latest technology so that you’ll share your credit card details.

Some scareware attacks try to get you to do both, by warning you that your computer has been infected with a virus and urging you to buy fake antivirus software that will fix it. So not only will they have your credit card details if you fall for it, but your computer will become infected for real when you download the ‘antivirus software.’

Smishing

Now that everyone has a smartphone, scammers have adapted tried-and-tested phishing tactics to SMS messages or other messaging apps. The message will often say it’s from a trusted provider, pretend to be a government notice or claim that the recipient has won a prize. The most common forms of smishing ask people to click on an infected link, ask for sensitive information, or get them to call a number that will charge them a lot of money.

Following the outbreak of Covid-19, there was a surge in Coronavirus scams that attempted to exploit people’s concern about the pandemic. The World Health Organisation (WHO) warned the public that scammers were impersonating it in text messages and emails in an attempt to obtain money or to get them to click on links.

What are the signs of phishing to look out for? 

Luckily, it can be easier to identify phishing attempts once you know what to look out for and are aware of common tactics used by cybercriminals. If you want to know how to identify a phishing scam, consider whether it ticks any of these boxes.

1. It sounds too good to be true

Beware of emails promising you free money or strange websites that are selling incredible products at unbelievable prices. If it looks too good to be true, it probably is. 

2. A bank is asking for personal financial information

Banks won’t ask for sensitive information by email or phone. Never supply this information in response to an email.

3. Poor spelling and grammatical errors

If an email is littered with spelling errors or strange phrasing, this should always be a red flag. 

4. A generic greeting

If an email opens up with generic greetings like “Dear Sir or Madam,” it can be a sign that it’s a phishing template that’s been sent to multiple targets.

5. Emails from strangers

If you receive unsolicited emails from complete strangers or providers that you don’t use, it’s probably best to delete it. If you do open it, avoid clicking on any links or attachments.

6. It calls for immediate action

A common trick to get you to take action is to create a false sense of urgency. It might threaten that an account will be deleted or claim that you’ve been hacked but it’s just a way for scammers to get you to act without thinking.

7. Misspelled email addresses or domain names

If an email looks suspicious, always check the sender address or domain name for signs that it may be fake. It can be easy to miss these subtle details if you act on impulse.

8. It doesn’t make sense

If you get an email claiming that you’ve just won a lottery that you never entered, then something is obviously up.

Protect yourself against phishing

We all like to think that we’d be too smart to fall for these phishing scams but this type of social engineering attack is specifically designed to take advantage of a potential victim’s natural tendencies and emotional reactions.

The other difficulty with phishing scams is that they come in all shapes and sizes. A good antivirus protection will help if you accidentally click on an infected link but it’s not going to stop you from sharing your bank details with a fake email from ‘your’ service provider.

So how do you protect yourself against phishing when there is such a variety of scams to look out for? The good news is that common sense can go a long way. Here are some simple tips that you can follow if you want to stay safe.

Ignore those suspicious emails

If you get a mail from your bank with an alarming subject line like ‘You’ve been hacked!’ or ‘Urgent! Your account has been suspended!’ just delete it. If you still have a nagging doubt that it could be real, simply contact your bank directly.

Don’t click on dodgy links

If an email from a stranger tries to get you to click on a link, don’t even think about it. Whether it leads to a fake site that will try to steal your information or contains a nasty piece of malware, there’s generally no upside to clicking on suspicious links.

Don’t share sensitive information via email

If a provider or financial institution is asking you to do this, it’s a sure sign that something’s not right. This information could be used to carry out identity fraud or to try to gain access to another of your online accounts. Likewise, you should always be careful about what information you share on a work-related email unless you’re 100% sure that the sender is who they say they are.

Check the sender email address if you’re unsure

If an email raises alarm bells, checking the email address can be a simple way to identify a fraud. You should look out for addresses with spelling mistakes, emails that come from a fake domain, or emails that are supposed to be from a legitimate business that use an email address like @gmail.com.

Don’t click on pop-up ads

Ignore those flashing colours, dire warnings about your security, or invitations to get great prices on your favourite brands. The most likely outcome of clicking on these pop-ups is that you’ll infect your computer with malware. Some browsers offer the option to block pop-ups, which can help you to avoid any potential pitfalls.

Keep everything updated

Updates contain patches that can protect your devices from the latest cyberthreats and address any vulnerabilities that hackers might be able to exploit. Always make sure that you have the latest updates on your devices and apps so that your security system, browsers, and email client is all up to date.

Use spam filters

A spam filter can be a great way to help keep your inbox protected by filtering out suspicious or harmful emails. If you can’t see them, it removes the temptation to open them.

Avoid unsecured sites

You may have previously received a warning when trying to enter an unsecured site on the internet. The danger with unsecured or deceptive sites is that they can contain malware or be part of a phishing scam. Secure sites will have a URL that starts with HTTPS and have a closed lock icon beside the URL. Always make sure a site is authentic and secured before sharing any sensitive information.

Know the signs 

Knowledge is power when it comes to this type of cybercrime but these scams are constantly evolving and finding new ways to bypass your defences. Phishing attacks are constantly getting more sophisticated so the best way to detect them is to keep up to date with new phishing trends to ensure that you’ll spot the early warning signs.

Trust your gut

One of the best defences against phishing is common sense so if your ‘spidey sense’ is going off, listen to your instincts. If in doubt, don’t click on anything or share any personal information.

Don’t interact with phishing emails

Even if you know it is a scam, it’s never a good idea to reply to these mails. Some people like to tell the scammer that they’ve been rumbled but responding to a cyberattack could prove to them that they’ve targeted a valid address, possibly result in more cyberattacks on your account, or even provide valuable information like your geolocation.

Use a password manager

This helps keep all your passwords secure and make it easier to have complex, more secure passwords that would otherwise be difficult to remember. Plus, password managers automatically populate your login details when you go into a site. If this doesn’t happen, you’ll immediately know that you’ve been misdirected to a fake site.

Sign up for antivirus protection

Does antivirus stop phishing? It’s not going to stop hackers from sending you emails or messages but it can help protect your computer with strong, multi-layered protection. It could identify a malicious website or help prevent your device from becoming infected if you do fall for a phishing scam.

Try a scam detector

Norton Genie is an industry leading AI-powered scam detection tool. Upload a screenshot, or copy and paste a suspicious email, text, web address, or social media post and know in seconds if it could be a scam.

Stay one step ahead of phishing attacks

Cybersecurity experts often say that hackers don’t break in - they log in. That’s a testament to how successful phishing scams can be.

Phishing has been a constant cyberthreat since the early days of the internet and it’s likely to be a constant cyberthreat for as long people are falling for these scams. With people spending more of their waking hours on the internet and availing of more online services, we’re arguably more at risk than ever before.

The shift to remote working during the pandemic has also left us more exposed to cybercriminals’ attacks, who will try to exploit this opportunity for their own gain. It can be easier to fall for a fake email that claims to be from a work colleague when that colleague isn’t sitting directly across from you.

However, we’re also more educated about the cyberthreats that are out there and knowing what to look out for is your best defence against phishing. These cybercriminals rely on the element of surprise or on our emotions getting the best of us so it’s all about knowing how they work.

You now know the common types of phishing attacks, how to identify them and how to stay protected against them so you’re already better prepared for anything the internet can throw at you. Once you know how a con artist’s trick works, it’s easy to identify how they’re trying to manipulate you. That’s half the battle when someone is targeting you with a social engineering attack.

Luckily, technology is catching up with some of these tricks and malicious tactics. Having strong antivirus protection can also give you peace of mind against phishing attacks that try to get you to download malware. Think of it as an online safety net should one of these cyberattacks manage to slip through the cracks.

Browsers like Chrome and Firefox are also launching features that are designed to identify phishing attacks in real time, as part of ongoing efforts to protect users. These security features can support your own efforts to stay alert.

New types of phishing scams or strategies will always emerge but most of us are now smarter about our online security than we used to be. And many of these scams are simply more evolved versions of existing scams so you’ll soon be able to connect the dots if you’re alert to the common tricks that phishing attacks use.

So next time you get an email urging you to take immediate action or receive a strange message that sets off alarm bells, you’ll know what to do. A good rule of thumb is to use your common sense, think before you act, and to avoid taking immediate action if something looks suspicious.

Social engineering attacks like phishing are easily spotted when you know what you’re looking for, but it always pays to have a back up plan. If you do slip up, having a trusted solution like Norton 360 will help keep your devices protected against malware, spyware or other nasty cyberthreats.