Cybercriminals are incredibly adaptable. They learn new security measures quickly and find new ways to steal sensitive information—often preying on individuals who aren’t familiar with the signs of common scams.
One of the most common techniques used to exploit web users is the phishing scam. This article will cover what phishing is, the different phishing approaches cybercriminals use, and how to prevent yourself from becoming a victim.
What is Phishing?
Phishing is a type of social engineering scam most commonly hidden in a fraudulent email—but in some cases via text message, website, or phone call—where a criminal posing as a legitimate institution, such as a bank or service, tries to obtain sensitive information from a target victim.
If the victim ‘takes the bait,’ the criminal will use malicious links, attachments, or simple instructions to obtain sensitive information such as:
- Social Security Number
- Credit card numbers
Types of Phishing Attacks
- Bulk Phishing – Also referred to as deceptive phishing, this is the most common phishing attack. Cybercriminals send fraudulent messages in bulk that make false promises: you’ve won money, qualified for a refund, or your account is delinquent and action is required. They send the same email to a large number of people, knowing that at least a few will become identity theft targets.
- Spear Phishing – The executors of this scheme have done their homework. To increase the cybercriminal’s chances of successfully tricking someone, they find out as much personal information about their potential victim as possible. Then, they use it to craft a message that seems especially legitimate to lower the target’s guard.
- Whaling Attack – This is a form of spear phishing where the attacker targets a company’s executives and tries to steal their login credentials. If successful, criminals can use this sensitive information to steal from the company or impersonate the executive to scam other company employees.
- Clone Phishing – This form of phishing is particularly deceptive and can be more difficult to spot. The attacker copies the contents of a legitimate message that the target has already received and replaces the original links in the message with harmful ones that lead to a fake website. In order to be successful, the cybercriminal will need to already have the victim’s login credentials in their possession.
Detecting and Preventing a Phishing Scam
Though cybercriminals will go to great lengths to make a message look authentic and official, many phishing emails share qualities that can be detected.
If you receive a message with any of the following red flags, do not follow its instructions, click its links, or download its attachments.
Instead, call the institution that supposedly sent the email and ask about the message’s authenticity.
Phishing scams rely on deception, so being aware of common scam features can make all the difference in preventing yourself from being victimized. Avoid phishing by paying attention to the following:
Common Features of Phishing Emails
- Spelling & grammatical errors: This is the most common way to tell if you have received a fraudulent message. Rarely will institutions or companies, especially banks, send you a poorly written email with spelling or grammar errors.
- The message requests personal information: Any email requesting login credentials or personally identifiable information should be verified directly with the organization.
- The message is extremely time-sensitive: If you’ve received a message out of the blue that offers a deal, but only if you act now, it’s probably a scam. Especially if the message threatens to close your account, err on the side of caution by calling the institution for verification.
- The offer is too good to be true: The age-old saying applies as much here as anywhere else. Emails claiming that you’ve won just about anything, or that you’re being refunded for a purchase you never made are bad news. Ignore these.
- Sender’s email seems suspicious: Slight variations in the email address that attempt to look authentic but don’t quite hit the mark are common. For example, you may bank with an institution that normally emails you from “email@example.com,” but you receive an unexpected email from “firstname.lastname@example.org.” They may also try to alter one letter or character in the email address in hopes that the target won’t notice.
- Unexpected attachment: If you receive an email from an unknown sender with an attachment you weren’t expecting, don’t click or download it. There’s a possibility that a scammer has sent you malware or ransomware to steal your information or take control of your machine.
- Hyperlinks from an unknown sender: Malicious links can be easily disguised with text that makes them appear harmless. Hover your cursor over the link to see where it leads and if you’re unable to do so, don’t click it—take steps to verify its authenticity.
- Something’s just not right: Trust your instincts. If you receive an email and something just doesn’t feel right, there’s a good chance you’re correct. It never hurts to verify authenticity, but it can hurt to ignore your initial hunch and treat the email as a legitimate one.
Additional preventative steps can be taken, such as using your email service’s spam detection, browser settings that display a warning before you enter a potentially dangerous site, and keeping a diverse set of passwords that you change regularly.
Popular Phishing Examples
1. This email from ‘Amazon’ is filled with red flags
The sender has a noticeably strange email address, one of the common phishing features mentioned above.
It doesn’t appear to be official: the message is poorly written and includes a grammatical error, it plays on the recipient’s fear to call them to action, and it has a misleading link that takes the user to a different location than the text implies.
2. This Netflix phishing scam is a common trick
This scammer has done a decent job of crafting a convincing email, but the sender’s address seems suspicious and the link in the message is a huge red flag, another common feature listed above.
It’s never a bad idea to go straight to a website and navigate through your browser instead of clicking an email link.
3. SMS text message examples of phishing attempts
Here, the sender tries to make it appear as though the recipient has received an automatic alert from Apple regarding their iCloud account:
The links are the first indication that these messages are fraudulent. They don’t direct the user to the official Apple website.
Secondly, Apple doesn’t send text messages asking for login credential confirmations. It’s best to ignore messages like these and block the number—call Apple instead.
Report a Phishing Message
Otherwise, taking an active approach to credit monitoring and identity theft protection can help you notice when your information may have been stolen.