Phishing: What Is Phishing and What to Do About It
Phishing (not to be confused with the relaxing outdoor pastime) is online fraud. Criminals send messages that pose as a trusted party to extract personal information from their victims, such as credit card details or online account logins.
Like the actual sport of fishing, the goal of this crime is to use bait to “fish” for potentially valuable data. The bait can take the form of emails, text messages or phone calls. The term is generally credited to American hackers around 1996, who swapped the f for ph as a nod to “phone phreaking”, the earlier practice of hacking telephone networks.
You may wonder whether anyone falls for these tricks, so you may be surprised to learn how widespread and successful they are. A 2019 Accenture study reported that 85% of organizations experienced phishing, a 16% year-over-year increase, and put the cost to victims at over $1.4 million.
A survey of IT professionals conducted by the security software company Proofpoint also found that 55% of respondents had suffered at least one successful phishing attack during 2019.
But the victims are not totally to blame. People get tricked because phishers craft sophisticated emails and text messages that read exactly like they come from a legitimate company.
For example, scammers can pretend to be your bank by copying the look and feel of the emails you usually receive. The only difference may be the sender's address and, in some cases, phishers use an address that differs from the real one by only a character or two. The display name in particular proves nothing: a sender can set it to any text, so always look at the actual address and its domain.
This is a cause for concern, so how do we catch on to their tricks and prevent them from stealing our personal information?
In this post, we’ll list the most common and latest phishing tactics criminals employ so you won’t be baited.
What is phishing?
Phishing is a criminal activity that attempts to obtain private information, such as login credentials or credit card details, through malicious emails, calls or text messages.
According to an article published by the International Data Group (IDG), 56% of IT decision-makers said that phishing is their top security threat. According to the same report, 32% of security breaches involved phishing.
Spear phishing
With spear phishing, targets are pre-selected. Like spear fishing, it is focused on a specific person or group of people, and the message is usually tailored to them.
Spear phishing targets are usually those who have a lot of money in their accounts or access to important company information. Other times, it can be a demographic more prone to phishing. For example, American senior citizens are statistically more vulnerable to phishing attacks, according to a 2019 study by the Aspen Institute's Tech Policy Hub.
Clone phishing
Clone phishing works through copied emails or websites.
As the name suggests, criminals clone a legitimate email (a bank notification, for example) or a bank's website, swap the links for their own, and send the copy to a list of the bank's customers to trick them into entering their account login details or credit card information.
Whaling
If you’ve ever gone whale watching, or at least read Moby Dick, then you’ll know witnessing a whale in the flesh is really something. They’re harder to find, but the payoff when you come into contact with one is equally huge.
Whales, in the phishing world, are people in the big league: C-level executives such as CEOs or CFOs who earn more than the average employee and have authority over company funds. If phishers get hold of their credentials, it can lead to huge pots of money.
Pop-up phishing
Also known as in-session phishing: you are browsing or doing something on a website when a pop-up appears asking for information.
The pop-up can be enticing too, as many announce you’ve won a prize. To claim it, you just need to input your mobile number or credit card details!
Vishing
Vishing is a combination of the words voice and phishing and occurs when criminals call you to request private information. They can sound professional by pretending to be representatives of banks or insurance companies, so you feel at ease sharing your personal data with them.
Smishing
Using SMS (Short Message Service) or text messages to phish is called smishing. For smishing, look out for misspellings, typos and unprofessional wording, and treat links in text messages with the same suspicion as links in email, since a phone screen makes the real destination even harder to see.
What does a phishing email try to do?
Phishing is a form of social engineering that manipulates people’s feelings, such as fear, urgency or curiosity, so they hand the scammer sensitive information. Social engineering simply means these con artists exploit social situations and ordinary interactions to engineer a desired result.
This is quite different from attacks that rely purely on technical flaws, where no theatrics are involved. Such attackers break into accounts and systems using their technical skills and do not need to communicate with you at all. Phishing, by contrast, needs your cooperation.
In these social engineering scenarios or interactions with the phishers, the information they usually try to get includes:
- full name
- full address
- date of birth
- bank account number
- credit card number and security code
- online account passwords
- answers to security questions, such as your mother’s maiden name
How do phishing attacks happen?
Phishers usually start with an end goal. They know exactly what information they want from you, so they come up with the ruse or scenario that will get you to hand over this precious data.
For example, if they need your credit card details, they can pretend to be your bank and ask you to update your account. They could send an email with a form, or a link to a copied login page, that asks you to input your credit card number.
At times, they also target specific people or groups. So if they want the credit card details of a certain bank’s customers, they will try to obtain a list of them.
Sometimes that is as easy as looking at the followers of a bank’s social media page. If your social media account is public and shows your email address, then they know exactly where to send their phishing message.
What methods do phishing scammers use?
Phishers usually try several different ways to get the information they need. The most common methods are:
- posing as banks or credit card companies
- pretending to be someone you know, such as a colleague, your boss or a relative, and asking for help, often with an urgent request for money or credentials
- scaring you into giving your information. For example, you may receive an email saying your account will be closed if you do not update your information. Banks do not usually do this, so be wary next time you receive an email that tries to make you panic and act quickly.
How do I identify an email as phishing?
Thankfully, there are ways to identify fraudulent emails. Here are the most common signs:
- Asking for personal information. Most banks don’t request sensitive information over email.
- Different or unusual branding. This simply means the look and feel of the email differs from the company’s usual correspondence. For example, the bank logo may be incorrect or the company colours may be missing.
- Poor grammar. Authentic companies usually proofread their emails before sending. If you receive a badly written email, this can be a red flag. Be aware, though, that many phishing emails are now written flawlessly, so good grammar proves nothing on its own.
- Getting an email from a company you don’t have an account with. Think twice before acting on an email from an unfamiliar company. If you don’t remember registering with them, there is little reason for them to have your email address.
- The URL doesn’t match the sender or the context when you hover over it. You can find out where an email link leads without clicking: move your pointer over the link and leave it there. A box or status bar will appear showing the real URL. On a phone, a long press on the link usually shows the same thing. For example, if you receive an email from the Bank of Trust but the link points to some unrelated location like www.creditcardinfo.com, or to a lookalike such as bankoftrust.com.verify-now.net (where the real domain is the last part, verify-now.net), report the mail as phishing rather than clicking. What matters is the domain of the destination, not whether the visible text of the link looks familiar.
- They use generic salutations. Many companies now invest in software capable of sending personalized emails, so you are greeted by name. A phisher sending a mass email will use a generic intro like “Hi customer” or “Hello there”. The reverse does not hold: spear phishers look up your name beforehand, so being addressed correctly is not proof that the message is genuine.
- The company sending the email had a recent data breach. This is why you should keep an eye on the news. A company that experiences a data breach has likely had its customers’ data (hint: email addresses) exposed, so it is available for phishers to use. They can send their emails to that list and profit from another company’s misfortune.
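The two signs above that are easiest to check mechanically are the sender's address (a lookalike of the real domain) and the real destination of each link (a host that does not match the visible link text or the sender's domain). The script below is an added example written for this article, not code from any product it mentions: it parses a constructed HTML email that claims to be from the page's fictional "Bank of Trust", compares the sender domain and every link target against an assumed allow-list (`bankoftrust.com` is an assumption for the example), and flags links whose visible text names one host while the `href` goes to another. The "registrable domain" helper simply takes the last two labels of a hostname; a real implementation would use the public suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example: it imitates the page's
# fictional "Bank of Trust", uses a lookalike sender domain, and carries
# one link to www.creditcardinfo.com and one link whose visible text says
# bankoftrust.com but whose real destination is verify-now.net.
SAMPLE_EMAIL = """\
From: Bank of Trust Security <alerts@bankoftrust-secure.com>
To: customer@example.com
Subject: Your account will be closed
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer,</p>
<p>Please <a href="http://www.creditcardinfo.com/login">update your details</a>
at <a href="http://bankoftrust.com.verify-now.net/">https://www.bankoftrust.com</a>
or read our <a href="https://www.bankoftrust.com/help">help page</a>.</p>
</body></html>
"""

# Assumed allow-list of domains this sender is legitimately allowed to use.
TRUSTED_DOMAINS = {"bankoftrust.com"}


def registrable_domain(host):
    """Crude approximation: the last two labels of the host name.
    A production checker would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_trusted(host, trusted):
    return registrable_domain(host) in trusted


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_sender(from_header, trusted):
    """Flag a From: address whose domain is not on the allow-list.
    The display name is ignored on purpose: a sender can set it to anything."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    if not is_trusted(domain, trusted):
        return ["sender domain %r is not a trusted domain" % domain]
    return []


def check_links(html, trusted):
    """Return one reason per link that leads to an untrusted host, plus one
    per link whose visible text names a different host than its real target."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        if not is_trusted(host, trusted):
            findings.append("link %r goes to untrusted host %r" % (href, host))
        # If the visible text looks like a URL or domain, it must match the
        # real destination; this is exactly what hovering over a link reveals.
        m = re.match(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            findings.append("link text shows %r but href host is %r" % (m.group(1), host))
    return findings


def analyse(raw_email, trusted=TRUSTED_DOMAINS):
    """Parse a raw RFC 822 message and run both checks over it."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return check_sender(msg["From"], trusted) + check_links(body, trusted)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the sample, `analyse` returns four findings: the lookalike sender domain, the link to creditcardinfo.com, the link whose real host is verify-now.net, and the mismatch between that link's visible text (www.bankoftrust.com) and its destination. The genuine help-page link produces nothing. Only the domain of the destination is judged, never the wording of the link, which is the same rule a human should apply when hovering.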
Of course, the signs listed above are just several examples of how you can recognize phishing. Some phishers are very sophisticated and will fool you by sounding entirely professional.
If you’re uncertain whether a message is safe, call your bank or credit card company to confirm it came from them. Use the phone number printed on your card or shown on their official website, never a number given in the message itself, since a phisher will happily include their own.
What to do if you suspect a phishing attack
What if you accidentally clicked on that malicious link? Or if the phisher was so good that they fooled you despite all the warnings?
Fret not. Here are some steps you can take to limit the damage:
1. Immediately disconnect your device from the Internet. This applies if you have just clicked the malicious link and are still being redirected to the dubious website, or if a download started.
2. Change the passwords of your online accounts, starting with the account the message targeted and with any account that shares the same password. Do this from a device you trust, not the one that may have been infected.
3. If you think your credit card is affected by this phishing attack, call your bank and cancel the card.
4. If your account was taken over, inform friends and colleagues about what happened so they do not trust messages sent from it in the meantime.
5. Watch for warning signs of identity theft. Set up a fraud alert with your bank or any relevant government agencies.
6. Back up your files and, if needed, reformat your device.
7. Scan your device for viruses and other malware (malicious software).
How to mark an email as phishing
When you have identified an email as phishing, it’s time for payback. There are ways you can fight back and keep yourself more secure:
1. Mark the email as spam. This tells your email provider or network to direct future emails from this sender straight to the bin, and helps its filters catch the same campaign for other users.
2. Report it as phishing. In Gmail, click the three little dots for the “More” option beside the Reply button and choose “Report phishing”. If the sender used a Gmail address, Google can also act against that account.
How to protect your email from phishing scams
The bad news is that we can never completely be safe from phishing. The good news is, there are plenty of ways you can protect your email and personal information.
Here are a few practical pieces of advice to help you secure your email from phishing attacks:
1. Don’t click on links in unexpected messages. If your bank is asking you to update your information, go to their website directly by typing their address into your browser, or use the app you already have installed.
As previously mentioned, phishers can copy emails or send legitimate-looking messages. Once you click a link in one of those dubious mails, you are led to a website built to capture your information. Worse, you may end up downloading malware.
2. Don’t share sensitive, personal or financial details in reply to a message. Banks and insurance companies do not ask for these details over email, so don’t fall for any such request.
3. Avoid pop-up ads. Pop-ups are like mushrooms: they appear almost everywhere and, while some are harmless, others can be dangerous. Never type card details or passwords into one.
4. Enable multi-factor authentication for your online accounts. Email providers and many websites offer the option to require an extra authentication step beyond the password.
For example, when you sign into your Gmail account, aside from typing in the password, you can have a one-time code sent to your phone. It’s slightly tedious but makes your account much harder to hijack with a stolen password alone. Bear in mind that a convincing phishing page can ask you for that code as well and relay it in real time, so an authenticator app or, better, a hardware security key (which only works on the genuine site) gives stronger protection than codes sent by SMS.
5. Avoid using the same email for all online accounts. Ever heard the saying, “Don’t keep all your eggs in one basket”? The same applies to online accounts.
Don’t use the same email address for all your online accounts with banks or social media profiles. If an attacker gets into your email, they can reset the passwords of every account tied to it.
6. Use a password manager. So you’re using different passwords for different accounts, right? This is a good way to keep attackers away, but we know it is hard to keep track of all those passwords.
The solution is a password manager. No, this isn’t a person with a logbook of all your passwords. It is an application, such as LastPass (a cloud service) or KeePass (a local program), that securely stores your credentials and lets you log in without keeping a physical copy of your passwords. A password manager also helps against phishing directly: it fills a saved password only on the exact website it was saved for, so if it refuses to fill your bank login on a page that looks like your bank, treat that as a warning.
7. Browse securely with a VPN. A Virtual Private Network encrypts the connection between your device and the VPN provider, which protects your traffic from snoopers on public Wi-Fi and hides your location from the sites you visit. Be clear about what it does not do: a VPN does not stop a phishing email from arriving, and if you type your password into a fake site, that password reaches the phisher over the VPN just the same. It is a privacy tool, not a phishing defence.
8. Make sure you have the latest updates for your OS and browser. We know, we know. Updating your device to the latest version can be a bore. But updates are made for a reason. Apple, Google or Microsoft may have found vulnerabilities in their software and created fixes.
These fixes are only applied to your device when you install the update. So the next time a little window pops up telling you to update, just click yes.
9. Use security software. Reputable security software adds an extra layer of protection, including warning you about known phishing sites before they load, and some peace of mind.
* * *
Do you think you’re ready to differentiate phishing messages from real ones now? The rule of thumb is: if something smells fishy about a message, there is probably something dubious about the sender’s intentions.
Of course, it doesn’t hurt to have a security tool that warns you when you may be opening a phishing email. With that peace of mind, you can enjoy browsing and surfing without having to worry about phishing trawlers...