Have you suddenly been locked out of your email or bank account? Is activity going on that you don’t remember initiating? If so, you may have been the victim of a phishing attack. There are many types of phishing attacks and ways that you can protect yourself against identity theft or malicious activities from scammers.
What exactly is “phishing”?
Phishing is a sophisticated method of trying to get information that can be used to commit fraud or identity theft. Phishing schemes usually hinge on trying to trick you into replying to a message or clicking on a malicious hyperlink and then giving out personal identifying information (PII).
Phishing dates back to the 1990s, when email was just starting to be used widely. Hackers and scammers would “fish” for information and try to trick users into revealing their login credentials. This practice became known as “phishing” (and, when aimed at specific individuals, “spear phishing”).
Today, phishing continues to be one of the most effective tools hackers use to extract information from unwitting consumers or corporate employees. Phishing is considered a cybercrime, and there are legal consequences for phishing attempts or illegally using phished information.
What information do “phishers” want?
Phishers and scammers want any type of personal identifying information they can obtain. This can include but is not limited to:
- Your full name
- Your address
- Your Social Security or driver’s license number
- Bank account or credit card numbers
- Login information, including usernames and passwords
- Old street addresses or phone numbers
- Names of family members, friends, teachers, or pets
Cyber criminals and dedicated phishers can build a complete profile on you and use that information to gain access to various accounts. They can then reset passwords, lock you out, and spend your money or use your PII to steal your identity. Phishers may also try to get you to click a malicious link or download a file that will infect your computer or server with malware, making it easier to hack into remotely.
Is there a difference between phishing and spam?
Spam is a form of mass marketing using emails sent to a list of addresses. A spammer’s goal is to make sales. Phishers are more likely to offer a giveaway or falsely warn you that your information has been compromised in an effort to gain information from you.
Do phishers only use email, or is there another form of phishing?
Originally, phishing was done almost entirely by email. However, there are many different phishing scams and several types of phishing attacks that don’t rely on email at all. Phishing attempts may be made via:
- A phone call (known as “vishing”) warning you of legal action and demanding PII to stave off a warrant
- A text message or SMS (known as “smishing”), often posing as a security alert
- A direct message on a social media site that looks like it comes from a friend or follower
- An ad or post on social media that appears to be posted or shared by a legitimate website or contact but in reality leads to a fake website
Any or all of these may be used in addition to or instead of emails to trick people into handing over their PII.
How is a personal phishing attack accomplished?
A personal phishing attack is usually aimed at getting you to divulge a specific piece of information or taking a specific action. You may be asked to visit a website that looks like it is your bank or credit card company and enter your account number. This is called clone phishing.
Alternatively, you could be asked to send money with a promise that you will be reimbursed and also receive much more money in time. Or, with deceptive phishing, you could be asked to provide bank information for a deposit in your name from a “long lost relative” or “legal settlement.”
How is a phishing attack on an organization accomplished?
A more significant type of email phishing attack is aimed at an entire organization. This type of phishing attack usually has three steps:
- Baiting. At this stage, the phisher penetrates an organization by targeting an employee. Often the initial email will look like it comes from within the employee’s own company or from a trusted vendor. It may seem like an email account update or an invoice, and might ask for a username and/or password to be confirmed or reset.
- Hooking. At this stage, the phisher observes the account and email traffic to get to know more about the organization and prime points for attack and exploitation. They will particularly watch for any emails from HR or the finance department.
- Catching. Finally, once enough information has been gathered, the final attack can be launched. This will usually be in the form of a new phishing email that has been carefully personalized so the recipient will automatically trust the sender and will promptly click on a link or provide highly sensitive information. This leads to malware being installed that can spread throughout the organization and paves the way for theft of financial information.
Which are the top “phished” brands?
Many phishing scams base their approach on impersonating a well-known brand. They will copy or “clone” a well-known legitimate company’s website, create a similar email address, and then send emails, post on social media, or send other phishing messages as the brand. Some of the most frequently impersonated brands include:
- Google / Gmail
- Facebook / LinkedIn / WhatsApp
- Microsoft / Apple / Dropbox
- PayPal / Chase / BOA
- Ray Ban / Nike
How to detect a phishing attempt?
Look carefully at email addresses. In many cases, phishing attempts begin with an email that looks like it comes from a reputable company. On closer inspection, the address is misspelled, or the domain name has an extra word added to it.
Other red flags are offers that seem too good to be true, like $49 Ray-Ban ads on Facebook.
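The two domain checks described above (a brand name with extra words around it, or a misspelling of it) can be turned into a small triage script. This is an added illustration, not code from the original article; the list of legitimate brand domains and the two-character misspelling threshold are assumptions.

```python
from urllib.parse import urlparse

# Legitimate domains for the brands this page lists as most impersonated.
# Assumed list for the example; in practice use the senders you actually deal with.
KNOWN_BRAND_DOMAINS = {
    "google.com", "gmail.com", "facebook.com", "linkedin.com", "whatsapp.com",
    "microsoft.com", "apple.com", "dropbox.com", "paypal.com", "chase.com",
    "bankofamerica.com", "ray-ban.com", "nike.com",
}

def extract_host(sender):
    """Return the lower-cased host from an e-mail address or a URL."""
    s = sender.strip().lower()
    if "@" in s:
        return s.rsplit("@", 1)[1]
    if "://" not in s:
        s = "http://" + s          # lets urlparse handle bare 'host/path' input
    return urlparse(s).hostname or ""

def registrable_domain(host):
    """Keep the last two labels, e.g. 'chase.com.verify-account.net' -> 'verify-account.net'."""
    labels = host.split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(sender):
    """Classify an address or URL as 'ok', 'suspicious' or 'unknown', with a reason."""
    host = extract_host(sender)
    domain = registrable_domain(host)
    if domain in KNOWN_BRAND_DOMAINS:
        return "ok", f"{domain} is the brand's real domain"
    name = domain.split(".")[0]
    for brand in sorted(KNOWN_BRAND_DOMAINS):
        bname = brand.split(".")[0]
        if name == bname:            # right name, wrong top-level domain
            return "suspicious", f"'{bname}' under a different top-level domain ({domain})"
        if bname in host:            # brand name with words added, or hidden in a subdomain
            return "suspicious", f"'{bname}' appears in {host} but the address belongs to {domain}"
        if len(bname) >= 5 and edit_distance(name, bname) <= 2:
            return "suspicious", f"{domain} looks like a misspelling of {brand}"
    return "unknown", f"{domain} does not resemble a listed brand"
```

This is a triage heuristic, not a verdict: a domain such as purchase-orders.com would trip the substring test on “chase”, so treat a “suspicious” result as a prompt to verify through a channel you already trust.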
How can I protect myself from phishing attacks?
Be aware that no financial institution or large company will ever ask you for PII or your account information via email, text, or over the phone. If you are not sure an email is legitimate, you can always contact the company directly using contact details you already know to be genuine.
Set up multi-step authentication on your accounts. This adds extra layers of protection and makes it harder for your account to be accessed even if a hacker has managed to obtain information for one type of login. Use passphrases instead of easily guessed passwords and change your passwords regularly.
What should I do if I have been a victim of a phishing attack?
If you believe you have been phished, you should immediately secure your accounts by changing your passwords and enabling multi-step authentication. Have your computer scanned for malware or viruses. If the phishing was accomplished by mimicking a trusted organization, contact that organization and let them know so they can warn others.
By being aware of common phishing ploys and protecting your PII and logins, you can reduce the chances of being phished. If you are victimized by a phishing attack, you can take prompt action to secure your accounts and devices and report the attack to the appropriate organization.
When you have questions about whether a URL is malicious, you can use the CheckPhish URL scanner. Just enter the URL, and in seconds you can determine whether it is a malicious website, a counterfeit site, or otherwise suspicious. Whether you have one URL or need to scan multiple URLs, CheckPhish is your anti-phishing solution.