There was a time, not so long ago, when computers, smartphones, and social media did not exist. It seems crazy—but it’s true. Before the creation of the internet, it was not possible to reach someone through text or email. You had to pick up the phone and call them if you wanted to have a conversation. If you were stuck in a project, you had to search through manuals and encyclopedias. There were no websites, no learning games, and no pictures on screens—only books, magazines, and other written papers. Information was much, much harder to find before the internet came along. It might seem like life was harder back then, and maybe it was a little. But life was also a lot simpler because we only had to worry about real-life dangers. Today, we still have to wear our seat belts and look both ways before crossing the street, but we also have to be careful during our screen time. Why? Because we now live in two different worlds—the real one we can touch and the virtual one that lives on our screens. This virtual world is sometimes called cyberspace. And just like in the real world, there are dangers in cyberspace. To stay safe, we need to understand more about cybersecurity. It’s a big word but it’s pretty simple to understand. Cybersecurity is about protecting yourself from online danger and crime. And one of the biggest dangers on the internet right now is a problem called phishing.

What is a Phishing Attack?

There are a lot of special words to remember when talking about cybersecurity and phishing. But one of the most important is vulnerability. If you are vulnerable to something, it means you are open to being harmed by it. If you walk out in the middle of traffic, you make yourself vulnerable to injury. If you sit out in the hot sun, you become vulnerable to sunburn. And if you are not careful about what you do on the internet, you may be vulnerable to cyber attack. One of the most common cyber attacks on the internet today is known as phishing, and it uses email as a weapon. But that might sound a little strange, so let’s back up a little bit.

Even in the “old days,” all human communications had a vulnerability. Smoke signals could be seen by anyone looking at the sky. Carrier pigeons with messages tied to their legs could become disoriented or lost. And secret codes created by the military could be “cracked” by clever mathematicians. Even the super-modern telephone had a vulnerability—you never knew who might be listening in on the wire. And today, attackers target the modern communication of email.

So, who are these “attackers” anyway? The truth is, you will probably never know. What you do need to know is that their goal is to harm and steal what they can. And so, just like you watch out for strangers in the real world, you must also watch out for bad people on the internet. The most important word to remember is trust. Do not hand your trust out easily. It is something that should be earned by those around you, not casually given away. It doesn’t matter if it’s a sketchy email from a friend or a weird knock on the door—always think before giving anyone access. When it comes to the internet, think before you trust.

These scams look like real, honest email messages from someone you trust. Your boss. Your colleague from work. Maybe someone you don’t know but who sounds believable. When you read a scam email, it is worded in a way that tricks you into believing the message is true. And because it seems like you’re communicating with someone trustworthy, you are likely to follow the directions of the message. You might think it’s easy to tell the difference, but a good phishing attack can be hard to spot.

Think about it this way. What if you received an email from your mom telling you she is out at the store and has forgotten her debit PIN number? She is hoping you can remind her. The message is short and to the point. It doesn’t really sound like your mom, but it’s hard to tell because it’s only a few sentences. She did use your name, and she did know your email address—so it must be her, right? Maybe. But maybe not. It could be a super clever phishing attack aimed at you. And when you email back to “mom” with her PIN number, the attackers on the other side of the screen have what they want.

Other times, phishing schemes actually use your own mind to trick you. It sounds crazy, but it’s a method of attack known as social engineering. As people, we all have certain natural personalities and behaviors—they make us unique. But there are also some characteristics we all share, like curiosity, excitement, or fear. If we see a child standing in the road, our first reaction is to pull them to safety. And if we see something shiny on the ground, we may not be able to resist picking it up. In this way, phishing scams use social engineering to predict what someone will do in a certain situation. If a scammer can make you feel curious enough or worried enough, they might get you to click that link or offer up some private information—whatever it is they want. In other words, these attacks are only successful if you play your part.

Let’s look closer. Say you sit down and open your email. Your inbox has one message from a gaming site you love to use. You really, really love this site. Their games are fun, not too expensive, and your scores are getting better every day. It looks like the website has sent you a message about a contest. You read more and see you have won something for being such a good player. What? You’ve won a free game of your choice for one year? No way! All you have to do is click the link in the email to claim your prize. What happens next depends a lot on your personality. Do you click the link? Do you stop, take a deep breath, and think “Hmm, maybe this is a scam?” Or do you click immediately, already planning which super fun game you will pick? Just remember—what you do next may have big consequences, so choose wisely.

NOTE: An HTTPS certificate, or the lock symbol shown beside the web address, does not mean that the website is safe or that it is not a phish. It is very easy to get an HTTPS certificate for a website.

Clicking some weird link in a silly phishing email may not seem like a problem, but it is for your computer. As soon as you click it, you give cyber criminals access to your computer and all of its information. Plus—you also allow malicious software, otherwise known as malware, to be downloaded onto your device. Malware is just a special word for bad software—you know, the kind that slows down your computer, uses up all your memory, and steals your private information. Malware is not something you want on your personal device. But hackers love it because it gives them access to the most valuable thing on the internet—your data. This data can be details about your passwords, location, name, birthdate, even information about your family or your school. And cyber criminals can use this data to create bigger, badder attacks in the future. Because in the virtual world, information is like gold.

Let’s consider another scenario. What would you do if you receive this email?

[Image: the email described below]

This email comes from a scammer who is posing as an IRS agent. The email address domain says irss.com, and when you hover over the hyperlink you see http://irsss.com/tax-refund/credit-card. The IRS would not ask you for your credit card details.

Four Ways To Identify Phishing Sites

  1. Check the spelling. Most such websites try to mimic the real ones, just as irsss.com tried to pass for irs.gov.
  2. Try to stay away from pop-ups. They occur more frequently on a counterfeit site than on a legitimate one. If you come across any, click the x button.
  3. If the domain does not look familiar, use https://www.whois.net/ and Google searches to see if it is legitimate.
  4. Advanced users can make use of the Registrar, Updated Date, Created Date and other information from sites like https://www.whois.net/ to make their decision. But be aware that most content is now hosted on services like AWS, GoDaddy, etc., which makes it difficult and cumbersome to check the authenticity of a domain. We suggest you use RedMarlin’s https://checkphish.ai/ to check if a URL or a web page is a phish.
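
The spelling check in step 1 can be partly automated. The Python sketch below is an added example, not part of the original article or of any RedMarlin tool: it compares the domain in a link or sender address against a short list of sites you actually use and flags near-misses such as irsss.com. The trusted list, the function names and the sample addresses are assumptions made for illustration.

```python
from itertools import groupby
from urllib.parse import urlsplit

# Assumption: your own short list of sites you really use. irs.gov is from
# the article; example-bank.com is a constructed placeholder.
TRUSTED = ("irs.gov", "example-bank.com")

def host_of(text):
    """Host part of a URL ("http://...") or of an e-mail address ("a@b.c")."""
    text = text.strip().lower()
    if "://" in text:
        return (urlsplit(text).hostname or "").rstrip(".")
    return text.rsplit("@", 1)[-1].rstrip(".")

def squeeze(name):
    """Collapse repeated letters, so 'irsss' and 'irss' both become 'irs'."""
    return "".join(ch for ch, _ in groupby(name))

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check(text, trusted=TRUSTED):
    """Return ('trusted' | 'lookalike' | 'unknown', matching trusted site or None)."""
    host = host_of(text)
    # Simplification: treat the last two labels as the site (wrong for co.uk etc.).
    site = ".".join(host.split(".")[-2:])
    if site in trusted:
        return ("trusted", site)
    name = squeeze(site.split(".")[0])
    for good in trusted:
        good_name = squeeze(good.split(".")[0])
        # A real name used as a subdomain of another site, e.g. irs.gov.refunds.example
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return ("lookalike", good)
        # Same or nearly the same name (repeats, one typo, or a different ending).
        if edit_distance(name, good_name) <= 1:
            return ("lookalike", good)
    return ("unknown", None)
```

A result of "unknown" only means the domain does not resemble anything on your list; it still needs the whois and search checks from steps 3 and 4.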