Over 50% of IT professionals agree that phishing attacks are one of the biggest cybersecurity concerns currently affecting both individuals and businesses. Lapses in cybersecurity protocols and weak infrastructure allow phishing attacks to reach highly sensitive information, including passwords, financial details and personal information. Criminals use every communication method at their disposal, including email, social media and phone calls, to ensnare their victims. Their deceptions have also become sneakier and more convincing over time, posing as trusted friends, coworkers, institutions and even governments. Unfortunately, one click can be all that stands between your private data and an attacker. With over 90% of data breaches reportedly beginning with a phishing message, it’s only a matter of time before you or your organisation becomes a target. Therefore, it’s important to know how to prevent, identify and manage phishing attempts.
How Does Phishing Work?
A phishing scam attempts to persuade the intended target to take an action (such as opening an attachment, clicking a link, filling out a form or revealing personal information) by posing as a trustworthy individual or reputable organisation. Once the action is completed, a number of consequences may follow. A cybercriminal will most likely use a phishing scam to try to:
- Gain total control of your device and its contents by infecting it with malware
- Access private information that can be used to steal your money and/or identity
- Obtain login details for your online profiles, including email, social media, banking, online shopping and other platform accounts
- Trick you into willingly sending money or other valuables through deception
Phishing attacks can take many forms. Some are swift and pressure you to complete a specific action urgently, while others are long, drawn-out processes that build a relationship with the intended victim over an extended period of time. Only after trust has been established (and the victim is lulled into a false sense of security) does the scammer exploit the situation.
Unfortunately, even if you exercise extreme caution, it can be the people closest to you who pose the most danger. If someone close to you has their email, contact list or social media account compromised by a phishing attack, the attacker can hijack that account and send phishing messages from it. To friends, family and coworkers those messages arrive from an account they know and trust, which makes them far more likely to be acted on.
Types of Phishing Attacks
The sad truth is that cybercriminals who use phishing attacks are good at what they do. They’re savvy liars who know how to craft believable stories and design legitimate-looking communications. They’re so good that over 40% of employees have admitted to not following best-practice guidelines and engaging in some form of dangerous action while online (i.e. clicking on an unfamiliar link, downloading a file or exposing personal data). If you’re an act-first-and-think-later kind of person, then you’re an easy target for phishing scams.
The good news is that phishing is much easier to recognise once you know what to look for. Although phishing attacks can take many forms, they most commonly fall into one of the following categories:
- Phishing emails are carefully designed to resemble mail from a valid email address, individual, company or organisation. They may include personal information the cybercriminal has gathered about you (such as your name, employer or geographical location) in order to appear more legitimate, and will usually ask you to follow a link, open an attachment, change a password, send a payment or reply with private information.
- Phone/voice phishing (vishing) occurs when a scammer impersonates a person or company over the phone. Voice over Internet Protocol (VoIP) services make it cheap to call your number directly and easy to display a forged caller ID. In other cases the visher masks their own number behind an automated message that redirects the intended victim, for example to a call-back number. In any case, the visher will say and do everything they can to keep you on the phone: the longer you talk to them, the more likely you are to fall into their trap.
- SMS phishing (smishing) is very similar to vishing, but takes place over text messages and messaging apps.
- Social media phishing involves cybercriminals either posting phishing links on social media platforms or sending them by direct message. The links can take a variety of forms: fake news articles, free giveaways or sketchy “official” charitable organisations with urgent requests. Referred to as “clickbait”, the links are made as sensationalised and dramatic as possible in order to entice people. If any of your social media contacts fall for the trap, the scammer can impersonate them and use their account to spread the link further.
- Clone phishing takes place when an existing message from a legitimate contact is duplicated, with all of the original attachments and links replaced by the scammer. While this method most commonly appears in email attacks, it has also been used by social media and SMS phishing scams.
- Domain spoofing is a popular technique used to impersonate brands, businesses and organisations. Cybercriminals mimic valid email addresses by registering a domain that very closely resembles the one used by the real company. For instance @netflix.com may become @netflix-support.com in order to fool Netflix subscribers. Because the lookalike domain genuinely belongs to the attacker, mail from it can pass the usual sender-authentication checks for that domain; the only check that helps is whether the domain is exactly the one you expect. Alas, people who fall for this scheme may not realise their mistake until it’s too late.
- Email account takeover (often called business email compromise, or BEC) takes place when a cybercriminal acquires the email credentials of an executive member of an organisation. The attacker uses the account to impersonate the executive and target colleagues, team members, clients and customers who have dealings with them. The scammer capitalises on the executive’s high profile and position of authority, sending phishing emails to targets who report to and/or trust the original account holder.
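The domain-spoofing entry above lends itself to a mechanical check. The following is an added example written for this page, not code from the article or from any product it mentions: given a From: header, it reports whether the sender’s domain is exactly one you trust, a lookalike of one (the brand name with extra tokens such as netflix-support.com, confusable characters such as a digit 1 for a letter l or a Cyrillic letter for a Latin one, or a domain one typo away), or simply unrelated. The protected-domain list, the confusable table and the sample addresses are all constructed for illustration.

```python
"""Lookalike-domain check for a sender address (added example, not from the article).

Assumptions: PROTECTED_DOMAINS and every sample address below are constructed
for illustration; a real deployment would load the list from configuration.
"""
import unicodedata
from email.utils import parseaddr

# Constructed: the only domains we expect genuine mail from.
PROTECTED_DOMAINS = {"netflix.com", "example-bank.com"}

# Characters attackers substitute for ASCII letters. Folding is used only for
# comparison, so a false fold (e.g. "rn" in a genuine name) costs a review, not a block.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def fold(domain: str) -> str:
    """Lower-case, NFKC-normalise and map confusable characters to ASCII."""
    d = unicodedata.normalize("NFKC", domain.lower().strip().rstrip("."))
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; each substitution, insertion or deletion counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'netflix-support' for 'mail.netflix-support.com'."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender domain."""
    raw = domain.lower().strip().rstrip(".")
    # An exact match or a genuine subdomain (mail.netflix.com) is the only 'trusted' outcome.
    for brand in PROTECTED_DOMAINS:
        if raw == brand or raw.endswith("." + brand):
            return "trusted"
    folded = fold(raw)
    for brand in PROTECTED_DOMAINS:
        brand_label = brand.split(".")[0]
        # Matches only after folding confusables: netf1ix.com, Cyrillic letters.
        if folded == brand or folded.endswith("." + brand):
            return "lookalike"
        # Brand name with extra tokens: netflix-support.com, netflix.com.evil.net.
        if brand_label in folded:
            return "lookalike"
        # One typo away from the brand: netfiix.com.
        if levenshtein(registrable_label(folded), brand_label) <= 1:
            return "lookalike"
    return "unrelated"


def check_sender(from_header: str) -> tuple:
    """Classify the domain of an RFC 5322 From: value such as 'Name <user@host>'."""
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2]
    return domain.lower(), classify(domain)


if __name__ == "__main__":
    for hdr in ("Netflix <info@netflix.com>",
                "Netflix Support <billing@netflix-support.com>",
                "Netflix <no-reply@netf1ix.com>",
                "GitHub <noreply@github.com>"):
        print(hdr, "->", check_sender(hdr))
```

The order of the checks matters: the exact-match test runs on the raw domain, so a domain that only equals the brand after folding (netf1ix.com) is reported as a lookalike rather than trusted. The substring test is deliberately broad; on a large brand list it will want a Public Suffix List lookup and an allowlist of partners that legitimately embed the brand name.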
How to Spot a Phishing Email
Approximately 3.4 billion spam emails are sent out every day! While spam filters may stop many phishing attempts from reaching your inbox, there are bound to be some that slip through. Scammers are also continually updating their tactics, doing everything they can to disguise themselves and their intentions. Below are some red flags that can help you spot any phishing emails that have managed to slip into your inbox:
- Warnings of suspicious activity and/or log-in attempts that have been noticed on your account
- Claims that you have an outstanding payment and/or that you need to rectify your payment information
- Requests to confirm your account by disclosing personal information
- Attachments/downloads (such as fake invoices or receipts)
- Statements that you’re eligible for some form of government refund and/or scheme
- Offers of coupons/vouchers for free items/services to be redeemed
- Spelling errors and poor grammar (though their absence proves nothing: well-resourced attackers write clean copy)
- Unprofessional or amateur looking graphics
- Generic greetings instead of your name (such as Dear Customer or Dear Sir/Madam)
- Unfamiliar links, or links whose displayed text doesn’t match their real destination
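Several of the red flags above can be checked mechanically once a message has been parsed. The following is an added example written for this page, not code from the article: it parses a raw email with Python’s standard library and reports which flags fire (generic greeting, urgency or payment language, a request for credentials, a Reply-To domain that differs from the From domain, and attachments with executable or double extensions such as Invoice.pdf.exe). The phrase lists, the extension sets and both sample messages are constructed for illustration and should be tuned to your own mail.

```python
"""Red-flag scoring of a parsed email (added example, not from the article).

Assumptions: the phrase lists, the extension sets and both sample messages
are constructed for illustration.
"""
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

URGENCY = ("suspicious activity", "unusual sign-in", "within 24 hours",
           "immediately", "will be suspended", "verify your account")
PAYMENT = ("outstanding payment", "update your payment", "billing information")
CREDENTIAL = ("confirm your password", "confirm your account", "enter your details")
GENERIC_GREETINGS = ("dear customer", "dear sir/madam", "dear user", "dear valued")
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx"}
RISKY_EXT = {"exe", "scr", "js", "vbs", "hta", "jar", "bat", "cmd", "lnk", "iso", "docm", "xlsm"}


def domain_of(header_value) -> str:
    """Domain of an address header, '' if the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def red_flags(msg: EmailMessage) -> list:
    """Return the labels of every red flag that fires for the message."""
    flags = []
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content().lower() if part is not None else ""
    first_line = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    if first_line.startswith(GENERIC_GREETINGS):
        flags.append("generic-greeting")
    if any(p in text for p in URGENCY):
        flags.append("urgency")
    if any(p in text for p in PAYMENT):
        flags.append("payment-demand")
    if any(p in text for p in CREDENTIAL):
        flags.append("credential-request")
    # Replies routed to a different domain than the one displayed in From:.
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        flags.append("reply-to-mismatch")
    for att in msg.iter_attachments():
        name = (att.get_filename() or "").lower()
        parts = name.split(".")
        if parts[-1] in RISKY_EXT:
            flags.append("risky-attachment:" + name)
        # Invoice.pdf.exe: a document extension hiding in front of the real one.
        if len(parts) > 2 and parts[-2] in DOC_EXT:
            flags.append("double-extension:" + name)
    return flags


def score_raw(raw: str) -> list:
    """Parse a raw RFC 5322 message and return its red flags."""
    return red_flags(message_from_string(raw, policy=default))


def build_sample() -> str:
    """Constructed phishing-style message; every address and name is invented."""
    m = EmailMessage()
    m["From"] = "Netflix Billing <billing@netflix.com>"
    m["Reply-To"] = "support@netflix-billing-help.com"
    m["To"] = "you@example.org"
    m["Subject"] = "Action required: unusual sign-in on your account"
    m.set_content("Dear Customer,\n\nWe noticed suspicious activity on your account. "
                  "Please update your payment information within 24 hours or your "
                  "account will be suspended.\n")
    m.add_attachment(b"MZ\x90\x00not-a-real-binary", maintype="application",
                     subtype="octet-stream", filename="Invoice.pdf.exe")
    return m.as_string()


def build_benign() -> str:
    """Constructed ordinary message used as a control."""
    m = EmailMessage()
    m["From"] = "Alice <alice@example.org>"
    m["To"] = "bob@example.org"
    m["Subject"] = "Tomorrow"
    m.set_content("Hi Bob,\n\nSee you at the meeting tomorrow.\n")
    return m.as_string()


if __name__ == "__main__":
    for raw in (build_sample(), build_benign()):
        flags = score_raw(raw)
        print(len(flags), "flag(s):", flags)
```

The number of flags is a prompt for a human to look closer, not a verdict: a genuine billing reminder can trip the payment phrases, and a carefully written phishing email can trip none of the text checks while still carrying a mismatched Reply-To or a risky attachment, which is why those structural checks carry more weight than the wording ones.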
What To Do If You Receive a Phishing Email
Unfortunately, many of us don’t think twice when opening emails in our inboxes. In fact, one third of all phishing emails are opened by their recipients! While simply opening the email may not have any ill consequences, it drastically increases the probability that you’ll click on a malicious link or download, whether unintentionally or because curiosity got the better of you. For this reason, if you come across a suspicious-looking email then we recommend you follow these simple steps:
- Delete the email without opening it. Opening a message in a modern, patched mail client rarely infects a device by itself, but loading its remote images can confirm to the sender that your address is live, and rendering bugs in mail clients have been exploited in the past, so there is nothing to gain by looking. If it arrived at a work address, use your organisation’s report-phishing button or forward it to the security team first so they can block it for everyone else. It’s better to be safe than sorry.
- Block the sender of the email. If your email provider allows you to manually block incoming emails from specific accounts/domains then be sure to add the sender to your blocked list. If you are using a shared account or someone else has access to your inbox, then this is especially important.
- Consider extra protection that screens incoming mail for phishing, such as a reputable mail-filtering or antivirus product.
Tips To Protect Yourself From Phishing Attacks
Even the most cautious person can still fall victim to a phishing attack. As cybercriminals employ more sophisticated tactics and find new ways to create increasingly convincing communications, it’s more important than ever to take preventative steps to avoid becoming the catch of the day.
Here are some basic measures you can use to avoid being scammed:
Be cautious when giving out personal information
A good general rule is never to give out your information to a person or website you don’t fully trust. Be sure to thoroughly verify that every website and/or company you give your information to is both genuine and secure. If the URL doesn’t start with “https” or the browser shows no closed padlock icon next to it, then under no circumstances should you enter your details. Bear in mind, though, that the padlock only means the connection is encrypted: phishing sites routinely obtain valid certificates, so the padlock proves nothing about who is on the other end. Check that the domain name itself is exactly the one you expect.
Never trust alarming messages
Phishing scammers are known for trying to scare their victims into handing over their information. No matter what a communication says, it’s important to remember that most reputable organisations (such as governments, banks, insurance companies, etc.) will never request account or other sensitive information via email. If you receive a worrying email, delete it and contact the company directly to confirm whether they sent it, using a phone number or website address you already know (from your card, a statement or a bookmark), never one taken from the message itself.
Avoid clicking on embedded links
It’s generally not a good idea to click embedded links in emails, even when you know the sender. At the very least you should hover over the link to see whether the destination is what it claims to be: the displayed text can say one thing while the underlying address points somewhere else entirely. However, in some cases the attack is so sophisticated that the destination URL is nearly indistinguishable from the genuine site. Rather than click the link, visit the site directly through a bookmark or by typing the address you know, and be wary of search results too, since sponsored results have been used to advertise lookalike sites.
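The hover check described above can be done programmatically on an HTML email body. The following is an added example written for this page, not code from the article: it collects every anchor, compares the site named in the visible text with the site the href actually points to, and also flags the classic tricks a hover reveals (a user-info prefix such as https://netflix.com@evil.example/, a raw IP address as the host, a punycode host and a non-HTTP scheme). The HTML snippet is constructed, and the registrable domain is approximated as the last two labels, where a real tool would consult the Public Suffix List.

```python
"""Programmatic 'hover check' for links in an HTML email (added example, not from the article).

Assumptions: SAMPLE_HTML is constructed; registrable() approximates the
registrable domain as the last two labels instead of using the Public Suffix List.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that names a site, e.g. "www.netflix.com/account" or a full URL.
URL_LIKE = re.compile(r"^(https?://)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """'login.netflix.com.evil-cdn.net' -> 'evil-cdn.net' (last two labels)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(text: str) -> str:
    """Host named by a URL or by a bare domain such as 'www.netflix.com/account'."""
    s = text.strip()
    if "://" not in s:
        s = "http://" + s
    return urlsplit(s).hostname or ""


def analyze_link(href: str, text: str) -> list:
    """Return the findings for one anchor; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        findings.append("non-http-scheme")
    if parts.username is not None:
        findings.append("userinfo-in-url")   # https://netflix.com@evil.example/
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    # The hover check proper: the text shows one site, the href goes to another.
    if URL_LIKE.match(text) and registrable(host_of(text)) != registrable(host):
        findings.append("text-destination-mismatch")
    return findings


def check_html(html: str) -> dict:
    """Map each suspicious href to its findings; clean links are omitted."""
    collector = LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        findings = analyze_link(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed sample body; the hosts are reserved/example names, not real sites.
SAMPLE_HTML = """
<p>Dear Customer, please
<a href="https://netflix-account-verify.com/login">https://www.netflix.com/account</a>
or <a href="https://netflix.com@evil.example/">contact Netflix Help</a>
or <a href="http://203.0.113.5/update">update your payment</a>.
Genuine: <a href="https://www.netflix.com/account">https://www.netflix.com/account</a></p>
"""

if __name__ == "__main__":
    for href, findings in check_html(SAMPLE_HTML).items():
        print(href, "->", ", ".join(findings))
```

The mismatch check only fires when the visible text itself names a site; text such as “update your payment” gives nothing to compare, which is exactly why the other structural checks are there. A link that passes all of them can still lead to a freshly registered lookalike domain, so this complements, rather than replaces, a reputation or lookalike-domain check.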
Don’t download any attachments
Never open an attachment from a suspicious or strange email. Many malicious attachments are disguised as Word, Excel, PowerPoint or PDF files, for instance an executable named Invoice.pdf.exe whose real extension is hidden, or a document that asks you to “enable content” so its macros can run, in order to get malware or something else nefarious onto your device.
Install anti-phishing add ons
Most internet browsers these days have add-ons available, and ship with built-in warnings, that can recognise malicious websites and alert users to known phishing sites.
Use a firewall
A firewall acts as a shield between your device and the wider network. It will not stop a phishing email from arriving, but a combination of desktop and network firewalls limits what a malicious attachment or link can reach once it has been clicked, and is one of the most effective ways to contain an attack that gets through.
Regularly update your software and operating systems
Look, we’re all guilty of ignoring update notifications at some point or another. However, patches and updates are necessary to ensure your device can withstand the latest attack methods. Outdated operating systems and browsers are among the most common targets for the malware that phishing delivers, so make sure you update, update, update!