What Is Phishing? Plus How To Spot It and How To Prevent Becoming a Victim

To protect yourself from phishing, don’t open any suspicious emails, texts, or messages and never click on any links. Phishing scams often imitate trusted companies, like your bank, to trick you into giving away personal information for criminal purposes. They may ask you to enter your banking details or download an attachment with malware.

Definition of Phishing

Phishing is the act of sending fake and harmful emails that are designed to deceive people into falling for a scam. Usually, the ultimate goal is to obtain sensitive data such as financial information or system credentials from unsuspecting users.

Social engineering is a collection of techniques used by scam artists to manipulate humans. Phishing, in particular, utilizes techniques like forgery, misdirection, and lying. Phishing emails are designed to exploit human psychology by encouraging users to act impulsively without considering the consequences. Learn more about phishing according to the FBI.

How Phishing Works

A phishing attack typically involves a message sent via email, social media, or other electronic communication means.

Phishers utilize public resources, primarily social networks, to obtain personal and professional information of their targets including their name, occupation, and email address. Additionally, they gather information on their interests and activities. This data is then used to craft a highly convincing false message.

The victim usually gets deceptive emails that seem to be from a known contact or organization. The attackers use malicious links or attachments to harm the victim. They create counterfeit websites that look like ones owned by trustworthy entities such as the victim’s bank, university, or workplace. Through these fake websites, they try to obtain personal details such as usernames, passwords, or payment information.

Although some phishing emails can be spotted by their use of inconsistent fonts, logos, and layouts, others are becoming harder to detect. In fact, cybercriminals are employing advanced marketing methods to create authentic-looking messages that are increasingly difficult to distinguish from genuine ones.

5 Types of Phishing Attacks

There are a number of types of phishing attacks, however, there are five primary types to be aware of. These include email phishing, spear phishing, whaling, smishing and vishing and angler phishing.

Here are the five types of phishing attacks explained:

1. Email Phishing

Phishing attacks are often carried out through email. Attackers register fake domain names that look similar to real organizations and send thousands of requests to potential victims. To create fake domains, attackers may add or change characters (such as my-bank.com instead of mybank.com), use subdomains (such as mybank.host.com), or use the name of the trusted organization as the email username (such as mybank@host.com). Phishing emails usually create a sense of urgency or threat to persuade the recipient to take action without verifying the email’s source or authenticity.

The objectives of email phishing messages include tricking the user into clicking a link that leads to a harmful website, downloading an infected file that installs malware, making the user submit personal data after clicking a link to a fake website or replying to the message and providing personal information.

2. Spear Phishing

Spear phishing refers to targeted email attacks on specific individuals. The attacker usually possesses certain information about the victim, which may include all or some of the following details:

• Name
• Employer
• Job title
• Email address
• Specific information about their job role
• Trusted colleagues, family members, or other contacts, and samples of their writing

This information can enhance the effectiveness of phishing emails and manipulate victims into carrying out tasks like transferring money.

3. Whaling

Whaling attacks aim at attacking senior management and individuals in highly privileged roles. While sharing the same ultimate goal as other types of phishing attacks, whaling techniques are subtler. Senior employees typically have a lot of personal information available publicly, which attackers can use to create highly sophisticated attacks.

In whaling attacks, hackers do not use tactics like malicious URLs or fake links. Instead, they create customized messages using information they gather about the victim through research. For example, they may obtain sensitive information about the victim from fake tax return documents to create their attack.

4. Smishing and Vishing

This message is to inform you that there is a type of online scam called phishing that uses phone communication instead of written messages. Specifically, smishing involves sending fake text messages, while vishing involves fraudulent phone calls.

A voice phishing scam involves a scammer impersonating an investigator from a credit card company or bank and informing the victim that their account has been compromised. They then deceive the victim into providing payment card details under the pretense of verifying their identity or transferring funds to a secure account, which is actually controlled by the attacker.

Automated phone calls in vishing scams may deceive victims by pretending to be from a trusted entity and requesting personal information to be typed using their phone keypad.

5. Angler Phishing

The attacks involve the use of counterfeit social media accounts that appear to belong to reputable organizations. The attacker creates an account using a handle that imitates the name of a genuine organization (e.g. “@pizzahutcustomercare”) and uses the same profile picture as the real account.

Consumers are vulnerable to attackers who create fake social media accounts mimicking the brand’s official account. When consumers make complaints or request assistance through these fake accounts, they unknowingly provide sensitive information to the attackers.

Attackers may ask for personal information when they receive a request from a customer to identify the problem and respond accordingly. They may also provide a malicious website disguised as a fake customer support page.

What are the Signs of Phishing?

One of the most common signs of phishing is an email or message from an unknown sender. If a user receives a suspicious email or message from someone they do not recognize, it is important to take extra caution. Additionally, if the message includes links or attachments, it is essential to verify their authenticity before clicking on them.

Threats or a Sense of Urgency

It’s important to be cautious of emails that make threats and to also be aware of urgency tactics that pressure you into taking immediate action. Scammers use these tactics to make you feel rushed and less likely to notice any mistakes or suspicious details in the email.

Message Style

One way to identify a phishing message is by analyzing its tone and language. If the sender appears too informal, or unusually formal for their typical communication style, this could be a red flag. It’s important to remain vigilant and carefully examine any other signs that may suggest the message is a phishing attempt.

Unusual Requests

If you receive an email that asks you to perform actions that are not standard, it could be a sign that the email is dangerous. For instance, if you get an email from a supposed IT team that requests you to install software, but the IT department usually handles such installations centrally, the email may be malicious.

Linguistic Errors

If an email has spelling or grammatical errors, it may not be from the claimed source. This is because most companies use spell check in their email clients for outgoing emails. Therefore, you should be suspicious of emails with such errors because they could be phishing emails.

Inconsistencies in Web Addresses

One simple method to detect potential phishing attacks is by checking for inconsistencies among email addresses, links, and domain names. You can verify the authenticity of an email by comparing its sender’s email address with the one you received in previous communications.

To avoid falling for phishing scams, it is advisable for recipients to hover their mouse pointer over a link in an email and check to see the actual destination of the link. In cases where the email claims to be from Bank of America, but the email address domain isn’t “bankofamerica.com”, it is an indication that the email is likely a phishing attempt.

Request for Credentials, Payment Information or Other Personal Details

To trick people into giving away their personal information, scammers often use phishing emails that include phony login pages. These pages can look authentic and are often accessed through a link in the email. If the email is unsolicited, it’s best not to enter any login details or follow the link. Instead, it’s a good idea to go to the website directly through a reputable source.

6 Questions to Ask Yourself To Find Out If an Email Might Be a Phishing Scam

Recognizing possible phishing emails is becoming more difficult as the methods used are becoming more sophisticated. However, there are a few ways to identify them. Simply ask yourself:

1. Do you know the sender? A way to identify phishing emails is to check if the email address matches the sender’s name. If it doesn’t, you can hover your mouse over the sender’s name to see the real email address.
2. Did you sign up to receive this email? Receiving an email for a service you didn’t subscribe to is possibly a sign that it’s a phishing scam.
3. Are there any unusual attachments? Be cautious when dealing with emails that contain attachments, especially if you were not expecting the email. Malware can often be hidden in attached documents. Normally, official organizations will only send you attachments if you specifically requested them.
4. Does the email ask for personal information? Typically, organizations will request your personal information.
5. Does it use urgency or threats? Phishing emails try to create a sense of urgency in the hope that you will disclose your information and click on links without taking time to think.
6. Does it look like other emails you’ve received from this sender? Although there are exceptions with more advanced phishing attempts, official emails typically have a distinct appearance from phishing emails, which are becoming increasingly sophisticated.

Phishing Scams Do’s and Don’ts

Even the most wary of us can fall victim to a phishing scam, but there are few ways you can protect yourself and others.

Do not:

• Do not respond to any suspicious email or text message, as the more you engage with a potential hacker or phishing attempt, the more vulnerable you become to cyber threats.
• Refrain from clicking any links or downloading any attachments that may contain viruses or malware.
• Do not share any information with any individuals who contact you unexpectedly.
• Don’t enter your PIN online unless you are confident that the website is legit.

Do:

• Mark it as either ‘spam’ or ‘junk’ to let your email host know that it’s not a legit email.
• Regularly update your security software.
• To report the incident, please contact the relevant organization, such as your bank, credit card provider, or mobile phone network.

Bottom Line

Phishing is just one of the many ways in which hackers trick people into scams. It’s smart to be aware of it and how phishing happens to help avoid becoming a victim of phishing. It’s also worth familiarizing yourself with other forms of scams and types of identity theft, as well as taking precautions to safeguard your identity and credit. For example, freezing your credit or locking your credit can help prevent hackers from opening new accounts in your name. 

Frequently Asked Questions (FAQs)