- What is phishing?
- How to recognize a phishing attempt?
- Suspicious activity or login attempts
- False invoices
- Links for payments
- Coupons or free offers
- Confirmation of personal information
- Refunds they don’t deserve
- “Problems” with your payment information or account
- Common Phishing Baits
- Deceptive phishing
- Spear phishing
- Clone phishing
- Angler phishing
What is phishing?
Phishing refers to attempts by hackers – or criminals – to impersonate a trusted communication partner through well-crafted but fake websites, emails or text messages. The goal of these scams is, for example, to obtain an Internet user’s personal information in order to carry out further criminal activities with it, such as emptying the victim’s account.
Think your business is safe from phishing scams? Please reconsider. Given the increasing sophistication and scope of phishing attacks, your company can’t afford to take cybersecurity for granted. Knowing how to prevent phishing scams is one of the most effective steps you can take in the fight against data breaches.
A 2020 study found that 85 percent of all businesses are affected by phishing attacks. This is due to the widespread shift to remote work without proper preparation and additional cybersecurity measures. Phishing scams have become one of the most common ways to obtain sensitive information and spread ransomware, resulting in the loss of millions of dollars on a global scale.
How to recognize a phishing attempt?
A phishing scam occurs when someone impersonates a trusted entity, such as your boss, a bank, or a credit card company, to obtain sensitive information. Commonly sought information includes:
- Username and password
- Social security numbers
- Financial information
- Account numbers
Phishing attempts usually create a sense of fear or urgency to get targets to act quickly rather than think carefully about giving out private information.
Although phishing scammers regularly update their techniques, there are some indicators that can help you spot a phishing attempt, so pay extra attention to the following:
Suspicious activity or login attempts
Many online services send emails to notify you when someone has tried to log into your account from a new device or location. If you don’t recognize this activity, it could be an indication of a phishing attempt.
False invoices
Scammers sometimes pose as contractors or vendors to trick employees into paying fake invoices with company money. One scammer posed as a legitimate company to get Google and Facebook to pay him a combined $122 million.
Links for payments
Phishing scammers may try to trick users into clicking on links that lead to phishing pages disguised as authentic websites. After the user enters their username and password, the scammer uses the credentials to access their online account and lock them out.
Coupons or free offers
Some phishing attempts use free offers to trick people into opening suspicious emails, clicking on links or revealing personal information that can be used to access other online accounts.
Confirmation of personal information
Some phishing attempts manipulate people into revealing personal information. Fraudsters may use birthdays or social security numbers to answer security questions and “prove” their identity as an account holder.
Refunds they don’t deserve
Phishing scammers have even posed as the IRS and contacted people about an outstanding tax refund. The scam requires targets to provide personal information such as address, date of birth, driver’s license number or PIN for electronic tax returns.
“Problems” with your payment information or account
Phishing attacks can also trick users into revealing financial information by posing as an e-commerce website or online service and asking users to confirm their payment information.
Common Phishing Baits
About 22 percent of data breaches are due to phishing. A key step to avoiding phishing scams is recognizing different phishing attacks. Here are the seven most common types of phishing attacks:
Deceptive phishing
Deceptive phishing is the most common type of phishing scam. A scammer poses as a legitimate source to trick people into giving up their personal information or login credentials. Deceptive phishing emails often use threats to scare users into revealing confidential information.
Pro tip: Deceptive phishing attempts typically contain generic greetings, grammatical or spelling errors, and redirected or shortened links that lead to phishing pages. You should always make sure that a sender is legitimate before clicking on a link or downloading attachments.
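The indicators named in the tip above (a generic greeting, shortened links, and link text that does not match the link target) can be checked mechanically before anyone clicks. The following is an added example, not code from the original article; the greeting phrases, the shortener list and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Indicator lists are constructed for this example from the page's description.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "valued customer")
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Constructed sample: a message claiming to come from example-bank.com.
SAMPLE = ('<p>Dear Customer,</p><p>Your account has a problem. Click '
          '<a href="http://bit.ly/abc123">https://www.example-bank.com/login</a> now.</p>')

class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):  # lower-cased hostname; a bare "www.example.com" is accepted too
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_indicators(sender_domain, html_body):
    """Return the sorted indicator names found in one email; sender_domain is its claimed From: domain."""
    findings = set()
    parser = _LinkExtractor()
    parser.feed(html_body)
    if any(g in re.sub(r"<[^>]+>", " ", html_body).lower() for g in GENERIC_GREETINGS):
        findings.add("generic_greeting")
    for href, visible in parser.links:
        host = _host(href)
        if host in URL_SHORTENERS:
            findings.add("shortened_link")
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            findings.add("link_offsite")
        # Link text that looks like a URL but names a different host than the href target.
        if "." in visible and " " not in visible and _host(visible) not in ("", host):
            findings.add("link_text_mismatch")
    return sorted(findings)
```

Running `phishing_indicators("example-bank.com", SAMPLE)` flags all four indicators; a message whose links stay on the claimed sender's domain and greets the recipient by name returns an empty list.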
Spear phishing
Spear phishing uses personalized information, usually collected through social media, to target specific users and achieve a higher success rate. In these phishing attempts, emails include the target’s name, location, and even phone number to make the target believe that the sender knows them. However, the goal remains the same: to trick the target into revealing personal information, clicking on a link to a phishing website, or downloading malware.
Whaling
Whaling is a specific type of spear phishing attack that targets executives to access high-level corporate data and accounts. If a whaling attack is successful, a fraudster can perform CEO fraud. CEO fraud involves using a CEO or other executive’s account to authorize fraudulent wire transfers or request employee information that can then be sold on the dark web.
Whaling attacks are very successful because executives typically do not receive the same security awareness training as their employees. To combat the risk of CEO fraud, companies should require that executives participate in ongoing cybersecurity training.
Clone phishing
Clone phishing attacks duplicate legitimate emails to appear trustworthy and replace legitimate attachments or links with malicious versions. Clone phishing emails often come from spoofed email addresses and reference a previous message or claim to contain updated information or files.
Tip: Users should always check links, even if they come from a seemingly trustworthy source. If in doubt, contact the supposed sender directly in a new email instead of replying to a possible clone phishing email.
Smishing
Smishing, a combination of “SMS” and “phishing,” uses text messages to trick users into downloading malware or sharing personal information. In smishing attempts, scammers impersonate well-known companies (such as a vendor or your financial institution) to trick targets into downloading a malicious app or entering their personal information on a phishing website.
Smishing campaigns have posed as very trustworthy entities such as Amazon, FedEx, and Apple. Users should be wary of messages from unknown phone numbers and, if unsure, call the organization directly to verify the authenticity of a message.
Pharming
Unlike traditional phishing scams, pharming does not always target victims directly. Instead, pharming redirects a legitimate website’s domain name to a phishing website. Some pharming attacks send emails carrying malware that modifies the hosts file on the target’s computer, so that requests for legitimate URLs are redirected to a phishing website where malware is installed or personal information is stolen.
Tip: Employees should only enter their credentials on HTTPS-protected websites and regularly update their antivirus software on all devices.
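Because the hosts file is consulted before DNS, a pharming entry that points a bank's domain at an attacker's address is visible in plain text on the affected machine. The following audit routine is an added example, not code from the original article; the sample hosts file and the watch list are constructed, and on a real system the function would be fed the contents of /etc/hosts or C:\Windows\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not a real capture): the last line
# points a bank's domain at an address the bank does not control.
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1     localhost
::1           localhost ip6-localhost
192.168.1.20  printer.lan            # local printer, legitimate
203.0.113.7   www.example-bank.com example-bank.com
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries

def suspicious_hosts_entries(text, watch_domains):
    """Flag entries that resolve a watched public domain (or one of its subdomains) locally.

    Loopback or unspecified (0.0.0.0) mappings are treated as deliberate blocks/sinkholes;
    any other address overrides DNS for a domain the user expects to reach on the Internet,
    which is exactly what a pharming entry does.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if not any(name == d or name.endswith("." + d) for d in watch_domains):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name, "unparseable address"))
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((ip, name, "public domain redirected locally"))
    return hits
```

The watch list should hold the domains whose impersonation would hurt most (banks, the company's own SSO and mail providers); run the check as part of endpoint inventory so a new override shows up as a change rather than waiting for a user to notice a wrong login page.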
Angler phishing
Angler phishing occurs when scammers impersonate a brand’s customer service account on social media. The scammer then contacts users who post complaints and shares a link that pretends to redirect the target to a customer service chat. However, the link usually leads to a phishing page that steals the target’s data or downloads malware to their device.
Tip: Users should verify an account before dealing with it or directly visit the brand’s customer service center to address complaints.