Phishing relies on the art of persuasion. It exploits the human tendency to trust those in positions of authority or familiarity.
Understanding the nature of phishing is crucial to mitigating its potential impact. You can avoid falling prey by recognizing the telltale signs of phishing scams.
How Does Phishing Work?
In 2016, the CEO of an Austrian aerospace company was the target of a whaling attack. The CEO received an email requesting a transfer of €50 million to a bank account in Hong Kong. It appeared to be from the head of its French parent company.
The CEO authorized the transfer without verifying the request, only to find out later that it was a fraudulent message. The company lost €42 million as a result.
The art of deception, however, is not limited to this kind of tactic. Here are some phishing techniques used by attackers:
- Voice phishing, also known as vishing, is a growing trend. It relies on the good old-fashioned phone call.
- Smishing involves targeting victims through text messages. These messages contain links or attachments that install malware or steal personal information.
- Social media phishing is a technique where cybercriminals use social media platforms. They lure victims into clicking malicious links or providing personal information.
- Pharming involves the rerouting of traffic from a bona fide website to a counterfeit one. The aim is to purloin sensitive information, like usernames, passwords, and financial data.
Let’s examine the common targets of phishing attacks.
- Financial institutions. Phishers trick customers and employees of banks and credit card companies into divulging login credentials or account information.
- Government agencies. Phishers may target the SSA, the DMV, and the IRS, among others. They hope to gain access to personal data, like tax records and Social Security numbers.
- Healthcare organizations. Phishers target hospitals, clinics, and insurance companies. These organizations often hold medical records and other sensitive information.
- Small businesses. Small businesses often have weaker security, making them an easy target for phishers. Phishers may try to hack business accounts, data, systems, or networks.
Phishers can target anyone with an email address, phone number, or online account. Some may be more susceptible to phishing attacks than others.
What are the Signs of a Phishing Attack?
Attackers are getting smarter, and their tactics are evolving. Here are a few warning signs to keep an eye out for:
- A generic or strange greeting. It may say “Dear Customer” or “Hello Friend” instead of your name. That’s because attackers often send out mass emails and don’t have your name on hand.
- An offer that appears excessively appealing. Be wary of messages about a lottery win, a gift, or a discount coupon you did not sign up for.
- An unusual or public domain sender address. They may use john@example.com or mary@freeemail.com instead of a legitimate company domain.
- Suspicious links or attachments. The links may contain random characters or point to a different domain than the sender’s address. The attachments may have unusual file extensions, such as .exe, .scr, or .zip.
- Subtle differences in the design, layout, logo, or URL. Phishing websites may look like legitimate websites. Pay attention to the tiniest details.
- Asking you to provide personal or financial information. For example, the sender may ask you to update your password or enter your credit card information.
- Poor security indicators. The site may be missing the padlock icon in the address bar or may present an invalid SSL certificate.
- Psychological tricks to manipulate you. They may use emotions like fear, curiosity, urgency, greed, guilt, or sympathy. Urgency is especially common to make you act without thinking.
- Impersonating someone you know, like a friend or a family member. They may use details from your online activity to be more convincing.
How Do You Protect Yourself from Phishing Attacks?
These best practices reduce your chances of falling for a phishing scam and protect your personal and financial information:
Email Security:
- Set email filters to block or flag suspicious messages.
- Always check the sender’s email address, subject line, spelling, and grammar.
- Don’t click links or attachments in suspicious emails. Type the URL into the browser or use a trusted bookmark.
- Report any phishing emails to your IT department or email provider.
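The warning signs listed above (generic greeting, public-domain sender, links whose domain does not match the sender, risky attachment extensions, urgency and credential requests) are exactly what a mail filter of the kind recommended in the Email Security tips looks for. The following Python script is an added example written for this article, not code from the original page: it parses two constructed sample messages with the standard library’s `email` module and reports which signs each one shows. The phrase lists, the stand-in free-mail domains, the sample addresses and URLs, and the two-indicator cutoff in `is_suspicious` are all assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicator lists are constructed for this example; a real filter would tune them.
GENERIC_GREETINGS = ("dear customer", "dear user", "hello friend", "dear account holder")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended", "act now")
CREDENTIAL_PHRASES = ("password", "credit card", "social security", "verify your account")
RISKY_EXTENSIONS = (".exe", ".scr", ".zip")
# Stand-ins for free webmail domains (the article's own examples), not real providers.
PUBLIC_MAIL_DOMAINS = {"example.com", "freeemail.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def text_body(msg: Message) -> str:
    """Concatenate the text/plain parts of a message, skipping attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_email: str) -> list[str]:
    """Return the warning signs found in one RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw_email)
    findings = []

    # Sign: sender uses a public/free-mail domain instead of a company domain
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain in PUBLIC_MAIL_DOMAINS:
        findings.append(f"public-domain sender: {from_domain}")

    # Sign: generic greeting on the first line of the body
    body = text_body(msg)
    first_line = body.strip().split("\n", 1)[0].strip().lower()
    if first_line.startswith(GENERIC_GREETINGS):
        findings.append(f"generic greeting: {first_line!r}")

    # Sign: links whose domain differs from the sender's domain
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != registrable_domain(from_domain):
            findings.append(f"link domain differs from sender: {host}")

    # Sign: attachments with risky file extensions
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")

    # Signs: urgency language and requests for credentials or financial data
    text = (msg.get("Subject", "") + "\n" + body).lower()
    urgency = [p for p in URGENCY_PHRASES if p in text]
    if urgency:
        findings.append("urgency language: " + ", ".join(urgency))
    creds = [p for p in CREDENTIAL_PHRASES if p in text]
    if creds:
        findings.append("asks for credentials/financial data: " + ", ".join(creds))
    return findings


def is_suspicious(raw_email: str, threshold: int = 2) -> bool:
    """Flag a message that shows at least `threshold` independent signs (assumed cutoff)."""
    return len(phishing_indicators(raw_email)) >= threshold


# Constructed sample messages; all names, addresses and URLs are fictitious.
PHISHING_SAMPLE = """\
From: "Acme Bank Security" <john@freeemail.com>
To: taylor@example.org
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Customer,
Your account will be suspended within 24 hours unless you confirm your password
immediately at http://acme-bank-login.example.net/verify
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="statement.zip"

UEsDBAoAAAAAAA==
--b1--
"""

LEGIT_SAMPLE = """\
From: "Dana Lee" <dana.lee@acme-bank.example>
To: taylor@example.org
Subject: Your March statement is ready
Content-Type: text/plain; charset="utf-8"

Hi Taylor,
Your statement is available in online banking at https://www.acme-bank.example/statements
Thanks,
Dana
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(f"{label}: suspicious={is_suspicious(sample)}")
        for finding in phishing_indicators(sample):
            print("  -", finding)
```

Each check mirrors one bullet from the warning-signs list, so the output reads as a checklist a user could verify by eye. The domain comparison is deliberately naive (last two labels, no public-suffix list) and the keyword lists are short; the point is that mismatched link domains, free-mail senders and urgency wording are cheap, machine-checkable signals, not that this script is a substitute for a mail provider’s filtering.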
Two-factor authentication and password management:
- Enable 2FA for your online accounts. It adds a layer of security by requiring a code in addition to your password to log in.
- Use unique passwords for each account, and change them often. A password manager can help you store and generate strong passwords securely.
Security software, firewalls, and other apps:
- Enable firewalls on your devices and networks. These can help prevent unauthorized access and filter out malicious traffic.
- Use a VPN to secure your internet traffic, hide your IP address, and protect your connection. VPNs make it harder for attackers to launch personalized phishing or social engineering attacks.
- Use secure cloud storage services with end-to-end encryption, two-factor authentication, and zero-knowledge privacy. Store files online and access them quickly without relying on email attachments or links.
Report any suspicious messages:
- Report any suspicious messages to your email provider or phone carrier.
- Forward phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org or phishing text messages to SPAM (7726).
- If you become a victim of a phishing attack, report it to the FTC at ReportFraud.ftc.gov.
Staying safe from phishing attacks requires constant vigilance. Following these tips can protect you from phishing scams.