Attackers continue to target email primarily, but the growth of smartphones and social media has broadened phishing to encompass additional techniques. These can include smishing (malicious text messages) and vishing (phone-based phishing attacks).
The best defense is to be suspicious of any unexpected message from someone who usually contacts you differently. If in doubt, contact the sender through another method of communication to confirm.
Identifying a Phishing Scam
Phishing is one of the most prevalent forms of cyberattack. It is also among the most difficult to protect against, because attacks continue to evolve to bypass both security filters and human detection. A successful phishing campaign can lead to identity theft, malware infections (including ransomware), data breaches, and significant financial losses for individuals and businesses.
Cybercriminals use phishing emails, texts, phone calls, and websites to trick victims into sharing personal or account information or downloading malware. A single victim is all a large-scale phishing campaign needs to succeed, and the data compromised by these attacks can include anything from email addresses and passwords to social media and online banking login credentials and credit card information. In addition to personal data, cybercriminals are after sensitive business data, including proprietary product secrets, confidential communications, and point-of-sale terminal passwords.
Standard email phishing is a common form of this attack, where attackers send out messages that appear to be from a trusted organization such as a bank or a government agency. By creating a sense of urgency, such as a warning that a vital account will be deactivated, criminals can entice victims to click on links or provide their login information.
More sophisticated phishing attacks can take months to plan and execute, with cybercriminals creating fake social media profiles, emails, and more to build a rapport with victims before launching an attack. Attackers may customize their messages to a particular individual or organization, a technique known as spear phishing.
Identifying a Phishing Email
Cybercriminals are constantly evolving their phishing attacks, and it’s getting harder to tell what’s fake from what isn’t. While some phishing attacks are blatantly obvious, others are very cleverly crafted and can be almost impossible to distinguish from real messages.
A threat actor, for example, may masquerade as a high-level executive inside your firm and send you a message requesting that you click on a link and supply information such as passwords, bank account details, or credit card data. This is known as spear phishing and can cause severe damage to your business.
These types of attacks are not limited to corporate environments, however. Individuals, families, and friends can also be the targets of these phishing attacks. Spear phishing is more advanced than mass campaigns and can target specific departments, individuals, or organizations.
To successfully launch a spear phishing attack, criminals must research the company or person they are targeting to create a message that appears legitimate and will trick recipients into opening an attachment or clicking on a link. A common tactic is to target a specific department, project, or team member and use a subject line similar to that of a genuine internal communication. For instance, an attacker could copy the marketing director’s email template, complete with a logo that matches the organization’s style.
Identifying a Phishing Website
A phishing or spoofed website is used to steal login credentials from victims. The attacker can then use these credentials to log into the victim’s real account and perform various illegal activities, such as data extraction, credit card fraud, or wire transfers.
Users can look for several red flags when visiting a suspected phishing website. These include spelling errors, poor grammar, clickbait headlines, and low-resolution images. They can also check whether the site uses a free certificate and look up when and by whom it was issued in Certificate Transparency logs. A valid certificate on its own does not prove a site is genuine, since an attacker can obtain one for a domain they control.
Cybercriminals may also use shortened URLs or redirects to conceal the true destination of a website, making it difficult for users to discern between legitimate and fraudulent sites. This is why looking at the full website address and examining the top-level domain is essential to ensure that it is not a look-alike.
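As an added example (not part of the original article), here is a small Python checker that applies the website red flags above: it refuses to judge a shortened URL because the destination is hidden, extracts the registrable domain, and compares it against a brand list for subdomain tricks, wrong top-level domains, and confusable-character look-alikes. The brand list, the shortener list, the confusable table and the two-label domain rule are assumptions, not part of the article.

```python
from urllib.parse import urlparse
import unicodedata

TRUSTED_DOMAINS = ["example-bank.com"]               # constructed brand list
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}  # well-known public shorteners
# Digit-for-letter swaps commonly seen in look-alike names (constructed list).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(label):
    """Fold case, compatibility forms and confusables: 'Examp1e' and 'exarnple' -> 'example'."""
    folded = unicodedata.normalize("NFKC", label).lower().translate(_CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")

def registrable_domain(host):
    """Last two labels ('login.example-bank.com' -> 'example-bank.com').
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Return the red flags raised for a URL; an empty list means none were raised."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").rstrip(".")
    if host in SHORTENER_HOSTS:   # real destination is hidden; nothing else can be judged
        return ["shortened URL hides the real destination"]
    flags = [] if parsed.scheme == "https" else ["not served over HTTPS"]
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return flags
    name, _, tld = reg.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        brand, _, brand_tld = trusted.rpartition(".")
        if f".{trusted}." in f".{host}.":   # brand used only as a subdomain of another site
            flags.append(f"{trusted} appears only as a subdomain of {reg}")
        elif name == brand and tld != brand_tld:
            flags.append(f"wrong top-level domain: {reg} imitates {trusted}")
        elif edit_distance(normalize(name), normalize(brand)) <= 1:
            flags.append(f"look-alike: {reg} imitates {trusted}")
    return flags
```

For example, check_url("https://example-bank.com.login-verify.net/") reports that the brand is only a subdomain of login-verify.net, while check_url("https://login.example-bank.com/account") raises no flag.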
Attackers can also impersonate help desk staff to request passwords or other sensitive information under the guise of updating software or verifying identity. They can even set up a spoofed help desk site that looks like the company’s internal IT provider.
Identifying a Phishing Phone Call
Many cybercriminals are now using phone calls or text messages (known as “vishing” and “smishing”) in addition to email and web-based attacks to steal money and personal information. Calls from unknown numbers and spoofed caller IDs are common tactics.
Vishing scams attempt to trick victims into sharing their personal information, sending money, or allowing them remote access to their computers. They use various methods, including phony calls from your bank or the IRS, claims of winning a prize, or high-pressure tactics to get you to act now.
Scammers can also spoof the caller ID so that a call appears to come from a local number, or even from your own number. This makes them more challenging to identify and report. Some phishing scams involve malware that can encrypt files on your computer or steal passwords. Others may target university IT accounts to gain access to research and institutional data.
Scammers are taking advantage of the coronavirus pandemic to deceive consumers with messages that pretend to be from government institutions, hospitals, and insurers. Be wary of calls from unfamiliar numbers, and refrain from responding to emails or texts requesting that you visit a website or download a program. The best way to protect yourself is to have a reliable call blocker that can filter out unwanted calls and only forward the ones you need to your phone.