Scammers use phishing attacks to trick you into sharing sensitive information, such as account access details and personal information. Typically, their goal is financial gain.
Scammers rely on social engineering, taking advantage of people by exploiting their emotions and habitual behaviors.
What’s even scarier is that a hacker doesn’t need a lot of technical skills to complete a phishing attack. They can use a phishing kit, which is a collection of phishing software that allows someone without technical capabilities to launch and manage a phishing scam easily.
What is phishing?
According to phishing.org, “Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.”
The history of phishing
Phishing started in the mid-1990s when, according to CrowdStrike, “malicious adversaries first began trying to steal passwords from an early online-services website called America Online (now known as AOL).” These attackers went “fishing” because they set a hook and waited for unsuspecting people to take the bait.
This unusual spelling of “phishing” has a predecessor. In fact, hacking originated on the telephone network before personal computers were available. Starting in the late 1950s, “phone phreaks” explored the telephone network and sometimes hacked it to make free telephone calls. This practice was called “phone phreaking,” which is where “phishing” gets its “ph.”
Types of phishing attacks
There are many types of phishing attacks. Some attacks target one victim for a specific reason while other attacks target a group of individuals. Phishing attacks can be made via email, phone, or SMS messages.
Spear phishing & whaling
Spear phishing is a phishing attack that targets one specific person or a specific group of people. These victims may be targeted for a specific reason, based on their interests, level of access, or wealth. They may be targeted in an effort to attack someone higher up with more access or wealth, acting as a bridge to the hacker’s true target.
Whaling is a type of spear phishing in which the hacker targets a high-profile victim. Whaling attacks carried out via email against commercial, government, or non-profit organizations are called business email compromise (BEC).
Pharming
According to CrowdStrike, a “pharming attack does not require its victim to click a link. Instead, it redirects a user to a bogus website that either collects sensitive personal information or installs a virus on the user’s computer.”
Smishing
Phishing largely happens via email, but it can also happen via SMS messages, which is called “smishing.” These messages typically lure the victim to a website where they are then encouraged to download malicious content or applications.
Vishing
Phishing can also happen over the phone, which is called “voice phishing” or “vishing.” These calls typically entice the victim to share personal information. The hacker usually does this by impersonating a legitimate business, organization, or government agency.
Session hijacking
Most password-protected systems, such as online bank accounts and online shopping accounts, use security tokens to help secure accounts. The token authenticates the user by storing some personal information so they can stay logged in to their account. Hackers can steal security tokens to hijack private sessions and impersonate the victim. Once the victim logs out of their account, the hacker continues the session and has every ability the victim has within their own account, such as transferring money or making purchases. This is called “session hijacking.”
Clone phishing
When a hacker uses a cloning attack, they clone a legitimate email from a trusted sender, alter it, and send the email. They may alter the email by replacing a link or file to direct the recipient to a malicious website that can steal their sensitive information.
Domain spoofing
This type of phishing takes cloning to a whole new level. Hackers spoof a domain in an effort to gain sensitive information. Victims come across the imitation domain, which looks very similar to the legitimate domain, and may fall into the trap of entering their personal information. Hackers often change the spelling of the domain to look similar to the legitimate URL, such as walmart.com and vvalmart.com (notice the two V’s).
Domain spoofing is often connected to cloning because a hacker will use the spoofed domain and a cloned email to create a targeted attack.
How to avoid a phishing attack
Prevention is the best way to avoid phishing attacks. While you can report phishing emails and other messages, you can’t avoid them completely. This is why knowing how to identify a phishing scam is important.
How to identify a phishing scam
Phishing scams often share similar features. To protect yourself, ask yourself these questions:
- Does the message ask for sensitive information? E.g. Pay now to avoid a lapse in service.
- Does the message include poor spelling and grammar?
- Does the message seem urgent and require immediate action? E.g. Your password will expire in 24 hours.
- Does the message ask you to click on a link or download an attachment?
- Does the link use a different domain than the sender’s domain? E.g. “Amazon” shares a link like arnazon.com.
- Does the link change when you hover your mouse over the hyperlink? E.g. amazon.com turns into arnazon.com where the “m” turns into “r” and “n.”
- Is the message impersonal? E.g. Dear Valued Customer,
- Is the message from an unusual sender?
- Is the message too good to be true?
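Three of the checklist questions above (link text vs. real destination, link domain vs. sender domain, and look-alike spellings such as arnazon.com or vvalmart.com) can be turned into an automatic check. The following is an added example, not code from the original article; the confusable-character table and the two-label domain rule are simplifying assumptions.

```python
import re
from urllib.parse import urlparse

# Added example: character sequences that look alike in many fonts
# ("rn" for "m", "vv" for "w"). Illustrative, not exhaustive.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def registered_domain(host: str) -> str:
    """Keep the last two labels: 'shop.amazon.com' -> 'amazon.com'.
    Assumption: two labels suffice; real code should use a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def normalize(domain: str) -> str:
    """Collapse confusable sequences so 'arnazon.com' reads as 'amazon.com'."""
    for lookalike, real in CONFUSABLES:
        domain = domain.replace(lookalike, real)
    return domain

def check_link(display_text: str, href: str, sender_domain: str, trusted_domains):
    """Return warning codes for one hyperlink; an empty list means nothing was flagged."""
    warnings = []
    target = registered_domain(urlparse(href).hostname or "")
    # 1. The visible text names a domain that differs from the real destination
    #    (what you would see by hovering over the link).
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", display_text.lower())
    if shown and registered_domain(shown.group(0)) != target:
        warnings.append("text-href-mismatch")
    # 2. The link leaves the sender's own domain.
    if target != registered_domain(sender_domain):
        warnings.append("sender-domain-mismatch")
    # 3. The destination is a look-alike of a trusted domain but not the real one.
    for trusted in trusted_domains:
        if target != trusted and normalize(target) == normalize(trusted):
            warnings.append(f"lookalike-of:{trusted}")
    return warnings

if __name__ == "__main__":
    # Constructed sample links, modelled on the examples in the checklist.
    trusted = ["amazon.com", "walmart.com"]
    print(check_link("amazon.com", "https://arnazon.com/verify", "amazon.com", trusted))
    print(check_link("Track your order", "https://www.amazon.com/orders", "amazon.com", trusted))
```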
Protect yourself from phishing attacks
Your best line of defense against phishing attacks is to identify them before you take the bait. In addition, there are many ways you can increase your protection against these attacks.
One critical way you can protect your computer from phishing attacks is to use security software, such as antivirus protection. Be sure to turn on automatic updates.
Another way you can protect all of your devices from phishing attacks is to set your devices to automatically update.
You can also use multi-factor authentication (MFA) to add another layer of security to your accounts. This way, if a hacker learns your account username and password, they will not be able to log in because they will not be able to complete the authentication process. Some accounts may alert you to this login attempt, which can further help you protect your accounts. If you receive one of those emails from a legitimate sender, you will know that you should update your password and continue using MFA.
Just in case you do get hacked or accidentally download a virus, or your device crashes, it’s best to back up all of your devices often. We recommend doing so weekly. While backups can’t protect you from phishing attacks, they can help you recover your files if you are attacked.
Knowing how to protect yourself from phishing scams is just the first step. It’s also important to educate others, especially others on your team.