Phishing is one of the most common forms of cybercrime, so if you’re online, you’ve likely been targeted by a phishing attack—and you might not even know it. So what is phishing exactly? It’s the act of collecting personal information—including bank account numbers, passwords, and usernames—through electronic means, such as deceptive email messages and phone calls. According to RSA’s report for the third quarter of 2018, phishing attacks made up 50 percent of cyber attacks this year, and that number is a huge increase from last year. That’s why it’s important to learn what the most common types of phishing attacks are, and how you can reduce your odds of falling for them.
Common Types of Phishing Attacks
One type of phishing is called snowshoeing, where scammers send messages to several IP addresses and domains, with the intention of avoiding spam filters. This ensures that at least some of the emails make it to the inbox before the filters start to identify them as spam. This is much like how snowshoes distribute weight evenly over a large area so you don’t sink into the snow.
Another type of phishing is spear phishing, in which the message is targeted toward one person, not just anyone. Spear phishers put their target’s name in the message and try to make it look like it’s coming from a friend or colleague using a spoofed email address. They might get this information from social media, such as LinkedIn. For instance, a spear phishing email might look like it’s coming from the accounting department at work, requesting your bank account number or home address. It might also look like it’s coming from your bank or favorite store, with a link asking you to input sensitive information, such as a password.
Whale phishing is a subset of spear phishing, as it targets “big fish,” such as CEOs and board members. After all, these individuals tend to have more information, such as passwords and bank account numbers, than the average person. While it may take longer for scammers to convince these “big fish” to give up personal information, the payoff is usually better than with regular spear phishing because they often get access to personal information from the entire company, not just one person.
Vishing is short for “voice phishing,” so as you might guess, it involves the phone rather than email. If someone is vishing you, you’ll get a phone call with a message from a voice that claims to be a bank. It might ask you for your account number, password, or other sensitive information. The message will usually ask you to press a number to talk to a representative, or it will provide you with a phone number to call so you can give them the information. Either way, you might be tricked into giving a scammer enough personal information to have money taken from your account within minutes, making vishing a dangerous attack if you fall for it.
How to Protect Against Phishing Attacks
Now that you know about the most common types of phishing attacks, you can arm yourself with the information you need to ensure you don’t become a victim. Of course, you can expect to occasionally receive emails and phone calls trying to phish for information from you, but you won’t fall for them once you know the telltale signs of phishing attacks.
Look for spelling errors. Many phishing emails contain several misspellings and grammatical errors. This is because they’re not usually crafted by copywriters and then proofread like a legitimate company’s emails tend to be. In addition, it’s common for phishers to live in other countries where English is not the main language, so look for awkward phrasing that makes it clear the writer is not a native English speaker.
Don’t assume you know the sender. Keep in mind that just because a company or individual knows some information about you doesn’t mean it’s legitimate. There are plenty of easy ways for scammers to get your name, address, and phone number. They might even know where you work and which bank you use. So don’t be fooled into thinking they’re legitimate just because they know a few facts or claim to be from a company you’re familiar with. And remember that trusted companies won’t call or email you for personal information anyway.
Be wary of links and attachments. If you get an email that claims to be from your bank, work, or credit card company, be suspicious of any links in it. First, hover your cursor over the link to check the URL. If it’s real, the website should be spelled right. But even if it looks correct, there’s a chance you’ll be sent to a different website address once you click on it. The same goes for phone numbers, as scammers can spoof numbers to make it seem like they’re calling from a trusted company. And do not open attachments from email addresses you don’t know, since they might contain viruses. So instead of clicking on a link in an email, type the website address into your browser yourself. And instead of answering personal questions when a possible scammer calls you, hang up and call the number you have for the company.
Report suspicious emails and phone calls. Once you realize the email or call you got is a phishing attempt, contact the company the phisher is trying to mimic. So if it looks like it’s coming from your bank, call your bank to report the phishing attack. Many companies keep track of these and will inform their customers about them to ensure they’re not the next victim.
Use software. Finally, a major defense against phishing is software that is meant to detect phishing attempts before they reach you. This is especially helpful for companies where the employees don’t all know the telltale signs of phishing scams. If you suspect some email recipients will click links and open attachments from phishers, software can protect your whole company before that happens.
The original version of this article was first published on Inspired eLearning.