What is Phishing and How Do You Spot a Scam?
Nothing is more tempting than a shiny blue ‘click here.’
Whether it asks you to claim a lottery win, review questionable account activity, or merely update your password in response to an alleged hack, that link plays on a psychological weakness that cyber-criminals know all too well.
It is a lure that hackers use to maximum effect: according to Webroot’s Quarterly Threat Trends report, scammers build around 1.4 million phishing websites every month.
To safeguard you from the threat, let’s first learn how to spot a phishing scam.
What is Phishing?
Internet users coined the term ‘phishing’ when criminals first began using digital bait to lure us fish into sharing credit card details, passwords, account credentials, the lot.
Phishing involves a criminal sending an official-looking message from an apparently legitimate source that asks you to share personal, usually sensitive information.
Once handed over, the perpetrator can use your details to carry out fraud, perform bank transfers – whatever they like.
While scams typically take place via email, more sophisticated techniques have evolved on social media, messaging services, and even apps, as phishing remains one of the simplest, yet most effective forms of cyber-crime.
You might think “I would never share such personal information with an unknown party,” but therein lies the risk: emails, websites, and phishing campaigns can look indistinguishable from the reputable companies you know and trust.
They take advantage of your good nature. You click before you realize the risk.
And whether you enter your details directly – or inadvertently download malware or ransomware – the outcome is often the same: financial loss, identity theft, blackmail, data leaks, even international espionage.
If you are lured in, know you’re in good company.
Thousands of businesses lose out to phishing scams each year as the FBI estimates the cost to the US economy close to $5 billion.
The Basic Steps of a Phishing Scam
Security experts Symantec estimate roughly 1-in-2000 emails is a phishing attempt, meaning most of the population suffers at least one attack per week. The sheer volume of emails sent every day puts everyone at risk of fraud – if only from a brief lapse in concentration.
However, most phishing attacks follow a similar routine, no matter the means of delivery: email, SMS, WhatsApp, social media.
So, if you’re alert to the process, you’re likelier to avoid falling into the trap:
- Sender delivers an ‘official’ message that asks the user to click a link;
- User clicks and is redirected to a strangely persuasive webpage;
- The page asks the user for personal details – bank info, email and password, social security number;
- User inputs information then leaves the page, blissfully unaware of the scam.
Criminals exploit any perceived weakness: including a lack of time or overstretched focus.
They create catchy subject lines that pique your interest, as promises of prizes and money-off vouchers tempt you into signing up for a new account.
…BUT – to claim your cash back – you first have to ‘add your bank details, alongside your name and date-of-birth.’
All of a sudden, you’re left with an empty account, no prize at all.
5 Telltale Signs of a Phishing Attack
Thankfully, several signs give away most phishing emails.
So even if you fail to spot the process, catching one of these red flags can still protect you online.
Sender Address: Check you recognize the sender’s address and, if in any doubt, Google it or validate it via the company’s official website. You will often see addresses with random characters such as email@example.com – clearly a fake, if only you take a moment to check.
Recipient Address: Check the recipient address shown by your email provider; if it’s not your actual address or name, report the email as a suspected phishing attack.
“Dear customer”: Official emails should address you by name – first or last – as technology makes it easy for companies to personalize. Anything that reads ‘Dear customer’ is an immediate concern.
Grammar/Spelling: Phishing emails are notoriously bad at spelling, which can be a tactic in itself: people with little time often scan emails and miss the visible signs. Take a second to read again and click away at the first error.
Strange URLs: Every email asking you to click a URL should raise an eyebrow, especially if the URL is a shortened version. Before you click, hover your mouse over the link to check its actual destination.
Even if the email passes the above five tests, stay safe by using your browser bar or a bookmark to access the company’s website.
Better yet, install security software to identify malicious threats.
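The five checks above can also be run mechanically over an incoming message. The script below is an added example, not code from the original article: it parses a raw e-mail, checks the sender domain against an allowlist of domains the company really sends from (an assumption, maintained by the defender), compares the To header with the reader’s own address, looks for a generic greeting and pressure words, and performs the ‘hover’ check programmatically by comparing each link’s visible text with its real target and flagging well-known URL shorteners. The spelling check needs a dictionary and is left out. Both sample messages, the domains and the rule names are constructed for illustration.

```python
"""Score an e-mail against the red flags above. Added example; the sample
messages, domains, thresholds and rule names are constructed, not from the article."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample 1: lookalike sender domain, someone else's address in To,
# generic greeting, urgency wording, and link text that hides the real target.
SAMPLE_PHISH = """\
From: Example Bank Security <alerts@examplebank-secure-login.example>
To: valued-customer@example.net
Subject: URGENT alert from your bank - confirm your account NOW
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer,</p>
<p>Unusual activity was detected. Please visit
<a href="http://examplebank-secure-login.example/verify?id=1">
https://www.examplebank.example/login</a> within 24 hours.</p></body></html>
"""

# Constructed sample 2: what a genuine notification from the same bank looks like.
SAMPLE_LEGIT = """\
From: Example Bank <alerts@examplebank.example>
To: you@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Jane Smith,</p><p>Your statement is available at
<a href="https://www.examplebank.example/login">https://www.examplebank.example/login</a>.</p>
</body></html>
"""

SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # well-known shorteners
URGENCY_WORDS = re.compile(r"\b(URGENT|NOW|QUICK RESPONSE)\b")
GENERIC_GREETING = re.compile(r"\bdear\s+(customer|user|member|client)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(url_or_text):
    """Lowercase hostname of a URL, or of bare text such as 'www.example.com/x'."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def analyze(raw, my_address, trusted_domains):
    """Return {'findings': [(rule, detail), ...], 'score': int} for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender address: the display name may claim a brand; the domain decides.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if sender_domain not in trusted_domains:
        findings.append(("sender", f"from untrusted domain {sender_domain!r}"))

    # 2. Recipient address: it should be yours, not a stranger's or nothing at all.
    _, recipient = parseaddr(msg.get("To", ""))
    if recipient.lower() != my_address.lower():
        findings.append(("recipient", f"To is {recipient!r}, not {my_address!r}"))

    # 3. Generic greeting and pressure words in subject or body.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    text = re.sub(r"<[^>]+>", " ", body)  # crude tag strip, enough for the greeting
    if GENERIC_GREETING.search(text):
        findings.append(("greeting", "generic 'Dear customer'-style salutation"))
    if URGENCY_WORDS.search(msg.get("Subject", "") + " " + text):
        findings.append(("urgency", "pressure words in subject or body"))

    # 4. Links: the 'hover over the link' check, done programmatically.
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        target = host_of(href)
        if target in SHORTENER_HOSTS:
            findings.append(("url", f"shortened link via {target}"))
        if re.match(r"^(https?://|www\.)", shown) and host_of(shown) != target:
            findings.append(("url", f"text shows {host_of(shown)!r} but goes to {target!r}"))
        elif target not in trusted_domains:
            findings.append(("url", f"link to untrusted host {target!r}"))

    return {"findings": findings, "score": len(findings)}


if __name__ == "__main__":
    trusted = {"examplebank.example", "www.examplebank.example"}
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = analyze(raw, "you@example.com", trusted)
        print(name, "red flags:", result["score"])
        for rule, detail in result["findings"]:
            print(f"  [{rule}] {detail}")
```

The score is just a count of triggered rules; in practice one would weight the link-target mismatch and the untrusted sender domain more heavily than the others, since those two are rarely present in legitimate mail, and run the check before the message reaches the inbox rather than after.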
Different Phishing Techniques
Cyber-criminals use an array of techniques to bait their hooks.
Generic subject lines scream ‘URGENT alert from your bank’ or ‘QUICK RESPONSE: Confirm your winning lottery ticket NOW’ to force recipients into a knee-jerk reaction – they rely on outreach volume and hope a few people panic-click.
Spear Phishing is a more sophisticated approach that targets pre-determined groups: a business, a government, or digital banking customers, for example. Messages take the form of a customer query, a false invoice, or even executive outreach, so the email appears specific and credible – designed to dupe high-value victims.
Hyper-targeted phishing often takes the form of CEO Fraud, where an individual engages with a company in the guise of a high-level employee. Then, through multiple emails, they build trust before requesting funds – a tactic to which Michelin, KPMG, and Nestle have all succumbed.
Social media scams are becoming increasingly prevalent as criminals tap into the soft-heartedness of human nature – sometimes even in state-backed campaigns.
Mobile messaging services offer another access point for phishing attacks as SMS links redirect users to a malicious URL – impulsively clicked on smartphones.
And with the recent explosion of cryptocurrency, it is little surprise cybercriminals are now phishing for their piece of the digital currency pie.
What to Do If You’ve Been Phished?
If you suspect a scam, the first critical step is to change all your passwords immediately, even on unrelated sites that use the same credentials.
Then review your accounts for suspicious activity, speak with the company in question, and check your anti-virus software is up-to-date in case of malware.
Provided you act quickly, you can always avert a crisis.