What is Phishing? Definition and Examples of Phishing Scams
What is Phishing?
Phishing is a social-engineering attack in which an attacker impersonates a trusted party to trick the victim into revealing sensitive information or taking an action that benefits the attacker. When individuals are targeted, the information stolen is usually personally identifiable information (PII), account credentials, or payment details. When companies are targeted, the attacker typically aims at employees to obtain credentials, internal documents, or intellectual property (IP). Phishing is also a common way to install malicious programs on the victim's devices, such as PCs; once installed, these programs are used to carry out further fraud and attacks.
Types of Phishing Scams
Attackers can employ one of several types of phishing scams to launch attacks on unsuspecting victims. The most common types of phishing scams are:
Email Phishing - Attackers send deceptive emails and try to trick users into taking action described within the email such as clicking a link to a fake website, replying with sensitive information, or downloading malicious attachments.
Spear Phishing - This is a more specific form of email phishing. In spear phishing, attackers target a specific individual or organization. For a spear phishing scam, attackers first conduct extensive research on a target and then design and send out a personalized scam email, which can include personal details of the target, such as name, address, place of work, and more.
Whaling - Whaling targets a high-ranking individual in an organization, such as a CEO, COO, CFO, CTO, or MD. As in spear phishing, attackers carry out comprehensive research on the target before sending a personalized scam email, often one that looks like a routine business request such as an urgent payment or document approval.
Smishing - Also called SMS phishing. Attackers send scam text messages to targets' mobile phones, typically containing a short link to a fake website.
Vishing - Attackers use voice calls to scam victims. Today, attackers commonly use robocalls (automated diallers) to initiate a vishing attack; once a user takes the bait, a human operator takes over and pressures the victim into acting, for example by reading out sensitive information.
Pharming - This is a more advanced and technical form of phishing. Instead of persuading the user to click a bad link, the attacker tampers with name resolution, for example through DNS cache poisoning, DNS spoofing, or a compromised DNS server, so that traffic for a legitimate domain name is redirected to an illegitimate website. The victim types the correct address and still lands on the fake site.
Common Baits Used in Phishing Scams
Attackers employ a wide variety of baits to try and trick victims into falling prey to phishing scams. Here are the common bait tactics employed by attackers.
Emails that appear to be from legitimate brands such as banks, e-commerce platforms, government institutions, and other trusted organizations. These emails prompt the user to perform some task, such as updating an account password, verifying an account, stopping a pending account suspension, or reviewing a supposedly fraudulent transaction. The message is designed to push the user into an action such as downloading an attachment, clicking a link, or calling a number.
Job postings, particularly those offering work-from-home opportunities. Such phishing scams emphasize a large income, or some other attractive benefit, for very little work on any schedule, which is naturally tempting. Attackers use the fake posting to collect personal information, either through an application form or through a submitted resume.
Free gifts and reward notifications are also common tactics. Scammers text, email, or call unsuspecting users and notify them that they have won a prize from a well-known brand or competition. To claim the prize, the targeted user has to submit personal information. In a more targeted attack, particularly one aimed at installing malicious programs, the bait contains a link such as "Claim Prize Now" which, when clicked, downloads and stealthily installs malware on the victim's device.
Fake invoices and payment requests have also become popular among phishing scammers. They design a fake invoice or payment request and send it to their targets. Often the email carries an attachment that contains the 'invoice', which the user is asked to open. Opening it can install malware on the victim's device, or redirect the user to a fake website that carries out further attacks, such as pushing adware or harvesting credentials.
Other phishing scams include illegitimate charity drives, fake charges on your card (unexpected transactions), fake package deliveries (see DHL Phishing Scam Example), fax fraud scams, tech support scams, fake inheritance claims, and awards of loans and grants (see World Bank and IMF phishing scam example).
Common Signs that an Email is a Phishing Scam
There are signs (breadcrumbs) that you can look for to quickly determine that an email is probably, or definitely, a phishing scam. Here are common signs that an email is a scam.
The email has been flagged as spam by your email provider. Providers such as Google (Gmail) employ robust email scanners that flag probable phishing emails, and some definite phishing emails are blocked from reaching your mailbox altogether.
The email appears to be from a big organization or brand but is sent from a public webmail domain such as Gmail. Phishing scammers register public-domain addresses in the name of big organizations to trick users, for example paypalprizes@gmail.com, ABZbank@gmail.com, or facebook2023winners@gmail.com. A related sign is a link whose visible text shows the real brand's address while the underlying link points somewhere else.
Grammar errors are an obvious mistake in many phishing emails. Not every email with grammar mistakes is phishing, so do not dismiss one on that basis alone without further investigation, but it is a red flag.
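The two technical signs above, a brand name on a public webmail address and a link whose visible text does not match its target, can be checked mechanically. The following is an added example, not code from the original article: a small Python checker that parses a raw email, flags a sender whose display name or local part contains a brand word while the domain is a public webmail provider, and flags HTML links whose visible text names one domain while the href points to another. The lists PUBLIC_WEBMAIL and BRAND_WORDS, the two-label approximation of the "registrable domain", and the two sample messages are all assumptions constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists for this example: public webmail domains a bank or large brand
# would not send official mail from, and brand words often abused in sender names.
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
BRAND_WORDS = {"paypal", "bank", "facebook", "dhl", "microsoft", "apple", "amazon"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    A production checker would consult the Public Suffix List; two labels is an assumption here."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_in_text(text):
    """Return the first domain-like token in visible link text, or None if there is none."""
    m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text.lower())
    return m.group(1) if m else None


def check_message(raw):
    """Return a list of human-readable phishing signs found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Sign 1: the sender claims a brand (in the display name or the local part,
    # e.g. paypalprizes@gmail.com) but the address lives on a public webmail domain.
    display_name, addr = parseaddr(msg.get("From", ""))
    local, _, sender_domain = addr.rpartition("@")
    sender_domain = sender_domain.lower()
    claims_brand = any(w in f"{display_name} {local}".lower() for w in BRAND_WORDS)
    if sender_domain in PUBLIC_WEBMAIL and claims_brand:
        findings.append(
            f"sender '{display_name}' <{addr}> claims a brand but uses public webmail domain {sender_domain}"
        )

    # Sign 2: the visible link text shows one domain while the href points to another.
    # Links whose text names no domain ("Click here") cannot be compared and are skipped.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            shown = domain_in_text(text)
            if shown and href_host and registrable(shown) != registrable(href_host):
                findings.append(f"link text shows {shown} but points to {href_host}")

    return findings


# Constructed sample messages for the example; neither is real mail.
SAMPLE_PHISH = """\
From: "PayPal Security" <paypalprizes@gmail.com>
To: victim@example.com
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<p>Please verify now: <a href="http://paypal.example-secure.net/login">https://www.paypal.com/login</a></p>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<p>View it at <a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(raw) or ["no signs found"])
```

Running the block reports two findings for the constructed phishing message (brand name on gmail.com, and link text showing paypal.com while the href goes to example-secure.net) and none for the legitimate one. The checks are heuristics: a brand word on the sender's own domain is not flagged, and a link such as "Click here" gives nothing to compare, so a clean result means only that these particular signs are absent.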
How to Protect Yourself From Phishing Scams
There are several ways to protect yourself from modern forms of phishing, and most of them require no special applications, just careful human habits.
Be skeptical of emails and messages from users that you do not recognize.
Before clicking a link, replying to the message or email, or downloading an attachment, verify that the email is legitimate.
Be suspicious of unsolicited calls, especially those where the callers ask for personal information.
If an email claims to be from an organization, independently search for the organization and inquire about the email or text message that you have received. DO NOT call or email any contacts given on the suspicious email or message.
Be cautious of any unexpected email or text that has a tone of urgency.
Ensure that your firewall is installed and activated and that your security applications (antivirus, anti-malware, and more) and software programs are up-to-date.
DO NOT ignore passive or active warnings from your system that an email is possibly a scam (marked as spam, or containing malicious elements) or that a website you are about to visit has been flagged as a likely phishing site.
If an offer is too good to be true, it probably is fake. Awards and gifts do exist, but it is almost impossible to win a competition that you never entered. Job postings and investment opportunities that promise unbelievably large returns should be treated with caution: no genuine opportunity of that kind is handed out for free to thousands, let alone millions, of strangers worldwide.
Stay informed about the latest phishing scams. Awareness keeps you ahead of the scammers, who may come knocking in your email, social media account, or phone.
For a scammer, no piece of information is insignificant. Giving a phishing scammer just a name or an email address, which a user might consider public information, is a win for them, because it confirms a live target and feeds the next, more personalized attempt. Avoid giving any information to a suspicious sender or caller. If you later discover that you have been a victim of a phishing scam, change the passwords on the affected accounts and enable multi-factor authentication wherever possible. Contact the organizations involved, such as your bank and the platforms concerned, and tell them that you have been phished. Most of all, learn the lessons from that scam to better arm yourself for the next round, because the next round is coming, and the scammers will have moved on to newer, more sophisticated tactics.