Phishing scams: How to Protect Yourself from Phishing Scams
Phishing scams: The Ultimate Guide. What is phishing? Understand the common types of phishing scams, see examples of phishing scams, and learn how to protect yourself from phishing scams.
What is Phishing?
Phishing is an attack in which a malicious actor uses deceptive techniques, particularly social engineering, to steal a victim's sensitive details. The details collected from victims are then used by the attackers for identity theft or sold to other malicious users. A malicious user can also launch a phishing attack to install malicious programs such as malware or ransomware on a victim's computer (PC) or device. Phishing attacks are not limited to individuals; companies and organizations are targeted as well.
Phishing: Where it all Began
The term phishing was coined in 1996 after hackers targeted America Online (AOL), a popular online services provider in the 1990s. AOL provided an Instant Message (IM) platform and email services to a huge user base, and with the lack of sophisticated security measures, these services became a target for hackers. Hackers sent deceptive emails to unsuspecting users, claiming they originated from AOL itself or from the customer support and technical support teams of trusted brands of the time. In the case of AOL phishing emails, users were tricked into visiting fake AOL websites and providing their login credentials. The fake sites mimicked the legitimate AOL website in design and appearance.
Attackers then collected the login information and used it to gain unauthorized access to users' accounts. Phishing attacks have grown in popularity and evolved since the AOL attacks of 1996 and the years that followed. As much as users have become aware of phishing attacks and systems have been designed to spot them, hackers have evolved as well. Today, phishing attacks are much more sophisticated and difficult to detect, even for automated scanners. Users nonetheless remain the weakest link in the anti-phishing chain, because phishing attacks primarily rely on social engineering.
Whereas many cyberattacks target vulnerabilities in systems, phishing attacks exploit vulnerabilities that exist because of the human factor. Since the 1990s, the most common channel for phishing attacks has been email; in recent years, however, attackers have also used other communication channels such as text messages (SMS), instant messaging platforms (IMs), social media, voice calls, and more.
Common Phishing Scams Today
There are several types of phishing used by attackers today. In this section, we explore the most common types of phishing attacks.
a. Email Phishing
Whereas more types of phishing have emerged over the years, email phishing is the oldest and most common form. Email phishing involves sending deceptive emails to trick users into revealing sensitive information, downloading malicious email attachments, or visiting fraudulent websites. Through email phishing, an attacker sends out tens of thousands of emails that mimic a trusted brand such as a bank, social media platform, or e-commerce platform.
For instance, an attacker can design a phishing email that impersonates a giant global brand, say PayPal, Meta, or Amazon. In the case of PayPal, the attacker knows that by casting a wide net over a large number of email addresses, many recipients are likely to be PayPal customers or at least to have heard of it, and hence are likely to take the bait.
b. Spear Phishing
Think of spearfishing, where a fisherman holding a spear targets a specific fish in the water rather than blindly throwing the spear in the hope of catching one. In cybersecurity, spear phishing focuses a phishing attack on a specific individual or organization, unlike email phishing, where an attacker sends out thousands of emails hoping that a few recipients fall for the bait. Spear phishing requires attackers to conduct extensive research on the targeted individual or organization. Once this information is gathered, the attacker sends a personalized phishing email to the target, or to several targets in the case of an organization.
For instance, Mark is an employee at TBB Technologies, a company dealing in next-generation Robotic Chips. One afternoon, Mark receives this email.
Subject: Urgent: Security Update Required - Action Required
Hello Mark,
As part of our ongoing efforts to enhance security measures within TBB Technologies, we are implementing a critical security update to protect against potential cyber threats. Your immediate attention and action are required to ensure the security of your account and our company's sensitive information.
To complete the security update, please follow the instructions below:
Click on the following link to access the security update portal: [link to fake TBB Technologies Website]
Once on the portal, you will be required to provide your current authentication details.
You will then be prompted to create a new password that meets our updated security requirements. Please ensure that the new password is unique, and contains a combination of uppercase and lowercase letters, numbers, and special characters.
Please note that failure to complete the security update within the next 24 hours will result in a temporary suspension of your account access, as it will be considered a violation of our security policies. We understand the importance of maintaining the confidentiality of our data, and this security update is a crucial step in safeguarding our organization against potential cyber threats. Your cooperation is greatly appreciated.
If you have any questions or encounter any issues during the update process, please contact our IT Helpdesk immediately at [phone number operated by the attacker] or reply to this email.
Best regards,
Stephen
Head of IT - TBB Technologies
In the above email, Mark, an employee of TBB Technologies, is the target of the phishing attack. The specificity of the email makes this a spear phishing attack. To broaden the attack radius, the attacker could target a few more employees in the organization (TBB Technologies).
c. Whaling
Just like spear phishing, whaling focuses on an individual. However, whaling targets only the higher-ups in an organization, such as senior executives (think the C-suite: CEO, COO, CTO, and so on) and celebrities; generally, high-ranking individuals within an organization. Just like spear phishing, once a target has been identified, the attacker sends out a personalized email with all the characteristics of a phishing email.
In our example about Mark, consider that he is not a junior employee but the Chief Financial Officer (CFO) at TBB Technologies.
d. Smishing
Smishing refers to phishing attacks conducted through SMS (Short Message Service) text messages sent to mobile numbers. Smishing attacks employ the common tactics of a phishing email; however, they are more direct (scary and often containing threats) because of the limited amount of information a text message can hold.
For instance, you might receive the following text message:
ALERT! We have detected malicious activity in your bank account. Action is required immediately. Click here to secure your account [malicious link to a phishing website] or call [attacker's phone number].
e. Vishing
Voice phishing, also known as vishing, involves phishing attacks conducted through phone calls, with either an automated voice (commonly known as 'robocalls', robot calls) or an actual attacker on the other end. In some instances, an automated call is made first, stating the reason for the call and offering an option to talk to a 'customer agent', who is usually the attacker. Due to the low cost of voice calls and the availability of VoIP (Voice over IP) services, vishing has grown in popularity, with victims on one end of the call and attackers on the other end of the world.
Just like any other type of phishing, vishing attacks aim to get personal details from victims over the phone. For instance, in 2020 and 2021, when the COVID-19 pandemic was at its peak, many vishing scams emerged, including COVID-19 relief scams, vaccine appointment scams, health insurance scams, test kit scams, contact tracing scams, and more. Users would receive calls in which the caller requested personally identifiable information (PII) such as name, address, Social Security number, date of birth, and more, to complete their registration for the (obviously fake) COVID-19 relief, complete their vaccine booking, and so on.
f. Pharming
Pharming is a more technical and advanced form of phishing. The attacker corrupts the DNS resolution the victim relies on, whether through DNS cache poisoning, DNS spoofing, compromising authoritative DNS servers, or gaining access to the victim's computer and altering its Domain Name System (DNS) settings. As a result, when a user navigates to a legitimate website, say his or her banking portal, the tampered DNS resolution redirects the browser to a fake website that mimics the legitimate bank's website. Usually, the fraudulent website is set up to collect users' banking information.
The sophisticated nature of pharming makes it very hard for a user to detect; stopping it relies on security programs and applications rather than on diligence alone.
Phishing Attacks: The Bait, Hook, and Catch
The term 'phishing' comes from the act of fishing itself. In that sense, we can compare phishing attackers to fishermen. The bait is often a message crafted to trick a user into accepting the legitimacy of what is being communicated. The hook is usually the malicious part of the phishing attack: a user downloading an attachment that installs malicious programs, or clicking a link to a fake website. The hook is the action the user takes as intended by the attacker. The catch is the end goal of every phishing attack. Attackers can steal login credentials, sensitive data such as personal and bank information, and more.
The three parts, bait, hook, and catch, work together to trick the user into taking an action he or she would not have taken under normal circumstances. Therefore, let's take a deep dive into these parts and how they are used in a phishing scam.
A. The Bait
Just as fish are lured with a worm as bait, an attacker baits an unsuspecting user with a message through an email, SMS, social media post, or voice call. The bait can take many forms, as attackers know how to make a message catchy. Here are some common baits used in phishing attacks today:
1. Urgent account verification: Most bank customers receive one or two emails from their bank every week, and other users receive one every month. An email from your bank is therefore expected. What is not expected is an email from your trusted bank claiming that your account will be suspended or terminated unless you verify it immediately. Most times, the email gives you less than 2 hours to take action. How do you do that? The email contains a link titled "Verify Account Now", which you are required to click, or an attachment with instructions that you are required to open.
Consider the Spear Phishing email to Mark from TBB Technologies above. The email instructs Mark to complete a task - visit a website and provide information - within 24 hours, which creates a sense of urgency. The email states that failure to complete the task will be considered a violation of company policy.
2. Prize or Reward Notification: An email, private message on social media, or SMS pops up with "Congratulations: You've Won a Luxury Getaway!" The message reads that you have been selected as the winner of an exclusive Luxury Getaway competition. The winnings include an all-expenses-paid trip to a wonderful destination (one that you see yourself going to one day). To claim the prize, you are required to reply to the message or, if it is an email, click a link to submit your details (full name, address, phone number, email address). A final message at the bottom reads:
Please note that this offer is time-sensitive, and you must claim your prize within 48 hours to avoid forfeiture.
3. Job Posting / Work-from-home Opportunities: You receive an email about a job opportunity where you can make money, be your own boss, and work any hours, all from your house. The email states that you can make thousands of dollars (Euros, Pounds) doing virtually no work at all. According to the email, this is an exclusive opportunity to live your life your way. You are, however, required to submit your resume, full name, address, bank account and phone number (and any other personal information) for verification purposes.
4. Fake Invoice Request: An email pops up alerting you to an invoice sent to you or your organization. As the recipient of the email, you are required to download an attachment that contains the details of the invoice.
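As an added illustration (not code from the original article), the following Python script scores an email against the bait traits listed above: urgency, a threatened consequence, a request for credentials, links and phone numbers pointing outside the organization, and a sender domain that does not match the company. The sample message is a constructed cut-down version of the TBB Technologies email; the sender address, URL, phone number and company domain are all made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicator patterns for the bait traits described above: urgency, a threat
# of consequences, a request for credentials, and attacker-supplied contacts.
URGENCY = re.compile(r"\burgent|immediately|within the next \d+ hours\b", re.I)
THREAT = re.compile(r"\bsuspension|suspended|terminated|forfeiture|violation\b", re.I)
CREDENTIALS = re.compile(r"\bpassword|authentication details|login|credentials\b", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
LINK = re.compile(r"https?://[^\s\]>]+", re.I)

def _is_external(link: str, org_domain: str) -> bool:
    # A link is external unless its host is the org domain or a subdomain of it.
    host = (urlparse(link).hostname or "").lower()
    return not (host == org_domain or host.endswith("." + org_domain))

def score_email(raw: str, org_domain: str) -> dict:
    # Parse one RFC 822 message and return each indicator flag plus their count.
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    flags = {
        "urgency": bool(URGENCY.search(text)),
        "threat": bool(THREAT.search(body)),
        "credential_request": bool(CREDENTIALS.search(body)),
        "external_link": any(_is_external(u, org_domain) for u in LINK.findall(body)),
        "sender_domain_mismatch": sender_domain != org_domain,
        "phone_in_message": bool(PHONE.search(body)),
    }
    return {"flags": flags, "score": sum(flags.values())}

# Constructed sample based on the TBB Technologies email above; the sender
# address, URL, phone number and company domain are made up for this example.
ORG_DOMAIN = "tbbtechnologies.example"
SAMPLE = """From: Stephen - Head of IT <helpdesk@tbb-technologies-update.example>
Subject: Urgent: Security Update Required - Action Required

Hello Mark,
Click on the following link to access the security update portal:
http://tbb-technologies-update.example/security-update
Once on the portal, you will be required to provide your current authentication details.
Please note that failure to complete the security update within the next 24 hours will result in a temporary suspension of your account access.
If you encounter any issues, please contact our IT Helpdesk immediately at +1 555 010 0199 or reply to this email.
"""
```

Calling score_email(SAMPLE, ORG_DOMAIN) raises all six flags for the sample, while an ordinary internal email with no links, deadlines or credential requests scores zero; a real mail filter combines many more signals, but these are the ones a reader can check by eye.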
B. The Hook
Once a user takes the bait of a phishing attack, next comes the hook. This is the action that a user is required to complete as instructed in the phishing scam. This can include clicking a link to a fraudulent website, downloading a malicious attachment, or replying with the requested information. The sole purpose of the hook is to trick the user into performing an action that solely benefits the attacker and fulfils the purpose of the phishing scam.
In a phishing email supposedly from a bank regarding account verification, clicking any links in the email gets a victim into the attacker's hook.
C. The Catch
Every phishing scam has a goal. This is what the attackers aim to gain by running a phishing scam through any of the common ways. The catch identifies the objectives of the phishing scam and the desired outcome of an attacker.
The most common catches of phishing scams include:
Stealing login credentials
Gaining unauthorized access to accounts (bank, e-commerce, and so on)
Distributing malware
Harvesting personally identifiable information (PII)
Carrying out further fraudulent and malicious activities
How to Protect Yourself From Phishing Scams
There are several how-to tips that you can implement to prevent yourself from getting scammed through the now-elaborate phishing scams. Here are a few, and the most effective:
Be skeptical of emails from senders you do not recognize. Before clicking any links or downloading attachments, first verify that the email is legitimate. Read more on how to spot a phishing email.
Be suspicious of unsolicited calls, especially those requesting your personal information.
Before clicking any links in text messages, social media posts, IMs, and emails, verify the sender of the message and the message itself by searching for it online.
Verify a message, email, or call from an organization by independently contacting the organization, and NOT through the contact information attached to the communication. In Mark's spear phishing case, Mark should independently obtain the phone number of the IT department and confirm that a security update exists. If no such number is available, he should walk to the department and ask in person. For the smishing scam, a user should look up the bank's customer care number (not the one in the SMS) and call the bank to ensure his or her account is in order.
Avoid providing information upon request until you can verify the sender.
Be aware of emails, text messages, and calls that have a tone of urgency. An email requiring you to take action in a certain period of time is probably a phishing scam. First, verify the sender before giving in to the pressure.
If it is too good to be true, it is probably fake. Emails that promise high-earning jobs with little work, huge returns on investments with low risk, cash relief, vacation prizes from unknown and random competitions, tips to gain an advantage (business insider information, losing weight in record time with no workouts), access to limited resources (remember the vaccine appointment scam during the COVID-19 pandemic), and so on are phishing scams. Do not give in to the pressure or excitement of the message.
Install security applications such as anti-virus programs and ensure your software applications are up-to-date.
Do not ignore passive and active warnings that an email or website may be a phishing scam. Email servers, browsers, and anti-malware tools have complex and robust anti-phishing filters that help filter out spam and phishing emails. When an email is flagged, be suspicious of it and do not interact with it until you can verify the sender.
Exercise caution when sharing information online. Sharing personal information can give attackers the necessary tools to target you with a spear phishing scam.
Keep up with the latest phishing scams. Staying informed about common scams ensures you are aware of the latest tactics employed by scammers.