Everyone's gotten a strange email or two before. Maybe it said you won the Australian lottery or got coupons for a product you've never purchased. Most people have gotten better at recognizing this type of scam, but more sophisticated digital scams are targeting folks through their emails, texts and phones now.
Read on to learn more about phishing and related scams so that you can protect yourself from these damaging cyber attacks.
What is phishing?
Phishing is a type of cyberattack that hackers and scammers use to "fish" for information by sending malicious links. These links often arrive in an unsolicited email and may be disguised as something legitimate, such as a notification from your bank. Once you click on the link, scammers may get access to your private information.
How does phishing work?
Clicking on the link or button in a phishing email can make you vulnerable to scammers in a couple of ways. For example, you might unknowingly download malware (short for malicious software) onto your device by opening an email attachment or visiting a website. Malware can gather sensitive information, consequently exposing you to further security risks.
Alternatively, interacting with a phishing link may take you to a seemingly authentic website. After you open the site and try to log in, the scammers collect your username and password. Not only can they access your account now, but they may also try this username and password combination on other popular websites in an attempt to find valuable data, such as payment or banking information.
Other types of phishing scams
Phishing is a broad, catch-all term for the types of scams that use technology to get you to share vital data and login information. However, these types of attacks don't just arrive as fraudulent emails anymore. Scammers have developed new techniques to target you for identity fraud in almost any way that they can approach you.
Smishing and vishing
If you've ever received a suspicious text message or robocall, you were likely the target of smishing or vishing attempts. Smishing is the use of SMS or text messages to send you malicious links, whereas vishing is the use of voice-based technology, such as a voicemail, phone call, robocall or VoIP (voice-over-internet-protocol) call, to fish out your private information.
A smishing attempt may look like a text that says, "Your streaming service account has been closed. Click here to renew your membership." Clicking the link could take you to a webpage that steals your login credentials when you try to sign in.
Vishing attempts come in a few different forms. Some take place as sales calls meant to collect your personal information, such as your email, last name and credit card number. Others may be robocalls that sound like a real person saying "Are you there?" If you answer "Yes," these scammers may use a recording of your approval to try and access personal accounts while pretending to be you.
Sometimes suspicious messages seem like they are meant directly for you. They might be addressed to you by name or mention your workplace, for example. If it seems like a scammer knows some personal information about you, it's possible you're the target of spear phishing.
Spear phishing often targets people or groups with sensitive information or access to specific computer systems. If you work at a large company with significant proprietary information, you may experience spear phishing attempts aimed at gaining access to your network and private company information.
Spear phisher scammers might make their approach seem like it's coming from an internal colleague or external client to trick you. The message may seem urgent or overly friendly. Corporate cybersecurity should have protocols in place to help you avoid spear phishing attempts.
Similar to phishing, whaling is a type of digital fraud that targets specifically high-level employees at organizations to phish. These employees may have greater access to data the scammers are after or may be able to make financial decisions quickly.
Like typical phishing attacks, these messages often contain a link that delivers malware or steals information through an online form. They are designed to manipulate high-level executives into responding due to their apparent urgency or the use of language familiar to the organization. This may result in ransomware attacks where scammers extort the whaling victim for money to prevent further attacks or they infiltrate digital systems and halt their operations.
How to spot a phishing email
While phishing emails can be scarily similar to legitimate emails from institutions such as your bank or workplace, there are some key ways to know how to spot a phishing email. You can prevent cyber attacks of this nature and protect your personal information by learning to recognize patterns in these suspicious messages. Watch for some of the following clues.
1. Watch for suspicious senders and addresses
To check an email's validity, look at the "from" line. If you click on the name there or hover your mouse over the name, a full email should show. You should see an email address that you expect, such as "email@example.com." If you see something like "firstname.lastname@example.org," it’s almost certainly not from your bank and you should flag the message.
2. Beware of requests for personal information
It's unusual for institutions (such as your bank) to send messages requesting personal information. Be wary if you get an email saying that your account has been compromised and you need to confirm your password after clicking a link to regain access. You should never be asked for personal information like your password through an unsolicited message.
Refuse to give out confirmation codes. Even if you are contacted by someone claiming to be from a website where you shop regularly, don't do it. A common scammer's way of doing things is to reset your password and access your account.
3. Verify links and check email inconsistencies
Make it a rule to never click on a link from an email you didn't expect to get. Even when the email is from someone you expected to hear from, hover over the link first and watch for your browser to show a pop-up with the complete address. It should always lead to a recognizable web address.
If you are going to click on a link, copy and paste them instead to avoid the risk of malware. Alternatively, simply open a browser and type the web address into your address bar to navigate to the website on your own. Never download an unknown attachment.
Phishing emails may look similar to legitimate ones, but looking closely should reveal some inconsistencies. These include red flags which may indicate that a scammer is behind the email, such as low-quality images, poor text formatting or misspellings.
How to prevent phishing
Scams are more common than ever before, but you can still try your best to protect yourself online. Getting familiar with clues to recognize phishing messages is one thing you can do. You can also take additional steps to increase your security and prevent attacks in the first place.
1. Install and update antivirus software regularly
Antivirus software can warn you about suspicious downloads and regularly scan your device for malware. Many antivirus software programs are available for free or at a low cost. Depending on the level of security you need, you can easily find a program that’s within your budget.
Most antivirus programs offer a set-it-and-forget-it approach with automatically scheduled scans. These can help you spot detectable malware with very little maintenance on your part.
2. Be cautious when sharing personal information
Make it a habit to guard your personal information. Social engineering scams like phishing are often based on getting you to reveal information unwittingly.
Scammers may directly ask you for credit card information while pretending to be a legitimate business. They may get you to enter your information into fake websites at the end of a link they send. They might even collect information you post on social media status quizzes, such as your favorite color or the high school you attended, to try and guess your security questions on financial sites.
When it comes to personal information online, don't share or post anything you wouldn't show a known thief standing in front of you.
3. Enable two-factor authentication and use strong passwords
Two-factor authentication requires that you verify a login on your computer via a notification or confirmation code on another device such as your phone. Adding this security measure can prevent others from logging in to your accounts because they won't have your second device.
You’ll want to use strong passwords that feature a variety of letter, number and character combinations. You should also avoid duplicating username/password combinations across multiple sites. Scammers will try the same combination on popular sites to try to access more of your accounts.
Use autofill password settings judiciously. They could be handy for a forum or social media login, but reconsider using this type of password for financial accounts or any accounts that have a payment method attached to them.
How to report phishing emails
When you report phishing emails, you take a small step towards shutting down scammers. Establishing the digital trail of scammers helps public and private cybersecurity authorities track and stop these scammers.
1. File a complaint with the appropriate authorities
The Federal Trade Commission (FTC) is a governmental authority that takes many steps to help citizens recognize, avoid and report phishing scams. They suggest consumers direct complaints about phishing as follows:
- Forward phishing emails to the Anti-Phishing Working Group at email@example.com.
- Forward phishing/smishing text messages to SPAM (7726).
- Report phishing attempts directly to the FTC at ReportFraud.ftc.gov.
- If you are registered on the National Do Not Call Registry but still receiving potential scam calls, report unwanted calls to the FTC through this online form.
2. Notify your email service provider about the incident
Many email clients and apps have built-in "phishing" labeling alongside "junk" filtering options. When you select this option, your email provider may receive an automatic report about the flagged email to help track phishing attempts.
What to do if you click on a phishing link
If you click on a phishing link, try to act quickly by doing the following:
- Don't type anything into a website if it opens. Close the tab or window immediately.
- Disconnect your device from the internet.
- Run a virus scan to catch any malware that may have been downloaded.
- Change any passwords associated with the account the link opened.
If you unintentionally provide log-in information to an account with personal data, contact any connected financial accounts and follow their fraud protection recommendations. Consider a credit freeze and investigate identity theft protection insurance. Lastly, notify friends and family members that your social media may be hacked and to reject any unexpected requests from someone who appears to be you.
Just because you clicked on a phishing link doesn't mean that your accounts will be immediately compromised. However, it might be time to reevaluate your typical security measures.
Summary of Money's what is phishing and related scams
Phishing and other related scams are very real digital threats, but awareness and good digital hygiene can be part of how to protect yourself online.
It’s important to know how phishing works and how to spot phishing emails to prevent a security breach. Take steps to keep your personal information and login credentials secure and private. If you do encounter a phishing attempt, report it to the relevant authorities and service providers to help stop further scams.
Even if you stumble into a phishing attack, there are steps you can take to scan for malware or protect potentially compromised accounts. Staying aware and acting quickly can prevent identity theft and digital financial theft once you know what phishing attacks look like.