As the name implies, phishing scams use emails, texts or calls as lures to get you to voluntarily hand over sensitive information. Phishing scams attempt to trick you into clicking a link or handing over personal information. Once a scammer has the information, they can use it to steal your money, identity or gain access to your computer.
The criminals attempt to trick you into sharing sensitive information such as passwords, usernames and credit card details. They may also trick you into clicking on a link that takes you to a fake website, or into opening an attachment that installs malware (malicious software) that gives the attacker complete access to your or your company’s device and data.
Attackers target both individuals and companies, and while statistics on monetary losses to individuals are not readily available, the FBI reported that businesses lost $676 million in 2018 due to business email compromise campaigns, which are designed to trick company executives or accounting departments into sending money to fake vendors.
There are three principal reasons why email scams are so effective:
1) Most people use email. The Radicati Group, which specializes in market research, estimates there are more than 3.8 billion email users worldwide in 2019, accounting for over half of Earth’s population.
2) Phishing attacks are simple, low-tech operations.
3) It’s human nature to want to open messages and click on buttons, and psychologists say we all suffer from FOMO, an acronym for “fear of missing out,” and don’t want to be left behind. Then there’s the enduring belief, despite overwhelming evidence to the contrary, that we can get something for nothing.
Phishing comes in several varieties:
Traditional phishing. Attackers send malicious emails to as many people as possible, thinking that the more people they reach, the more people are likely to fall victim. The phishing emails usually appear to come from a trusted source, such as your bank, someone you may know or a legitimate company you’re familiar with.
For example, scammers may send out an attack email that instructs you to click on a link in order to rectify a discrepancy with your account. The link leads to a fake login page that collects your login credentials and delivers them to the attackers.
Phishing emails are impersonal and often contain spelling errors or other mistakes, but not everyone notices these hints. Trusted logos and links to known destinations are enough to trick many people into sharing their personal information. In addition, the emails frequently use threats and a sense of urgency to scare users into following instructions.
The most common type of phishing scam, deceptive phishing, refers to any attack by which fraudsters impersonate a legitimate company and attempt to steal people’s personal information or login credentials.
The success of a deceptive phish hinges on how closely the attack email resembles a legitimate company’s official correspondence. As a result, you should inspect all URLs carefully to see if they redirect to an unknown website. You should also look out for generic salutations, grammar mistakes and spelling errors scattered throughout the email.
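The URL checks recommended above (does the link really go where it claims, is a trusted brand name hiding inside someone else's domain, is the host a raw IP address or a punycode look-alike) can be automated. The script below is an added example written for this article, not code from the original; the trusted-domain list, the constructed sample e-mail and the `registrable_domain` helper are assumptions made for the demonstration.

```python
"""Flag suspicious links in an e-mail body: mismatched link text, brand names used as
subdomains of another domain, raw IP hosts and punycode/IDN hostnames.
Added example; the sample e-mail and the trusted-domain list are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the reader actually does business with.
TRUSTED_DOMAINS = {"examplebank.com", "dropbox.com", "google.com"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML e-mail."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for the demo; real code should use
    the Public Suffix List so that e.g. co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_in_text(text):
    """If the visible link text looks like a URL or hostname, return its host."""
    m = re.match(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#].*)?$", text.strip(), re.I)
    return m.group(1).lower() if m else None


def check_link(href, text):
    """Return the reasons a link looks like a phishing lure (empty list = no finding)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    if parsed.scheme != "https":
        reasons.append(f"scheme {parsed.scheme or 'none'} is not https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("link points at a raw IP address")
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("internationalised/punycode hostname (possible homograph)")
    # A trusted brand used as a subdomain of someone else's domain, e.g. examplebank.com.evil.example
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and domain != trusted:
            reasons.append(f"'{trusted}' appears in host but registrable domain is {domain}")
    # Visible text that itself looks like a URL must agree with the real destination
    shown = host_in_text(text)
    if shown and registrable_domain(shown) != domain:
        reasons.append(f"link text shows {shown} but goes to {host}")
    if domain not in TRUSTED_DOMAINS and not reasons:
        reasons.append(f"destination {domain} is not a known domain")
    return reasons


def scan_email_html(html):
    """Map every href in the e-mail to its list of findings."""
    p = LinkCollector()
    p.feed(html)
    return {href: check_link(href, text) for href, text in p.links}


# Constructed sample imitating the "rectify a discrepancy with your account" lure.
SAMPLE = """
<p>Dear Customer, we noticed a discrepancy with your account.</p>
<a href="http://examplebank.com.verify-login.example/secure">https://examplebank.com/login</a>
<a href="https://xn--exmplebank-1za.com/">Click here</a>
<a href="http://203.0.113.5/update">Update now</a>
<a href="https://www.examplebank.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE).items():
        print(href, "->", reasons or ["ok"])
```

Only the last link, which really is on the bank's own domain, comes back clean; the first one trips three checks at once because the visible text, the scheme and the subdomain trick all disagree with the true destination. In a mail gateway the same checks would feed a quarantine or warning banner rather than a printout.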
Spear phishing. These attacks are personalized to their victims. These emails are more challenging to detect because they appear to come from sources close to the target. Cyber-criminals send personalized emails to particular individuals or groups of people with something in common, such as employees working in the same department.
Before crafting the spear-phishing email, the attacker will select a victim and gather information about them from social media profiles like LinkedIn, Twitter and Facebook. This will enable them to customize their attack emails with your name, position, company, work phone and other information in an attempt to trick you into believing they have a connection with the “sender” of the email.
In addition, the attacker may gather information about your friends and colleagues in order to make the fake email appear like it was sent by one of them. Such highly targeted and customized attacks are far more likely to succeed than traditional phishing attacks.
Spear-phishing is especially commonplace on social media sites like LinkedIn, where attackers can use multiple sources of information to craft a targeted attack email.
Whaling. Similar to spear phishing, except that it targets CEOs, CFOs and other high-level executives, whaling is so named because fraudsters attempt to “harpoon” the biggest targets and steal their login credentials.
The attacker sends emails on issues of critical business importance, masquerading as an individual or organization with legitimate authority. Whaling attacks always personally address targeted individuals, often using their title, position and phone number, which can be obtained through company websites, social media or the press.
Whaling attacks work because executives often don’t participate in security awareness training with their employees.
Vishing. Also known as “verbal phishing,” this scam is a mashup of spear phishing and caller ID spoofing (when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their identity). Scammers may make it sound like they’re from a legitimate company. They may know specific details about you and ask you to verify information in full (such as your Social Security number or address). They can also fake their caller ID to trick you into thinking the call is from someone you trust.
Lisa Lake, Consumer Education Specialist with the Federal Trade Commission (FTC), gave this example of a call you might receive:
“I’m calling from [your bank or any bank]. Someone’s been using your debit card ending in 2345 at [any retailer]. I’ll need to verify your Social Security number — which ends in 8190, right? — and full debit card information so we can stop this unauthorized activity.”
Impressed that the caller ID shows the name of your bank and the caller knows some of your personal details? It’s still a scam — and scammers are counting on the call being so unsettling that you might not stop to check your bank statement.
Landline telephone services have traditionally been trustworthy: calls terminated at physical locations known to the telephone company and were associated with a bill-payer. Now, however, vishing fraudsters often use modern Voice over Internet Protocol (VoIP) features such as spoofable caller ID and automated Interactive Voice Response (IVR) systems, which make their calls difficult for legal authorities to monitor, trace or block.
Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
Pharming. This scam, which has been called “phishing without a lure,” involves installing malicious code on a personal computer or server that misdirects users to fraudulent websites without their knowledge or consent. The website mimics the appearance of a legitimate one in order to obtain personal information such as passwords, account numbers, etc.
A complicated process, pharming stems from “domain name system (DNS) cache poisoning.” The internet uses DNS servers to convert alphabetical website names, such as “www.microsoft.com,” to numerical IP addresses used for locating computer services and devices. “Pharmers” target a DNS server and change the IP address associated with an alphabetical website name, which redirects users to a malicious website even if you enter the correct website name.
Dropbox and Google Docs phishing. Bad actors attempt to gain access to your accounts with Dropbox, a file hosting service, and Google Docs, a web-based software suite.
Dropbox’s trademark is regularly used by cybercriminals as camouflage for their phishing attacks. Scammers copy the Dropbox logo onto their emails to lend authenticity to their scams, a practice known as “brandjacking.” They may try to lure you into entering your login credentials on a fake Dropbox sign-in page in order to harvest your login details.
Similarly with Google Docs, phishers create a web page that mimics the Google account login screen and collects user credentials.
What can you do?
The phishing methods described above should help you and your business recognize some of the most common types of attacks. But you won’t be able to spot each and every phish. Attackers are constantly evolving and adopting new forms and techniques.
Here are some steps to help mitigate the effects of phishing attacks:
- Businesses should conduct security awareness training on an ongoing basis. This should include all company personnel, including executives. Personnel who are aware of spear phishing are less likely to fall victim to an attack.
- Organizations should also consider amending their financial policies so that no one person can authorize a financial transaction via email.
- Multi-factor authentication can keep hackers from obtaining your personal information. With this method, you are granted access to files only after successfully presenting two or more pieces of evidence (or factors) as authentication. This can be something you know, such as a username or password, and something you have, such as a smartphone or cryptographic token. If your password is compromised, it’s of no use to an attacker without the physical device or alternate ID method you have selected.
- Companies should take steps to prevent employees from using corporate access passwords on fake websites. Staff should be instructed to always enter a false password when accessing a link provided by email. A legitimate website won’t accept a false password, but a phishing site will.
- Don’t assume your caller ID is proof of whom you’re dealing with. Scammers can make it look like they’re calling from a company or a number you trust.
- Don’t respond to a phone call, email, or text from someone asking for your personal information. Instead, check it out using contact info you know is correct.
- Don’t trust someone just because they have personal information about you. Scammers have ways of getting that information.
- If you gave a scammer your information, go to IdentityTheft.gov. You’ll learn what to do if the scammer made charges on your accounts.
- To protect against pharming attacks, organizations should encourage employees to enter login credentials only on HTTPS-protected sites (HTTPS is HTTP carried over an encrypted TLS connection, so the browser verifies the site’s identity against its certificate before sending anything). Companies should also run anti-virus software on all corporate devices and apply virus-definition updates, along with security upgrades issued by a trusted Internet Service Provider (ISP), on a regular basis.
- Even if you didn’t give personal information to the scammer, report the scam to the FTC at https://www.consumer.ftc.gov/