Phishing

by Holly Landis
Phishing is a cybercrime in which hackers manipulate victims into handing over personal information for financial gain. Learn how to avoid falling victim.

What is phishing?

Phishing is a type of cybercrime wherein hackers use deception and fraud to encourage users to hand over sensitive information like passwords or financial details.

Cybercriminals who engage in phishing use social engineering techniques to manipulate their victims, either by exploiting their personal vulnerabilities or encouraging them to act against their natural instincts. Once a victim has given the criminal their information, it can be used to gain access to financial accounts.

Many phishing attempts come in the form of emails. Criminals create an email that appears to be from a legitimate company or government organization, but it usually contains a malicious link. Once the victim clicks it, hackers have access to business systems or personal data. 

The best email anti-spam software can now detect many of these malicious emails, preventing them from ever appearing in inboxes at all. But there are still times when these emails bypass spam filters, so users should always be aware of what to look for when it comes to phishing attempts.

Types of phishing

Although plenty of people think of phishing as exclusively email-based, cybercriminals use other phishing methods. These include:

  • Website phishing. One of the most difficult phishing attempts to spot comes in the form of fake websites. They take on the appearance of a legitimate business, usually a large company that users know and trust. Users think they’re logging into their real accounts, but they’re actually giving their login details to hackers.
  • Vishing. Voice phishing is one of the oldest methods of phishing – even pre-dating the internet. Hackers target users via voice messages like phone calls to trick them into providing information like bank details or logins. Hackers then commit identity theft with the details they’ve stolen. 
  • Smishing. Also known as SMS phishing, this is when hackers send malicious links via text to user phones. In most cases, the link opens a webpage or starts to download an app, allowing cybercriminals to hack the phone.
  • Social media phishing. Some cybercriminals use social media direct messages and comments to send malicious links. In other, more extreme, cases, hackers create fake social profiles to follow friends of targets or other social groups and use these personas to extort money or information.

Basic elements of phishing

There are several red flags that people can be aware of that indicate something might be a phishing attempt. The most common include:

  • A sense of urgency. Cybercriminals don’t want their victims to have time to think about their messages and realize that they’re a scam. Phishing attempts often demand immediate action to make the victim panic and click on the link or download the attachment.
  • Suspicious links or attachments. There’s a reason why some of the top cybersecurity advice every year is to not open anything in an email or text that wasn’t expected – it’s usually a phishing attempt. Any links or attachments that seem strange should be avoided.
  • An unfamiliar greeting. An atypical greeting is a big sign of a phishing attempt. For instance, if a message appears to be from the user’s child, but the start of the text says “hi Claire!” rather than Mom, that’s likely not the real sender.
  • Too good to be true messages. These messages offer something like a prize or reward for the user doing nothing. While the offers are enticing to click on, this method is one of the most common ways hackers gain access to devices.
  • Unusual requests. Any requests that don’t seem right should always be flagged as potential phishing. For example, an email from the CEO of the company to a random employee asking to collect gift cards from various places or transfer money to an account is not real.
  • Spelling or grammar errors. While everyone makes typos now and again, copy editors and proofreaders typically check emails from professionals or big businesses before they are sent out. Multiple strange spellings, grammatical errors, or awkward phrasings should be noted and flagged as suspicious.
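
As an added illustration (not part of the original article), the sketch below shows how a mail triage script could check a message for several of the red flags listed above: urgency, too-good-to-be-true offers, unusual requests, and links whose visible text names a different domain than the one they open. The phrase lists, label names and sample messages are assumptions made up for this example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrase lists are illustrative assumptions, not a vetted ruleset.
RULES = {
    "urgency": re.compile(r"\b(urgent|immediately|right away|within 24 hours)\b", re.I),
    "too-good-to-be-true": re.compile(r"\b(you have won|prize|reward)\b", re.I),
    "unusual-request": re.compile(r"\b(gift cards?|transfer money)\b", re.I),
}
DOMAIN = re.compile(r"\b(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def red_flags(raw_email):
    """Return the sorted red-flag labels found in one raw message."""
    msg = message_from_string(raw_email)
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    text = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)
    flags = {name for name, rx in RULES.items() if rx.search(text)}
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        host, named = urlparse(href).hostname or "", DOMAIN.search(shown)
        # Flag links whose visible text names a different domain than the target.
        if host and named and not ("." + host).endswith("." + named.group(1).lower()):
            flags.add("link-mismatch")
    return sorted(flags)

# Constructed sample messages (reserved example domains).
PHISH = ('Subject: Urgent: verify your account\n\n<p>Your account closes within 24 hours.</p>'
         '<a href="http://login.example.net/verify">www.examplebank.example</a>')
BENIGN = 'Subject: Monthly newsletter\n\n<a href="https://www.example.com/news">example.com</a>'
```

A score like this only prioritizes messages for review; a message with no flags can still be a phishing attempt.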

Best practices against phishing

Every year, cybercriminals become more sophisticated in their phishing methods. But there are ways to stay protected and remain vigilant about this type of scam, such as:

  • Remaining skeptical. It’s always best to be cautious and confirm any details before taking action like clicking a link or downloading an app. If in doubt, going directly to a website rather than clicking an email link is always a good idea.
  • Changing passwords regularly. If a password is no longer correct, hackers shouldn’t be able to access the connected accounts. Changing passwords frequently and using password managers to store and generate these secure login details should help.
  • Checking all accounts often. Especially when it comes to financial accounts, statements and records should be reviewed frequently to check for any fraudulent activity. While banks are usually good about detecting suspected fraud attempts, it’s always useful for individuals to be proactive about this on their own.
  • Using two-factor authentication. Adding an additional layer of security, like a one-time passcode sent to a phone, can help stop hackers from accessing online accounts. Unless they also have access to that phone, they shouldn’t be able to bypass this step to log in.

Phishing vs. spam

It's common to confuse a phishing email with a spam email, but the two have important differences.

Phishing attempts always have malicious intent. Hackers are actively trying to steal information and use it for their benefit, usually financial gain. 

Spam emails may or may not be phishing attempts. The vast majority of spam is like digital junk mail: frustrating, unwanted, but harmless.

Keep your business data protected from cybercriminals using intelligent email protection software that can detect spam and malicious behavior before it reaches your employees.

Holly Landis

Holly Landis is a freelance writer for G2. She also specializes in being a digital marketing consultant, focusing on on-page SEO, copy, and content writing. She works with SMEs and creative businesses that want to be more intentional with their digital strategies and grow organically on channels they own. As a Brit now living in the USA, you'll usually find her drinking copious amounts of tea in her cherished Anne Boleyn mug while watching endless reruns of Parks and Rec.