What Is Phishing?
Phishing is a form of social-engineering fraud in which people are tricked into handing over personal information or credentials that are then used for malicious purposes, most often identity theft. It is typically carried out through a counterfeit website, email, or SMS message that appears to come from a reputable company.
A scammer may utilize a phony website that appears to be identical to the authentic website on the surface. Visitors to the site may send personal information, such as social security numbers, account numbers, login IDs, and passwords, in the mistaken belief that they are engaging with a legitimate company.
The scammers then use the information provided to steal money, identities, or both from visitors, or sell it to other criminals.
Phishing may also arrive as emails or texts that are made to look as if they were sent by a legitimate business. Besides asking for information directly, these messages may carry links or attachments that install malware, such as ransomware or remote-access tools, giving the scammer a foothold on the victim's computer or network.
KEY TAKEAWAYS
- Phishing is a type of data theft that involves people unknowingly volunteering their personal information to a bad actor.
- A phishing attempt may utilize an official-looking website, email, or other forms of communication to trick users into handing over details like credit card numbers, social security numbers, or passwords.
- Phishing websites can appear identical to official websites, prompting users to input their real credentials on the malicious website.
Understanding Phishing
Phishing scammers give their victims a false sense of security by spoofing or copying well-known, authentic company logos, or by pretending to be a friend or family member of their victims.
Scammers frequently pressure victims into handing over personal information immediately by threatening dire consequences, such as frozen accounts or personal harm.
A typical scheme: an identity thief sets up a website that looks like it belongs to a major bank, then sends out a series of emails posing as a bank representative, asking recipients to enter personal financial information (such as their PIN) on that site so the bank can "update its records."
Once the scammer gets a hold of the needed personal information, they attempt to access the victim’s bank account.
$57.8 million
Phishing scams are some of the most common attacks on consumers. According to the FBI, more than 114,700 people fell victim to phishing scams in 2019. Collectively, they lost $57.8 million, or about $500 each.
Protecting Yourself from Phishing Attacks
The following highlights signs of phishing, and how to protect yourself.
Exceptionally good deals or offers.
If an email touts offers that are too good to be true, they probably are. For example, an email claiming you’ve won the lottery or some other lavish prize may be luring you in to get you to click a link or relay sensitive personal information.
Unknown or unusual senders.
Though phishing emails may appear to come from someone you know, be wary if anything seems out of the ordinary. The display name is chosen by the sender, so when in doubt, hover over or expand the sender's name to reveal the actual email address and make sure it matches the address you expect.
If you're unsure about an email or website, call the company using a number you already have, not one given in the message. Never reply to an email with personal information. (An example of an uncommon sender's email address can be seen in the image below.)
Hyperlinks and attachments.
These are particularly concerning when they come from an unknown sender. Never open links or attachments unless you are confident they come from a safe sender. Rather than clicking a link, type the organization's known web address into your browser yourself.
Incorrect spelling in the web address.
Phishing sites often use web addresses that look similar to the correct one but contain a simple substitution, such as the digit "1" in place of a lowercase "l", a zero in place of the letter "o", or the real brand name placed in a subdomain of an unrelated domain.
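The two checks above (does the sender's real address match what the display name claims, and is a web address a look-alike of a site you trust) can be automated for a first triage. The following is an added example written for this page, not code from the original article: it folds confusable characters to one form, flags a trusted brand name appearing in a domain that is not the trusted one, and compares the From display name against the actual address. The trusted-domain list and the sample message are constructed for the demo, and `registered_domain` deliberately ignores multi-label public suffixes such as co.uk.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list for this example; a real deployment would load the
# organisation's own list of the brands and domains it expects mail from.
TRUSTED_DOMAINS = ("bankofamerica.com", "microsoft.com", "paypal.com")

# Look-alike substitutions attackers use. Folding both the suspect label and
# the trusted brand name through the same map makes "paypa1" collide with
# "paypal" and "rnicrosoft" collide with "microsoft".
PAIR_CONFUSABLES = (("rn", "m"), ("vv", "w"))
CHAR_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l",
                                  "3": "e", "5": "s", "7": "t", "8": "b"})
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize_label(label: str) -> str:
    """Lower-case a DNS label and fold confusable characters to one form."""
    label = label.lower()
    for pair, single in PAIR_CONFUSABLES:
        label = label.replace(pair, single)
    return label.translate(CHAR_CONFUSABLES)


def registered_domain(host: str) -> str:
    """Last two labels, e.g. 'login.paypal.com' -> 'paypal.com'.
    Simplification: multi-label public suffixes such as co.uk are ignored."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> str:
    """Return 'trusted', 'lookalike of <domain>', or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    if registered_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = normalize_label(trusted.split(".")[0])
        for label in host.split("."):
            folded = normalize_label(label)
            # A brand name (or a one-typo variant of it) anywhere in a host that
            # is not the trusted domain, e.g. paypal.com.secure-login.net, is suspect.
            if brand in folded or edit_distance(folded, brand) <= 1:
                return f"lookalike of {trusted}"
    return "unknown"


def check_sender(from_header: str) -> str:
    """Compare what the display name claims with where the address really is."""
    display, addr = parseaddr(from_header)
    host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    verdict = classify_domain(host) if host else "unknown"
    claimed = [t for t in TRUSTED_DOMAINS
               if normalize_label(t.split(".")[0]) in normalize_label(display)]
    if claimed and verdict != "trusted":
        return f"display name claims {claimed[0]} but address is {addr} ({verdict})"
    return verdict


def scan_links(body: str) -> dict:
    """Classify the host behind every http(s) URL found in a message body."""
    findings = {}
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        verdict = classify_domain(host)
        if parsed.username:  # http://paypal.com@evil.example/ : real host is after '@'
            verdict = f"userinfo trick, real host is {host} ({verdict})"
        findings[url] = verdict
    return findings


def scan_email(raw: str) -> dict:
    """Triage one RFC 822 message: sender verdict plus a verdict per link."""
    msg = email.message_from_string(raw)
    return {"sender": check_sender(msg["From"] or ""),
            "links": scan_links(msg.get_payload())}


# Constructed sample message for the demo (not a real phishing email).
SAMPLE = (
    "From: PayPal Security <alerts@paypa1-support.com>\n"
    "To: victim@example.org\n"
    "Subject: Unusual sign-in attempt\n"
    "\n"
    "We noticed suspicious activity on your account.\n"
    "Confirm your details at http://paypal.com.secure-login.net/verify\n"
    "or review our policy at https://www.paypal.com/policy\n"
)

if __name__ == "__main__":
    for key, value in scan_email(SAMPLE).items():
        print(key, value)
```

Run against the sample, the sender is reported as claiming paypal.com while really being at paypa1-support.com, the "verify" link is a look-alike of paypal.com, and the policy link is trusted. The confusable map is intentionally aggressive (it also folds "i" to "l"), so treat a "lookalike" verdict as a reason to look closer, not as proof.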
Immediate pop-ups.
Be wary of websites that immediately display pop-up windows, especially those asking for your username and password. Use two-factor authentication, a browser with anti-phishing detection, and keep security on your systems up-to-date.
Phishing Attempts
According to the Federal Trade Commission (FTC), phishing emails and text messages frequently tell stories to trick people into clicking on a link or opening an attachment. For example, phishing attempts may
- Say they’ve noticed suspicious activity or log-in attempts on your account
- Claim there’s a problem with your account or payment information
- Say you need to confirm or update personal information
- Include a fake invoice
- Ask you to click on a link to make a payment
- Claim you’re eligible to sign up for a government refund
- Offer a coupon for free goods or services
How to prevent phishing
Phishing attack protection requires steps to be taken by both users and enterprises.
For users, vigilance is key. A spoofed message often contains subtle mistakes that expose its true origin, such as spelling errors or a slightly altered domain name like the misspelled web addresses described above. Users should also stop and ask why they are receiving such an email at all.
For enterprises, a number of steps can be taken to mitigate both phishing and spear-phishing attacks:
- Two-factor authentication (2FA) is one of the most effective defenses against phishing, because it adds a second verification step when logging in to sensitive applications. 2FA requires the user to present two different kinds of evidence: something they know, such as a password, and something they have, such as a smartphone or a hardware security key. If an employee's password is phished, it is not sufficient on its own to gain entry. One caveat: one-time codes delivered by SMS or generated by an authenticator app can themselves be phished, since an attacker who proxies the real login page can forward the code within its validity window. Phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the login to the legitimate site's origin, give the strongest protection.
- In addition to 2FA, organizations should enforce sound password management policies: employees should use a unique password for every application (a password manager makes this practical) and change a password promptly whenever there is evidence it has been compromised. Mandatory periodic rotation is no longer recommended by NIST (SP 800-63B), as it tends to produce predictable, reused variants.
- Educational campaigns can also diminish the threat of phishing by reinforcing secure practices, such as not clicking links in unexpected external emails and reporting suspicious messages to the security team.
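To make the "something they have" factor in the 2FA item concrete, and to show exactly where code-based 2FA stops protecting against phishing, here is an added example written for this page, not code from the original article. It implements the standard HOTP/TOTP algorithms (RFC 4226 and RFC 6238) with the RFC's own test secret, verifies a code with a small clock-drift window, and rejects reuse of an already-consumed code. The relay scenario at the end, in which a code typed into a fake page is forwarded to the real site 20 seconds later, is a constructed demonstration of the caveat, not an observed attack.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                step: int = 30, skew: int = 1) -> int:
    """Return the time-step counter that matched, or -1 if the code is rejected.

    Accepts +/- `skew` steps of clock drift. A matched counter must be greater
    than `last_counter` so a code cannot be replayed after its first use
    (RFC 6238 section 5.2). What this does NOT do: a code captured by a fake
    login page and forwarded to the real site within the same window still
    verifies, because the code carries no binding to the site it was typed into.
    """
    current = at // step
    for counter in range(current - skew, current + skew + 1):
        candidate = hotp(secret, counter, len(code))
        if counter > last_counter and hmac.compare_digest(candidate, code):
            return counter
    return -1


# RFC 6238 test secret (ASCII "12345678901234567890"); a real secret is random.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    captured = totp(SECRET, 59)  # what the victim typed into the fake page at t=59
    print("code at t=59:", captured)
    print("first use at t=59 -> counter", verify_totp(SECRET, captured, 59))
    # Relayed by the attacker 20 s later: same 30 s step, so it is accepted.
    print("relayed at t=79  -> counter", verify_totp(SECRET, captured, 79))
    # Replayed after the window (t=149 is step 4, window is 3..5): rejected.
    print("replayed at t=149 -> counter", verify_totp(SECRET, captured, 149))
    # Replayed within the window but after it was already consumed: rejected.
    print("reused at t=59, last_counter=1 ->", verify_totp(SECRET, captured, 59, last_counter=1))
```

The replay check (tracking the last accepted counter per user) is what a server should do; the relay case is why the item above points to origin-bound methods such as FIDO2/WebAuthn for the strongest phishing resistance.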