What is phishing?
Phishing is a cyberattack that uses email to scam people. It is pronounced just like the word "fishing", and the analogy is of a fisherman (the criminal) throwing out bait (emails) to catch a fish (the victim). The message tries to trick you into believing that it is something you want or need: for example, an email that appears to come from your bank, or from someone you work with, in which the cyber criminal tries to get you to click on a link or download an attachment.
Links in phishing emails are made to look like they lead to legitimate websites, usually those of companies you are familiar with or do business with.
Phishing scams are not limited to email, though. They can also arrive as messages that look like they are from UPS or FedEx, claiming that a package is being held for you.
Social media may be used as well. You can be tricked into clicking on a link that you believe was sent by a Facebook friend.
How does phishing work?
The scammers try to make their website look like one the victim will trust. They are usually trying to get you to do one of two things: hand over sensitive information or download malware.
For instance, the phisher may clone a legitimate website and send you an email that looks like it is from your bank, telling you that your password was compromised. The email contains a link for you to click on so that you can access your account and reset your password. When you enter your information on the cloned site, the phisher steals your username and password. After capturing your credentials, they will usually forward you to the real website, so you won't even know what happened.
Sometimes the email will instead try to get you to download an attachment containing some type of malware that gives the scammer access to your computer.
Types of phishing
Most phishing scams are broad rather than targeted: the scammers send out millions of emails hoping to catch a few victims. However, there are more focused variants, such as spear phishing, whaling, and vishing.
Spear phishing is when a scammer targets a specific person. For example, the spear phisher may target someone in the finance or accounting department of a company who has access to the company's funds. The spear phisher may send this person an email pretending to be the company manager and asking for emergency funds to deal with some fabricated problem.
Whaling is phishing aimed at a specific high-reward target, such as the CEO of a large corporation or a board member. This type of scam takes much longer and requires more work on the part of the criminal, who has to spend time researching the victim and figuring out who they communicate with. It takes more work and more time, but usually provides a big reward.
Vishing stands for "voice phishing" and uses the same tactic as phishing, but over the phone. The victim gets a phone call and usually hears a recorded message saying, for example, that their bank account may have been compromised or that the IRS owes them money. The recording then gives the victim a phone number to call so they can "verify" their information, usually by providing a PIN or Social Security number.
Scammers are trying to take advantage of the fact that people are generally curious and trusting. Scammers refer to this as social engineering.
Phishing works because the scammers are attacking a system by exploiting human psychology rather than by using technical hacking methods. A hacker can try to gain access by finding a weakness in your software using technical means, or they can simply trick you into revealing your password through a phishing scam.
How to protect yourself from phishing
There are a few ways that you can protect yourself from phishing attacks.
First, understand what phishing is and how it works, know the different phishing techniques that are used, and understand why phishing works.
Second, know what scammers are after: usually cash, or sensitive information that will give them access to cash.
Third, look for red flags such as bad spelling, requests for money, or promises of a reward. Look carefully at the URL. You may notice that the web address doesn't match the website that you are on. This is a big red flag.
Fourth, be suspicious of emails from a country where you don't know anyone but the sender claims to know you. Don't open any email or answer any phone call if you don't recognize the source. Be aware, however, that the email or message may be made to look like it's from someone you are familiar with. Resist the urge to click on any links or downloads. If you are not sure, get verification from the person or company that the message is allegedly coming from by contacting them directly.
It may seem obvious but don’t use any of the contact information that is provided in the email. Open a separate window and get the contact information directly from the company by doing a separate search. If the email is from a person, contact that person directly and verify that they sent you an email and its content.
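A defender's-eye check for the URL red flag in the third tip above, added here as an illustration and not taken from the original article: it parses the links in an HTML email body and flags links whose visible text shows one address while the target is another, plus hosts that borrow a trusted brand name. The trusted-domain list and the sample message are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of the real sender's domains (placeholder, not a real bank).
TRUSTED_DOMAINS = {"examplebank.com"}
# Constructed sample email body, all domains made up: the visible link text shows
# the bank's real address, but the href sends the reader somewhere else.
SAMPLE_EMAIL_HTML = """<p>Your password was compromised. Reset it now:</p>
<a href="http://examplebank.com.account-verify.example/reset">https://www.examplebank.com/reset</a>
<p>Need help? <a href="https://www.examplebank.com/help">Help center</a></p>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, lower-cased and without a leading 'www.'."""
    host = urlparse(url).netloc.lower()
    return host[4:] if host.startswith("www.") else host


def find_red_flags(html_body):
    """Return one message per suspicious link; an empty list means none found."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    flags = []
    for href, text in collector.links:
        target = host_of(href)
        trusted = any(target == d or target.endswith("." + d) for d in TRUSTED_DOMAINS)
        # Red flag: the text shows one address but the link really goes elsewhere.
        if text.startswith(("http://", "https://")) and host_of(text) != target:
            flags.append(f"shows {host_of(text)} but goes to {target}")
        # Red flag: a trusted brand name appears inside a host that is not trusted.
        if not trusted and any(d.split(".")[0] in target for d in TRUSTED_DOMAINS):
            flags.append(f"lookalike host {target}")
    return flags
```

Running `find_red_flags(SAMPLE_EMAIL_HTML)` flags the reset link twice (mismatched text and lookalike host) and leaves the genuine help link alone; a real mail filter would replace the crude `host_of` with a public-suffix-aware comparison.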