There are many ways cybercriminals try to infiltrate your computer, mobile devices and network. Phishing attacks are time-tested and effective, and the more you know about how phishing works the more effective you’ll be at protecting yourself online.
How Phishing Works
To protect yourself from the harms of phishing it’s important to understand how phishers work and what their goals are. Consider the following example of an email phishing scam:
My friend Sarah just sent me an email marked urgent.
This is weird though. All the email says is, “Are you available?” and then it includes a link. That’s an odd message to get from Sarah. Seems suspicious. Don’t you think?
Emails like this are called phishing emails, and they’re the most common type of phishing scam. They come from a sender posing as someone legitimate: in this case, either an attacker spoofing Sarah’s address or an attacker who has taken over Sarah’s real account. The phishers behind an email like this try to trick the recipient into clicking a link that appears to come from a trusted source, and then into sending money or financial information such as bank account or credit card details.
The Foundations of Phishing
Phishing can take many forms, but at its most basic, a phishing attack is a type of social engineering that uses legitimate-seeming messages to get the recipient to perform an action. If the person being phished performs that action, it can lead to any number of negative outcomes, including: identity theft through the disclosure of personal details; theft of login credentials; theft of credit card numbers or bank account information; malware or ransomware infection; gift card scams (e.g. getting someone to buy an Apple gift card and share the numbers on it); and data breaches that expose other sensitive data.
The messages used in these attacks can arrive by email, by text message (SMS), through social media (e.g. Facebook, LinkedIn, Instagram, etc.), or even by phone call.
How Phishers Find Information
For a phishing attack to succeed, the message must seem legitimate to the recipient. Mass phishing campaigns rely on generic lures that could apply to anyone, such as a package delivery notice or a password reset. In targeted attacks, phishers first pick a specific individual and then use publicly available sources, primarily social networks and company websites, to gather the kind of background information (job title, colleagues, vendors, recent events) that makes a fraudulent email or text message look authentic.
Usually, the phishing attempt appears to come from a trusted contact, company, vendor, or other brands.
The “Hook” in Phishing
After gathering enough personal data to send a seemingly authentic message, a phisher will often ask the recipient to click on a link or download an attachment. The link brings the recipient to a malicious website, and the attachment installs malware on their computer. Sometimes, a malicious link leads to a fake website that looks like a trusted site, for example the victim’s company’s site, a school website, or even the victim’s bank. From there, the scammers collect whatever the victim enters into the fake webpage, typically a username and password, unknowingly surrendering that sensitive information to the attackers.
Types of Phishing Attacks
There are numerous types of phishing attacks. The most common ones are:
1. Email Phishing
Probably the best-known type of phishing, email phishing targets personal and business email accounts to try to trick victims into clicking on malicious links or opening attachments that deliver malware or ransomware.
2. Vishing
Vishing, or voice phishing, is a type of phishing that takes place over a phone call. Through that phone call, phishers try to get the victim to divulge sensitive information they can then exploit.
3. Smishing
Smishing, or SMS phishing, takes place over text messaging. In this type of phishing attack, phishers target victims via text message on their mobile phone to try to convince them to click dangerous links, install malware, make purchases on the phishers’ behalf, or divulge sensitive data.
4. Spear Phishing
Spear phishing can use any of the phishing mediums above (e.g. email, text, phone, etc.). What distinguishes it from other types of phishing is that it is a highly targeted attack, tailored with the background information described earlier and aimed at one individual (or a small group) inside an organization. The goal is usually to use that individual’s credentials or computer as a foothold into the wider organizational network.
5. Wi-Fi Spoofing
Wi-Fi spoofing is a type of cybercrime where an attacker sets up a malicious hotspot, often named to look like a legitimate one (a hotel or coffee shop network, for example), and tricks people into connecting to it. Once connected, victims are exposed to what are called “man-in-the-middle” (MITM) attacks, in which the attacker sits between the victim and the internet and can intercept or alter communications to steal sensitive information. Encrypted (HTTPS) traffic limits what the attacker can read, so spoofed hotspots often also present a fake login or “captive portal” page to harvest credentials directly.
6. Clone Phishing
Clone phishing is a more sophisticated type of email phishing attack in which a phisher takes a previously sent, legitimate email that contains links or attachments and resends a copy of it. The clone is basically identical to the original except that the links and/or attachments have been swapped out for malicious ones, and it is often presented as a “resend” or updated version of the original message.
How to Identify Phishing Attacks and Stay Safe
There are a number of anti-phishing tools and extensions available to help internet users identify and filter out phishing attacks. However, in many ways, the best tools are education and a healthy suspicion.
Phishing emails and text messages can often be spotted by poor grammar, clumsy copywriting, odd fonts, colors, logos, or spacing, and vishing calls by pressure tactics and an unusual sense of urgency. That said, cybercriminals are getting more and more sophisticated in their phishing schemes, and many messages are now flawless. Before clicking on a link, consider the source and check where the link really goes: hover over it on a computer, or long-press it on a phone, to see the URL it points to, and look carefully at the domain, since attackers register look-alike names that differ from the real one by a letter or a trailing “.com” in the wrong place. If in doubt, never click. The same goes for attachments. It’s always better to take a little extra time and contact the person or company who supposedly called, emailed, or texted you, using a phone number or address you already know rather than one given in the message, to make sure it’s legitimate and not part of an elaborate phishing campaign.
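The “check where the link really goes” advice above, and the clone-phishing pattern of links swapped inside an otherwise identical message, can both be automated. The following is an added example in Python, not code from the original article: it parses the HTML body of a message, flags links whose visible text shows one domain while the href goes to another, links pointing at raw IP addresses or punycode (xn--) hosts, and links whose host contains a trusted brand name but is not actually that brand’s domain; a second function compares a known-good email with a suspected clone and reports which links were swapped. The trusted-domain list, the sample messages, and the two-label approximation of a “registrable domain” are all assumptions made for the example.

```python
"""Flag suspicious links in HTML e-mail bodies (added example, not the article's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the recipient legitimately deals with.
TRUSTED_DOMAINS = {"examplebank.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def collect_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude approximation: last two labels (wrong for co.uk-style suffixes)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_link(href, text):
    """Return a list of reasons this link looks deceptive (empty if none)."""
    reasons = []
    host = host_of(href)
    # 1. Visible text looks like a URL or domain but the real target is elsewhere.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append(f"text shows {shown.group(1)} but href goes to {host}")
    # 2. Raw IP address or punycode host (possible homograph look-alike).
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("href host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("href host uses punycode (possible homograph)")
    # 3. Trusted brand name appears in the host, but the registrable domain is not the brand's.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host and registrable(host) != trusted:
            reasons.append(f"host {host} contains '{brand}' but is not {trusted}")
    return reasons


def scan_html(html):
    """Map each suspicious href in the message to its list of reasons."""
    findings = {}
    for href, text in collect_links(html):
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


def swapped_links(original_html, clone_html):
    """Clone-phishing check: same visible link text, different target."""
    original = {text: href for href, text in collect_links(original_html)}
    return {
        text: (original[text], href)
        for href, text in collect_links(clone_html)
        if text in original and original[text] != href
    }


# Constructed sample messages for the example.
SAMPLE_EMAIL = """
<p>Are you available? Please review:
<a href="https://examplebank.com.login-verify.net/auth">https://www.examplebank.com/login</a></p>
<p><a href="https://www.examplebank.com/prefs">manage preferences</a></p>
<p><a href="http://203.0.113.5/secure">Secure portal</a></p>
<p><a href="https://xn--examplebank-abc.com/">examplebank.com</a></p>
"""
ORIGINAL_EMAIL = '<a href="https://www.examplebank.com/statement">View your statement</a>'
CLONED_EMAIL = '<a href="https://examplebank.com.login-verify.net/statement">View your statement</a>'

if __name__ == "__main__":
    for href, reasons in scan_html(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
    print("swapped:", swapped_links(ORIGINAL_EMAIL, CLONED_EMAIL))
```

Of the four links in the sample, only the “manage preferences” link passes; the other three are flagged, and the clone comparison reports the statement link as swapped. The brand check is deliberately simple: a real mail filter would use a public-suffix list and a homograph-aware comparison rather than the two-label approximation used here.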
The best way to protect yourself from phishing as well as other online scams is to educate yourself about the most common types and trust your instincts when an email seems fishy.
Interested in learning more?
Learn more about phishing and digital piracy on our FAQs page.