How to Recognize and Avoid Phishing Scams
Last Updated: February 3, 2021
In this modern age of globalization, where more than two-thirds of the world population has access to texting, mobile calling, and email, the figures would make it easy to conclude that more than half of the earth’s population has been exposed to an attempt of phishing. The suggested exposure is because phishing attacks are mostly executed through one of the mentioned media, with emails being the most common. The eventual goal of a phishing attack is to obtain the victim’s personal information, banking details being the pot of gold. This article will tell you all about this cyberthreat, and show you how to recognize and avoid falling victim to phishers.
The Peculiar Road Map of Phishing Scams
The prime goal of Phishing is to acquire the personal access details to your financial accounts. Though scammers have evolved over the years with the tactics used in coning individuals, there are, however, some red flags that could make it possible to reveal phishing calls, texts, or emails for what they are — scam!
- Phishing calls, emails, and text messages from seemingly trusted organizations. Have you everreceived an email, supposedly sent by your ‘account officer’ requesting for personal information such as your social security number and other banking details? It would interest you to find that those messages and emails are from phishers posing as the real organizations.
- Phishing emails and texts often come with unfounded stories. The trick of such exciting stories is to arouse passion in the victim. A famous phishing attack to which several bank users fell victim requested customers to ‘please’ resend their last login details to update the bank database. This request came after a narration was made about how hackers recently attacked the bank’s data infrastructure.
A more famous story, and easy to fall for, are those that claim that suspicious login attempts have been noticed on your account. Subsequently, users are advised to reset their password by filling in some personal details, usually on a phony website that has been created or the actual website that has been momentarily hijacked.
Typically, this is how phishing scammers harvest victims’ personal information trickily:
- They buy data of your subscription to online services, e.g., mobile numbers or email addresses.
- Next, they create the bait in the form of deceptive emails, text, and fake websites to convince users that the messages are from organizations you are familiar with and trust.
- The scammers send the messages in bulk to the initially purchased contacts, sometimes to thousands of users at a go.
- The phishers use the data they can collect from ignorant recipients of the messages to make unauthorized purchases and acts using the victims’ account.
Common Types of Phishing and How to Recognize Them
Phishing is by no means limited to the ones listed below, as scammers are continually morphing in their tactics; however, records of widely reported phishing attacks would help us categorize them into the following:
1. SMS phishing involves forwarding text messages to mobile phone users, asking them to contact a customer agent, or visiting an organization via a link embedded in the text. Clicking the link takes victims to a login page or text dialogue box where keying in personal information is required before gaining full access to the purported website or resource. This type of attack is on the rise partly because mobile phone manufacturers have bought into the internet revolution by producing mostly smartphones.
An easy way of identifying an SMS phishing attack is that the message is usually sent from odd numbers or even comes with poorly worded texts.
2. Email phishing messages are sent via email to unsuspecting victims. The mails are usually sent as broadcast (BCC) to multiple email addresses with logo and footnotes stolen from the actual organization or individual being imitated. Email phishing attacks seldom end with the message itself; message recipients are often directed to visit a popular website via a text link or download a spam attachment included in the email. On the landing page of the attached link, victims are requested to fill in personal information. The webpage may equally make malware automatically install on a computer as soon as the webpage is loaded. The loaded phishing malware harvests personal information from the victim’s computer, smartphone, or device in one of many ways:
- Recording user keystrokes while filling forms
- Assessing user cache and forwarding its contents to the remote assailant
Like SMS phishing, a thorough look at the source email address will help a recipient isolate and report malicious messages as a phishing attack. For example, a phisher who wants to imitate Amazon Customer Care may use an address like – firstname.lastname@example.org. A legitimate email from Amazon would come with the company’s domain name, e.g., email@example.com. Besides, no properly structured organization will request for your personal or financial details via email.
3. Spear phishing is a more strategic kind of scam which also utilizes the email loophole. Relative to email phishing, where emails are sent to several individuals as broadcast messages, spear phishing is more targeted. Employees of online service providers or government agencies who have been earmarked as having access to several users’ personal information are the prolific targets of spear phishing.
The email is made to appear as being from a superior, or the company boss, requesting for access to users’ information. In other instances, the mail is sent from obviously unfamiliar sources, with a magnetic heading, captivating enough to make the recipient open the message. The message is usually blank and comes with an attachment; curiosity will then make the recipient open the attachment and install ransomware on the computer.
Victims of spear phishing attacks can be compared to the head of the proverbial Hydra. The data collected during such attacks are then used to execute a large scale breach of user accounts affiliated with the organization concerned.
4. Clone phishing, like the name suggests, involves a victim receiving an email having precisely the same content as one that has been previously sent from a trusted organization; the phisher, however, includes an unsuspecting link to a malicious attachment or fake website. The only variation is that the source email address is slightly doctored and made to look very similar to that of the initial sender. This tactic makes clone phishing the most challenging type to detect.
5. Whaling phishing is very similar to Spear phishing. The intent is gaining access to sensitive or personal information of individuals who subscribe to the services of an organization. However, whaling attacks target the ‘whales’ in organizations – like top executives and the board of trustees.
6. Pop-up phishing is very similar to the advert pop-ups that interrupt your user experience while browsing a monetized website. Pop-up phishing, however, comes as a warning, not an advertisement; the pop-up alerts the user of an unnamed malicious document or application that has infected the computer. The option is then given to download an antivirus that will eliminate the threat at no cost. Installing such software exposes your computer to the risk of getting infected by unwanted malware; the claimed threat is mostly a hoax.
Protecting Yourself From Becoming a Victim of Phishing
In this age of ecommerce, to avoid becoming a victim or being used as a channel to reveal sensitive data related to your organization, below are fireproof guides to follow.
- Backup your data. Having a copy of the vital data on your computer or smartphone backed up on external media is essential. If it does happen that you fall victim to a ransomware attack, the backup copy of your documents is safe on perhaps a cloud storage service or an external storage media that is not connected to your computer network.
- Use multi-stage user authentication. Phishers are always after account details like username and password. In situations where the second stage of authentication has been established for your sensitive accounts, having your password and username becomes inconsequential. An excellent example of multi-stage authentication is the confirmation code sent to your mobile contact when making bank transactions or log in. A biometric layer of authentication, like a fingerprint, eye, or face scans, are safe methods of safeguarding our accounts.
- Update devices with the latest security patches. The primary computer and smartphone manufacturers update their operating systems regularly to fix bugs and loopholes through which phishers have been identified to attack. Updating these devices will save technology users a lot of security headaches.
- Avoid opening suspicious messages. Note all the mentioned faults peculiar to phishing attacks. Check the content of emails carefully before clicking links, opening attachments, or filling accompanying forms. If compelled to confirm the integrity of any claim in an email, visit the company’s website directly, instead of going through a supplied link.
As the online presence of several organizations and individual users grow, there is a higher tendency that phishing will increase in scale and impact. But with proactive precautions, as suggested in this article, internet users should succeed in outpacing phishers.