Phishing is a type of online scam in which criminals impersonate legitimate organizations via email, text message, online advertisement or other channels in order to steal sensitive information. This is usually done by including a link that appears to take you to the company’s website to fill in your information, but the website is a clever fake and the information you provide goes straight to the crooks behind the scam.
The term “phishing” is a spin on the word fishing, because criminals are dangling a fake “lure” (the legitimate-looking email, website or ad) hoping users will “bite” by providing the information the criminals have requested – such as credit card numbers, account numbers, passwords, usernames or other valuable information.
But if you're like most people, you probably think you can identify a phishing attack before falling for one. Here's why you may be mistaken:
11 Types of Phishing Attacks
Since it was first described in 1987, phishing has evolved into many highly specialized tactics, and as new digital channels appear, attackers keep finding new ways to deliver the same lure.
Below are 11 of the most pervasive types of phishing:
Standard Email Phishing – Arguably the most widely known form of phishing, this attack is an attempt to steal sensitive information via an email that appears to be from a legitimate organization. It is not a targeted attack and can be conducted en masse.
Malware Phishing – Utilizing the same techniques as email phishing, this attack encourages targets to click a link or download an attachment so malware can be installed on the device. It is currently the most pervasive form of phishing attack.
Spear Phishing – Where most phishing attacks cast a wide net, spear phishing is a highly targeted, well-researched attack, generally aimed at business executives, public personas and other lucrative targets, and typically personalized with details gathered from public sources such as social media and company websites.
Smishing – SMS-enabled phishing delivers malicious short links to smartphone users, often disguised as account notices, prize notifications and political messages.
Search Engine Phishing – In this type of attack, cyber criminals set up fraudulent websites designed to collect personal information and direct payments. These sites can show up in organic search results or as paid advertisements for popular search terms.
Vishing – Vishing, or voice phishing, involves a malicious caller purporting to be from tech support, a government agency or other organization and trying to extract personal information, such as banking or credit card information.
Pharming – Pharming is a technically sophisticated form of phishing that abuses the internet’s domain name system (DNS), typically through DNS cache poisoning or by tampering with a device’s DNS settings or hosts file. The user types the correct address, but the request is rerouted to a spoofed page without their knowledge, often to steal valuable information. Because the address bar looks right, an unexpected certificate warning or a login page served without HTTPS is often the only visible clue.
Clone Phishing – In this type of attack, a shady actor takes a legitimate email the target has already received, makes a near-identical copy in which a link, attachment or other element has been swapped for a malicious one, and sends it (often from a compromised account, and often framed as an updated or resent version) to the original recipients or the account’s contacts to spread the infection.
Man-in-the-Middle Attack – A man-in-the-middle attack involves an eavesdropper positioned between two unsuspecting parties so that their traffic passes through the attacker. These attacks are often carried out by creating phony public WiFi networks at coffee shops, shopping malls and other public locations. Once a device joins, the man in the middle can serve a fake login or captive-portal page to phish for information or push malware onto devices. Properly configured HTTPS limits what can be read or altered in transit, which is why such attacks usually rely on a convincing fake page rather than silent interception.
BEC (Business Email Compromise) – Business email compromise involves a phony email appearing to be from someone in or associated with the target’s company requesting urgent action, whether wiring money or purchasing gift cards. This tactic is estimated to have caused nearly half of all cybercrime-related business losses in 2019.
Malvertising – This type of phishing uses online advertising networks to serve ads that look normal but carry malicious code or redirect to a phishing or malware site, so the lure can appear on otherwise trustworthy pages.
Phishing Examples: Can You Spot the Scam?
Make no mistake, these attacks can be quite clever. After all, these types of phishing exist because they work. Let’s take a deeper look at two of the more common attacks.
Anatomy of an Email Scam
Below is a fake Charles Schwab notice claiming the recipient has been locked out of their account and must update it to regain access. Here are some clues indicating this email is actually a scam:
- The email is not addressed to the recipient by name. If Charles Schwab were genuinely notifying a customer of a problem with their account, it would know the recipient’s name.
- Again, they don’t know the recipient’s name; "Dear Customer" isn’t an identifier.
- The recipient hasn’t attempted to sign into a Schwab account, so could not have exceeded the number of attempts allowed.
- Grammatical errors: the words "Online Banking" are capitalized throughout the text. And, if you read carefully, the text says "Please visit www.schwab.com/activate Reset Account your account", which clearly doesn’t make sense; but since most people scan emails quickly, grammatical errors this small usually go unnoticed.
- They try to reassure recipients by encouraging them to confirm the email is from Schwab... by using a link they provide.
- Look at the sixth flag in the annotated screenshot; this shows the true destination displayed when you hover your mouse over any link in the email (which is a red flag in itself: what company would have all of these actions point to the same link?). Notice that the website is actually http://almall.us. The scammer appended /schwab.com/ to the path after their own domain name in an attempt to look legitimate, but the part of a URL that decides where you land is the hostname, which ends at the first "/" after "http://", and here that is almall.us, not schwab.com. The plain http:// rather than https:// is a further warning sign for anything claiming to be a bank.
Seeing any one of these flaws is enough to tell you the email is a phishing attempt – but what if these errors aren’t present?
A smarter scammer could have corrected these mistakes, including learning the recipient’s name and email address, and disguising the URL far more convincingly (for example by hiding it behind link text that reads www.schwab.com, or by registering a lookalike domain). If they had done a better job, there would have been nothing alarming in the message. But it would still be a fake.
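The hover-link check above comes down to one question: which hostname will the browser actually connect to? As an added example that is not part of the original article, this Python script answers it for the trick shown in the Schwab email (the brand name placed in the path of an unrelated site) and for the more convincing variants a smarter scammer would use: the brand as a subdomain of the attacker’s host, the brand placed before an "@" so it lands in the userinfo part of the URL, and an internationalized lookalike domain. The attacker host almall.us is the one quoted in the article; the specific paths, the subdomain, the "@" form and the IDN host are constructed for illustration.

```python
# Added example (not from the original article): classify a link by the host the
# browser will actually connect to, which is what exposes the "/schwab.com/ in
# the path" trick above and three related ones. The attacker host almall.us is
# the one quoted in the article; the other paths and hosts are constructed.
from urllib.parse import urlsplit

EXPECTED_HOST = "schwab.com"   # the brand the email claims to come from

# Constructed sample links, one per trick.
SAMPLE_LINKS = [
    "https://www.schwab.com/activate",              # genuine host
    "http://almall.us/schwab.com/activate",         # brand name in the path
    "http://schwab.com.almall.us/activate",         # brand name as a subdomain of the attacker's host
    "http://www.schwab.com@almall.us/activate",     # brand name in the userinfo (text before '@')
    "http://" + "schwäb.com".encode("idna").decode("ascii") + "/activate",  # IDN lookalike as punycode
    "almall.us/schwab.com/activate",                # scheme omitted, as mail clients often display it
]


def normalize(url: str) -> str:
    """Give scheme-less links a scheme so urlsplit() treats the host as a host."""
    url = url.strip()
    return url if "://" in url else "http://" + url


def actual_host(url: str) -> str:
    """Hostname the browser connects to. urlsplit() drops 'user:pass@' and ':port'
    and lowercases the result, so a brand placed before '@' never reaches the hostname."""
    host = urlsplit(normalize(url)).hostname or ""
    return host.rstrip(".")


def is_expected_host(host: str, expected: str = EXPECTED_HOST) -> bool:
    """True only for the expected domain itself or a label-boundary subdomain
    (so 'schwab.com.almall.us' and 'notschwab.com' both fail)."""
    return host == expected or host.endswith("." + expected)


def classify(url: str, expected: str = EXPECTED_HOST) -> str:
    """Return 'ok' or a short explanation of why the link is suspicious."""
    parts = urlsplit(normalize(url))
    host = actual_host(url)
    if is_expected_host(host, expected):
        return "ok"
    if any(label.startswith("xn--") for label in host.split(".")):
        return f"suspicious: internationalized (punycode) host {host}"
    if expected in parts.path or expected in (parts.username or ""):
        return f"suspicious: brand outside hostname, real host is {host}"
    if expected in host:
        return f"suspicious: brand embedded in unrelated host {host}"
    return f"unexpected host {host}"


def audit(links=SAMPLE_LINKS) -> dict:
    """Classify every link; returns {link: verdict}."""
    return {link: classify(link) for link in links}


if __name__ == "__main__":
    for link, verdict in audit().items():
        print(f"{verdict:60s} <- {link}")
```

The useful habit this encodes is to read a URL from the scheme forward and stop at the first "/" (or "@", or ":"): everything after that is under the attacker’s control and can say whatever they like. Browsers apply the same parsing, which is why the address bar, not the link text, is the thing to trust.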
Avoiding Phone Scams
Have you received any calls from ‘Windows Tech Support’ lately? The chances are high since this is one of the more common vishing attacks – a phone scam that reportedly made up nearly 30% of all mobile calls in 2018.
As discussed above, vishing is an attempt to collect sensitive information over the phone. Attackers often pretend to be with tech support, your bank or a government agency to steal account information or even gain remote access to your computer.
Follow these five best practices to avoid getting vished:
- Be skeptical when answering calls from unknown numbers, even when the number appears to be local; caller ID can be spoofed.
- If they ask for personal information, don’t provide it over the phone.
- Use a caller ID app, but don’t trust it completely.
- Search for the caller’s phone number online, even while on the call, to see if it’s a known scam.
- If the call is about a product or service you use, hang up and go to the vendor’s website or call the vendor directly, using a number from your statement or the vendor’s own site rather than one the caller gave you, to confirm the claim.
Two Ways to All but Guarantee You Don’t Fall for Any Phishing Scam
Applying these two actions consistently will help protect you from online scams:
- Don’t click. Use your own link. If you use a product or service from the company apparently sending you the message, don’t click. Instead, navigate to the website via a browser bookmark or by typing the address you know. If you must search for it, remember that search results and ads can themselves be phishing lures (see Search Engine Phishing above), so check the domain before you log in. If the email is legitimate, you will see the same information when you log into your account on the legitimate site. This is the only reliable way to be sure you land on the legitimate site.
If you use the link or phone number in an email, IM, blog, forum, voicemail, etc., where you land (or who you talk to) is their choice, not yours. The website they take you to or the “bank manager” on the phone may be a convincing copy, but if you share your information it will be stolen and abused.
- Use a browser filtering extension. There are browser extensions that grade search engine results based on known characteristics or behaviors and may even prevent you from navigating to malicious sites. Generally, sites are graded on a scale from safe to suspicious to high risk. Treat a “safe” rating as a hint rather than a guarantee: newly registered phishing sites are often not yet flagged.
What to Do if You’ve Been Phished
If you find you are the victim of a phishing scam, change the password on the affected account immediately, from a device you trust, and then change the password on every other account that shared it. Since most people reuse the same password across multiple sites (we hope you don’t), cybercriminals may already be using the stolen credentials to get into your other accounts. If the account offers two-factor authentication, turn it on, and if banking or card details were involved, notify the bank or card issuer as well.
According to Dashlane, Americans have 130 online accounts on average. This makes remembering strong, unique passwords unmanageable without writing them down or using a simple formula – both of which are risky.
Instead of rolling the dice on your password security, consider using a password manager. They make it easy to store all your passwords and allow for encrypted auto-filling of login forms.
In fact, top antivirus solutions also include integrated password management so you can protect your passwords and devices from one place.