SOCIAL ENGINEERING | 10 MIN READ
Cybersecurity is becoming more and more of an issue for companies and individuals alike. With cyber attacks becoming commonplace in the news, the word "phishing" has probably come up once or twice. But what is phishing?
This article will discuss what a phishing attack is (including its various forms), as well as tips on how to prevent someone from successfully phishing you.
What is Phishing?
The name phishing is a play on the word "fishing." We all know what fishing entails; phishing is the digital version of it, except that instead of fish, hackers attempt to catch unsuspecting people.
Phishing is a form of social engineering: the fraudulent attempt to gain access to and capture sensitive information from another person's computer through a variety of digital disguises, such as email and fraudulent websites. The most common of these is email, but what are the signs of a phishing threat?
Signs of a Phishing Scam
Sometimes we don't recognize a phishing scam when we hear about one, or even when we experience one ourselves.
The most popular phishing scams are emails that pose as a financial institution (like a bank or the IRS). It's difficult to know if you're being scammed if the scammer gets lucky and sends you an email disguised with your bank's logo.
How do they know my bank's logo?
More often than not, hackers don't know your personal information, which is why email scams are so popular. Here, they choose a popular financial institution and blast their email to thousands of random people.
Their hope is to reach a handful of recipients who actually do business with that bank, making it more likely they'll click on the malicious links embedded in the email.
So what do you look for?
Poor Grammar: Not every malicious email originates from your home country. In fact, a sizable percentage do not. If an email doesn't read with appropriate grammar, then it most likely isn't from a professional institution.
Similar or Blind Copied Email Addresses: If you receive an email claiming to be from an organization but the recipient addresses all have the same name, you are 99% of the time being scammed
(ex: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, etc.)
Blind copied emails that don't list your email are most likely a scam. If it lists another email, that means you've been blind copied to it, which means that they don't want you to see that they've sent this email to a thousand other people.
Misspelled Words: Hackers can be sloppy with their delivery. In their effort to get something out quickly for a great payday, they occasionally overlook the details (like spellcheck).
Random Subject: If the email you're receiving (even if it's from an organization you do business with) seems out of the blue, there's a good chance it isn't something you want to explore. Remember, you won't get a virus from reading an email - only if you click a link or download an attachment.
Not Associated with Other Correspondence: If you receive an email that appears very important, but you haven't received anything in the mail or a voicemail, there's a good chance it's malicious. Trust me, if a financial institution needs to reach you, it will use all channels to do so.
No Return Address: Some scams use mail to get you to pay a bill online or over the phone. If the "bill" doesn't have a return address, or the return address is something suspicious, don't respond. If it is from a company you know, give them a call and inquire about the bill.
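The "Similar or Blind Copied Email Addresses" sign above can be checked mechanically in a mail filter. The following is an added example, not code from the original article: it parses a raw message's To and Cc headers with Python's standard library and flags both cases the article describes (your address is missing, so you were Bcc'd; or several visible recipients share the same name). The two sample messages and the addresses in them are constructed for the example.

```python
import email
from email.utils import getaddresses

# Two constructed sample messages (headers only; not taken from the article).
SUSPICIOUS_MESSAGE = """\
From: "First Bank Support" <alerts@example.com>
To: firstname.lastname@example.org, firstname.lastname@example.net
Cc: email@example.com
Subject: Urgent: verify your account

Please review the attached statement.
"""

EXPECTED_MESSAGE = """\
From: statements@example.com
To: me@example.org
Subject: Your monthly statement is ready

Your statement is available in online banking.
"""


def visible_recipients(raw_message):
    """Return the lowercased addresses listed in To and Cc (Bcc is never visible)."""
    msg = email.message_from_string(raw_message)
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def recipient_signals(raw_message, my_address):
    """Apply the article's two recipient-address signs to one message.

    blind_copied:       my address is in neither To nor Cc, so the mail was Bcc'd
    repeated_localpart: two or more visible recipients share the same name part
    """
    visible = visible_recipients(raw_message)
    local_parts = [addr.split("@", 1)[0] for addr in visible]
    return {
        "blind_copied": my_address.lower() not in visible,
        "repeated_localpart": len(local_parts) != len(set(local_parts)),
    }


def suspicious_signs(raw_message, my_address):
    """Names of the signs that fired, usable as a quick triage tag in a mail filter."""
    return sorted(k for k, v in recipient_signals(raw_message, my_address).items() if v)
```

A legitimate mailing list will also Bcc you, so treat a hit as a reason to verify through a known phone number (tip #1 below), not as proof of fraud.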
Different Types of Phishing Attacks and Variations
There are three main types of phishing and phishing-like attacks addressed below (in order of popularity):
Email: Email is by far the most common type of phishing attack. It is easy to carry out and reproduce on a massive scale with a simple click of a mouse.
Phone: Phone calls are about half as popular as email. For a phone phishing attack to be carried out successfully, the person calling needs enough personal information to sound convincing to the target (you). Phone calls are also harder to trace back to the attacker, but do take more time and effort.
In recent history, a popular phishing attack was carried out by people posing as IRS agents on the phone, threatening to garnish wages or throw people in jail if they didn't settle their tax dispute over the phone.
Mail: Mail scams are not as common because they can be the most costly to implement. These scams are typically associated with a large bill to be paid, which is why it is most common as a healthcare scam.
If you see that there isn't a return address (and you weren't expecting a bill), don't trust the source. Scams like this usually include a website or phone number you can use to make a payment (how convenient).
How to Prevent Phishing
#1 When in doubt, call it out. If you receive an email that seems phishy (see what I did there?), make sure to call the listed phone number on the organization's website, or if it's your bank, the number you typically use for customer inquiries.
This probably goes without saying, but you should never call the number listed in a suspicious email. There will be someone on the other end of the line who is trained in deceptive practices, and they will try to get your personal information.
#2 Google it. Unless you are the unfortunate victim of a newly minted scam, there is a good chance others have also been scammed. You can avoid being another statistic by Googling the scam and seeing if there are any reports on what you're experiencing.
A great site to reference is usa.gov and its list of common types of fraud.
#3 Don't download attachments or click suspicious links. The internet delivered the world a constantly developing source of convenience. But when it comes to your personal information and finances, that convenience can be a huge liability.
Never download an attachment from an email unless you requested something from a company, and if you aren't sure if you should be receiving an email, don't click on the links embedded. It's always better to call and do your due diligence when presented with an email that is questionable (see tip #1).
I know what you're thinking - surely no one would fall for any of the phishing examples above, right? Well, I can tell you that if these kinds of attacks didn't work on people, they wouldn't still be a threat.
Yes, you have to be vigilant about protecting your personal information, but you don't have to live in a bubble under the sea to do so. Using the information above is a great step. As a network security company, we unfortunately see companies and individuals fall into these traps far too often.
Business owners have to be vigilant in making sure their employees are aware of the dangers and signs of phishing attacks. If they are, then the business will be infinitely more secure because of it.
Posted by Daniel Gray
Daniel has a passion for educating and helping people and has spent over a decade in the education and office technology industries. He has a Bachelor's in Education from the University of West Georgia and an MBA from the University of Georgia. Daniel has been the lead blogger at SOS since 2017 and specializes in managed IT services, copiers and printers, and business phone systems. He lives in Atlanta and has a goofy greyhound named Ticker.