Phishing is a type of social engineering attack that extracts sensitive information from victims by posing as credible or authoritative entities or people. It usually happens through emails. Readers often click links or follow directions to relinquish credit card or Social Security numbers, and then the cybercriminal can use them for malicious purposes.
Phishing is one of the most pervasive cyberattacks in a threat actor’s roster. Learning foundational info about phishing attacks is critical for tech users, especially for people who have been victims of phishing before.
How phishing works
Phishing attacks typically start with an email or message from someone posing as a familiar or authoritative figure such as a boss, family member, financial institution, or online shopping site.
The message usually includes a link with a note of urgency or fear that will drive victims to click and follow prompts without considering the potential consequences.
The way this works can vary depending on the mode of execution and the end goal.
For example, a phishing email may have a subject header that convinces the victim they need to log into their account to fix a compromised password, leading them to input that very information in an online form from a fake storefront with familiar-looking logos.
On the other hand, a phishing text could have victims click a link that downloads malware to their phones.
To be effective, threat actors must research companies or personas to create convincing templates that the receiver can’t ignore. Sometimes, it’s even more targeted and personal.
How to identify and avoid phishing attacks
Identifying phishing scams varies by method, but the most common are emails. Look for these traits when scoping an email:
- Unpersonalized greetings, such as “to whom it may concern” or “sir or ma’am”
- Unofficial email addresses with numbers or random letter strings
- Excessive emojis
- Suspicious attachments
- Typos or grammar mistakes
- Unusual fonts in subject headers
- Any request for personal information
- Links or buttons for you to act
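As an added example (not code from the original article), here is a small Python triage script that scores an email against the traits listed above. The sample message, the heuristics' wording lists and the "3 or more hits means review" threshold are constructed assumptions for illustration:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the page) exhibiting several of the listed traits.
SAMPLE_EMAIL = """\
From: Account Security <secure-alerts8841@bank-verify-portal.example>
To: customer@example.com
Subject: URGENT: Verify your account within 24 hours
Content-Type: text/plain

To whom it may concern,

Your account has been suspended. Click the link below immediately to
verify your Social Security number and restore access:
http://bank-verify-portal.example/login
"""

GENERIC_GREETING = re.compile(
    r"^\s*(to whom it may concern|dear (customer|user|sir|madam|sir or ma'?am))", re.I | re.M)
URGENCY = ("urgent", "immediately", "suspended", "within 24 hours", "act now")
PII_REQUEST = ("password", "social security", "credit card", "account number")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".iso", ".html")

def _body_text(msg):
    """Collect text/plain parts; works for single-part and multipart messages."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def score_message(raw_email):
    """Return which heuristics fired and a total score (assumed threshold: 3+ = review)."""
    msg = message_from_string(raw_email)
    body = _body_text(msg)
    lower = (msg.get("Subject", "") + "\n" + body).lower()
    _, sender = parseaddr(msg.get("From", ""))
    local_part = sender.split("@")[0]
    hits = {
        "generic_greeting": bool(GENERIC_GREETING.search(body)),
        "numeric_sender": bool(re.search(r"\d{3,}", local_part)),  # digit runs in the address
        "urgency": sum(word in lower for word in URGENCY) >= 2,
        "asks_for_pii": any(word in lower for word in PII_REQUEST),
        "has_links": bool(re.search(r"https?://\S+", body)),
        "risky_attachment": any((part.get_filename() or "").lower().endswith(RISKY_EXT)
                                for part in msg.walk()),
    }
    return {"hits": hits, "score": sum(hits.values())}

if __name__ == "__main__":
    print(score_message(SAMPLE_EMAIL))
```

A score like this is only a triage aid for a mail filter or help desk; it complements, rather than replaces, the verification steps described below.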
A great rule of thumb is to always log into your accounts through your smartphone apps or by typing the URL into your browser, rather than clicking on links in emails or text messages. And call the person or institution from the number stored in your phone or on their website, rather than the one that appears in the message.
Companies and regulatory bodies like the IRS, banks, or legitimate online marketplaces will not request information through email. Before clicking or responding to prompts, contact the business and talk to service representatives to confirm the communication is legitimate. Even if it’s not, you’re helping them by reporting that threat actors are targeting their customers.
What happens if you fall for phishing?
If you are a victim of phishing, the situation is fixable if you act quickly. While stressful, there are ways to be proactive with your data and documents to retrieve as much as possible. Here are the best practices to navigate the system with as much calmness as possible.
First, do not attempt to back up any data on external hard drives or flash drives. Do not plug external devices into the affected device, especially if you suspect malware. Documents may already be tainted, and connecting and transferring them to other devices could cause a spread.
It may feel like the right thing to do to get precious information off an infected computer, but it could actually worsen the situation. Instead, immediately disconnect the affected device from the network to prevent any malware from spreading further.
You should then start running scans with anti-malware or antivirus programs. Not all programs can deal with novel phishing attacks, but it never hurts to begin a cursory scan. Meanwhile, you can attempt to change your credentials for the affected website from another device.
If you gave a password or similar data to a site, try to lock the phisher out by using the site's account recovery methods to reclaim the account.
In the United States, immediately file a report with the Federal Trade Commission (FTC). The FTC has a form that asks users to follow prompts to begin an investigation into suspected identity theft. You can also file a complaint with the FBI’s Internet Crime Complaint Center (IC3).
Here are some other actions you may want to take to keep data secure if you suspect a breach:
- Submit freezes to all card companies and credit bureaus.
- Set up fraud alerts or additional authentication measures on sensitive accounts.
- Remove pre-saved passwords, addresses or card information from browsers.
- Report phishing messages as spam and increase spam filters in inboxes.
- Notify workplace management and IT teams.
- Set up a password manager to store passwords in an encrypted service.
- Contact relevant companies so they can alert customers of an active phishing scam.
Businesses may also have to recover from phishing from a media perspective. The loss of customer loyalty and brand trust are some of the most notable adverse effects of a public phishing epidemic.
What are the different phishing attack types?
The success of phishing attacks led them to quickly expand into a variety of different types, including spear phishing, clone phishing, angler phishing, whaling, smishing, and vishing. As amusing as many of these names may be, their results are anything but.
Spear phishing is when hackers target particular individuals using more sophisticated, personalized deception methods. For example, they could masquerade as someone in the workplace that the target frequently communicates with.
These are sometimes called business email compromises (BECs) because they take advantage of a worker’s relationship to their management hierarchy.
Clone phishers take copies of legitimate content and make the tiniest adjustments to include malicious links and attachments, making it challenging for even the most skeptical eyes to tell that the email is a scam. This is another reason why it’s always best to type URLs manually rather than clicking email or SMS links.
Angler phishing uses bots or fake accounts resembling real people or companies to extract information from victims through DMs or other means on social media.
Whaling targets “big fish”: high-profile people who have a lot of money to spare and little to lose. These targets could respond with ferocity if they learn they’re a victim of phishing, or the amount lost might be inconsequential to them, putting hackers in a unique circumstance regarding their risk commitment.
Smishing and vishing
These portmanteaus represent SMS phishing and voice phishing, respectively. These tactics rely on text messages or phone calls. The calls may be voicemails or robotic conversations, guiding victims through prompts until they enter valuable data like their credit cards or Social Security numbers.
For example, it could be a fake representative from a bank calling about protecting your account from fraud and asking the user for their credit card number for “verification.”
Evil twins and pharming
Evil twin phishing sets up a rogue Wi-Fi hotspot that mimics a legitimate one so victims connect through it, and pharming is when hackers tamper with Domain Name System (DNS) resolution so that a legitimate domain name points to an attacker-controlled IP address.
3 real-life phishing examples
Phishing can happen on large or small scales, pinpointing individuals, companies, or governments. Here are a few recent examples of notable phishing attacks.
1. Decentralized finance targets
A devious manipulation of Google Ads has recently targeted cryptocurrency traders, resulting in a loss of millions of dollars in digital assets. Companies like Lido and Radiant have had to scramble to protect users who clicked crypto ads with slightly edited links that led them to enter their wallet information on pages controlled by scammers.
2. Legitimate emails from YouTube
A “no-reply[at]youtube[dot]com” sender is convincing many YouTube registrants to enter their information, which risks whole channels. Investigations reveal the email is legitimate, but the phishers have found loopholes in the video platform’s sharing system to spoof from an authentic account.
3. Ukrainian infrastructure attack
In 2015, Ukrainian power outfits experienced outages that impacted hundreds of thousands of citizens because of suspected spear phishing. A targeted individual opened attachments containing the debilitating BlackEnergy malware, which started the interruptions.
Bottom line: Avoiding phishing attacks in the enterprise
Phishing will never go away—it will only get more creative. Most internet users must remain vigilant and approach any communications with an ounce of caution.
Before clicking anything, you should call the person or company to verify or report situations or log into their website through their app or by typing the URL into your browser.
Meanwhile, companies should do all they can to train their employees on the dangers of phishing in all its different forms, and encourage users to report suspicious emails to their IT team immediately.
Combating identity theft and breaches online is a group effort. People must communicate strategies to keep everyone in the loop on the newest and most innovative phishing variants.