The rise in remote work, online shopping, and incompetent FCC leadership creates a perfect storm for scammers. Phishing attacks are more common than ever before, and they regularly lead to fraud, identity theft, and corporate data breaches. But what is phishing, and how can you avoid it?
“Phishing” is a catchall term for a variety of cybercrimes. But in its most basic form, phishing (pronounced “fishing”) is a scam in which a victim is tricked into sharing sensitive information or downloading ransomware.
The majority of phishing schemes occur via email or SMS text message. And they tend to follow a simple formula; scammers will impersonate someone trustworthy, such as Amazon, a police department, or an employer, and tell you about a problem that requires immediate attention. Usually, this “problem” can only be “solved” by sharing credit card details, opening a malicious file, or typing your login data into a fake website.
Most phishing attacks are easy to spot. They center around scammy topics (like car warranties) and fail to impersonate a person of authority. If you receive an email from “Amazon” that contains typos or comes from a Yahoo address, you’ll probably notice that something’s wrong. (Still, people fall for these “obvious” phishing attacks every day, which is why they’re so common.)
But phishing schemes can be very sophisticated. Scammers may learn details about your employment, subscriptions, family, or location before attempting a phishing attack. If you order shoes from a website that’s been hacked, for example, a scammer may send you an email asking to verify the purchase with your login details. And if you’re of retirement age, a scammer may impersonate a young family member to beg for bail money.
To be clear, phishing schemes aren’t just directed toward individuals. According to a recent Proofpoint report, over 55% of businesses fell victim to a phishing attack in 2020. More than half of these companies ended up with ransomware on their systems. And unfortunately, several of these phishing attacks led to a data breach, which can expose customer information to hackers.
Governments are also a huge target for phishing schemes. The CSIS maintains a long list of successful cyberattacks against government organizations, and many of these attacks were enabled by phishing.
Regular people are the first and only line of defense in a phishing attack. But Proofpoint’s data shows that over half of all full-time workers know nothing about phishing. Clearly, businesses and governments aren’t educating people on this topic, which is why it’s so important to sit down and learn about it yourself.
One of the most frustrating things about phishing, at least from our perspective, is that it comes in so many different shapes and sizes. Cybercriminals aren’t just repeating the same scam every day. They’re constantly developing new ways to fool their victims.
However, scammers have to play a balancing act when phishing. They can cast a wide net with an “obvious” scam and hope that someone takes the bait, or they can put in the work to hit a specific target.
Here are the common forms of phishing, which should illustrate my point:
- Email Phishing: This is the most common form of phishing. A scammer impersonates a popular website or figure, like Amazon or a politician, in an attempt to steal your information or trick you into downloading ransomware. They may even create a custom domain name to make their email address look “official.”
- Spear Phishing: Scammers who want to hit a specific target will resort to “spear phishing.” They gather information on their victim before impersonating a trustworthy person, business, or automated message.
- Clone Phishing: Most phishing emails are sent to victims at random. But in some cases, a scammer will send you a duplicate version of a real email. If you receive an order confirmation, for example, a hacker may send a copycat “order confirmation” containing malicious links or attachments.
- Pop-Up Phishing: Pop-ups are still a common vector for scams and malware. Modern pop-up phishing attacks usually take advantage of a browser’s notification settings to send you “antivirus warnings.”
- Angler Phishing: The world of social media lets scammers “angler phish” for victims. Essentially, scammers will impersonate a public figure or company on social media. Someone may impersonate a YouTube creator to share scammy “sweepstakes” links in a video’s comments, for example.
- Whaling: When a phishing attack is aimed toward an important person, such as a CEO, it’s called “whaling.” These targets are often wealthy, easy to blackmail, or have access to a corporation’s backend.
- Smishing and Vishing: These terms describe phishing through an SMS text message or phone call. Most of the spam messages or robocalls you receive are forms of “smishing” or “vishing.”
Again, these phishing attacks sway between “ultra-specific” and “very broad.” The most sophisticated attacks tend to target a single person, while the more basic attacks are a bit random.
Due to the rise in remote work, phishing is more popular than ever. And we expect it to remain a huge problem for individuals, corporations, and governments—phishing scams can be quite sophisticated, so even if you’re “computer literate” or use an antivirus software, you need to keep your eyes peeled.
Scrutinize every email or SMS message that hits your inbox. If someone sends you a URL or a file, don’t open it unless you can verify the source. And I’m not just telling you to look at the sender’s email address or phone number. Try to contact the organization or person who supposedly wrote that email to verify its authenticity.
To be clear, there are some things you should never send through an email or text message. If someone asks you to type out your social security number or credit card info in an email or text, ignore them! Your bank won’t ask for this stuff on such an insecure platform, and neither will the IRS.
Note that some scammers are bold enough to phish through phone calls. They may even impersonate the police, the bank, or your employer. If an unknown number calls and asks for money or sensitive information, hang up. You can always call back using an official phone number from the organization’s website.
To reduce your chances of being phished, set up spam filters in your email client. You may also want to install an antivirus software and disable website notifications in your browser.
And since phishing attacks are so common, I suggest taking some preventative measures to reduce their impact. Use a password manager to create unique passwords for every account, and enable 2FA on all websites, as it will lock out scammers even if they have your password. You can also activate a fraud alert through a credit bureau to prevent new lines of credit from opening under your name.
According to the U.S. Federal Trade Commission, you should report all phishing attacks to the Report Fraud website. You can also forward phishing emails to email@example.com and forward phishing text messages to SPAM (7726). If a phishing attack impersonates a person or organization, you should also warn them of the attack (especially if they’re a family member or someone within your company).
If you fall victim to a phishing attack, it’s time to enter harm reduction mode. Change the passwords to all sensitive or affected accounts, and enable 2FA to lock out scammers who have your password—a password manager will help you get the job done.
And if a scammer gets your credit card information or bank details, tell your bank! They’ll help you replace the affected card and dispute fraudulent charges. You may also need to freeze your credit cards or set up a fraud alert if a scammer obtains your social security number, address, or birthday. This will prevent unwanted transactions and keep scammers from opening new lines of credit under your name.
Unfortunately, phishing attacks involving malware are a bit more complicated. If you open a malicious attachment or download suspicious software, you should take the affected device offline. Run an antivirus scan or factory reset the device to remove any malware.
Cleaning your device of malware may be impossible if ransomware locks you out. In this situation, take a photo of your device’s screen (so you can identify the ransomware later) and contact law enforcement or the FBI. Don’t bother paying the ransom—you’re better off visiting a repair specialist or waiting for a security firm to publish a solution. Scammers rarely care if you pay a ransom, and if anything, it just encourages them to spread more ransomware.