They lurk in a murky corner of the digital world – several million inhabitants who have zero morals and who prey on the rest of the world. But they are innovative and tech-savvy, and every few weeks they come up with a new twist or a refinement of an old technique. And yet, we aren't celebrating their success or talking about it much. Who are these shady figures?
They're scammers, and they use phishing to harm innocent people. It's a massive industry: reported losses to internet crime in the US exceeded $10 billion in 2022, and phishing was the most-reported crime type. But they aren't done yet. Better technology and our changing society are helping scammers find new, more subtle ways to get people to fall for very old tricks. There are dozens of distinct phishing techniques, and the list of seemingly amusing names keeps growing.
Does that mean that the “phishers” are winning the battle? What are our defenses and how can we prevent phishing scams?
What is Phishing and What Do They Want?
Phishing is a type of cyberattack that tricks people into revealing sensitive information or running malicious software.
Phishers want information they can use to hijack your accounts, impersonate you, steal your money, and ruin your reputation. They can capture your login details for, e.g., a social media or shopping platform, record your credit card details, or plant spyware or data stealers on your computer.
Malware provides them with a back door to your device, so they can keep gathering even more information over a longer period, use the backdoor to launch a ransomware attack, or perhaps even switch on your camera and microphone without you knowing to record intimate details of your life.
How Does Phishing Work?
Phishers send people emails, SMS, or chat messages that appear to come from legitimate sources. They usually impersonate banks or other financial services, courier and delivery services, online shops, government departments, or one of your trusted contacts.
The messages usually contain a link or an attachment. Attachments usually carry malware, or a document that fetches it once you enable macros or "content". Links usually lead to a fake login page that captures whatever credentials you type; they can also lead to a compromised website that tries to push a malware download, often disguised as a required plug-in or update.
How Do They Get You to Click on a Suspicious Link?
They use something called social engineering. Another word for social engineering might as well be “people-hacking” or “people-manipulating” because they use techniques that use people’s emotions to persuade them to take action. These “human hacking” scams can lead people to expose data, spread malware infections, or give access to restricted systems.
For example, they love to use scare tactics. They might send you an email claiming that your account has been hacked or that they need to verify your identity urgently for security reasons. The messages are designed to create a sense of urgency: act immediately to secure your account, or claim the prize you've won within 24 hours.
A Non-exhaustive List of Phishing Techniques
They pull off a bewildering range of scams using established techniques. Think romance scams, immigration scams, sextortion, money mule scams, SaaS phishing, prize scams, contextual scams where they use recent news events to rake in donations to victims of disaster, display name spoofing, and many other types of scams.
● Email Phishing: hackers impersonate a legitimate identity or organization and send mass emails to as many addresses as they can.
● Spear Phishing: targets specific individuals or organizations with more personalized messages.
● Whaling: targets high-level executives or other high-profile targets.
● Business Email Compromise (BEC): using a spoofed or hijacked company email account, typically posing as the CEO or another executive, to get employees or business partners to transfer money or hand over data.
● Clone Phishing: creating a nearly identical version of a legitimate message that has already been sent but with malicious links or attachments.
● Vishing: phishing over the phone.
● Smishing: phishing via text messages.
How Can You Protect Yourself From Phishing?
While there are some great tech tools to help us distinguish between good and bad emails, some phishing messages will slip through the filters, so the last line of defense is you.
● Use antivirus software and keep all your software updated. Antivirus software can help detect and remove malware hidden in phishing attachments, but it will not stop you from typing your password into a fake website.
● A VPN protects your private information in transit: it encrypts your data between your device and the VPN server, so someone snooping on the same public Wi-Fi can't read it. It does not protect against phishing. If you type your password into a fake site, the VPN delivers it to the scammer just as reliably; treat it as protection for your traffic, not for your judgment.
● Restrict the information that you make publicly available. Scammers mine social media for your employer, job title, travel plans and family details, and use them to make spear-phishing messages look personal. The less you post, the less convincing they can be.
● Check the sender's address carefully, not just the display name, which can say anything. Look for subtle variations like typos, swapped digits or unusual characters (homoglyphs) in well-known domain names. For example, Facebook is never spelled faceb00k. It's easier to spot this type of thing if you read your messages as plain text instead of HTML. You can also use the mouse-over trick: hover over the link to reveal the whole link address and check where it leads before you click on it. The part that matters is the domain just before the first single slash: a link to paypal.com.secure-login.example belongs to secure-login.example, not to PayPal.
● Do not click on links or open attachments that you are not expecting or that look suspicious. Treat any prize winnings or last-minute discount announcements as suspicious.
● Did you really win? Don’t “click here to claim your prize.” Search for the company’s website, get their legitimate phone number, and contact them directly. If it turns out to be a phishing message, be kind enough to inform the company about the hoax. They may ask you to forward the message to their fraud department.
● There are many ways to spot fake websites. Always do a few checks before you enter any information. A padlock icon or "https" in the address bar only means the connection is encrypted; phishing sites get certificates too, so it says nothing about who runs the site. Check the domain name itself, and compare it with the address you reach by typing the company's name into a search engine or by using a bookmark you saved earlier.
● Beware of sites that ask for more information than necessary. They don’t need your social security number to deliver a parcel!
● Also, be wary of websites that have poor design or grammar.
● Use strong and unique passwords for your online accounts, and change them whenever you suspect one has leaked rather than on a fixed schedule. Don't reuse old passwords. It's better to use a password manager to store and generate secure passwords; it also won't autofill your login on a lookalike domain, which is a useful phishing alarm in itself. Turn on two-factor authentication wherever it's offered, so a stolen password alone isn't enough.
It’s No Fun to Be the Butt of Scammers’ Jokes
Use every tool you can to fight phishing: from antivirus and a VPN to good old human cussedness. Let’s just stop clicking on email links!
Be vigilant and cautious, and stay informed about the latest phishing trends and techniques.