Phishing is more popular than ever. The FBI has reported that phishing is “by far” the most common type of cyberattack, with over twice as many incidents as any other kind of computer crime.
Don’t know what I’m talking about? That’s part of the problem. Awareness is one of the best defenses against phishing, yet even as it continues to rise, many don’t know how to identify a phishing attempt, the different kinds of phishing, or what phishing even is.
In this article, we’ll talk about what phishing is, different types of phishing, how to identify phishing attempts, and how you can protect yourself online.
What is phishing?
Phishing is when someone sends fraudulent, deceitful, or fake messages attempting to appear trustworthy in order to gain access to certain information. These attempts can appear to be from people you know (such as work colleagues), companies you know or do business with (such as streaming services or social media platforms), financial institutions, or government agencies.
The information sought by a phishing attempt can be any sensitive data, including social security numbers, online logins, credit card numbers, bank account credentials, etc. Phishing that targets employees of a company may also try to access vital information about the company’s products, services, or finances.
In addition to trying to gain access to information, phishing attacks can also aim to install malware on the target’s devices in order to gain access to sensitive information.
What does phishing look like?
The most common form of phishing is via email. That said, there can be significant variation from one phishing email to another, depending on the goal of those behind the phishing attempt. Common email phishing attacks are fake messages purporting to come from banks and other financial institutions, streaming services, and social media platforms.
Phishing emails will often include a call to action (often clicking a link included in the email, or entering sensitive or confidential information) and a sense of urgency. Though some phishing emails can look legitimate, there are telltale signs that can help you differentiate between a phishing attempt and trustworthy communication (don’t worry, we’ll get there).
Because email phishing is extremely prevalent with so much variation, there are many different categories of email phishing.
Spear phishing is when an attacker targets a specific organization or person and tailors the phishing emails to an individual or group. This can be difficult to identify compared to more general phishing attacks, as there may be information that does seem personally relevant to the target.
Often, spear phishing is used to attack a company or organization and targets those who have access to valuable aspects of the business, such as higher-ups and those in financial positions. As much as 95% of all attacks on enterprise networks are the result of successful spear phishing.
Whaling is when an attacker targets a high-profile individual, such as a company CEO. These attempts are even more customized than spear phishing attempts, and are well-researched and timed to give the attacker the best chance of success. These emails often appear to be correspondence related to legal, financial, or business concerns. Whaling can be catastrophic when successful, as these individuals often have access to sensitive company information.
Whaling is not the same as CEO fraud, another type of phishing. When an attacker attempts CEO fraud, they will attempt to trick company employees by sending emails that appear to be from the CEO. Often, those with access to company finances will be the targets of CEO fraud, and will be asked to transfer funds.
Though email is the most common form of phishing, it is not the only way an attacker can reach out to you. Voice phishing, or vishing (yes, really), refers to phone calls from people who claim to be associated with an organization or institution to get money or sensitive information from you. Often, they will pose as people from your bank, credit card company, or from government institutions such as the IRS.
Another non-email form of phishing is SMS phishing, or smishing (again, really). Though the general tactic is the same – attempting to impersonate an organization or company you may be familiar with – SMS phishing refers to phishing attempts through text messages. These attempts will often come with a link you’re urged to click, or a contact you need to reach out to.
Consequences of Phishing
If you fall victim to a phishing attempt, the consequences can be severe.
For individuals, the fallout from a successful phishing attack can be:
- Online accounts being compromised, or losing access to online accounts,
- Fake posts and messages from your social media accounts, potentially putting those on your friends and followers lists at risk as well,
- Fraudulent credit card charges,
- Money stolen from your bank account,
- Fraudulent documents created in your name, such as tax returns, mortgages, or new credit cards,
- And identity theft.
If your company or business has been the target of a successful phishing attack, the fallout can be:
- Loss of access to key files and accounts,
- Disclosure of private company information,
- Disclosure of private customer information,
- Loss of corporate funds,
- Fines due to compliance violations,
- And significant damage to your company’s reputation.
How to Spot Phishing
As we’ve said, phishing can look different depending on the target, method, and intentions of the attacker. In 2022, phishing attempts are more sophisticated than ever and are becoming harder to spot all the time; however, there are telling details in nearly all phishing communications that can help you identify these attempts before you fall victim to them.
If you receive an email that could be suspicious, check the spelling and grammar. Often, phishing attempts will have misspellings or small mistakes. These typos are not only present in the body of the email or communication, but in the subject or even the URL if one is provided.
A typo is a small detail, and of course, many of us make the occasional mistake – I’m sure there’s a typo or two in this post – but generally, you can expect that official communication, particularly from government or financial institutions, will not have these mistakes. Small mistakes of any kind, not just grammatical errors, such as discrepancies in logos, can help you determine the legitimacy of correspondence, so be sure to stay aware of the little things.
Strange links or attachments
If an email has already come across as a bit suspicious to you and includes a link to a website you don’t recognize or a strange attachment, do not click. In general, it’s a good rule of thumb to not click links that you do not recognize, but this is particularly important when it comes to potential phishing correspondence.
As with checking an email for typos, check whether the URL is legitimate or is slightly different from the official URL the correspondence claims to be sending you to. Hover over the link to see the address it actually points to, since the visible text of a link and its real destination can differ, but do not ever click on any strange links.
If you receive correspondence from someone that you were not expecting, that is reason to be suspicious. Attackers often use fear or stress as a tool to manipulate people into falling for phishing attempts, which is why many pose as representatives from banks, government agencies, or legal teams. While receiving an email like this could be intimidating, don’t allow the worry or surprise to guide your actions, and be discerning about the validity of the correspondence, particularly if it was unexpected.
Not possible to verify
If you receive strange correspondence from an institution, company, or person that you recognize, reach out to them via a legitimate means to verify that they did send you the correspondence. If the correspondence is important, or legitimate, verification should be straightforward to obtain.
If you are not able to verify that the correspondence was legitimate, or if you are able to verify that it was not sent by who the sender claimed they were, it is likely a phishing attempt.
Urgency is a valuable tool for phishing. Particularly if the phishing email is disguised as something important, like financial or legal information, urgency can cause the target to panic and follow the email’s instructions without verifying its authenticity.
While urgency as a singular factor does not mean an email is phony, do not allow the urgency of correspondence to stop you from verifying the source.
How to Avoid Phishing
There isn’t much you can do to stop phishing attempts from coming your way. But there are steps you can take to ensure that you will not be the victim of a successful phishing attack.
- Be Informed
A lot of scammers who use phishing tactics rely on you not knowing what is or is not normal or expected when it comes to certain types of correspondence. The more you know about phishing attempts and what they can look like, the more likely you are to spot them.
But being informed doesn’t just mean being informed about phishing. If you do receive a concerning email or are not sure if certain correspondence is legitimate or not, familiarize yourself with how a particular company, institution, or individual will communicate with you so you can identify veritable correspondence as well.
- Verify the Source
If you’re not sure if a message is legitimate, verify it. Check which number, email, or person you would receive a message from if you were to receive genuine correspondence from this person or organization. Does that line up with the correspondence you received? Perhaps the email from your CEO looks legitimate, but when you check the email address, it is clearly not associated with them, thus confirming that the correspondence is fraudulent.
If you cannot verify the source from the correspondence itself, reach out to whoever the sender claims to be to determine if the correspondence is legitimate. Most companies and institutions have specific procedures for contacting you, so any deviation from these methods can also indicate a phishing attempt.
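The checks described under “Strange links or attachments” and “Verify the Source” can be written down as a small script, and doing so makes the logic precise: compare the sender’s address with the domain the organization really uses, check whether a reply would go somewhere else, and compare the visible text of each link with where it actually points. The following Python is an added example, not code from the original article. The sample message, the bank name and every domain in it are constructed placeholders (the digit 1 in “examp1e” stands in for the letter l), the homoglyph table is an assumption about common digit-for-letter swaps, and the registered-domain helper deliberately ignores multi-label public suffixes such as co.uk.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the bank, the addresses and every domain are
# placeholders. "examp1e" uses the digit 1 where the real name has the letter l.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: verify@mail-examp1e.net
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<p><a href="http://examp1e-bank.com/login">https://www.example-bank.com/login</a></p>
<p>Questions? <a href="https://www.example-bank.com/help">Help centre</a></p>
"""

# Assumed table of digits and symbols that are easy to mistake for letters.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})
# Visible link text that itself looks like a URL or a bare host name.
_URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")

def registered_domain(host: str) -> str:
    """Last two DNS labels, lower-cased (simplification: no public-suffix list, so co.uk-style suffixes are not handled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single edit is all it takes to turn a real domain into a typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, expected: str) -> bool:
    """True when domain differs from expected only by a homoglyph swap or a one-character typo."""
    if domain == expected:
        return False
    return domain.translate(_HOMOGLYPHS) == expected.translate(_HOMOGLYPHS) or edit_distance(domain, expected) <= 1

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def sender_checks(msg, expected_domain):
    """Compare From and Reply-To with the domain the organisation really uses."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    if from_dom != expected_domain:
        kind = "a look-alike of" if is_lookalike(from_dom, expected_domain) else "unrelated to"
        findings.append(f"From {addr!r} (shown as {name!r}) is {kind} the expected domain {expected_domain!r}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registered_domain(reply.rpartition("@")[2]) != from_dom:
        findings.append(f"Reply-To {reply!r} sends replies to a different domain than From")
    return findings

def link_checks(html, expected_domain):
    """Flag look-alike destinations and links whose visible text names a different site."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_dom = registered_domain(urlparse(href).hostname or "")
        if is_lookalike(href_dom, expected_domain):
            findings.append(f"link {href!r} uses a look-alike of {expected_domain!r}")
        shown = _URL_LIKE.match(text)
        if shown and registered_domain(shown.group(1)) != href_dom:
            findings.append(f"link text shows {text!r} but points to {href!r}")
    return findings

def analyze(raw_email: str, expected_domain: str) -> list:
    """Run every check against one raw message and return human-readable findings."""
    msg = message_from_string(raw_email)
    findings = sender_checks(msg, expected_domain)
    if msg.get_content_type() == "text/html":
        body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
        findings += link_checks(body, expected_domain)
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, "example-bank.com"):
        print("-", finding)
```

The `expected_domain` argument is the step the article asks you to do by hand: look up which address the organization genuinely writes from, and compare. Run against the sample, `analyze` reports four findings: a look-alike From domain, a Reply-To that routes replies elsewhere, a link whose destination is a look-alike, and a link whose visible text names the real site while the href does not. Each finding is an indicator to verify through a channel you trust, not proof by itself; legitimate mail sent through a third-party mailing service will trip the Reply-To check too, which is why the verification step still matters.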
- Search the Message
If you receive a message that seems to be suspicious, search for the contact or message in a search engine. There are many anti-phishing websites and organizations that try to reveal scammers by publishing messages, emails, phone numbers, etc. If you are the target of a prominent phishing attempt, searching for the message you received may come up with results verifying that the message is fraudulent.
- Stay Up-to-Date
One of the most sinister aspects of phishing is that it is constantly evolving, becoming more sophisticated and difficult to discern from legitimate correspondence. Even for those who are vigilant, newer phishing attempts may be very difficult to detect.
As such, one of the best ways to protect yourself from phishing is to stay up-to-date on news and emerging trends around phishing. Be aware of new tactics, and if any correspondence ever seems off, do a quick search to see if there is something to be suspicious of.
- Educate Yourself and Others
Particularly in a company setting, most phishing attempts succeed because people were not educated about what to be skeptical of. If your company has been the target of phishing attempts, do what you can to notify and educate your employees to reduce the likelihood of a successful phishing attempt. Conduct training, and if there is an active phishing attempt at your company, make your employees aware of it immediately. If you are an employee and are a target of a company phishing attempt, report it to your manager or HR team so they can alert the rest of the team.