Salmon. Tuna. Halibut. Cod.
Although that may have been what you thought of when you clicked on this article, no, I’m not talking about that type of fishing.
Even though they’re pronounced the same, they’re very different. While you catch one on a boat, the other pertains to cyber security and keeping your data out of the wrong hands. Before you fall victim to this common cyberattack, let’s explore what phishing is, how it works, and the ways you can protect yourself from becoming its prey.
Interested in learning something specific about this popular scam? Jump ahead to:
- How phishing works
- Types of phishing attempts
- How to spot a phishing attempt
- Phishing attacks in the media
What is phishing?
First things first, let’s explain what phishing actually is.
Phishing is a method of obtaining user information through fraudulent communications aimed directly at people. It is usually done through emails disguised as coming from a legitimate source, which instead deliver the target’s information back to the attacker.
Essentially, the goal of an attacker running a phishing scam is to trick you, usually with email as the weapon, into handing over the information they want.
How phishing works
Typically, phishing attacks rely on social engineering delivered over email or other communication channels, like text messages or instant messaging platforms. Phishers may also research the victim beforehand to find out where they work, their job title, hobbies, interests, activities, and so on.
This information is then used to compose a believable message. These malicious emails typically contain a link or an attachment for the recipient to click on or open. The content is often poorly written, with improper grammar.
It goes like this: You’re sent a message that appears to be from a person you know or an organization you recognize. The attack is then carried out through a malicious attachment or link. You’ll either be prompted to install malware on your device or be directed to a fake website that tricks you into entering personal information, such as passwords or credit card details.
Or, you’ll receive an email from the CEO of your company, with the email address just slightly misspelled. The message reads, “Give me your personal number, I need you to complete a task for me.” Since this is the CEO of your company (or so you think), you respond with your phone number, only to be sent a text asking you to complete a task that doesn’t make sense, like ordering a bunch of Amazon gift cards. I’m not speaking from experience or anything.
Did you know? 76% of businesses reported being a victim of a phishing attack in the last year.
Types of phishing attempts
Just like there are many fish in the sea, there are multiple types of phishing attempts that you could fall victim to.
- Spear phishing: The email is customized to include the target’s name, company, phone number, position at work, and other details, to trick the person into believing they have a real-world connection to the sender.
- Whaling attack: Whaling is similar to spear phishing, except on a much larger scale. These emails usually have a subject line pertaining to a “critical” business matter and are sent to someone high up in the food chain within a specific business or organization. The objective of whaling attacks is to infect a computer with malware and obtain executives’ business email credentials so the attackers can make fraudulent wire transfers.
- CEO fraud: When a whaling attack is successful, CEO fraud occurs. This is when attackers impersonate and abuse the CEO’s email account to approve wire transfers to a financial institution of their choice.
- Pharming: This method stems from domain name system (DNS) cache poisoning. The internet uses DNS servers to convert website names to numeric IP addresses. The attacker targets a DNS server and changes the IP address a name resolves to, allowing them to redirect users to a malicious website even when the user types in the correct URL.
- Voice phishing: Also known as vishing, this is a form of phishing that takes place over voice communication media. Using speech synthesis software, an attacker leaves a voicemail notifying the victim of suspicious activity on their bank or credit account and urging the victim to call back to verify their identity.
How to spot a phishing attempt
It can be harder than you think to recognize a phishing email, since it typically appears to come from a well-known company or someone you (think you) know, especially when it carries the correct company logo and looks legitimate. The links included are also constructed to look as genuine as possible, with only one or two characters off. These are the warning signs you should keep an eye out for so you don’t fall victim to a phishing attack.
- The link includes a suspicious subdomain or a misspelled URL
- It’s sent from a Gmail account instead of a corporate or business email address
- The message conveys a sense of urgency or fear
- The message asks that you verify personal information, such as a password
- It’s written poorly, with spelling and grammar errors
- The message isn’t addressed to you personally and instead reads “Dear Customer”
- The content is too good to be true, such as claiming you’ve won an iPhone or a lavish prize
- The message contains threats, implying dire consequences if you do not follow through
In addition to knowing which red flags to watch out for, you can go one step further by using email anti-spam software to scan messages, content, and attachments for potential threats.
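The warning signs above can be turned into a simple automated check. The following is an added example written for this article, not code from the original page or from any anti-spam product: it parses a raw email, then flags a free-mail sender domain, a generic greeting, urgency wording, password requests, links to domains outside an assumed trusted list, and links whose visible text shows a different host than the real target. The trusted-domain list, the free-mail list, and both sample messages are constructed for the example.

```python
"""Heuristic phishing-indicator check for a raw email (added example)."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample that trips several of the red flags listed in the article.
SAMPLE_RAW = """\
From: "Acme Support" <acme.support@gmail.com>
To: user@example.org
Subject: URGENT: verify your account now
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We detected unusual activity. Your account will be suspended immediately
unless you verify your password within 24 hours.</p>
<p><a href="http://acme-example.com.login-verify.example/reset">https://www.acme-example.com/reset</a></p>
</body></html>
"""

# Constructed benign sample for contrast: personal greeting, corporate sender, trusted link.
BENIGN_RAW = """\
From: "Acme Support" <support@acme-example.com>
To: user@example.org
Subject: Your monthly statement
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Jane,</p>
<p>Your statement for March is ready at
<a href="https://www.acme-example.com/statements">our portal</a>.</p>
</body></html>
"""

# Assumptions for this example: the domains the organisation really uses,
# common free-mail providers, and a small vocabulary of pressure words.
TRUSTED_DOMAINS = {"acme-example.com"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude last-two-labels heuristic (no public-suffix list; an assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw: str) -> list[str]:
    """Return a list of human-readable red flags found in the raw message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    sender = msg["From"]
    sender_domain = sender.addresses[0].domain.lower() if sender and sender.addresses else ""
    if sender_domain in FREEMAIL_DOMAINS:
        flags.append(f"sender uses free-mail domain: {sender_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = (str(msg["Subject"] or "") + "\n" + text).lower()

    if any(g in lowered for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if len(hits) >= 2:
        flags.append("urgency language: " + ", ".join(hits))
    if "password" in lowered:
        flags.append("asks about a password")

    parser = _LinkExtractor()
    parser.feed(text)
    for href, shown in parser.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) not in TRUSTED_DOMAINS:
            flags.append(f"link to untrusted domain: {host}")
        if shown.startswith("http"):
            shown_host = urlparse(shown).hostname or ""
            if shown_host and shown_host != host:
                flags.append(f"link text shows {shown_host} but points to {host}")
    return flags


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_RAW), ("benign", BENIGN_RAW)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

Each flag is a hint rather than proof, which is why the function returns the whole list instead of a verdict: a mail filter or analyst would weight them, and a single hit (a colleague writing from a personal Gmail account, say) should not block a message on its own.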
TIP: Check out our roundup of the highest rated email anti-spam software on the market.
Phishing attacks in the media
While phishing happens to everyday people all the time, some attacks have made serious waves in the mainstream media.
For example, in 2016, one of the most consequential phishing attacks happened when hackers managed to get John Podesta, chair of Hillary Clinton’s presidential campaign, to give up his Gmail password. The email sent to Podesta had a subject line that read, “Someone has your password,” and informed him that Google had stopped a sign-in attempt on his account in Ukraine. It urged him to change his password immediately and provided a fraudulent link to do so. He clicked it, handing over his password and login information.
There was also the “Fappening” incident of 2014 when a number of intimate photographs of celebrities were leaked to the general public. Rumors originally pointed to Apple’s cloud security being at fault, but it turned out to be the workings of various successful phishing attempts.
Hacker Ryan Collins pleaded guilty to the incident, admitting he sent the victims emails that appeared to come from Google or Apple, warning that their accounts were compromised and asking for login details. Victims would then enter their password information, allowing Collins to download their emails and gain further access to their iCloud accounts. When all was said and done, Collins had accessed 120 different Gmail and iCloud accounts, including that of actress Jennifer Lawrence.
No one wants to be the bait
Especially when it comes to a phishing attack. It can happen to anyone, so make sure you’re extra cautious before opening a mysterious email and clicking on a link. With the amount of personal information that can be accessed online, it’s more important than ever that you take the extra step to ensure you don’t become the bait of a phishing attack.