Phishing is an invasive and malicious cyber attack in which cybercriminals attempt to deceive unsuspecting victims into divulging sensitive information. This data can include personally identifiable information (PII), financial details, login credentials, or sensitive information from companies and other entities to which the recipient is tied. The basic outline for a phishing attack is that a malicious actor will send some form of communication that appears to be coming from a legitimate source that is actually directing the recipient of the message to a false landing page or resulting in the individual’s device being infected with malware. This scam has evolved alongside technology and phishers now utilize a variety of communication methods to try and dupe users into falling for their schemes. Five of the most prevalent forms of phishing attacks include:
Traditional (Email) Phishing – The original form of phishing in the age of the Internet is the email scam. These deceptive emails impersonate legitimate companies and agencies with the goal of duping recipients into taking the actions outlined above. Phishing emails are common, with an estimated 3.4 billion phishing emails being sent on a daily basis world-wide.
Spear Phishing – This form of phishing goes a step further from the traditional phishing attack which is often random and sent out to large numbers of recipients with the goal of tricking a high number of folks. Spear phishing is a targeted form of the cyber attack which is customized for specific people. These phishing attempts often include personal details or information that would supposedly be confidential. These attacks often follow other cybercrimes in which the sender stole information which assisted them in the targeted message creation.
Smishing – Smishing, otherwise known as SMS phishing, is very similar to email scams however, these are carried out via text message. These will include links and often try to trick users into clicking on them by appearing to be innocuous messages that very well might be true. I received one yesterday that said “The package has arrived at the warehouse and cannot be delivered due to incomplete address information. Please confirm your address in the link.” followed by a long link. The supposed USPS Postal team even “wishes you a wonderful day” at the end of the text. The USPS is aware of this particular scam and advises that you login to your USPS account by searching for it yourself in a browser if you are unsure if a text update is legitimate or not.
Social Media Phishing – Malicious actors will create fake profiles or share false links on social media sites to attempt to dupe other users of the site into clicking on them and divulging key information or resulting in malware infecting their computer.
Pharming – Pharming redirects users from a legitimate site to a malicious one. This advanced form of phishing manipulates Domain Name System (DNS) vulnerabilities to reroute people to fake sites. To avoid this attack, be sure to check for HTTPS at the beginning of the URL you are visiting. If the display of the website you are visiting appears to change drastically when you click on something, be sure to double check that this secure (https) connection remains.
----
Common themes exist across all types of phishing scams; be sure to look out for these key characteristics of phishing attacks in order to identify and avoid attackers’ malicious schemes.
Urgent or Threatening Language – One of the prime indicators of a phishing scam is the sense of urgency from the sender. If a message requests immediate action and was not prompted by something you did (for example, a password reset request email after you tried to login to your own account), then it is likely a phish. The cybercriminals have gone a step further to threaten recipients of their emails where consequences are supposedly imminent if the requested action is not taken swiftly. Scammers try to use the rush of anxiety that this urgency creates in some people to get them to take action without thinking about what is going on. If you receive an email with an urgent and/or threatening tone, be sure to look a little closer for some of the other key identifiers of phishing emails below and you will likely find that it is a malicious and fictitious email.
Requests for Details – Phishing messages of all kinds often ask for details that are not typically necessary from legitimate entities. For example, an online store that you might purchase a gift for a loved one from does not need the login credentials for your bank in order to process payment. For cybercriminals, data is the name of the game and a huge driver of why they are trying to scam individuals; if a communication from you seems to be asking for too much or unrelated information, cease your interaction and try to find a legitimate source to find whatever it is you are looking to buy or do online.
Suspicious Sender – Phishers will try to trick recipients of their scams by representing themselves as a familiar or seemingly legitimate entity to lower the recipient’s guard and make them feel comfortable clicking on the links included in the communication. These senders will often have an email address or phone number that is close to the real company’s contact information so that a user who is not taking the time to check might even believe it is coming from the real site the phisher is posing as. Be sure to stop and check the full email address that an odd email is coming from in order to verify that it is coming from a real source. If it is a traditional phishing scam you are encountering, it can also be useful to close out of the message you are unsure of and search for other messages from this supposed sender in your inbox. Check the sender for old emails and for these new messages and see if any differences are present.
Grammatical and Other Key Errors – Not all phishing scams will include poor grammar, however, many cybercriminals will give themselves away with major grammatical errors. This includes incorrect spelling, poorly constructed sentences, tones that are not consistent with the supposed sender’s typical communications, strange punctuation, odd formatting, and excessive use of capitalization. Another key structural error of these messages is poorly created brands, logos, or pictures that the legitimate company would not have included in their communications to customers.
Image by rawpixel.com for Freepik.