Phishing: What It Is and How to Never Become a Victim
If you think you’ve not been targeted by phishing scams, let me change your mind!
An estimated 3.4 billion phishing emails are sent daily. There’s a really good chance you’re one of the recipients.
No, these are not the annoying spam emails in your junk folder – those are usually harmless and just promotional content.
On the other hand, phishing emails can be dangerous and may result in identity theft, stolen funds, or other severe security breaches.
Nobody wants that. But there are so many malicious schemes in the digital age. How do you protect yourself now more than ever?
One way to do that is to understand what phishing is and how to never become a victim.
So, can you spot a phishing email when you see it? Most people can’t, but I’ll teach you.
What is Phishing?
Phishing happens when a fraudster poses as a reputable organization like Google, Apple, or your bank to lure you into revealing personal information, such as a password or credit card number.
How do scammers contact you? It’s typically via email, text messages, or phone.
There are different types of phishing attacks. It’s a broad spectrum of scam strategies that, quite frankly, would bore you.
They include email phishing, spear phishing, whaling, angler phishing, smishing, and vishing campaigns.
The bottom line is that you’ll be asked to click a link, download an attachment, or share sensitive information.
Unfortunately, the variety of phishing scams makes it easy for anyone to become a victim without knowing.
That’s right, even you.
You don’t believe it? The numbers say otherwise.
More than 25 percent of American workers fall for these malicious emails. This means phishing not only puts the individual at risk but potentially the organization they work for.
It’s clear that many people won’t recognize the scam until it’s too late.
If you don’t want to be like them, there are a few ways to stay safe and never fall victim to phishing attacks.
What Are the Different Types of Phishing Attacks?
Phishing attacks come in many different forms. Each type involves tricking a person into providing sensitive information such as login credentials or credit card details. It is important to be aware of these types of attacks and to take measures to protect oneself against them.
1. Email Phishing
The most common type of phishing attack is known as email phishing. Email phishing normally involves a cybercriminal registering a fake web domain that mimics a genuine company or organization. Common types of phishing email include:
- Emails being sent from a public domain such as Gmail. For example, an email coming from netflix@gmail.com is not a legitimate email address.
- Emails that contain a strange or unexpected attachment. These attachments usually contain malware that can infect a computer or device when the attachment is opened.
- Emails that create a sense of urgency. These emails typically involve the sender asking the victim to act before it’s too late, using phrases such as ‘unexpected activity detected,’ ‘your password has expired,’ and ‘your billing details need updating.’
These phrases are used to get the victim to take action on the specific request contained in the email and usually involve an individual handing over sensitive information such as their credit card number or account login information.
Email phishing campaigns usually target thousands of individuals at a time and often come from email addresses that mimic big companies such as Amazon, Netflix, or PayPal.
2. Spear Phishing
Spear phishing is a type of phishing tactic that cybercriminals use to target specific individuals. These campaigns usually involve malicious emails being sent to a specific person, such as an employee of a specific company or an account holder of a particular service.
In the context of targeting an employee, cybercriminals will usually have access to the target’s name, place of employment, job title, email address, and even specific information about their professional role.
Having access to this level of personal information makes it easier for a scammer to appear legitimate. This makes it more likely for the person they’re targeting to respond and give them the information they need.
3. Whaling
Whaling is a type of phishing scam that cybercriminals use to target senior executives instead of employees. Instead of focusing on certain requests or low-level scamming tactics, whaling usually involves a scammer using sophisticated tactics to get access to the most valuable information possible.
Examples of this include attaching fake tax forms to gain an executive’s personal or business bank account details or sending spoof emails pretending to be a client or a vendor that the executive or the company they represent utilizes.
Whaling is similar to spear-phishing in the sense that whaling campaigns target individuals, but the main difference is that these individuals tend to be high-ranking.
If a scammer can get hold of a senior executive’s personal or financial information, they have the chance to scam significant amounts of money, particularly if they gain access to companies’ business accounts or financial assets.
4. Smishing and Vishing Campaigns
Smishing involves cybercriminals sending text messages to a target, while vishing refers to a cybercriminal using a phone call to get the information they need from the person they’re targeting.
Smishing text messages often contain similar content to phishing emails and will contain similar phrases such as ‘your password has expired and needs resetting,’ and ‘unexpected activity has been detected on your account.’ These text messages will then contain a link that a target will press to fulfill the request.
Vishing phone calls usually involve a scammer posing as an individual from a legitimate organization that the person targeted may use. For example, a scammer may pose as an employee of a financial institution to get the account or card details of the person they are targeting.
5. Business Email Compromise (BEC)
Business Email Compromise (BEC) is another form of phishing attack that specifically targets organizations. In a BEC scam, the attacker typically pretends to be a high-ranking executive within the company or a trusted business partner. They send deceptive emails to employees, often related to financial transactions or confidential information. These emails may instruct the recipient to transfer funds, change payment details, or provide sensitive data.
The scammer’s goal is to manipulate employees into taking actions that benefit the attacker financially. This can lead to significant financial losses for the targeted organization. BEC attacks rely on social engineering and can be highly convincing because they exploit trust and authority within the organization.
To defend against BEC attacks, it’s essential for organizations to implement security measures, employee training, and verification processes for financial transactions to confirm their legitimacy and authenticity.
How Can You Identify Phishing?
Did you know 97 percent of people can’t identify a sophisticated phishing email?
That’s because scammers have become more creative with their social engineering tricks. They also have access to cutting-edge software and tools that make their phishing scams look credible.
Here are some signs to watch out for in phishing emails:
1. There is a threat attached to the mail or an urgent call to action
One thing that will easily help in fishing out the phishing scammers is the threat they attach.
You would want to be fast if you were stealing something from the fridge, too, remember?
So, you’ll often see scammers using urgent tones or call-to-action in their emails to get you to act quickly.
They may claim your password has been compromised, and you must change it immediately. Or you’ve won money, sweepstakes, or prizes you never entered.
If you’re not looking for a miracle or magic, you typically won’t fall for these scams.
Scammers make their emails urgent to fool you into giving personal information without thinking or before telling someone.
2. The message contains poor grammar or spelling
Everyone makes mistakes, right?
Yes.
But in most cases, the senders making those mistakes are not legitimate organizations, whether the message is an email, a text, or any other correspondence.
These organizations will typically hire professional writers and proofreaders who ensure there are no grammatical errors.
Don’t assume it was just a simple mistake.
3. When there are suspicious links or attachments
Most phishing emails will contain a suspicious link or attachment.
For example, the attachment could be out of place, the link may be shortened, or the link may redirect to an entirely different site than the one it appears to point to.
4. You may notice generic or awkward introductions
Look, a bit of warm regards is fine, but you’ll agree with me that some greetings are just off-putting.
So, it’s something you should always look out for.
And no, your bank or Google didn’t just become so warm overnight; neither did they forget your name.
Legitimate companies often go straight to the point in emails. There could be a “Hi [your name]” or “Hello [your name],” at the beginning, but that’s usually all the greeting.
Scammers, on the other hand, may do something different.
Like what?
Strike a rapport with you to make you relaxed or not mention your name in the greeting. These instances are usually awkward or indicate it wasn’t a personalized email.
You’re probably just one of thousands of others receiving that email.
5. When the email domains don’t match the alleged organization
Just like the writing example I gave, an email domain that doesn’t match the organization is a huge red flag.
Here’s an example. Emails from Google and Apple will come from @google.com or @apple.com domain names.
But, of course, scammers can’t send from those domains. So, they try to get creative.
They may send phishing emails from public domain addresses like Gmail, Yahoo, AOL, etc.
Or, they may also switch letters for numbers, such as “go0gle,” “cha5e,” etc.
Let’s be honest; how many people will notice that?
Thankfully, you would know after reading this article. But that’s not even everything yet.
6. You may receive unrecognized invoices or bills
Bills can be annoying, right?
Now, imagine receiving invoices and bills you have no idea about.
Phishing emails may also include invoices or bills, especially from a company you don’t use.
7. Unknown, unusual, or first-time sender
Not to be rude, but if an unknown or first-time person sends you an email, it may be cause for alarm.
Although this may not always apply to all phishing emails, it’s worth noting.
Have you ever created an online account and didn’t receive at least a “welcome email”?
It’s not impossible, but you’ll agree it’s rare.
Virtually every legitimate organization welcomes you once you create an account.
Then, they’ll take it from there and start sending other informational content over the next months or years.
So, you’ll agree it’s a bit strange to receive a first-time message or email from a service you’ve been using for a while, right?
Even if you don’t get regular messages or emails from a legitimate organization, be wary of any first-time sender you don’t recognize.
8. Some emails may ask for your personal information
Ask yourself this: why is your bank asking for your information online?
The answer is they aren’t!
Scammers may send phishing emails asking for personal information like your Social Security Number, credit card number, two-factor authentication (2FA) codes, password, or Medicare number.
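Several of the signs above (urgent or threatening wording, a generic greeting, a request for sensitive information) can be checked mechanically. The script below is an added example written for this article, not code from the original post; the regular expressions are built from the phrases quoted above plus a few constructed ones, and the two sample messages are constructed. It is a triage heuristic, not a classifier: a high score means "read this one carefully," not "this is definitely phishing."

```python
"""Score an e-mail body against the wording-based phishing signs listed above.
Added example for this article; patterns and sample messages are constructed."""
import re

# Sign 1: urgency or threats. Phrases taken from the article plus a few common variants.
URGENCY = [
    r"\bimmediately\b",
    r"\bwithin \d+ hours?\b",
    r"\baccount will be (closed|suspended|locked)\b",
    r"\bunexpected activity\b",
    r"\bsuspicious activity\b",
    r"\bpassword has expired\b",
    r"\bbilling details need updating\b",
    r"\byou (have )?won\b",
]
# Sign 4: generic greeting instead of your name (MULTILINE so ^ matches the first line).
GENERIC_GREETING = [r"^\s*(dear|hello|hi)\s+(customer|user|member|valued customer|account holder)\b"]
# Sign 8: the message asks for data a real organization would not request by e-mail.
SENSITIVE_REQUEST = [
    r"\b(social security|ssn)\b",
    r"\bcredit card (number|details)\b",
    r"\b(2fa|verification|one-time) code\b",
    r"\bconfirm your password\b",
    r"\bmedicare number\b",
]

SIGNALS = {
    "urgent or threatening language": URGENCY,
    "generic greeting": GENERIC_GREETING,
    "asks for sensitive information": SENSITIVE_REQUEST,
}


def score_message(body: str) -> dict:
    """Return the total number of matched patterns and a per-signal breakdown."""
    text = body.lower()
    hits = {}
    for name, patterns in SIGNALS.items():
        matched = [p for p in patterns if re.search(p, text, re.MULTILINE)]
        if matched:
            hits[name] = len(matched)
    return {"score": sum(hits.values()), "signals": hits}


# Constructed sample messages (not real e-mails).
PHISHING_SAMPLE = """Dear Customer,

Unexpected activity detected on your account. Your password has expired.
Confirm your password and your credit card number immediately or your account will be closed."""

BENIGN_SAMPLE = """Hi Dana,

Thanks for your order. Your package will ship within 2 business days.
You can track it from your account page. No action is needed."""

if __name__ == "__main__":
    for label, body in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = score_message(body)
        print(f"{label}: score={result['score']} signals={result['signals']}")
```

Because every pattern is a plain substring or regex, a scammer who rewords the message slips past it; the point of the example is to show how the human checklist maps to something a mail filter can evaluate, and why those filters are only one layer.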
How Can I Prevent Phishing Scams and Attacks?
If you’re asking this question, you’re not the only one.
One thing you should keep in mind is phishing emails generally need you to do something before they can be successful.
For example, you may need to open a malicious link, download an attachment, or reveal sensitive information.
So, in a way, it all comes down to you.
Common sense actually helps a GREAT deal!
You’ll be able to avoid most phishing scams by using common sense and heeding the following best practices:
1. Don’t click stray links or download attachments
Avoid clicking on links or downloading attachments from suspicious or unknown sources.
Why is a brand in the 21st century exposing links in their email? THAT’S WHAT BUTTONS ARE FOR!
Here’s a tip that helps: always hover on links before clicking them – even for buttons, because you never really know.
This allows you to preview the link’s destination to ensure it matches the sender before you click on it.
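Hovering shows you the same thing a mail filter can check automatically: whether the visible link text, the real destination, and the sender’s domain agree. The script below is an added example written for this article, not code from the original post. The sample HTML message, the sender domain, and the shortener list are constructed, and the “registrable domain” helper is a deliberate approximation (last two labels) that ignores multi-part TLDs such as co.uk.

```python
"""Audit the links in an HTML e-mail body: does the visible text agree with the href,
and does the destination belong to the claimed sender? Added example; inputs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of URL shorteners; the article calls shortened links a red flag.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (rough approximation; ignores multi-part TLDs like co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_in_text(text: str) -> str:
    """If the anchor's visible text looks like a URL or bare domain, return that host, else ''."""
    candidate = text.strip().lower()
    if not candidate or " " in candidate:
        return ""
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        host = urlparse(candidate).hostname or ""
    except ValueError:
        return ""
    return host if "." in host else ""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element that has an href."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str, sender_domain: str) -> list:
    """Return one finding per link; an empty 'reasons' list means nothing looked off."""
    parser = LinkExtractor()
    parser.feed(html)
    expected = registrable_domain(sender_domain)
    findings = []
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        reasons = []
        if registrable_domain(target) in SHORTENERS:
            reasons.append("shortened URL hides the real destination")
        shown = host_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(target):
            reasons.append(f"visible text shows {shown} but the link goes to {target}")
        if registrable_domain(target) != expected:
            reasons.append(f"destination {target} does not belong to sender domain {sender_domain}")
        findings.append({"href": href, "text": text, "target": target, "reasons": reasons})
    return findings


def suspicious_links(html: str, sender_domain: str) -> list:
    """Only the findings that have at least one reason."""
    return [f for f in audit_links(html, sender_domain) if f["reasons"]]


# Constructed sample message claiming to come from paypal.com.
SAMPLE_HTML = """
<p>Dear Customer, your account has been limited.</p>
<p>Restore access at <a href="http://paypa1-secure.example.net/login">https://www.paypal.com/login</a>
or <a href="https://bit.ly/3xyzabc">update your billing details</a>.</p>
<p>Questions? Visit the <a href="https://www.paypal.com/help">Help Center</a>.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML, "paypal.com"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The first sample link is the classic hover trap: the text reads as a paypal.com URL while the href goes elsewhere. The second is a shortener, which hides the destination from both you and the filter, so it is flagged on that basis alone. The help-centre link agrees with the sender and produces no finding.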
2. Choose where you share your contact information carefully
Hey, not everyone needs to have access to your contact information!
Be cautious about giving out personal information like your phone number, name, address, and any other contact info. The less information scammers have on you, the fewer phishing attacks you’ll receive.
Don’t overshare; always aim for the most minimal amount of required information when signing up for a new service.
Do you think it’s just a harmless question? Maybe, it’s only the “talking stage.” You may be WRONG. A scammer could be using it to gather intelligence about you.
3. Make sure you improve your email security
Most phishing scams happen via email. Just like your phone comes with security features, email service providers also try to protect you from these phishing attacks.
There are many ways you can improve your email security. Let me show you some.
You can boost your email security by using spam filters, which identify emails from marketers or attackers that contain unwanted or dangerous content.
So, you’re not only staying safe from phishing emails but promotional ones, too.
Two birds with one stone, right?
But it doesn’t end there. You also want to make sure the email provider supports DMARC (Domain-based Message Authentication, Reporting & Conformance).
DMARC is an email authentication protocol that helps prevent phishing emails and spoofing.
Lastly, don’t forget to confirm if the email provider has a good reputation for security. What does their track record look like? Any previous cases of breaches? Answers to these questions will help you figure out the right platform.
4. Look out! Nobody needs to know your sensitive info
You should only share private information with people you know, whether it’s on the phone, by email, or text. Make sure you’re sure of the receiver’s identity.
If you’re not, why are you sharing private information with someone you don’t know?
5. Strong passwords and two-factor authentication
Ensure your passwords for all accounts are strong and unique, comprising 8-15 characters with lowercase and uppercase letters, numbers, and special characters.
If you’re like me, you probably can’t remember all your passwords.
So, use a password manager like LastPass.
Enable two-factor authentication because it helps secure your account even if you mistakenly fall victim to phishing scams.
Consider using authenticator apps like Google Authenticator or Microsoft Authenticator instead of SMS verification. This might help you avoid SIM swap scams.
6. Contact the legitimate organization directly
Most organizations have fraud prevention strategies, so it might be a good idea to reach out to them.
That way, you can hear directly from the horse’s mouth.
If you receive a suspicious call, text, or email claiming to be from a legitimate organization, contact them directly to verify the authenticity. If you don’t know where to find your organization’s contact information, their website could be a place to start.
Then, you may also check search engines and forums.
Something is sure to come up.
7. Ignore urgent or threatening messages and calls
As I mentioned above, thieves always want to do things fast.
They may even threaten you. Don’t worry; you’re tougher than that!
Scammers often use threatening messages to pressure you into giving out personal information or making a payment.
I’ve seen some examples of these in my emails, so they may help you:
- “We detected suspicious activity on your account. If you don’t change your password now, your account will be closed.”
- “You owe back taxes and will be arrested [or charged with fraud] if you don’t pay immediately.”
- “Your [sister, brother, father, mother] has been kidnapped. Pay us or we will hurt them.”
- “Your computer has been infected with a virus. Pay us to remove it or we will delete all your files.”
These are only a few messages a scammer might send to create urgency and fear, making you more likely to act quickly without critical thinking.
Legitimate organizations will never threaten you to give out personal information or pressure you into making a payment.
Children and seniors may be more susceptible to falling for the urgency. So, ensure you educate them to ignore these threatening messages.
8. Monitor bank statements and credit reports regularly
If you don’t like checking your financial reports, then you’re easy prey for scammers!
Why?
Fraudsters target people who don’t check their credit reports or bank statements regularly because they’re unlikely to spot any irregularities.
Ensure you always review your bank statements and request a free credit report annually from each credit bureau: Equifax, Experian, and TransUnion.
Let me give you a pro tip I use:
It’s a good idea to request your free credit report at different times during the year (around every three months) rather than all at once. You can request a credit report on AnnualCreditReport.com.
9. Install anti-virus software and enable a firewall
Anti-virus software and firewalls can help protect your computer and other devices from viruses, trojans, worms, and other security threats.
This can be helpful if you accidentally click a phishing link or download an infected attachment.
You never know; a slip of the hand or plain curiosity can lead to a click. A strong anti-virus program will back you up, don’t worry!
Some reliable anti-virus software to consider are Norton, McAfee, Avast, and Bitdefender.
10. Visit websites directly
If an email says, “You need to change your password on this platform,” why not check it out yourself?
Rather than clicking links in emails, visit the website directly by typing the URL into your browser. You’ll still be able to do anything the email claims you need to do, but more safely.
11. Consider phone spam filters
Phone spam filters can help block unwanted calls and messages. They work similarly to email spam filters, but for calls and texts.
12. Update your apps and software regularly
There are many new cyberattacks every day. Just as you’re reading this to protect yourself, the companies that make your software need to do something, too!
Companies regularly release security updates to fix vulnerabilities in previous versions of the app or operating system. This is called a security patch.
Sometimes, the new update will protect you automatically. So, you really don’t need to do anything. Easy, isn’t it?
Always update your apps and software to ensure they have the latest security patches and features.
13. Don’t reply to unsolicited emails, text messages, or phone calls
Basically, what this means is if you didn’t ask for it, ignore it.
If you receive unsolicited emails, messages, or calls, don’t reply or provide any personal information. Delete them immediately and report the sender if there’s an option to do that.
14. Update your social media privacy settings
Fraudsters often crawl social media profiles to gather as much information as possible on a target. Your social media posts, liked pictures, location, tweets, etc., may reveal personal information that an identity thief or scammer can use against you.
Reviewing and updating your social media privacy settings is vital to ensure your posts are only visible to people you trust.
You may want to read our helpful guide on the Dangers of Posting Your Pictures and Information Online. We covered some vital information on what to do online.
15. Ignore suspicious pop-ups
It’s pretty much almost impossible to navigate the web without coming across pop-ups or ads.
While blogs use them to generate revenue, scammers also use them to “generate revenue,” but in a bad way.
These notifications may claim your device has been infected with malware, and you need to contact tech support to resolve the issue.
It’s a lie.
This could be a part of a phishing scam. Ignore these notifications and close your browser.
Pop-ups like this may indicate you’ve been hacked. If you suspect you might have been hacked, don’t worry, we’ve got you covered.
Check out this guide that tells you what to do immediately: Have I Been Hacked? What Can I Do To Recover?
16. Check if the Website is Legitimate
Does the website look real? You need to confirm that!
Phishing scams will often involve links to fake websites designed to look like legitimate ones, such as your bank’s login page.
Don’t be mistaken; these websites do look real.
They may contain subtle variations or misspellings that can be hard to detect at first glance.
However, if you submit your login credentials, scammers may be able to see them in plaintext.
Before submitting data to a website, always double-check the URL. Check that you’re on the official website, not a spoof.
For example, “Netf1ix.com” instead of “Netflix.com,” “Walmrat.com” instead of “Walmart.com,” or “Amaz0n.com” instead of “Amazon.com.”
Some of these examples look so real, right? That’s why it’s so easy to fall!
You should also verify the website’s security. Secure websites have HTTPS (Hypertext Transfer Protocol Secure) rather than just HTTP (Hypertext Transfer Protocol). HTTPS provides a secure connection for online transactions, such as shopping and banking.
The padlock symbol also indicates a website is secure. Click on it and verify that the SSL/TLS certificate is issued by a legitimate organization.
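The lookalike tricks described here (digit-for-letter swaps like go0gle and cha5e, transposed letters like Walmrat, and public mailbox domains standing in for a company domain, from the email-domain sign earlier in the article) can all be caught by comparing the hostname against the short list of brands you actually deal with. The script below is an added example written for this article, not code from the original post; the brand list, freemail list and test inputs are constructed. It checks only the hostname on purpose: the padlock tells you the connection is encrypted, which a lookalike site can also arrange, so the domain name is the thing worth verifying.

```python
"""Classify a sender address or URL against the brands you actually deal with.
Added example for this article; brand and freemail lists are constructed."""
from urllib.parse import urlparse

KNOWN_BRANDS = {"google.com", "apple.com", "chase.com", "netflix.com", "walmart.com", "amazon.com"}
FREEMAIL = {"gmail.com", "yahoo.com", "aol.com", "outlook.com", "hotmail.com"}
# Digit-for-letter swaps the article mentions (go0gle, cha5e, Netf1ix, Amaz0n) plus a few common ones.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s", "|": "l"})


def hostname(value: str) -> str:
    """Accept an e-mail address, a URL or a bare domain; return the lowercase host."""
    value = value.strip().lower()
    if "://" in value:
        return (urlparse(value).hostname or "").strip(".")
    if "@" in value:
        value = value.rsplit("@", 1)[1]
    return value.split("/")[0].strip(".")


def registrable(host: str) -> str:
    """Last two labels (ignores multi-part TLDs such as co.uk; fine for this illustration)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions (walmrat vs walmart = 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(value: str) -> dict:
    """Explain why a host is (or is not) the brand it appears to be."""
    host = hostname(value)
    reg = registrable(host)
    if reg in KNOWN_BRANDS:
        return {"host": host, "verdict": "known brand domain", "brand": reg}
    if reg in FREEMAIL:
        return {"host": host, "verdict": "public mailbox provider, not a company domain", "brand": None}
    # Brand name buried in a subdomain of some other registrable domain.
    labels = host.split(".")
    for brand in sorted(KNOWN_BRANDS):
        if brand.split(".")[0] in labels[:-2]:
            return {"host": host, "verdict": f"{brand} used as a subdomain of {reg}", "brand": brand}
    # Undo digit swaps, then look for a brand within a small edit distance.
    name = reg.translate(HOMOGLYPHS).split(".")[0]
    best, best_dist = None, len(name) + 1
    for brand in sorted(KNOWN_BRANDS):
        dist = osa_distance(name, brand.split(".")[0])
        if dist < best_dist:
            best, best_dist = brand, dist
    if best_dist == 0 or (best_dist <= 2 and len(name) >= 5):
        return {"host": host, "verdict": f"lookalike of {best}", "brand": best}
    return {"host": host, "verdict": "unrelated domain", "brand": None}


if __name__ == "__main__":
    # Constructed inputs drawn from the examples in the article.
    for sample in ("support@apple.com", "netflix@gmail.com", "go0gle.com", "cha5e.com",
                   "Netf1ix.com", "Walmrat.com", "https://Amaz0n.com/login",
                   "www.apple.com.login-verify.example", "example.org"):
        print(f"{sample:40} {classify(sample)['verdict']}")
```

The length guard (`len(name) >= 5`) keeps very short names from matching a brand by accident; in practice you would also consult a public-suffix list instead of the two-label approximation, and keep the brand list to the handful of organizations you really expect to hear from, since a long list raises false matches.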
17. Avoid using public Wi-Fi networks whenever possible
Free Wi-Fi feels really good to use, but are you prepared for the consequences?
I doubt it.
Public Wi-Fi networks in your local coffee shop, restaurants, or airports are often unsecured and can be easily compromised by hackers.
If you must use a public Wi-Fi network, ensure you connect to a Virtual Private Network (VPN) and use reliable anti-virus software.
So, does this mean you shouldn’t use public Wi-Fi anymore?
Not really, but if you must, read the risks of public Wi-Fi and how to use it safely.
18. A Digital Protection Tool Can Help
Some digital tools are made just for phishing scams or other types of security attacks.
Many digital security protection tools offer 24/7 monitoring. They can help you stay safe from phishing attacks and other security risks.
This is especially important if you’re like many of us who have busy lifestyles and can’t actively monitor our personal information.
Some examples are Norton 360, Bitdefender Total Security, Aura, and Trend Micro Maximum Security.
These tools provide a complete security suite for protection against viruses, malware, and spyware.
The kids aren’t left out, either!
They may also contain parental control features for your kids, VPN, identity theft protection, and a firewall.
19. Is your personal information on the dark web? You may want to check that out
Many of us don’t know our details have been leaked on the dark web.
Use a dark web monitoring tool to check if your personal information, such as passwords, email addresses, Social Security Numbers, etc., has been compromised and is being sold on the dark web.
The dark web or darknet is a part of the Internet that is not visible to search engines. It can be used for illegal activities like selling people’s personal information.
Do you want to know more about the dark web? Read these:
20. Educate yourself and stay informed
Scammers are always evolving and learning new ways to scam people through phishing links.
This is why companies release security patches to tackle emerging threats.
You should also continue to stay up to date on the latest phishing scams and techniques. Read our security blogs and learn how to prevent identity theft and other scams to avoid falling victim.
How Can My Business Prevent Phishing Attacks?
If you have a business, then heads up, scammers may be coming for your brand!
According to Cisco’s 2022 Cybersecurity Threat Trends report, 86 percent of organizations experienced phishing attacks.
One employee’s negligence can harm an organization. Sadly, data breaches can be expensive, either in terms of financial or reputational damages.
The numbers don’t look good, so you need to do something. And FAST.
If you own or manage a business, here’s how to ensure the company never falls victim to phishing attacks:
1. Train your employees
You’ve just learned about phishing attacks and how to protect yourself. What’s stopping you from teaching your employees as well?
Educate your employees about phishing attacks, the consequences, how to identify them, and what to do if they receive a suspicious email.
2. Have an organization-wide password policy
Ensure your staff creates secure and unique passwords using lower and upper-case letters, numbers, and special symbols.
The National Institute of Standards and Technology (NIST) recommends that passwords should be a minimum of 8 characters and 64 characters when protecting particularly sensitive data.
Remember, the longer the password, the more difficult it is to crack.
Plus, you have a password manager that will remember it for you, anyway. So, why not make it as long as possible?
3. Use a Virtual Private Network (VPN)
A VPN protects employees’ internet connections and ensures they use secure networks to access sensitive information.
It’s important to subscribe to the premium version of your chosen VPN as they are more reliable and offer better security features.
4. Implement a sender policy framework
What is the Sender Policy Framework (SPF)? SPF is an email authentication standard designed to help prevent spoofed phishing emails.
It allows a domain owner to define which mail servers are authorized to send email messages on behalf of their domain. This helps you verify the sender’s identity and protect your business from email spoofing and phishing.
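SPF and the DMARC protocol mentioned in the email-security tip earlier both live in DNS TXT records, and a receiving mail server evaluates them before your inbox ever sees the message. The script below is an added example written for this article, not code from the original post or from any mail software. It evaluates a sender IP against an SPF record and reads the DMARC policy, using constructed records in a dictionary in place of live DNS lookups (`example.com`, `mail.example.net` and the IP ranges are documentation addresses, not real infrastructure). It handles the `ip4`, `ip6`, `include` and `all` mechanisms; `a`, `mx`, `ptr` and `exists` need live DNS and are treated as no-match, and DKIM is left out.

```python
"""Evaluate an SPF record for a sending IP and read the domain's DMARC policy, offline.
Added example for this article; the DNS records below are constructed stand-ins."""
import ipaddress

# Constructed TXT records. Real code would query <domain> TXT and _dmarc.<domain> TXT.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name: str):
    """Stand-in for a DNS TXT lookup."""
    return RECORDS.get(name.lower())


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip under domain's SPF record."""
    if depth > 10:  # RFC 7208 limits DNS-querying terms; also stops include loops here
        return "permerror"
    record = lookup_txt(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech in ("ip4", "ip6"):
            try:
                # An IPv4 address is never inside an IPv6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        # a / mx / ptr / exists and the redirect= modifier need live DNS: skipped in this example.
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_dmarc(domain: str):
    """Return the DMARC tags for a domain as a dict, or None if no valid record exists."""
    record = lookup_txt(f"_dmarc.{domain}")
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def receiver_disposition(domain: str, sender_ip: str) -> dict:
    """What a receiving server would do with a message whose From: domain is `domain`
    (simplified: SPF only, no DKIM; SPF is checked on the From: domain itself, so it is aligned)."""
    spf = check_spf(domain, sender_ip)
    dmarc = parse_dmarc(domain)
    if spf == "pass":
        action = "accept"
    else:
        action = (dmarc or {}).get("p", "none")  # reject, quarantine or none
    return {"spf": spf, "dmarc_policy": (dmarc or {}).get("p"), "action": action}


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "2001:db8:1::1", "203.0.113.5"):
        print(ip, receiver_disposition("example.com", ip))
```

The last sample IP is the spoofing case the article warns about: the address is in none of the authorized ranges, so `-all` yields `fail`, and because the domain publishes `p=reject` the forged message is rejected rather than delivered. With `p=none` (or no DMARC record at all) the same failing message would still reach the inbox, which is why the article tells you to check that your provider actually enforces DMARC.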
There’s more.
5. Use anti-virus software
Install and use strong anti-virus software that can detect and block phishing emails and other malware.
6. Use encryption
Ensure that sensitive data in transit and at rest is encrypted to prevent unauthorized interception or access.
7. Implement identity and access management policies
Not all employees should be able to access all of the sensitive data the organization handles.
This is where identity and access management comes in.
Identity and access management (IAM) policies ensure that only authorized people can access the data or information needed to perform their jobs. Employees should not access any information that doesn’t affect their ability to function effectively.
8. Regular security audits
Conduct periodic security audits to review your cybersecurity policies, procedures, infrastructure, and general security posture. This allows you to keep security measures up-to-date and effective.
9. Update software regularly
Keep all software updated, including browsers, apps, operating systems, and plugins, to protect against known and emerging security threats.
10. Use email filters
Ensure all employees have email filters to block malicious emails from reaching their inboxes. This significantly reduces the risk of them becoming victims of phishing attacks.
Conclusion
As you’ve seen, phishing scams aren’t only a threat to you but even to your business. And, who knows? It could spread to your loved ones as well!
These attacks lure unsuspecting victims into providing sensitive information or downloading malware.
Since phishing threats typically request action from the victim, it’s important to be careful and proactive.
Avoid suspicious links, protect your devices with anti-virus software, use email filters, use strong passwords, enable two-factor authentication, and never share personal information with people you don’t trust.
Ultimately, trusting your instincts and not dismissing suspicious signals will help you stay safe.