Phishing is a form of social engineering that tricks users into sharing their personal information or logins in order to scam them.
Have you ever received an unexpected email that looks to be from your bank asking to verify some personal information, but it looked just a tiny bit off? The email probably asked you to click a link that would send you to a page to “verify” your personal information for that purported bank. We are here to explain once and for all what is phishing and how to prevent it.
You would have been wise to double-check the URL on the sender’s email address to ensure it matches the bank’s exactly. If you went as far as clicking that link, hopefully, you checked the URL at the top of your browser as well.
An attempt like this to trick you into entering personal information such as Social Security numbers, credit card numbers, bank login information and more is known as a phishing attempt.
The designers behind these attacks have gotten so good that it’s often tough to differentiate between the real version of the websites and the fake ones. They are nearly identical in most cases, except for the URLs.
It may seem like a relatively simple “hack” that doesn’t involve breaking into a computer or tapping an internet line like packet sniffing. But, phishing is the number one cause of data breaches.
What is phishing?
In the “early days” of the internet, the most known phishing attempts came in the form of an email for a “Nigerian prince.”
This scam is so widespread it’s become known as the Nigerian Prince email. In this case study, a sender alleges to be a Nigerian prince who needs the receiver to pay a small fee to unlock a large sum of money. The sender may also ask for bank account information to deposit the large sum, thus “phishing” it out of the victim.
In general terms, phishing attempts to steal sensitive information by pretending to be a reputable source or company with a request. Usually, it’s for personal information to verify or confirm an account.
The thieves then use that account information in malicious ways, such as opening new credit cards, draining a bank account, making online purchases and more.
Phishing is a form of social engineering. This means it’s a way of manipulating people to do something or give up confidential information.
The cybercriminals behind these attacks typically pretend to be social media sites, online payment processors, IT administrators and auction sites such as eBay.
It’s not just personal information that these scams are looking for.
Another form of phishing attack includes putting links in these emails to websites infected with malware or links that lead to malware downloads.
It’s a sad fact that hackers plan phishing attacks around holidays and natural disasters.
Hackers took full advantage of the COVID-19 pandemic, knowing how many people were working from home and from less secure computer systems, especially at the beginning of the pandemic.
At one point early on in the pandemic, Google registered a 350% spike in phishing websites.
The costs and growing threat of phishing
Phishing attacks are becoming more complex as we get into 2021. These attacks are no longer just an email issue. They are expanding into SMS, social media networks, messaging platforms and even gaming services.
Hackers realize that mobile users are more vulnerable because of the size of the screens they are using. It’s a lot easier to spot fraudulent websites on laptops or desktops and it’s especially easier to check URLs.
iPhone users are 18x more likely to be victims of a phishing scam than to download malware, according to slashnext.com.
It’s not just individuals that hackers are targeting in these phishing attacks. Often the individual and first phishing attempt are just the tip of the iceberg for a cybercriminal.
They are targeting individuals to gain access to company systems and databases via logins.
22% of all data breaches in 2020 involved phishing, according to a Verizon Data Breach Investigations Report.
Data breaches are a massive problem. The average cost of a data breach globally is $3.92 million, according to IBM. In the U.S., the average cost of a data breach is $8.19 million.
HOW TO PREVENT PHISHING ATTACKS
The best form of defense against phishing attacks is being aware of the different types and staying alert.
Here are some tell-tale indications of phishing attempts:
Hyperlinks/URLs: Always check the URL before clicking a suspicious link. You should hover your cursor or links in the body of the email and check to see if they match what is written in the email. The links may be fakes. Check the spelling of the URLs and the ending domains. Often, phishing attempts will use .net to disguise the URL.
Sender’s email address: Check the email address of the sender. This is a great area to spot the fraud. Ensure the sending address is coming from the real website or business and matches the URL exactly.
Email greeting and signature: Keep an eye out for generic greetings in emails and signatures. “Sir/Ma’am” intros are strange and suspect. Check for contact information in the signature block. If there is nothing there, it’s highly unlikely it’s coming from a trusted organization.
Layout/Design: Check for any misspellings, bad grammar and bad formatting as indicators of a phishing attempt. Spotty design is also an indicator of a phishing attempt.
Follow these tips to further avoid phishing scams:
- Use 2FA. What is two-factor authentication? Two-factor authentication is a secondary layer of protection behind your password. It’s a double-check, which comes in a number of forms such as an authenticator app or an email or text to your personal accounts to prove it’s you who is trying to log in. Even if you get tricked into giving up your password via phishing, hackers won’t be able to gain full access because they won’t be able to get past your 2FA.
- Set updates to automatic. Make sure all of your applications are automatically downloading securing updates. This applies to your computer operating software as well. Software companies are constantly adding security protection against the latest malware and security flaws.
- Mark emails as phishing. It’s important to report suspicious emails to your email provider so that they are aware of phishing attempts and can work to stop them on a wider scale.