Phishing is a cyberthreat hackers use to trick individuals into revealing sensitive information, such as passwords and personally identifiable information. In this guide, we’ll shed light on how phishing works, how you can spot an attack, and how security software like Norton 360 Deluxe can help defend against phishing attacks by protecting your device from malware, hackers, and other dangers associated with phishing.
Ever get an email that looks like it’s from your bank warning you that it will freeze your checking account unless you verify your personal information? The email might have contained a link. And if you clicked, you might have landed on a website that asked you to fill in such personal information as your Social Security number and bank account numbers.
The problem? These emails never come from your actual bank. Instead, they're a tool scammers use to launch phishing attacks that threaten your cybersecurity.
What is phishing?
Phishing is a cyberthreat in which scammers try to lure sensitive information or data from you by disguising themselves as a trustworthy source. They do this using a variety of communication methods, including email, text messages, phone calls, and more. No matter which method scammers use, they want your personal information so that they can use it to access your bank accounts or credit cards.
And they’ll send countless fake emails and smishing texts across the globe in hopes of tricking people into exposing this sensitive information.
Some phishing emails or texts might look unprofessional to you, using poor grammar or asking you to click on links with odd-looking URLs. But phishers don’t have to be sophisticated. These cybercriminals work in volume and only need to trick a small number of victims to consider their work a success.
How do you make sure you’re not one of these unlucky victims? It comes down to learning how to recognize phishing scams and resolving never to click on a link in a text or email that claims to come from a bank, credit card provider, or other well-known company. Phishing emails may also appear to come from a relative, coworker, or friend. And those are only the messages that reach you; many more are caught by your spam filter before you ever see them.
How does phishing work?
While phishing can vary based on the specific type of scam the scammer is carrying out, phishing attacks often follow these five steps:
- The phisher determines the target (whether an organization or individual) and creates strategies to collect data they can use to attack.
- Next, the phisher creates fake emails or phony webpages to send messages that lure data from their victims.
- Phishers then send messages that appear trustworthy to the victims and begin the attack.
- Once they’ve deployed the attack, phishers will monitor and collect the data victims provide on the fake webpages.
- Finally, phishers use the collected data to make illegal purchases or commit fraudulent acts such as identity theft.
That said, not all phishing attacks look or operate the same. Phishing scams can take a variety of forms and can have different goals.
Types of phishing attacks
Phishing scams can take a variety of forms. Some phishing emails will ask you to click on a link to prevent your bank account or credit card from getting closed. When you click on the link, you’ll be taken to a website that asks for your personal financial information. That could open the door to identity theft.
Other types of phishing attacks ask that you click on a link to verify that a credit card or bank account is yours. Again, that link will take you to a fraudulent phishing website that will ask you to provide personal or financial information that will likely be captured by fraudsters.
You might receive a phishing email warning that your email account is full and in danger of being shut down. The email claims that unless you click on a link you will lose access to your email messages. Again, links like this can request and capture your personal information or install malware or adware onto your computer.
The unfortunate truth? There are many types of phishing attacks, and you need to be on the lookout for all of them.
1. Email phishing
The basic phishing email is sent by fraudsters impersonating legitimate companies, often banks or credit card providers. These email phishing attacks are designed to trick you into providing login or financial information, such as credit card numbers or Social Security numbers.
Other spoof emails might try to trick you into clicking a link that leads to an unsafe website designed to look like Amazon, eBay, or your bank. These fake phishing sites can then deliver malware to your computer, allowing hackers to steal your personal information or take control of your computer, tablet, or smartphone.
2. Spear phishing
While most phishing emails are sent to large groups of people, there is one type of attack that is more personalized in nature: spear phishing.
Spear phishing emails are aimed at a specific individual, business, or organization. Unlike the senders of generic phishing emails, these scammers spend time researching their targets, a form of social engineering, and then send emails that look like they come from legitimate sources the target already trusts.
For example, a spear phishing email might target a company employee. The email may appear to come from the boss, and the message requests access to sensitive company information. If the spear phishing target is tricked, it could lead to a data breach where a company’s or employee’s information is accessed and stolen.
3. Clone phishing
Another type of phishing, clone phishing, might be one of the most difficult to detect. In this type of phishing attack, scammers create a nearly identical version of an email that victims have already received.
The cloned email is sent from an address that is nearly, but not quite, the same as the email address used by the message’s original sender. The body of the email looks the same, too. What’s different? The attachment or link in the message has been changed. If victims click on those now, it will take them to a malicious website or open an infected attachment.
4. Whaling
Sometimes phishers go after the biggest of targets, the whales. Whaling attacks target chief executive officers, chief operating officers, or other high-ranking executives in a company. The goal is to trick these powerful people into giving up the most sensitive corporate data.
These attacks are more sophisticated than general phishing attacks and require plenty of research from scammers. They usually rely on fraudulent emails that appear to be from trusted sources within the company or from legitimate outside agencies.
5. Pop-up phishing
Pop-up phishing is a scam in which pop-up ads trick users into installing different types of malware on their computers or convince them to purchase fake antivirus software they don’t need.
These pop-up ads sometimes use scare tactics. A common pop-up phishing example is when a fake virus alert pops up on a user’s screen warning the user that their computer has been infected and the only way to remove the virus is by installing a particular type of antivirus software.
Once the user installs this fake software, it either doesn’t work or, worse, actually does infect the computer with malware.
To increase their chances of getting the information they want, scammers may combine several phishing techniques, including:
- Social engineering: Social engineering is the act of tricking someone into divulging sensitive information using false trust and persuasion tactics. For example, a scammer may pretend to be a family member in a dangerous situation to get you to quickly send them money.
- Hyperlink manipulation: Phishers may use the text of a legitimate URL to disguise a link to a phishing website. For example, you may think you’re navigating to your bank’s official support page, but after hovering over the link, you discover it is actually going somewhere else.
- Graphical rendering: Graphical rendering is when a phisher sends the body of the email as an image rather than as text, so that keyword-based phishing filters have no text to scan.
- Site redirects: Phishers may also use a malicious webpage as a middle ground between their phishing email and a legitimate site. For example, following their instructions may take you to a webpage created by a phisher to collect your personal information before redirecting you to a legitimate website to minimize your suspicion of a phishing attack.
- Link shortening: Another popular phishing tactic is using link shortening tools to disguise links to dangerous websites.
- Typosquatting: With typosquatting, a phisher registers domains that are very close to a legitimate domain, hoping their targets won’t notice. For example, a phisher pretending to be an Amazon support representative might create a phishing site under the URL “Amazpn.com.”
- AI voice generators: Phishers may use AI voice generators to impersonate public figures or acquaintances of yours to get you to divulge sensitive information.
- Chatbots: Scammers may also use AI-enabled chatbots to create highly personalized phishing messages free of spelling and grammatical errors often associated with phishing attacks.
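Three of the techniques above (hyperlink manipulation, link shortening, and typosquatting) leave a trace in the message itself: the destination of each link. The following Python script is an added example, not code from the original article or from Norton, and it shows what a mail filter or a curious reader does when “hovering over the link”: it pulls every anchor out of an HTML email body, compares the host the visible text claims against the host the href actually points to, flags well-known URL shorteners, and flags hosts within a small edit distance of a trusted domain. The sample email, the trusted-domain list, and the shortener list are constructed for the example.

```python
"""Flag deceptive links in an HTML email body (added example, not Norton's code).

Checks three techniques from the list above:
  * hyperlink manipulation - visible link text names one host, href points elsewhere
  * link shortening        - href uses a known URL-shortening service
  * typosquatting          - href host is within edit distance 2 of a trusted domain
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains this reader trusts. A real filter would use a larger list.
TRUSTED_DOMAINS = {"amazon.com", "paypal.com", "examplebank.com"}
# Well-known public URL shorteners (constructed, non-exhaustive list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Constructed sample message; none of these links are real.
SAMPLE_EMAIL = """
<p>Your account will be suspended. Verify now:
<a href="http://www.examplebank.com.verify-login.net/x">https://www.examplebank.com/login</a></p>
<p>Or <a href="https://bit.ly/3abc">click here</a>.</p>
<p>Visit <a href="http://amazpn.com/support">Amazon support</a> for help.</p>
<p>Help center: <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL or bare domain, lowercased ('' if none)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Adequate for .com-style domains, not for co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_link(href, text):
    """Return a list of human-readable findings for one link (empty = looks clean)."""
    findings = []
    target = registrable_domain(host_of(href))
    if not target:
        return findings
    if target in SHORTENERS:
        findings.append("shortened")
    # Hyperlink manipulation: the visible text looks like a URL or host for another domain.
    shown = host_of(text) if ("." in text and " " not in text) else ""
    if shown and registrable_domain(shown) != target:
        findings.append(f"text says {registrable_domain(shown)}, href goes to {target}")
    # Typosquatting: close to, but not equal to, a trusted domain.
    if target not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(target, trusted) <= 2:
                findings.append(f"lookalike of {trusted}")
                break
    return findings


def analyze_email(html):
    """Map each href in the message to its findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyze_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in analyze_email(SAMPLE_EMAIL).items():
        print(f"{'SUSPICIOUS' if findings else 'ok':10} {href}  {'; '.join(findings)}")
```

The first link is the classic hover mismatch: the text reads examplebank.com but the host is verify-login.net, with the bank's name planted as a subdomain. The second is a shortener, which hides the destination entirely and deserves expansion before clicking. The third is a one-character typosquat of amazon.com. The fourth is the genuine help page and produces no findings. Edit distance alone will also flag unrelated short domains near a trusted name, so in practice this check belongs in a scoring pipeline rather than as a hard block.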
Now that you better understand the techniques used by phishers, it’s time to learn the common warning signs of a phishing attack.
How to spot phishing
Scammers have become more sophisticated when it comes to sending out phishing emails. But there are still some signs you can look for, including:
- Too-good-to-be-true offers: Phishing emails may try to hook you with what appears to be incredibly cheap offers for things like smartphones or vacations. The offers may look irresistible, but resist them. They’re likely phishing emails.
- Requests for personal information: Your bank, or any financial institution, will never ask for your Social Security number, bank account number, or PIN by email. Never provide this information in response to an email.
- Spelling and grammatical mistakes: There was a time when you could easily spot phishing emails because they were littered with spelling and grammar mistakes. Scammers have gotten better at avoiding these errors, but an email full of typos and odd phrasing is still a warning sign that it may be a phishing attempt.
- Generic greetings: Phishing emails might not be addressed specifically to you. Instead, the email might start with a generic greeting such as “Dear Sir or Madam” or “Dear Account Holder.”
- Calls for immediate action: Phishers want you to act quickly without thinking. That’s why many will send emails asking you to immediately click on a link or send account information to avoid having your bank account or credit card suspended. Never reply hastily to an emergency request. Urgent requests for action are often phishing scams.
- Senders you don’t recognize: If you don’t recognize the sender of an email, consider deleting it. If you do decide to read it, be careful not to click on links or download files.
- Senders you think you recognize: You might get a phishing email from a name you recognize. But here’s the catch: That email may have come from the compromised email account of someone you know. If the email requests personal information or money, it’s likely a phishing email.
- Suspicious links and attachments: If you receive an email requesting you click on an unknown hyperlink, hovering over the option might show you that the link is really taking you to a fake, misspelled domain. This link is created to look legitimate but is likely a phishing scam. The sender may also include an attachment that doesn’t make sense or appears spammy.
By keeping these common warning signs and phishing examples in mind, you can ensure you’re prepared to quickly identify phishing emails that enter your inbox.
How to protect yourself from phishing attacks
Though hackers are constantly coming up with new phishing techniques, there is good news. There are some things that you can do to help protect against phishing. All it requires is some common sense and email security best practices. To help you stay safe, keep these dos and don’ts in mind.
- Don’t open suspicious emails: If you receive an email supposedly from a financial institution with an alarming subject line—such as “Account suspended!” or “Funds on hold”—delete it. If you are worried that there is a problem, log in to your account or contact the bank directly. If there really is a problem with your bank account or credit card, you’ll find information once you’ve logged in.
- Don’t click on suspicious links in emails: If you open an email from someone you don’t know and are instructed to click on a link, don’t. Often, these links will take you to fake websites that will then encourage you to either provide personal information or click on links that might install malware on your computer.
- Don’t send financial information through email: Your bank or credit card provider will never ask you to provide bank account numbers, your Social Security number, or passwords through email.
- Don’t click on pop-up ads: Hackers can add fraudulent messages that pop up when you visit even legitimate websites. Oftentimes the pop-ups will warn you that your computer is infected and instruct you to call a phone number or install antivirus protection. Avoid this temptation. Scammers use these ads to either install malware on your computer or scam you out of a payment for a computer cleanup you don’t need.
- Do use spam filters: Spam filters can help weed out spam and phishing emails from illegitimate sources, but you should always use your best judgment in case a phishing email gets past the filter.
- Do use security software: By installing security software like Norton 360 Deluxe, you can surf the web with confidence, knowing you took the extra steps to help protect your device from hackers, malware, and other threats of phishing.
By remembering these dos and don'ts, you can help minimize the risk of phishing attacks and keep your device and personal information secure.
What to do if you’ve fallen for a phishing scam
What if you've fallen for an email scam? Perhaps you sent financial information to a scammer or clicked on a link that installed malware on your computer. You’ll want to act quickly. Here are some steps you can take to help minimize the damage if you’ve responded to a phishing scam.
- Change your passwords: Start with the account the scammer targeted, then change the password on any other account that used the same or a similar password, including banking, credit card, and email accounts. Use long, unique passwords with a mix of numbers, letters, and symbols to make them harder to crack.
- Enable two-factor authentication (2FA): Consider enabling 2FA if it’s available. 2FA requires entering a second piece of information—such as a code sent to your smartphone—to access an account. Codes from an authenticator app or a hardware security key are harder for a phisher to intercept than codes sent by text message.
- Alert the credit bureaus: Visit the home pages of Experian, Equifax, and TransUnion, the three national credit bureaus, and alert them that you've been the victim of a phishing attempt. You might freeze your credit with each of the bureaus to make sure criminals can't open new credit accounts or take out new loans in your name.
- Contact your credit card providers: If you’ve given up credit card information, immediately call your credit card providers. They can block the compromised card and issue a replacement to prevent unauthorized purchases. They can also work with you to determine which purchases on your accounts are legitimate and which were made by criminals.
- Check your credit reports: Order free copies of your credit reports from AnnualCreditReport.com. Check these reports carefully for any unfamiliar activity to make sure no one has opened credit card accounts or loans in your name.
- Study your credit card statements: Be on the lookout for any unauthorized or suspicious charges.
- Report the incident: You can report a phishing attempt to the Anti-Phishing Working Group (APWG) by forwarding the phishing email to the reporting address published on the APWG website. If you receive a phishing text message, forward it to SPAM (7726).
- Run antivirus software: Running antivirus software can help scan your device for any malware that may have been installed. Antivirus software can also help you remove malware from your device, reducing the chance that the scammer is still spying on your information or harming your device.
To respond promptly to a phishing attack, make sure to take the above precautions and use your best judgment when browsing online and responding to messages.
Help defend against phishing with Norton 360 Deluxe
As cybercriminals continue to evolve their phishing attacks, it's best to have advanced security software leading your defense. Norton 360 Deluxe helps you use your devices more safely, knowing you have powerful malware and virus protection, as well as a secure VPN that can help keep your internet activity private and out of the hands of hackers.
FAQs about phishing
If your questions don’t just stop at “What is phishing?,” we’ve got you covered. Read through this FAQ section to learn more about phishing scams.
Who are the targets of phishing attacks?
Anyone can be targeted in a phishing attack. Phishers will often target as many email addresses as they can to help increase their chance of success.
Why do phishing attacks work?
Phishing attacks are often successful because they exploit human emotions. For example, many phishers try to get their targets to respond quickly by informing them of an emotional situation that may cause a person to act quickly without realizing it's a scam.
Can AI be used for phishing attacks?
Yes, many scammers have utilized AI to help make their communications sound more believable. For example, phishers may use it to generate realistic conversations free of spelling and grammatical errors so their phishing messages seem more legitimate.