What is phishing? How to recognize and avoid phishing scams
Sept. 25, 2020
Ever get an email that looks like it’s from your bank warning you that it will freeze your checking account unless you verify your personal information? The email might have contained a link. And if you clicked? You might have landed on a website that asked you to fill in such personal information as your Social Security number and bank account numbers.
The problem? These emails never come from your actual bank. They are phishing, a scam technique cybercriminals use to steal your information, and a direct threat to your security.
What is phishing?
Phishing is a cybercrime in which scammers try to lure sensitive information or data from you by disguising themselves as a trustworthy source. Phishers reach their victims through email, text messages, pop-up ads and fake websites.
The ultimate goal no matter which method scammers use? They want your personal information so that they can use it to access your bank accounts or credit cards. And they’ll send countless fake email and text messages across the globe in the hope that they’ll trick enough people into surrendering this sensitive information.
Some phishing emails or texts might look unprofessional to you, using poor grammar or asking you to click on links with odd-looking URLs. But phishers don’t have to be sophisticated. These cybercriminals work in volume, and only need to trick a small number of victims to consider their work a success.
As an example, in 2018 the Federal Trade Commission pointed to a phishing attack targeting Netflix users. The phishing email purported to be sent from Netflix and warned recipients that the streaming company was “having some trouble” accessing the customer’s billing information. The message asked victims to click on a link to update their payment method. That link, of course, didn’t take users to Netflix but instead to a fake website created by the scammers.
How do you make sure you’re not one of these unlucky victims? It’s all about learning how to recognize phishing scams and resolving never to click a link in a text or email supposedly sent from a bank, credit-card provider, or other well-known company. And the messages you see are only the ones that got past your spam filter.
How does phishing work?
- The phisher begins by determining who their targeted victims will be (whether at an organization or individual level) and creates strategies to collect data they can use to attack.
- Next, the phisher builds the lures: fake emails, phony web pages, or both, designed to draw data out of their victims.
- Phishers then send messages that appear trustworthy to the victims and begin the attack.
- Once the attack has been deployed, phishers will monitor and collect the data that victims provide on the fake web pages.
- Finally, phishers use the collected data to make illegal purchases or commit fraudulent acts.
That said, not all phishing attacks look or operate the same way. Phishing scams take a variety of forms and pursue different goals.
Types of phishing attacks and examples
Phishing scams can take a variety of forms. Some phishing emails will ask you to click on a link to prevent your bank account or credit card from getting closed. When you click on the link, you’ll be taken to a website that asks for your personal financial information. That could open the door to identity theft.
Other types of phishing attacks ask that you click on a link to verify that a credit card or bank account is yours. Again, that link will take you to a fraudulent website that will ask you to provide personal or financial information that will likely be captured by fraudsters.
You might receive a phishing email warning you that your email account is full and in danger of being shut down. Unless you click on a link, the email warns, you will lose access to your email messages. Again, links like this could request and capture your personal information or could install malware or adware onto your computer.
The unfortunate truth? There are many types of phishing attacks. You need to be on the lookout for all of them.
1. Email Phishing
The basic phishing email is sent by fraudsters impersonating legitimate companies, often banks or credit card providers. These emails are designed to trick you into providing log-in information or financial information, such as credit card numbers or Social Security numbers.
Other spoof emails might try to trick you into clicking a link that leads to a fake website designed to look like Amazon, eBay, or your bank. Beyond capturing what you type, these fake websites may also try to install malware on your device, letting hackers steal your personal information or take control of your computer, tablet, or smartphone.
A phishing example? You might receive an email that looks like it was sent by PayPal. The email might say that you need to click on a link to verify your PayPal account. If you don’t? The email says that your PayPal account will be shut down.
Here’s an example of a PayPal phishing email (image not reproduced here; source: Secure World).
Of course, this is a scam. If you click on the link, you’ll be taken to a fake log-in page designed to look like it is PayPal. If you then enter your password and username, the scammers will capture this information.
These emails often feature spelling errors, odd grammar, and generic greetings such as “Dear User” or “Dear client.” The links you are supposed to click will often lead to websites with odd URLs or ones that are spelled just a bit differently from the institution’s legitimate website.
PayPal, credit card companies, mortgage lenders and banks will not ask you to hand over passwords, account numbers or other personal information by email. Instead of clicking links in emails, log into your account on your own, by typing the address yourself or using a bookmark. If there is a legitimate concern, you’ll see it when you log in.
How to recognize phishing emails
Scammers have become more sophisticated when it comes to sending out phishing emails. But there are still some signs you can look for.
- Too good to be true offers. Phishing emails may try to hook you with what appears to be incredibly cheap offers for things like smartphones or vacations. The offers may look irresistible but resist them. They’re likely phishing emails.
- A bank — maybe not even your own — is asking for your account information or other personal financial information. Your bank, or any financial institution, will never ask for your Social Security number, bank account number, or PIN by email. Never provide this information in response to an email.
- Spelling and grammatical mistakes. There was a time when you could easily spot phishing emails because they were littered with spelling and grammar mistakes. Scammers have gotten better at avoiding these errors, but if you do receive an email littered with typos and weird language, that email might be sent from someone phishing.
- The generic greeting. Phishing emails might not be addressed specifically to you. Instead, the email might start with a generic greeting such as “Dear Sir or Madam” or “Dear Account Holder.”
- A call for immediate action. Phishers want you to act quickly, without thinking. That’s why many will send emails asking you to immediately click on a link or send account information to avoid having your bank account or credit card suspended. Never reply hastily to an emergency request. Urgent requests for action are often phishing scams.
- Senders you don’t recognize. If you don’t recognize the sender of an email, consider deleting it. If you do decide to read it, be careful not to click on links or download files.
- Senders you think you recognize. You might get a phishing email from a name you recognize. But here’s the catch: that email may have come from the compromised email account of someone you know, or from a lookalike address. If the email requests personal information or money, it’s likely a phishing email; confirm by phone or another channel before acting.
- Hyperlinks. If an email asks you to click a link, hover over it without clicking: most mail clients then show the real destination, which may be a misspelled or lookalike domain. The link text is made to look legitimate, but the target is what matters.
- Attachments. The message includes attachments that don’t make sense for the sender or that you weren’t expecting. Don’t open them.
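Several of the signs above can be checked mechanically. The script below is an added example, not code from the original article: it parses a constructed phishing email and a constructed benign one, then looks for a lookalike sender domain, a Reply-To that points somewhere other than the sender’s domain, a generic greeting, urgency cues, and links whose visible text names one site while the target is another (the “hover over the link” check). The trusted-domain list, the homoglyph table, the cue lists and both sample messages are assumptions made for illustration; the domain logic uses a crude last-two-labels rule rather than a public-suffix list and handles single-part messages only, so treat it as a heuristic, not a filter.

```python
"""Heuristic phishing-email checks run over two constructed sample messages.
Added example, not code from the article; the trusted-domain list, homoglyph
table and both samples are assumptions, and only single-part messages are handled."""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"paypal.com", "amazon.com", "netflix.com"}  # assumed allow-list
URGENCY_CUES = ("immediately", "suspended", "limited", "verify your account", "within 24 hours")
GENERIC_GREETINGS = ("dear user", "dear client", "dear customer", "dear sir or madam", "dear account holder")
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})  # digit-for-letter swaps

# Constructed lure in the style of the PayPal email described above.
PHISH_EMAIL = """\
From: PayPal Service <service@paypa1-secure.com>
Reply-To: collect@mail-box-example.net
To: victim@example.com
Subject: Your account has been limited
Content-Type: text/html

<p>Dear client,</p>
<p>We noticed unusual activity. Verify your account immediately or it will be suspended.</p>
<p><a href="http://paypal.com.login-verify.example/update">https://www.paypal.com/myaccount</a></p>
"""
# Constructed benign message: real domain, no Reply-To trick, link text matches its target.
CLEAN_EMAIL = """\
From: PayPal <service@paypal.com>
To: jane@example.com
Subject: Your receipt
Content-Type: text/html

<p>Hello Jane, here is your receipt: <a href="https://www.paypal.com/activity">https://www.paypal.com/activity</a></p>
"""


class LinkExtractor(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (crude stand-in for a public-suffix lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` imitates, or None if trusted or unrelated."""
    host = host.lower().rstrip(".")
    if not host or registrable_domain(host) in trusted:
        return None
    normalized = host.translate(HOMOGLYPHS)        # paypa1-secure.com -> paypal-secure.com
    tokens = set(re.split(r"[.\-_]", normalized))  # labels and hyphen-separated pieces
    for legit in trusted:
        if legit.split(".")[0] in tokens:          # brand used as a label: paypal.com.evil.example
            return legit
        if difflib.SequenceMatcher(None, registrable_domain(normalized), legit).ratio() >= 0.85:
            return legit                           # near-miss spelling: paypai.com
    return None


def analyze(raw_email):
    """Return the human-readable red flags found in one raw, single-part message."""
    msg = message_from_string(raw_email)
    flags = []
    from_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_host = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if brand := lookalike_of(from_host):
        flags.append(f"sender domain {from_host!r} imitates {brand}")
    if reply_host and registrable_domain(reply_host) != registrable_domain(from_host):
        flags.append(f"Reply-To goes to {reply_host!r}, not the sender's domain")
    html = (msg.get_payload(decode=True) or b"").decode(msg.get_content_charset() or "utf-8", "replace")
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        flags.append("generic greeting instead of your name")
    if hits := [cue for cue in URGENCY_CUES if cue in text]:
        flags.append("urgency cues: " + ", ".join(hits))
    extractor = LinkExtractor()
    extractor.feed(html)
    for href, visible in extractor.links:  # the "hover over the link" check, automated
        target = urlparse(href).hostname or ""
        if brand := lookalike_of(target):
            flags.append(f"link target {target!r} imitates {brand}")
        if visible.startswith(("http://", "https://")):
            shown = urlparse(visible).hostname or ""
            if registrable_domain(shown) != registrable_domain(target):
                flags.append(f"link text shows {shown} but points to {target}")
    return flags
```

Calling `analyze(PHISH_EMAIL)` returns six flags (lookalike sender, mismatched Reply-To, generic greeting, urgency cues, lookalike link target, link text that names paypal.com while pointing elsewhere); `analyze(CLEAN_EMAIL)` returns an empty list. The checks deliberately stop at what a careful reader could see by hovering over links and reading the headers and greeting; a production mail filter layers sender authentication, URL reputation and attachment analysis on top, and a lookalike check without a public-suffix list will misfire on legitimate country-code domains such as a brand’s `.co.uk` site.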
2. Spear phishing
While most phishing emails are sent to large groups of people, there is one type of attack that is more personalized in nature, spear phishing.
Spear-phishing emails are targeted toward a specific individual, business, or organization. And unlike more generic phishing emails, the scammers who send them spend time researching their targets. Phishing is a form of social engineering, and spear phishing is its most carefully tailored form. These criminals send emails that look like they come from legitimate sources.
For instance, in 2016, millions of customers who had made a purchase from Amazon received an email with the subject line “Your Amazon.com order has been dispatched” with an order code after it. When consumers opened the email, there was no message, just an attachment. If they opened the attachment, consumers ran the risk of installing ransomware on their computers.
In another spear-phishing example, emails might target a company employee. The email may appear to come from the boss, and the message requests access to sensitive company information. If the spear-phishing target is tricked, it could lead to a data breach where a company or employee’s information is accessed and stolen.
3. Clone phishing
Another type of phishing, clone phishing, might be one of the most difficult to detect. In this type of phishing attack, scammers create a nearly identical version of an email that victims have already received.
The cloned email is sent from an address that is nearly, but not quite, the same as the email address used by the message’s original sender. The body of the email looks the same, too. What’s different? The attachment or link in the message has been changed. If victims click on those now, it will take them to a fake website or open an infected attachment.
4. Whaling
Sometimes phishers go after the biggest of targets, the whales. Whaling attacks target chief executive officers, chief operating officers, or other high-ranking executives in a company. The goal is to trick these powerful people into giving up the most sensitive of corporate data.
These attacks are more sophisticated than general phishing attacks and require plenty of research from scammers. They usually rely on fraudulent emails that appear to be from trusted sources within the company or from legitimate outside agencies.
5. Pop-up phishing
Pop-up phishing is a scam in which pop-up ads trick users into installing malware on their computers or convince them to purchase antivirus protection they don’t need.
These pop-up ads sometimes use scare tactics. A common pop-up phishing example is when an ad might pop up on a user’s screen warning the user that their computer has been infected and the only way to remove the virus is by installing a particular type of antivirus software.
Once the user installs this software, it either doesn’t work or, worse, actually does infect the computer with malware.
How to report phishing
If you’ve been targeted by a phishing scam, alert the proper authorities. You can report a phishing attempt or crime to the Federal Trade Commission at its Complaint Assistant page. You can also report the attack to the Anti-Phishing Working Group by forwarding the phishing email to reportphishing@apwg.org. If you receive a phishing text message, forward it to SPAM (7726).
How can I protect myself from phishing attempts?
Though hackers are constantly coming up with new phishing techniques, there is good news. There are some things that you can do to protect yourself and your organization, and most of them are common sense.
- Don’t open suspicious emails. If you receive an email supposedly from a financial institution with an alarming subject line — such as “Account suspended!” or “Funds on hold” — delete it. If you are worried that there is a problem, log in to your account or contact the bank directly. If there really is a problem with your bank account or credit card, you’ll find information once you’ve logged in.
- Don’t click on suspicious links in emails. If you do open an email from someone you don’t know and you are instructed to click on a link, don’t. Often, these links will take you to fake websites that will then encourage you to either provide personal information or to click on links that might install malware on your computer.
- Don’t send financial information through email. Your bank or credit card provider will never ask you to provide bank account numbers, your Social Security number, or passwords through email.
- Don’t click on pop-up ads. Hackers can add fraudulent messages that pop up when you visit even legitimate websites. Often, the pop-ups will warn you that your computer is infected and instruct you to call a phone number or install antivirus protection. Avoid this temptation. Scammers use these ads to either install malware on your computer or scam you out of a payment for a computer clean-up you don’t need.
- Use spam filters. Spam filters can help block emails from illegitimate sources, but you should always use your best judgment in case phishing emails get past your blocker.
- Sign up for antivirus protection. Make sure your computer is protected by strong, multi-layered security software.
Installing and running trusted security software may provide real-time threat protection, help you create and manage unique passwords, and help protect your personal files and financial information from phishing attacks and other scams.
How to recover after responding to a phishing email
What if you've fallen for an email scam? Perhaps you sent financial information to a scammer or clicked on a link that installed malware on your computer.
You’ll want to act quickly. Here are some steps you can take if you’ve responded to a phishing scam to help protect yourself against identity theft.
- Change your passwords: Start with the password you entered on the fake site and any other account that uses the same one, then your banking, credit card and email accounts. Use a long, unique password for each account; a password manager makes this practical. Turn on multi-factor authentication wherever it’s available. It requires a second proof of identity, such as a code sent to your smartphone, so a stolen password alone is not enough to get in.
- Alert the credit bureaus: Visit the home pages of Experian, Equifax, and TransUnion, the three national credit bureaus, and alert them that you've been the victim of a phishing attempt. You might freeze your credit with each of the bureaus to make sure that criminals can't open new credit accounts or take out new loans in your name.
- Contact your credit card providers: If you’ve given up credit card information, immediately call your credit card providers. They can cancel the card, issue a replacement, and work with you to determine which purchases on your accounts are legitimate and which were made by criminals.
- Check your credit reports: Order free copies of your credit reports from AnnualCreditReport.com. Check these reports carefully for any unfamiliar activity to make sure no one has opened credit card accounts or loans in your name.
- Study your credit card statements: Be on the lookout for any unauthorized or suspicious charges.
As cybercriminals continue to evolve their phishing attacks and other techniques, it’s best to have up-to-date security software as one layer of your defense. Software won’t catch everything, though, so take the precautions above and use your best judgment when browsing online and responding to messages.
While antivirus protection is one of the keys to limiting risk, the right VPN can encrypt the network traffic you send and receive and hide your IP address, providing an additional layer of online privacy. Keep in mind that a VPN does nothing to stop you from typing your password into a fake site; recognizing the lure is still up to you.
Cyber threats have evolved, and so have we.
Norton 360™ with LifeLock™, all-in-one, comprehensive protection against viruses, malware, identity theft, online tracking and much, much more.
Try Norton 360 with Lifelock.
Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.
Copyright © 2020 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of Amazon.com, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.