What is phishing?
Ever get an email that looks like it’s from your bank warning you that it will freeze your checking account unless you verify your personal information? The email might have contained a link. And if you clicked? You might have landed on a website that asked you to fill in such personal information as your Social Security number and bank account numbers.
The problem? These emails never come from your actual bank. Instead, they’re the tools wielded by scammers.
Such emails are an example of phishing, an effort by scammers to trick you into giving up personal information that they can then use to access your bank accounts or credit cards. Phishers can reach you through email, text or even by phone.
The ultimate goal no matter which method scammers use? They want your personal information. And they’ll send countless fake messages across the globe in the hope that they’ll trick enough people into surrendering this information.
Some phishing emails or texts might look unprofessional to you, using poor grammar or asking you to click onto links with odd-looking URLs. But phishers don’t have to be sophisticated. They work in volume, and only need to trick a small number of victims to consider their work a success.
The Federal Trade Commission points to a recent attack targeting Netflix users. The phishing email purports to be sent from Netflix and warns recipients that the streaming company is “having some trouble” accessing the customer’s billing information. The message asks victims to click on a link to update their payment method. That link, of course, doesn't take users to Netflix. It takes them to a fake website created by the scammers.
How do you make sure you’re not one of these unlucky victims? It’s all about learning how to recognize phishing scams and resolving to never click on a link in a text or an email supposedly sent from a bank, credit-card provide, or other well-known company.
Types of phishing
Phishing can take a variety of forms, including these.
What is a phishing email?
The basic phishing email is sent by criminals who are impersonating legitimate companies, often banks or credit card providers. These emails are designed to trick you into providing log-in information or financial information, such as credit card numbers or Social Security numbers.
Other phishing emails might try to trick you into clicking a link that leads to a fake website designed to look like Amazon, eBay, or your bank. These fake websites can then install malware or other viruses directly onto your computer, allowing hackers to steal your personal information or take control of your computer, tablet or smartphone.
An example? You might receive an email that looks like it was sent by PayPal. The email might say that you need to click on a link to verify your PayPal account. If you don’t? The email says that your PayPal account will be shut down.
Of course, this is a scam. If you click on the link, you’ll be taken to a fake PayPal log-in page. If you then enter your password and username, the scammers will capture this information.
These emails often feature spelling errors, odd grammar, and generic greetings such as “Dear User” or “Dear client.” The links you are supposed to click will often lead to websites with odd URLs or ones that are spelled just a bit differently from the institution’s legitimate website.
PayPal, credit card companies, mortgage lenders and banks will never contact you by email to request any personal information from you. Instead of clicking on links in emails, log into your account on your own. If there is a legitimate concern, you’ll see it when you log in.
What is spear phishing?
While most phishing emails are sent to large groups of people, there is one type of attack that is more personalized in nature, spear phishing.
Spear-phishing emails are targeted toward a specific individual, business, or organization. And unlike more generic phishing emails, the scammers who send them spend time researching their targets. These criminals will send emails that look like they’re from legitimate sources.
For instance, in 2016, millions of customers who had made a purchase from Amazon received an email with the subject line “Your Amazon.com order has been dispatched” with an order code after it. When consumers opened the email, there was no message, just an attachment. If they opened the attachment, consumers ran the risk of installing ransomware on their computers.
What is clone phishing?
Another type of phishing, clone phishing, might be one of the most difficult to detect. In this type of phishing attack, scammers create a nearly identical version of an email that victims have already received.
The cloned email is sent from an address that is nearly, but not quite, the same as the email address used by the message’s original sender. The body of the email looks the same, too. What’s different? The attachment or link in the message has been changed. If victims click on those now, it will take them to a fake website or open an infected attachment.
What is whaling?
Sometimes phishers go after the biggest of targets, the whales. Whaling attacks target chief executive officers, chief operating officers, or other high-ranking executives in a company. The goal is to trick these powerful people into giving up the most sensitive of corporate data.
These attacks are more sophisticated than general phishing attacks and require plenty of research from scammers. They usually rely on fraudulent emails that appear to be from trusted sources within the company or from legitimate outside agencies.
How can I protect myself from phishing?
The good news? You can avoid being scammed by phishing attacks. All it requires is some common sense.
Don’t open suspicious emails: If you receive an email supposedly from a financial institution with an alarming subject line — such as “Account suspended!” or “Funds on hold” — delete it. If you are worried that there is a problem, log in to your account directly. If there really is a problem with your bank account or credit card, you’ll find information once you’ve logged in.
Don’t click on suspicious links in emails: If you do open an email from someone you don’t know and you are instructed to click on a link, don’t. Often, these links will take you to fake websites that will then encourage you to either install malware on your computer or provide personal financial information.
Don’t send financial information through email: Your bank or credit card provider will never ask you to provide bank account numbers, your Social Security number, or passwords through email.
Don’t click on pop-up ads: Hackers can add fraudulent messages that pop up when you visit even legitimate websites. Often, the pop-ups will warn you that your computer is infected and instruct you to call a phone number or install anti-virus protection. Avoid this temptation. Scammers use these ads to either install malware on your computer or scam you out of a payment for a computer clean-up you don’t need.
Sign up for anti-virus protection: Make sure your computer is protected by strong, multi-layered security software. We recommend Norton 360, which offers a full suite of security programs.
Here’s a glossary of phishing terms.
Phishing email. An email designed to trick users into installing dangerous software on their computers, sending payments for fraudulent services or providing scammers with their personal or financial information.
Spear phishing. A phishing attempt targeted at a specific individual.
Clone phishing. A phishing attack that tricks victims with duplicated versions of email messages they’ve already received.
Whaling. A more sophisticated version of phishing in which scammers target CEOs, CFOs and other high-ranking business executives.
Pop-up phishing. A scam in which pop-up ads trick users into installing malware on their computers or convince them to purchase anti-virus protection they don’t need.
Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.
Norton by Symantec is now Norton LifeLock. LifeLock™ identity theft protection is not available in all countries.
Copyright © 2019 Symantec Corporation. All rights reserved. Symantec, the Symantec logo, the Checkmark logo, Norton, Norton by Symantec, LifeLock and the LockMan logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the United States and other countries. App Store is a service mark of Apple Inc. Microsoft and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution Licence. Other names may be trademarks of their respective owners.