Phishing Explained

Phishing is a form of cyber-attack that uses social engineering techniques with the goal of stealing personal information, like passwords, bank account details, credit card numbers, social insurance numbers, and other types of private information. Phishing attacks can take on many shapes and forms, with cybercriminals often posing as trusted organizations like an online streaming service, a financial institution, or even a co-worker within your own organization. 

Scammers now impersonate major companies so convincingly that telling a fake from the real thing is genuinely hard. They build emails that copy an organization's official messages down to the logo, branding, and colours, and that is precisely why these scams work: they catch you off guard when you are least expecting it, and the polished look makes the deception easy to fall for.

[Image: example of a phishing email. Image source: PayPal Community]

The message might tell you there's an issue with your account, using fear or urgency to push you into clicking a link. Clicking it risks more than handing over your data: the page it leads to may also download malware, and the stolen details can lead to identity theft and financial loss, including purchases made with your credit card. In 2022, the FBI's Internet Crime Complaint Center logged roughly 300,500 phishing victims in the US alone, with reported losses of more than $52 million.


Different Types of Phishing

Phishing is almost as old as the consumer Internet: the first widely documented phishing attacks date to the mid-1990s, when attackers on the America Online (AOL) platform used fake messages to steal users' login credentials and credit card details.

Although the basics of social engineering stay the same, fraudsters keep developing new tactics to make their messages look legitimate. Here are the main phishing variants you should know about:


1. Email Phishing

This is the most common and best-known form of phishing. A scammer sends you an email pretending to be someone you trust: your employer, your bank, or a brand you shop with regularly.

In a typical scenario, you receive an email claiming there's an issue with a recent order, say the noise-cancelling headphones you've been waiting for. It prompts you to click a link to confirm your shipping details. The link takes you to a page that looks almost identical to Amazon's official site; the visible link text may even show an amazon.com address while the real destination (the one you see when you hover over the link) is a lookalike domain the attacker controls. Believing you're fixing an order problem, you log in with your credentials.

Later, when you try to check your account for another order, your password doesn't work. After contacting customer service you discover the truth: the email was a phishing scam, and the site you entered your details into was a fake built to harvest them. By the time you realize the mistake, unauthorized purchases have already been made.
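To make the scenario above concrete, here is an added example that is not part of the original article and is not Guardio's own tooling: a small Python script that inspects a raw email for the signals a message like the fake order notice leaves behind, namely visible link text whose hostname differs from the real target, link or Reply-To hosts that imitate a known brand (including digit-for-letter swaps such as amaz0n), a Reply-To domain that differs from the From domain, and pressure wording. The two sample messages, the brand list, and the simplified "last two labels" domain logic are all constructed for the demonstration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a tiny brand list stands in for a real allow-list of legitimate domains.
KNOWN_BRANDS = {"amazon": "amazon.com", "paypal": "paypal.com"}
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspended|action required|verify now)\b", re.I)
# Digit-for-letter swaps common in lookalike domains (amaz0n, paypa1).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample modelled on the fake "order problem" scenario in the article.
PHISH_EML = """\
From: "Amazon Orders" <no-reply@amazon.com>
Reply-To: support@amaz0n-orders-help.com
To: victim@example.com
Subject: URGENT: Action required - problem with your order #112-3344556
Content-Type: text/html; charset="utf-8"

<html><body>
<p>There is a problem with your order of Noise-Cancelling Headphones.</p>
<p>Confirm your shipping details within 24 hours or the order will be cancelled.</p>
<p><a href="http://amazon.com.account-verify.example-phish.net/login">https://www.amazon.com/your-orders</a></p>
</body></html>
"""

# Constructed benign message for comparison: link text and target agree, no urgency.
BENIGN_EML = """\
From: "Example Shop" <orders@example-shop.com>
To: victim@example.com
Subject: Your order has shipped
Content-Type: text/html; charset="utf-8"

<html><body><p>Track it here:
<a href="https://www.example-shop.com/track/123">www.example-shop.com/track/123</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url_or_text):
    """Hostname of a URL, or of bare text such as 'www.example.com/path'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable(host):
    """Last two labels of a hostname. Simplification: a real check uses the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike_brand(host):
    """Brand a host imitates without being that brand's real domain, else None."""
    folded = host.translate(HOMOGLYPHS)
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in folded and registrable(host) != real_domain:
            return brand
    return None


def _flag_lookalike(host, findings):
    brand = lookalike_brand(host)
    if brand:
        findings.append(("lookalike_domain", f"{host} imitates {brand}"))


def analyze(raw):
    """Return a list of (indicator, detail) pairs found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = registrable(parseaddr(str(msg.get("From", "")))[1].split("@")[-1].lower())
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to:
        reply_host = reply_to.split("@")[-1].lower()
        if registrable(reply_host) != from_domain:
            findings.append(("replyto_mismatch", f"replies go to {reply_host}, not {from_domain}"))
        _flag_lookalike(reply_host, findings)

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    parser = _LinkCollector()
    parser.feed(content)
    for href, text in parser.links:
        target = hostname(href)
        # The visible text is itself a URL or hostname but the link opens somewhere else.
        if "." in text and " " not in text and hostname(text) != target:
            findings.append(("link_mismatch", f"shows {hostname(text)} but opens {target}"))
        _flag_lookalike(target, findings)

    if URGENCY.search(str(msg.get("Subject", "")) + " " + content):
        findings.append(("urgency", "pressure language in subject or body"))
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(name, analyze(raw))
```

Run it as a script to see the constructed phishing sample trigger all four indicator types (the lookalike check fires twice, once for the Reply-To host and once for the link target) while the benign sample produces none. The same hostname comparison is what you do by hand when you hover over a link before clicking: if the address shown and the address the browser will open do not share a registrable domain, treat the message as hostile.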


2. Spear Phishing

While traditional phishing casts a wide net, sending bulk emails or texts to thousands of people, spear phishing is aimed at specific individuals or organizations. Attackers do their homework, researching the person or firm and using what they learn to personalize the deceptive message. The level of personalization varies, but the idea is the same: instead of fishing with dynamite, the attacker targets particular people, groups, or sectors with messages tailored to them.

[Image omitted. Image source: Newsweek]

3. Whaling

By researching a company's hierarchy through its website and social media profiles, scammers identify top executives such as the CEO, and sometimes go as far as compromising those executives' email accounts so they can hijack real conversations. With that vantage point they craft highly personalized emails, posing as senior officials, to target people inside the same organization.

Unlike broad phishing, which casts a wide net, or spear phishing, which targets specific individuals with tailored messages, whaling goes after the "big fish" of an organization. Senior figures such as CEOs and finance directors are lucrative targets, and the scam trades on the authority they wield: employees are reluctant to question orders from their superiors, and when the attacker is sending from the executive's real account there is nothing in the message itself to give the game away.

Imagine working in the finance department and receiving an email that appears to come from your CEO, directing you to disclose sensitive financial information or send a large transfer to a specified account. The realism of such a request can easily catch you off guard and cost the company dearly if the deceit isn't recognized. The reliable check is to confirm any unusual payment or data request through a channel other than the email itself, such as calling the executive on a number you already have.


4. Vishing

Vishing is "voice phishing." Here the scammer uses phone calls to create a heightened sense of emergency. The aim is to deny you the time to think and to push you into immediate action that seems to be in your own interest.

A common example is a call from someone claiming to be technical support for your computer, informing you that a virus has been found on it. The caller asks for your email address and a payment so they can send you antivirus software to install right away. If you fall for it, the email you receive contains a malicious link or attachment that installs malware. Callers may also ask you to install a remote access program, which hands the scammer full control of your computer.


5. Smishing

"Smishing" is phishing carried out over SMS (Short Message Service), that is, text messages; the term combines "SMS" and "phishing." Scammers craft texts built on the same social engineering tactics, aiming to trick people into revealing sensitive details such as passwords, banking information, or Social Security numbers. The messages typically pose as trustworthy entities, whether financial institutions, government bodies, or popular service providers like delivery companies, and mix urgency with fear to provoke a quick response. As with most phishing, the text usually carries a link that either installs malware or ransomware on your device or redirects you to a malicious website.


6. Angler phishing

Phishing on social media is becoming common as cybercriminals try new channels to trap victims. Like smishing, angler phishing uses a platform's direct messaging and notification features to deliver the lure. The name comes from a typical pattern: fake customer-support accounts that reply to people who complain publicly about a brand, offering to "help" with the problem.

The message or notification asks you to complete some action, such as clicking an image or following a link to a fraudulent website. If you fall for it, the result can be a complete takeover of your social media account or the transfer of your personal information to the scammers. Criminals can also mine what you post on your account to build a more targeted attack.


7. Pop-up phishing

You may already use a pop-up blocker to keep unwanted pages and ads off your devices. That doesn't entirely protect you from pop-up phishing. These schemes use windows or notification boxes that appear while you browse, opened by a malicious site or by malicious code planted on an otherwise legitimate one, and increasingly they abuse the notification feature built into modern web browsers.

Imagine you're browsing and a prompt appears saying "www.xyzwebsite.com" wants to send you notifications. It seems harmless, maybe even helpful, but clicking 'Allow' can be a trap: the site can then push messages to your desktop that look like system alerts, even after you have left it. This is the modern form of pop-up phishing, where the fake message is delivered through a permission you granted rather than through a page you are still looking at.

The trickery lies in the message's content, typically a made-up warning about your computer's security. The pop-up might claim a virus infection and urge you to download a so-called antivirus tool, which is often malware in disguise. Alternatively, it might push you to call a fake support number, which is known as a tech support scam (a topic for a whole other article) and is an increasingly popular tactic.

These fake warnings are built to exploit your fears and push you into immediate but misguided action. Whether it's installing rogue software or calling bogus support, the outcome can be compromised security, data theft, or worse. Treat unexpected pop-up messages with caution and verify them before acting, for example by closing the browser and checking your computer with the security software you already have installed.


How can I protect myself from phishing?

The world of phishing scams is dark and bleak, but it doesn’t have to be. Not if you have Guardio's cybersecurity tools on your side.

Guardio's phishing protection keeps you safe by:

  • Blocking fake websites and dangerous links.
  • Filtering out smishing attempts on your mobile.
  • Scanning and protecting your inbox from phishing emails and new threats.
  • Alerting you if an email or text contains links that lead to dangerous sites.
  • Protecting your social media accounts from being hijacked.
  • Detecting if your info has ever been compromised in a data leak.

Guardio's protection greatly reduces the risk of falling victim to phishing or accidentally engaging with malware, but no tool removes that risk entirely: always check where a link really leads before you click, and confirm unexpected requests through a contact method you already trust.
