We have a tendency to treat our online activity like the safe, convenient space it feels like. Most people just aren’t on guard when surfing the web in their pajamas. The easy connectivity of the digital world can make you think you are anonymous and secure—like you’re watching the world from the security of your home window.
“So much of our lives are lived online,” says Brianna Jensen, identity theft expert at A Secure Life. “It can be easy to develop a false sense of security and to believe it won’t happen to us.” Many people don’t think twice about phishing scams or other forms of theft or crime online until they fall for one. But in this case, ignorance is definitely not bliss.
“Millions of new phishing attempts are launched each week,” says John Biglin, CEO of Interphase Systems. “Most don’t specifically target ‘you,’ but rather target anyone who will fall for it.” Biglin says too many people think they are unlikely to be a target, and therefore, ignore precautions, whereas phishing attacks are mostly automated and not looking specifically for individual users.
When you know what to look for—and treat your online time with certain precautions, you’ll have a better chance of avoiding phishing scams and their requisite fallout. So what are phishing scams specifically? We asked experts in cyber security to share what they wish most people knew about these attacks.
What are phishing scams?
“Phishing scams are the most widely used form of cyber-attack,” says Michael Lester, CISO and chairman of Legacy Armor. Though there are many varieties of phishing, the most common appearance is via email.
It goes something like this—an email appears in your inbox. Maybe your spam filters remove it; maybe they don’t. It is formatted to be something people will want to open. It might sound like it’s from an important financial or education institution. Maybe it appears to be from your boss or someone wanting to hire you. You read the email and it directs you to follow a link. If you click that link, all manner of bad things might happen.
Many phishing scams work by tricking recipients into revealing valuable information, such as social security numbers, credit card information or usernames and passwords. Others work by directing users to a phishing site, which might download malware onto their computers or cause other kinds of cyber mischief.
The average email user might know not to click on suspicious looking links. But since these attacks can be automated and sent in huge waves, the odds increase that someone clicks through and scammers get what they are after.
“It’s the cheapest way to attack and is therefore your largest cyber security risk,” says Dmitri Bulkhukov, CEO of Stealth Mail. Even the stuff that makes headlines—those really serious data breaches often began with a phishing attack and one person clicking on a link.
“Phishing is one of the most common types of digital crime,” Jensen says. “One major consequence of phishing is identity theft. More than 25,000 victims submitted reports to the FBI in 2017.”
Why are phishing scams such a problem?
Phishing scams are prevalent today for a reason. “They are fast, easy, inexpensive and still yield results,” Lester says. “They play on people’s desires.” Lester runs phishing tests for security and “catches” people by offering free coupons for pizza or flash news updates.
“Phishing attacks can be much, much more sophisticated than you can imagine,” Lester says. “Even security professionals fall for one every now and again.” While email providers try to catch and filter phishing emails into a spam folder, plenty will get through their nets. Lester says a well-designed phishing scam can bypass many common security checks.
“A hyperlink embedded in a PDF that is sent as an attachment may not trigger a scanning system,” he points out. “Clicking on a link initiates contact from inside. This bypasses firewall rules that may block the site if it tried to access your network directly.”
Bulkhukov explains that phishing scams work for two main reasons. First of all, email senders can pretend to be anyone—the CEO of your company, your banker—anyone they think people will respond to. “Second, when an email contains a link to a sale, discount or an interesting piece of content, people can be caught off-guard.”
Phishing scam tactics today
“By now, everyone has probably heard the jokes about Nigerian princes who have millions in hidden funds just waiting to be wired into the U.S.,” says Troy Wilkinson CEO of Axiom Cyber Solutions. “The reason those phishing scams were so successful and have had so many variations from princes to Nelson Mandela is that people have continued to fall victim.”
But Wilkinson points out that scammers continually refine and tailor their messages—even hiring translators to make the English grammar and colloquial wording more accurate. “And with the onset of social media sites, scammers are able to more carefully craft their victimization techniques.”
So what are some of these techniques? Phishing scams can take on a variety of forms. Knowing about some of them might help you recognize these scams when they appear.
Technical support scams
Phishing schemes might not directly request your personal information, according to Jensen. Sometimes scammers pose as customer support or technical support talking you through a made-up (or even real) problem. In the course of these conversations, they ask for data in order to resolve the issue and take advantage that way.
“Even savvy computer users might not know about man-in-the-browser (MITB) attacks,” Bulkhukov says. He explains that MITB attacks use a proxy Trojan horse to infect a web browser (e.g., Internet Explorer, Firefox, Chrome, etc.), which materially altering the webpages or transactions when users engage in them. For example, an infected user might enter sensitive transaction information with a bank website—this information is captured by scammers. The MITB exploit would still display accurate transaction confirmation info to the user, but behind the scenes will change the transaction amounts being sent to the bank—this middle layer gives the impression to both bank and user that the transaction was legitimate.
“Some finance professionals actually view this as the greatest threat to online banking,” Bulkhukov says.
Your loved one needs help in an emergency
A popular phishing scam has been going around on Facebook where scammers create fake profiles, befriend friends and family and plead with them to send money because of an emergency, according to Wilkinson. “What parent, grandparent, aunt, uncle or loved one would turn a blind eye to helping a family member in desperate need of assistance?”
In some cases, Wilkinson adds, the accounts might even be genuine because a scammer has gained access to someone’s profile or email.
You’ve been hacked!
“Scammers will often try to scare their victims,” Wilkinson says. “A recent terrible scam trying to trick people out of money involves the use of a real, stolen password along with a threatening email.”
In this email, hackers say they have compromised the victim’s computer, gotten into their webcam and recorded them—or caught them visiting websites that they wouldn’t want people to know about. When they demand money to keep the information secret, victims panic.
Spoofing web domains
A slight misspelling in an email address or a web domain might trick a few victims even if they hover over the link to see the URL it leads to. “Cyber-criminals have gotten good at spoofing email addresses and domains,” Wilkinson says. “For instance, can you spot the difference between ‘www.bankofamerica.com’ and ‘www.baknofamerica.com’? A lot of people will miss the typo in the second one.”
Phishing beyond email
Phishing scams aren’t exclusively for email, Jensen says. Texts, phone calls, social media—even apps like Skype can put you in the path of a phishing scam. If your bank or a government representative calls you out of the blue, telling you something is wrong and they need information right now—be skeptical and take precautions.
6 Smart tips for avoiding phishing scams.
Though these scams are extremely prevalent, taking a few precautions and knowing what to look for can help you avoid falling into their trap. Our experts offered some tips.
1. Be wary of emails you weren’t expecting
Since scammers can customize their address to appear legitimate, it’s useful to be skeptical and slow down when you get an email you weren’t expecting, Lester says. “Think before you click. Examine the email. Did you expect it? Do you recognize it?” Lester says if you have any doubts, contact your company’s security department or avoid the email and look up the institution in your browser directly to access an account.
2. Don’t confirm sensitive information online
In general, your banks and credit card companies don’t communicate via email, Jensen says. “You should never be asked to click a link or respond with sensitive info.” And even if it seems convenient, don’t send personal information in an email response.
If you are on a website that is prompting you to fill in financial information, Jensen suggests looking for the lock icon in the URL address bar. He advises users to never enter information to a site URL that doesn’t begin with ‘https’.
3. Keep software updated
Software companies are constantly looking out for weaknesses and updating any problems or loopholes scammers might utilize. “Keep your operating system and other software updated regularly and quickly after critical patches are released,” Biglin says. “And make sure your network firewall, antivirus and antimalware software are both on and updated.”
4. Never click on links or attachments from unknown senders
Sophisticated attackers can use “crypting” to avoid detection by anti-virus programs, according to Bulkhukov. So you can’t entirely rely on phishing emails getting filtered out. Again, be cautious of clicking links, even if the sender looks legitimate. Bulkhukov suggests having a separate email for your business correspondence or banking and your internet subscriptions.
5. Avoid pop-ups
“Many pop-ups act as if they are legitimate, and certainly some are, but many are driven by third-party sources,” Biglin says. This makes them vulnerable to phishing activity. “Do not click ‘OK ‘or even ‘Cancel’ because they are both buttons that could have bad links in them.” Instead close the browser tab or carefully click the “X” in the top right corner—if you’re not sure what to click, force quit your browser with the keyboard commands: [CTRL+ALT+DEL] or [Command+Option+Esc].
6. Slow down.
Scammers thrive on creating a sense of urgency in their victims. If you get a phone call or see an email that’s full of urgency, be extremely wary and go slowly. When people react too quickly, they give away information before they’ve had the chance to think.
“If you get an email asking you to send money to someone in trouble, get verbal confirmation that it is really them,” Wilkinson says. “Scammers will try to say that they’ve had their phone stolen or can’t talk, but insist on speaking to them.”
If you get correspondence threatening you or implying that you are in trouble, take enough time to hang up the phone or leave your inbox for a few minutes to research. Wilkinson says you should be inherently suspicious of all emails asking for money, changing your account credentials or deals that sound too good to be true.
Creating security in the digital world
As you can see, a large part of avoiding phishing scams is simply knowing about them. The other essential component is trusting in the security measures software engineers, companies and cyber security experts build to protect you on their platforms.
As phishing scams and cybercrimes get more sophisticated, the world of cyber security is rising up to meet the challenge. But keeping your information safe while still engaging in digital tools is growing more and more important. Check out our article, “What Is Cyber Security? The Facts You Need to Know About This Fast-Growing Field,” to see just how much these professionals take on.