Phishing scams are widespread and on the rise. These scams are one of the greatest threats to your online security. People lose money and have their identity stolen by phishing crimes every day.
Most people are aware of phishing and are more tech savvy than when these scams started. In response, hackers have become more sophisticated in their tactics.
Older adults used to be the main target of scams. Now age doesn’t matter. Everyone is a target. This post covers things you need to know about phishing attacks.
Phishing is a deceptive attempt to get your sensitive information, like passwords and credit card details. A phishing attack is usually concealed in a message. The hacker wants to catch you off guard or manipulate you into doing something that will give them access to your device or accounts. Their goal is to get you to click a link, open a document, install software, or provide them with your username and password.
There are many types of phishing. While most people know about email phishing scams, many don't know enough to spot all types of phishing. One survey showed that 88% of people had high confidence in their knowledge of phishing, but only 5% were able to identify all phishing scams. In the same survey, 41% of baby boomers didn't believe phishing happened via social media. Around 60% of boomers didn't associate it with fraudulent software.
Phishing attacks are not limited to email. They also occur through:
A phishing attack can infect a device with malicious code. Most of the time, the victim will not know it has happened. But once it has happened, hackers can steal passwords, weaken security, control the device, or redirect the victim to fake websites.
Phishing messages sometimes sound like a story. They're trying to manipulate your emotions to get you to click on a link or open an attachment. They may:
Some phishing messages look like they're from tech support. The phisher will tell you to send your passwords, or to allow remote access to your computer, or to disable a security feature on your device. The sender may explain why this is necessary. For instance, they may say your computer has been hacked, or that your email is full. Don't comply with their request. Legitimate tech support services will never ask for your password or send a message like this. If this happens at work, notify your company's tech support.
Phishing attacks can be very personal. Spear phishing is a common type of personal phishing attack. Using social engineering tactics, criminals collect information about a particular person. Information is acquired from large data breaches or social media sites. They use the information to convince the person to trust them. "Whaling" is a spear phishing attack targeting a high net worth individual.
Fake websites are used to run phishing schemes. Search engine phishing is when a cybercriminal creates a keyword-optimized fake website to trick people. They run ads and wait for someone to visit their phony site and start clicking links. This lures people into giving their information with things like special discounts, free products, or fear tactics.
Spoofing techniques are used in many phishing ploys. Spoofed email addresses, names, phone numbers, or web addresses are only slightly different from the legitimate ones. The cybercriminal may even create an entire website that looks like the real one. They do this by using a similar web address and site design. Tricks like this fool people into thinking they're interacting with a business or person they trust. The differences are hard to catch. Sometimes only one letter, symbol, or number has been changed. Examples of phishing schemes that use spoofing are:
Subdomain phishing. These attacks fool people into thinking the link or email is from a legitimate source by using an address like support.companyname.com instead of companyname.com.
Clone phishing. This kind of attack uses replicas of legitimate messages. It could be a message that the person has already received. The scammer replicates the original message, inserts malicious links or attachments, and sends it from an address that looks right. They trick people by claiming that they have had to resend the message because of a problem with links or attachments in the previous email.
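As an added illustration (not part of the original post) of how the spoofing tricks just described can be checked mechanically, the Python below compares the domain of a link or sender address against a list of trusted domains and flags the two patterns above: a trusted domain name buried inside a longer, unrelated host, and a name that differs by one character or by a look-alike character. The trusted domains, the homoglyph table and the "last two labels" rule for the registrable domain are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed list standing in for the domains a reader actually deals with (assumption).
TRUSTED_DOMAINS = {"companyname.com", "example-bank.com"}

# Character swaps commonly used to make a spoofed name look right at a glance (assumption).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def host_of(target: str) -> str:
    """Lower-cased host of a URL, or the domain part of an e-mail address."""
    target = target.strip().lower()
    if "@" in target and "://" not in target:
        return target.rsplit("@", 1)[1]
    if "://" not in target:
        target = "//" + target  # let urlsplit treat a bare host as a network location
    return urlsplit(target).hostname or ""


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-label suffixes such as co.uk."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def normalize(domain: str) -> str:
    """Undo the homoglyph swaps so 'cornpanyname.com' reads as 'companyname.com'."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one-character typosquats come out as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(target: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted', 'impersonating subdomain', 'lookalike' or 'unknown' for a URL or address."""
    host = host_of(target)
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"  # the real domain, including its genuine subdomains
    for t in trusted:
        if f".{t}." in f".{host}.":  # trusted name used as a label of some other domain
            return "impersonating subdomain"
        if normalize(reg) == t or edit_distance(reg, t) <= 1:
            return "lookalike"
    return "unknown"
```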
Use email spam filters.
Delete messages that are filled with misspellings, grammatical errors, and poor syntax.
Don't click, open, or download anything in emails, instant messages, or text messages from unknown or anonymous senders.
Don't fill out forms or respond to phone calls, emails, or texts asking for your personal information.
Don't click on any links from a threatening or intimidating email.
Be cautious with unusual emails, texts, or calls from people, organizations, or businesses you know.
Verify that links, URLs, and email addresses associated with a business or organization are legitimate.
Maximize your privacy settings on all online accounts.
Use security software.
When entering a credit card or other confidential information, make sure the address bar has “https” and a closed padlock icon. This shows the connection is encrypted, not that the site is genuine, so check the address itself as well.
Set your mobile devices, browsers, and security software to update automatically.
Use multi-factor authentication to protect your accounts.
Ignore pop-up windows.
Don't jailbreak a device or run unauthorized applications.
Enable auto-lock on your devices.
Password protect your devices.
Source:
Gavett, Brandon E., et al. “Phishing suspiciousness in older and younger adults: The role of executive functioning.” PLoS ONE 12(2): e0171620, 3 Feb. 2017, doi:10.1371/journal.pone.0171620