People really are out to get you online. Here’s what to know about phishing, smishing, BEC, and other scams to watch out for.
What is phishing?
Often carried out over email — although the scam has now spread beyond suspicious emails to phone calls (so-called “vishing”), social media, SMS messaging services (aka “smishing”), and apps — a basic phishing attack attempts to trick the target into doing what the scammer wants.
Exactly what the scammer wants can vary wildly between attacks. It might be handing over passwords to make it easier to hack a company or person, or sending payments to fraudsters instead of the correct account. This information is often stolen by making requests that look entirely legitimate — like an email from your boss, so you don’t think twice about doing what is asked.
A successful phishing attack hands fraudsters what they need to ransack their targets’ personal and work accounts: usernames, passwords, financial information, and other sensitive data.
Phishing is also a popular way for attackers to deliver malware. The victim is encouraged to download a weaponized document or visit a malicious link that secretly installs the payload, which might be a trojan, ransomware, or any other damaging and disruptive malware.
Why is phishing called phishing?
The overall term for these scams, phishing, is a play on “fishing”: here the angler is a scammer trying to hook you and reel you in with an email lure. In most cases they put out many of these lures at once. Most people ignore the scam emails, but someone eventually bites.
The “ph” spelling is also a nod to hacker history: some of the earliest hackers were known as “phreaks” or “phreakers” because they manipulated the telephone network to make free calls.
Who is a target of phishing scams?
These scams can target anyone, anytime. The aim and the precise mechanics of phishing scams vary: for example, victims might be tricked into clicking a link through to a fake web page with the aim of persuading the user to enter personal information. In this case the lure might be that you’ve won a prize, or a chance to grab a must-have special offer, or (oh the irony) a claim that your account has been hacked and you should login to take action.
More complex phishing schemes can involve a long game, with hackers using fake social media profiles, emails and more to build up a rapport with the victim over months or even years, especially in cases where specific individuals are targeted for data that they would only ever hand over to people they trust.
That data can range from your personal or corporate email address and password to financial data such as credit card details, online banking accounts and cryptocurrency wallets, or even personal data including your date of birth, address and a social security number.
In the hands of fraudsters, all of that information can be used for identity theft, for making purchases with the stolen card or account details, or simply sold on to other cyber criminals on the dark web, who can use it however they please. For example, phished usernames and passwords are regularly the starting point for ransomware attacks.
Because phishing can be so effective, it’s one of the most common techniques used by state-backed hacking groups for conducting espionage against other governments or other organizations of interest.
Ultimately, anyone can be a victim of a phishing attack, from high-ranking officials, to business leaders, to office professionals — anyone who has an email or social media account could fall victim to a phishing attack.
How does a phishing attack work?
A basic phishing attack attempts to trick a user into giving away personal details or other confidential information, and email is the most common method of performing these attacks.
The sheer number of emails sent every single day makes email an obvious attack vector for cyber criminals. Over 300 billion emails are sent every day, and it is estimated that at least three billion of these are malicious phishing emails.
Most people simply don’t have the time to carefully analyze every message that lands in their inbox.
Some scammers are aiming at unwary consumers. Their email subject line will be designed to catch the victim’s eye. Common phishing campaign techniques include offers of prizes won in fake competitions, such as lotteries or contests by retailers offering a winning voucher.
To claim the prize, victims are asked to enter details such as their name, date of birth, address, and bank details, as well as their username and password. Obviously, there’s no prize, and all they’ve done is put their personal details into the hands of fraudsters.
Other phishing emails claim to be from a bank or other financial institution looking to verify details, online shops attempting to verify non-existent purchases or sometimes — even more cheekily — attackers will claim that there’s been suspicious behavior on your account and you should login to check.
Sometimes they’ll even claim to be representatives of tech or cybersecurity companies and that they need access to information in order to keep their customers safe.
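As an added illustration (not part of the original article), the Python script below shows the mechanics of the fake-login lure described above: the visible link text names the genuine site while the underlying href points somewhere else entirely. The email body, the bank name and the domains are constructed for the example; `.example` and `.invalid` are reserved top-level domains, so nothing in it resolves.

```python
"""Flag links in an HTML email whose visible text names one site but whose href
points at another.

Added example, not code from the original article. SAMPLE_EMAIL is a constructed
"suspicious activity" lure; the bank and domains are fictional.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """
<p>We noticed unusual sign-in activity on your account.</p>
<p>Please <a href="http://example-bank-secure-login.invalid/verify">log in at https://www.example-bank.example</a>
to review recent activity.</p>
<p>Questions? Visit <a href="https://www.example-bank.example/help">www.example-bank.example/help</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_host(h):
    """True for 'a.b' style names with non-empty labels (rejects 'continue.' etc.)."""
    labels = h.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def host_of(token):
    """Extract a hostname from a URL or bare domain token, or None."""
    candidate = token if "://" in token else "//" + token
    h = urlparse(candidate).hostname
    return h if h and looks_like_host(h) else None


def registrable_domain(host):
    """Crude last-two-labels heuristic; a production check needs the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_mismatched_links(html):
    """Return links where the text shows a domain different from the href's domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname
        # Only link text that itself looks like a URL or domain can be "mismatched".
        text_host = next((h for h in map(host_of, text.split()) if h), None)
        if href_host and text_host and registrable_domain(href_host) != registrable_domain(text_host):
            findings.append({"href": href, "shown": text_host, "actual": href_host})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL):
        print(f"Link text shows {f['shown']} but points to {f['actual']} ({f['href']})")
```

Only the first link is reported: its text advertises the bank's real-looking domain while the href goes to an unrelated host, which is exactly what a "log in to check your account" lure relies on. The help link is left alone because text and href agree. The domain comparison uses a deliberately crude last-two-labels rule; anything beyond a demonstration should use the public suffix list so that hosts under multi-label suffixes compare correctly.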
Other scams, usually more sophisticated, aim at business users. Here attackers might pose as someone from within the same organization or one of its suppliers and will ask you to download an attachment that they claim contains information about a contract or deal.
Attackers will often use high-profile events as a lure in order to reach their end goals. For example, during the height of the coronavirus pandemic, cyber criminals extensively sent emails that supposedly contained information about coronavirus as a means of luring people into falling victim.
One common technique is to deliver a Microsoft Office document containing macros, which Office does not run by default. The message accompanying the document tells the potential victim to enable macros so the document can be viewed properly; in reality, enabling them lets the crooks run their malware payload.
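As an added example (not from the original article), the following Python script shows one defensive check for this lure: whether an Office attachment actually carries macros at all. Modern Office files are ZIP packages, and a macro-enabled one contains a `vbaProject.bin` part and declares a `macroEnabled` content type in `[Content_Types].xml`. The two sample documents are constructed in memory so the script runs offline; the placeholder `vbaProject.bin` bytes are not a real VBA project.

```python
"""Detect macro content in Office Open XML (.docx/.docm/.xlsm/...) attachments.

Added example, not code from the original article. build_doc() constructs minimal
sample packages so the check can be exercised offline.
"""
import io
import zipfile

# [Content_Types].xml for a plain document: no VBA part, standard main content type.
CONTENT_TYPES_PLAIN = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml"
   ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

# [Content_Types].xml for a macro-enabled document: VBA part and macroEnabled main type.
CONTENT_TYPES_MACRO = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>
  <Override PartName="/word/document.xml"
   ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
</Types>"""


def build_doc(macro: bool) -> bytes:
    """Construct a minimal OOXML package (constructed sample, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES_MACRO if macro else CONTENT_TYPES_PLAIN)
        z.writestr("word/document.xml", "<w:document/>")
        if macro:
            # A real vbaProject.bin is an OLE compound file; a placeholder suffices here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def inspect_office_file(data: bytes) -> dict:
    """Return macro indicators for an OOXML package given as bytes.

    Looks at the package contents rather than the file extension, since the
    extension is whatever the sender chose to give the attachment.
    """
    result = {"is_ooxml": False, "has_vba_project": False,
              "macro_enabled_type": False, "macros": False}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a ZIP: legacy binary .doc/.xls (OLE2) or something else entirely.
        return result
    names = z.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    result["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    content_types = z.read("[Content_Types].xml").decode("utf-8", errors="replace")
    result["macro_enabled_type"] = ("macroEnabled" in content_types
                                    or "vnd.ms-office.vbaProject" in content_types)
    result["macros"] = result["has_vba_project"] or result["macro_enabled_type"]
    return result


if __name__ == "__main__":
    for label, doc in (("plain", build_doc(False)), ("macro", build_doc(True))):
        print(label, inspect_office_file(doc))
```

A mail gateway or triage script can apply this to every Office attachment and quarantine or flag those where `macros` is true, regardless of how the file is named. The check only covers the ZIP-based formats; legacy binary `.doc`/`.xls` files are OLE2 containers and need an OLE parser (for example the `olevba` tool from oletools) rather than `zipfile`.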
What’s the cost of phishing attacks?
It’s hard to put a total cost on the fraud that flows from phishing scams, because losses can range from a few dollars for a phishing attack against one person, to successful phishing attacks against large organizations potentially costing millions of dollars.
What are some phishing scam examples?
The “spray and pray” is the least sophisticated type of phishing attack, whereby basic, generic messages are mass-mailed to millions of users.
These are the “URGENT message from your bank” and “You’ve won the lottery” messages that aim to panic victims into making an error — or blind them with greed. Some emails attempt to use fear, suggesting there’s a warrant out for the victim’s arrest and they’ll be thrown in jail if they don’t click through.
Schemes of this sort are so basic that there’s often not even a fake web page involved — victims are often just told to respond to the attacker via email. Sometimes emails might play on the pure curiosity of the victim, appearing as a blank message with a malicious attachment to download.
These attacks are mostly ineffective, but the sheer number of messages being sent out means that there will be people who fall for the scam and inadvertently send details to cyber attackers who’ll exploit the information in any way they can.
For cyber criminals, these campaigns take little time and effort to send out (the mailing is often handed off to bots), so they are likely turning a profit, even if it isn’t much.
A simple phishing email — it looks basic, but if it didn’t work, attackers wouldn’t be using it.
How can I spot a phishing attack?
At the core of phishing attacks, regardless of the technology or the particular target, is deception.
While many in the information security sector might raise an eyebrow when it comes to the lack of sophistication of some phishing campaigns, it’s easy to forget that there are billions of internet users — and every day there are people who are accessing the internet for the first time.
Lots of internet users won’t even be aware about the potential threat of phishing, let alone that they might be targeted by attackers using it. Why would they even suspect that the message in their inbox isn’t actually from the organization or friend it claims to be from?
But while some phishing campaigns are so sophisticated and specially crafted that the message looks totally authentic, there are some key giveaways in less advanced campaigns that can make it easy to spot an attempted attack. Here are four such giveaways to look for.
Many of the less professional phishing operators still make basic errors in their messages — notably when it comes to spelling and grammar.
Official messages from any major organization are unlikely to contain bad spelling or grammar, and certainly not repeated instances throughout the body. A poorly written message should act as an immediate warning that the communication might not be legitimate.
It’s common for attackers to use a service like Google Translate to translate the text from their own first language, but despite the popularity of these services, they still struggle to make messages sound natural.