How to Recognize and Avoid Phishing Scams

One of the most common, and dangerous, ways cybercriminals steal other people’s identities is through phishing — sending fraudulent texts or emails that look like they’re from legitimate and reputable sources. Their goal is to conceal their identity and deceive you into completing a desired action, such as opening an email or attachment, so they can access your login details, steal money and/or install malware on your devices.

“Phishing” is a term that dates back to at least 1996, when hackers began stealing AOL accounts using email-based lures to capture passwords and financial data. Drawing from the conventional word “fishing,” the “ph” spelling instead of “f” comes from “phone phreaking,” an early form of hacking that took place on telecommunications lines from the 1970s.

Seven common types of phishing attacks

Over time, hackers continue to use more sophisticated methods of stealing personal information online. Here are seven common types of phishing attacks that hackers launch using emails, phone messages, text messages, social media and QR codes.

1. Email phishing

Email phishing is still the most common type of phishing attack, with hackers sending out mass emails in which they impersonate trusted entities like banks or government authorities. Often, these emails are delivered with high importance, requesting immediate responses and soliciting sensitive information through fake links that enable attackers to perform numerous malicious activities such as installing viruses or malware and stealing money from user accounts.

2. Spear phishing

Spear phishing is a more targeted type of phishing attack. Hackers send malicious emails to specific individuals — often Chief Experience Officers, or CXOs — in an organization. Attackers use the target’s name, position, work phone number and other seemingly legitimate information to trick recipients into believing they have a connection with the sender. The goal is the same as it is with email phishing: to get the recipient to click on the fake URL and provide personal information.

3. Whaling

With whaling attacks, hackers “harpoon” the biggest targets: top-level executives. They infiltrate company networks, follow up with a phone call routed through a trusted agency and send emails that appear to come from trusted partners of the organization. Once an executive’s email is compromised, the hackers obtain sensitive authentication information, conduct fraudulent wire transfers and publish tax and benefit information of employees on the dark web.

4. Vishing

Hackers launch vishing attacks on the phone instead of through emails. The hacker uses VoIP (Voice over Internet Protocol) servers to deliver mostly automated messages that resemble an Interactive Voice Response System (IVRS). That’s an automated phone system that uses pre-recorded messages to interact with callers and route them to the right person. Like fraudulent emails, these phone messages are designed so they appear to come from legitimate entities such as banks, insurance companies or government institutions. During the call, recipients are informed of an urgent action they need to take, such as renewing their insurance, after which their personal information such as credit card details and other personal credentials are solicited, obtained and used to steal data and/or funds.

5. Smishing

Smishing is SMS phishing — attacks made via SMS text messages that appear to come from legitimate sources and contain malicious links, often disguised as offers or discounts.

6. Social media phishing

Social media phishing is a type of attack in which hackers exploit users on social media by impersonating trusted brands and creating fake accounts or luring victims to share personal and sensitive information on social media. The hackers track users’ preferences and choices and then invite them to click on malicious links.

7. Quishing

Quishing is a newer type of phishing attack that uses QR codes to trick victims into visiting fraudulent websites or downloading malware.

How phishing scams target financial information

It is extremely important to protect yourself from these types of scams, and others, because thieves can use the information they obtain from you to take out loans, obtain credit cards and even get driver’s licenses in your name. They can do significant damage to your financial history and even your personal reputation. It can take years to undo some of the damage these scams can inflict on individuals and businesses.

In financial services, hackers’ communications might mimic regulatory agencies, executives within an organization or key clients.

Here is an example of a real-world phishing scam. An email from a credit card provider arrives, telling recipients their bank account has been compromised and will be deactivated unless they confirm their credit card details. The link in the phishing email takes the victim to a fake bank website that looks like the actual bank’s site, and the hackers use the stolen credit card information to commit further crimes.

How to recognize a phishing scam

If you know what to look for, you can spot some phishing scams fairly easily. Here are some red flags to look for; they can help you spot, and avoid, a scam.

  • Suspicious sender: Delete messages you receive from unfamiliar email addresses and those that contain misspelled domain names and other misspelled words.
  • Urgent or threatening language: Be very suspicious of any messages that warn you that if you don’t act quickly, your account will be suspended.
  • Suspicious domain names, links or attachments: The domain name on the email you receive should match the name of the organization the email claims to come from. For example, if an email looks like it’s from Bank of America, but the link provided is a jumble of letters and numbers instead of from https://www.bankofamerica.com/, it is not from Bank of America. Hover over links to see if they lead to legitimate websites.
  • Grammatical errors or inconsistencies: Poor language quality often signals a scam.
  • Generic greetings: If a message is not addressed to your name, with the correct spelling, but is addressed to a generic noun like “customer,” “account holder” or “Dear,” it’s likely that the message is part of a mass phishing attempt, not a personal message from a legitimate sender.

How to avoid falling for a phishing scam

  • Avoid opening unsolicited emails or messages from suspicious sources, don’t respond to them and don’t open any links or attachments in them if you do open the messages. Always verify the source before interacting.
  • Double-check website URLs; ensure that websites have a secure connection (https://).
  • Use multifactor authentication (MFA) to add an extra layer of security to your financial accounts.
  • Educate your family members: Discuss phishing risks with your loved ones to ensure everyone knows what to look out for and how to avoid suspicious activity. If you run a business, educate all employees in your organization about how to avoid scams.
  • Avoid phone calls from unknown numbers, and never give out personal information over a call.
  • Do not respond to texts from suspicious numbers, such as those that begin with a two-digit country code.
  • Avoid posting sensitive information on social media.
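The link checks described in the two lists above (does the link’s domain match the organization, is the connection https, does the visible link text agree with where the link really goes), as an added Python example that is not from the original article. The sample email body and the bankofamerica.com expectation are constructed inputs, and treating the last two labels of a hostname as its domain is a simplifying assumption.

```python
"""Flag suspicious links in an email body, following the red flags above."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body in the style of a phishing lure.
SAMPLE_EMAIL_HTML = """
<p>Dear customer,</p>
<p>Your account will be suspended in 24 hours unless you
<a href="http://bankofamerica.com.secure-login.example.net/verify">confirm your details</a>.</p>
<p>Or visit <a href="https://www.bankofamerica.com/">www.bankofamerica.com</a> to log in.</p>
"""

class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a host, e.g. 'bankofamerica.com' (assumption: no multi-part TLDs)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_links(html, expected_domain):
    """Return [(href, [reasons])] for each link that fails a red-flag check."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons, parsed = [], urlparse(href)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            reasons.append("not https")
        if registrable_domain(host) != expected_domain:
            reasons.append("domain %s is not %s" % (registrable_domain(host), expected_domain))
        # Visible text that looks like a URL but whose href points somewhere else.
        m = re.search(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            reasons.append("text shows %s but link goes to %s" % (m.group(1), host))
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `check_links(SAMPLE_EMAIL_HTML, "bankofamerica.com")` flags only the first link: it is plain http and its real domain is example.net, even though the hostname starts with the bank’s name.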

________

We want to help you protect your identity, information, data, assets and reputation. We are happy to help you enhance your cybersecurity so you can obtain an optimum level of security for your financial accounts. It’s worth a little bit of time and effort up front if we can help you avoid a damaging scam. As the old saying goes, “An ounce of prevention is worth a pound of cure.”