Every day, email inboxes fill up with annoying, unwanted messages. However, some of these junk messages are malicious phishing attacks. By using phishing emails, texts, or social media posts that lead to phishing sites, fraudsters attempt to deceive you into revealing your personal and sensitive information – bank account numbers, credit card info, Social Security number, or login IDs, usernames, and passwords. Once obtained, they use your credentials to steal your money, your identity, or both.
What does a phishing attack look like?
You get a legitimate-looking email with the subject line: “Your Amazon order confirmation.” This message is often referred to as a ‘lure,’ because it is disguised to trick you into taking the bait. Whether you recently ordered something from Amazon or not, you open the email. Inside, the message encourages you to follow a link entitled Your Account, but you aren’t paying attention when the link opens automatically in your browser.
Other phishing attacks target businesses. For example, an employee may receive phishing emails from imposters posing as a C-level executive within their organization. If an employee follows the email’s instructions, the phishers could gain illegal access to the company’s data. This is especially easy if an employee provides their login credentials. After tricking an employee into giving their login and password, the cybercriminals then have free rein over the company’s systems. Phishers could also pose as a bank or another financial institution that the company doesn’t hold accounts with. In this case, an employee who falls for a scam sends money directly to the phishers.
In a nutshell, phishing starts with fraudulent communication via email, text messages, or social media. A message appears to be from a trusted source like your bank, an e-commerce site, the IRS, Dropbox, your local public library, FedEx, or any number of others, but it isn’t.
Is phishing illegal?
Yes. In the United States, every U.S. state has its own laws that cover hacking, unauthorized access and computer trespass, along with viruses and malware. In the European Union, there are several EU laws governing cybercrime, including phishing. In Australia, the Australian Communications and Media Authority (ACMA) enforces laws regarding cybercrime.
Famous Phishing Attacks
Over the years, there have been several successful, high-profile phishing attacks. Here are a few:
- In the United States, a phishing scam during the 2017 tax season compromised the credentials of over 120,000 employees at over 100 companies.
- Within a three-month period in early 2017, businesses in Qatar received tens of thousands of phishing attacks. These attacks distributed malicious emails and text messages to businesses. The attacks compromised data and secure information at these companies.
- A February 2017 phishing attack compromised Chipotle, a U.S. restaurant. The attack, which originated in Eastern Europe, sent malware-infected emails to Chipotle staff. Eventually, the cybercriminals used the malware to hack the POS system and steal millions of credit card numbers.
- In May 2017, a phishing attack targeted Google Docs users. Around the world, workers received bogus emails inviting them to edit documents on Google Docs. The people who followed the links gave the hackers access to their Gmail accounts.
What are the different types of phishing?
Below are a few common types of phishing scams:
- Spear Phishing — Some phishing attacks are random. In contrast, more sophisticated phishers do their homework, then specifically target certain groups, organizations, or people. For example, your company might get a message that appears to be from a contractor or supplier. Or an attachment could appear to come from someone within your organization who requests an employee’s company credentials. After stealing credentials, criminals can wreak all sorts of havoc once inside your system.
- CEO Fraud — This phishing scam targets employees within an organization by impersonating the company’s CEO. The message may ask the recipient to send a certain amount of the company’s money to pay for a contracted service or purchased products. Quite often, the messages are urgent in nature. However, if a person follows through on the urgent request, the money goes directly to the scammer.
- Social Media Phishing — Instead of using email or texts, these phishing scams use Facebook, Twitter, or other social media platforms. Phishers use this type of phishing to build trust with their targets before the attack happens. The messages might make offers for goods or services, or promise rewards, like gift cards. At the same time, unsuspecting victims may spread the attacks by sharing the offers with their entire social media network.
- Mobile Phone Phishing — Phishers send messages via text messages or instant messaging platforms. The goal could be similar to any of the above types of phishing. This includes deceiving people into giving away sensitive information that lets the phishers access financial accounts or steal identities.
What is the purpose of a phishing attack?
As stated above, phishing is a type of electronic fraud that uses emails, text messages, and/or fake websites to trick you into giving away your sensitive information or downloading attachments containing malware. The purpose is to commit fraud or open your business and your customers up to attacks.
How to identify a phishing attack
There are a few ways to identify a phishing attack. First of all, since false urgency is one of the phisher’s main tools, messages that sound extremely urgent could be phishing messages. Urgent messages about your bank account, credit card, a friend who needs money, or a package you ordered are common phishing lures.
In the case of business-focused phishing attacks, legitimate-sounding requests for money or requests to verify credentials via email are common. And of course, you should automatically be suspicious of any message that asks you to download a file, especially within your company’s computer system.
What are some examples of email phishing?
To educate computer users, UC Berkeley has collected phishing emails. Below are a few of these examples:
- Tax season messages — During tax season, scammers send messages regarding tax issues. A common tactic is providing a fake link for accessing your W-2s or other tax forms. Another tactic is requesting a copy of your W-2 form (or payment summary). However, by sending your tax form to a fraudster, you give them all the information they need to steal your identity.
- Google Doc/Dropbox/file-sharing notification — The subject line might say something like, “John Doe has shared a Google Doc with you.” Within the body of the message is a fake link to the document or file. However, the link doesn’t take you to a file on Google Docs, Dropbox, or some other platform. On the contrary, it might link to a malware download.
- FedEx/UPS/USPS shipping notification — Using a fake notification about a package, this message might say something like, “We could not deliver your item. Review and print your order’s complete shipping details.” The message may provide a link or have an attached file for download, neither of which is genuine.
- Bank account or credit card concerns — The fraudulent message tells the recipient that there’s an issue with their bank account or credit card account. You may be informed of irregular activity or suspicious charges. Or the message may simply request verification of your account details. You could be directed to a fake website and asked to enter your credentials. On the other hand, the message might also have a malicious attachment.
What is a phishing email and how can one be recognized?
A phishing email is the bait that fraudsters use to deceive you and your employees. Usually, these emails spoof well-known brands with a strong online presence (Amazon, eBay, etc.). These messages often link to an impostor website where the victim inputs their sensitive information. Or they may have malicious attachments. Recognizing a phishing email is the first step to avoid being duped. CNET offers the following tips:
- The email address may be nonsense or have an incorrect format. In an Amazon spoof email, the address might be something like tEge3234@amazon.org or something equally nonsensical.
- Unlike legitimate companies, phishers ask you to send sensitive info via email or give links to a website for verifying your credentials.
- The hyperlinks in the message direct you to a site other than the one shown. For example, an Amazon phishing message may lead to a misspelled address like Amazone.com. Or it could lead to a completely different site altogether. Always hover your mouse cursor over a link to see where it actually leads.
- Many phishing emails have grammatical and spelling errors.
- Phishing emails frequently have an urgent tone.
How can phishing be prevented?
Preventing phishing is simple for your company. The IRS advises you not to reply to such messages, open their attachments, or click on any links they contain. Yet as simple as this sounds, there are other steps to take.
Before your people can be told not to follow certain links or download certain attachments, they must first learn about phishing. One of the most effective measures is education. All of your employees should be trained to recognize and prevent phishing attacks. Your people should also learn what to do if they receive a phishing message.
Another very important prevention step is having effective cybersecurity in place. For example, using malware protection helps reduce damage to your company and your customers in the event that an employee is tricked by a phisher.
Where do I report phishing?
There are several avenues for reporting phishing messages. In all of these cases, be sure to include the impersonated organization or company and the full email header:
- Within your company, report the suspected phishing message to your IT department. If there is no dedicated IT manager or department, report the message to a manager.
- Report phishing emails to the Anti-Phishing Working Group (email: firstname.lastname@example.org), which uses reported messages to fight phishing.
- In the U.S., report the message to the Federal Trade Commission at FTC.gov/complaint or forward suspicious emails directly to the dedicated FTC mailbox (email: email@example.com). Identity theft can also be reported to FTC/Identity Theft.
- In Australia, report incidents of identity theft to local police, or through ACORN (Australian Cybercrime Online Reporting Network) or report scam emails to Scamwatch.
Preventing yourself and your company from being victimized by phishing attacks begins with awareness. Everyone in your organization should learn how to recognize, report, and prevent phishing messages.
To protect your brand and clients, FraudWatch International’s monitoring service uses proprietary anti-phishing software. Our tools look for phishing activity on the internet and take down these sites. In fact, we have some of the fastest takedown rates and a 100% success record.
Our industry-leading takedown times mean less risk to your business, less exposure for your customers, and less risk to intellectual property. Learn more about our anti-phishing services today.