What are Phishing Scams and How Can You Identify Them?
The COVID-19 pandemic has seen countless businesses and organizations around the world transition unexpectedly to remote, online working. With more and more employees accessing organizational email accounts from home, there has been a surge in phishing scams, as cyber scammers hope to take advantage of increasing fear and confusion.
Since many professionals aren’t exactly sure what a phishing scam is or how to identify one, we’ve decided to create a foolproof guide to help you and your team understand what phishing scams are and what you can do to prevent being duped by malicious actors online. Read on for everything you need to know to stay informed and vigilant.
What is a Phishing Scam?
Phishing scams are a type of cyber-attack deployed by online scammers that attempt to exploit email, text message, phone, or social media communications. Scammers hope to dupe users into handing over sensitive information like account numbers or login credentials to allow for unauthorized access and theft. Sometimes, these communications will also include malicious links or downloadable files that will install viruses on user devices.
Why Is It Called Phishing?
These attacks are called phishing scams because the scammers are mostly trying to “fish” for unsuspecting victims. Coined in the 1990s, the term phishing indicates that scammers will send out fraudulent communications, hoping that unassuming tech users will consider the communications legitimate and “take the bait.”
What Does a Phishing Scam Look Like?
Every phishing scam starts with a request or an offer. Phishing scams sent to individuals may look like a legitimate communication from a familiar corporation or organization and often request money or login credentials. Phishing scams become especially tricky in the business world because scammers will send communications that look like important messages from internal HR, management, or IT departments.
In both cases, users often fall prey because they think they are responding to a legitimate communication or request. Data can be stolen in a variety of ways, including through malicious links or downloadable viruses.
How prevalent is Phishing?
Unfortunately, phishing is one of the most common cyber scams that exist. Accenture reports that 60% of Americans say they or a family member has been a victim of a phishing attack. Further, the number of phishing attacks has increased by 65% in the last year alone. Even worse? With the COVID-19 pandemic causing increased traffic online, phishing scams will likely increase exponentially during these uncertain times.
Is Phishing Illegal?
In America, phishing scams are a federal offense under fraud provisions. Nearly half of the states have implemented laws specifically against phishing attacks. Scammers who are caught deploying phishing scams can be sentenced to jail time and fined as high as $10,000 per convicted offense.
Types of Phishing Scams
One of the hardest parts of understanding phishing is that there are countless different types of phishing scams. Below, we have included a brief description of the main types of phishing scams to help you and your team identify them more easily.
Spear phishing scams are attacks that target a specific group or individual. Scammers spend vast amounts of time researching their target to learn as much information as possible. Once they’ve gathered this information, they launch very personalized attacks making it more difficult for users to see through the scam.
In pharming phishing scams, victims are not required to click a link to be exploited. Instead, these types of scams will automatically redirect users to a phony website to steal their personal information, or they will automatically install a virus on the user’s computer.
Smishing refers to phishing scams that are deployed through text messages instead of email. Smishing attacks rarely result in direct virus downloads. They commonly dupe victims into visiting a website where they’re then prompted to download malicious applications or content.
Vishing includes phishing scams that are deployed via telephone. Vishing scammers often use fake caller ID information to appear like they are calling from a legitimate business or organization. Vishing scams aim to convince unsuspecting victims to give out personal financial information.
Session hijacking phishing scams occur when a malicious actor uses stolen credentials to impersonate a legitimate tech user. When a user logs in, a security token is issued to the user, and a session is created. Within that session, the user can perform essential functions like transferring funds or making online purchases. When the user is finished and logs out, their session is ended. However, session hijackers will steal the token that was created and gain unauthorized access, allowing them to steal user data and funds.
Whaling phishing scams are also known as business email compromise (BEC) attacks. These are spear-phishing attacks that target high-profile professionals like CEOs or CFOs. Whaling scammers usually send communication that expresses a sense of pressure, urging the victim to wire funds or share login credentials quickly to avoid some phony disaster or problem.
Cloning phishing scams are attacks that duplicate a legitimate email from a trusted sender. Scammers alter the original email slightly to include a malicious link or file that is designed to steal sensitive information.
Domain-spoofing phishing scams are attacks that try to duplicate a legitimate website or organization by only slightly changing certain aspects of the URL. For instance, they may add one or two letters inconspicuously or make alterations like using two v’s instead of a w. Scammers do this because it makes it more difficult for victims to notice any difference and more likely for them to follow a link they think is legitimate.
How Can You Identify a Phishing Scam?
With so many different types of phishing scams to consider, you might be feeling overwhelmed and unsure as to how you can protect your organization from all of them. Worry not. Phishing scams have a set of identifiable characteristics that you can look out for to prevent being hacked or exploited. Check out the top identifiers below:
- The communication requests sensitive information – Keep in mind that legitimate businesses and organizations will never ask you for sensitive data – especially financial account details, login credentials, or social security numbers – via email. They will also never send you a link to log into a system outside their legitimate domain. Any email communication that does either of these things is a scam.
- The communication uses an unfamiliar domain – Make sure that any email communications you receive have legitimate domain names. For instance, legitimate emails from FedEx will come from @fedex.com. You can check the domain by looking at the ‘From’ field. If the domain looks off or like it has been altered in any way from the original, it’s a scam.
- The communication includes links that don’t match the domain – Emails from legitimate companies or organizations will only contain links to their legitimate sites. If you’re wondering whether a link is genuine, hover over it with your cursor and make sure it displays the legitimate website. Do not click on any links that you are unsure about, and don’t click any link that doesn’t begin with https://. Keep in mind that https:// only means the connection is encrypted; it does not by itself prove that the site behind the link is legitimate, so the domain check above still applies.
- The communication contains unsolicited attachments – Email communications from legitimate organizations will never send you unsolicited attachments – instead, they will direct you to a legitimate website where necessary documents can be downloaded securely.
- The communication is not personalized – Any organization that you are conducting legitimate business with will address your email communications with your name. Be suspicious of any communications that use generic greetings like “Dear Valued Member” or no greeting at all.
- The communication uses poor grammar and spelling – One of the easiest ways to spot a scam is to look for glaring spelling errors or poor grammar. Legitimate business emails will be spelled correctly and well-phrased, so be suspicious of any communications that aren’t.
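The identifiers in the list above, together with the domain-spoofing trick described earlier (swapping letters that look alike), can be turned into an automated first-pass check on incoming mail. The following Python script is an added example written for this article, not code from the original post or from any vendor. It assumes an expected sender domain (fedex.com, following the example above) and runs over two constructed sample messages, one legitimate and one suspicious. It goes slightly beyond the text by also folding common lookalike substitutions (vv for w, rn for m, 0 for o, 1 for l) and by treating domains within a small edit distance of the expected one as near-matches.

```python
"""Heuristic phishing-indicator checker (added example; all sample messages are constructed)."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear valued member", "dear customer", "dear user", "dear sir")
SENSITIVE_TERMS = ("password", "login credentials", "social security", "account number")
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
BARE_URL_RE = re.compile(r"https?://\S+")
# Visual substitutions used in lookalike domains (the article's "two v's instead of a w")
LOOKALIKES = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"))


def normalize_lookalikes(host: str) -> str:
    """Fold look-alike character pairs so 'www.fedex.corn' compares as 'www.fedex.com'."""
    for fake, real in LOOKALIKES:
        host = host.replace(fake, real)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch domains with one or two letters added or changed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_belongs_to(host: str, expected: str) -> bool:
    """True if host is the expected domain or a subdomain of it (suffix match on a label boundary)."""
    host, expected = host.lower(), expected.lower()
    return host == expected or host.endswith("." + expected)


def classify_host(host: str, expected: str) -> Optional[str]:
    """None when the host is trusted; otherwise a short label for the kind of mismatch."""
    if host_belongs_to(host, expected):
        return None
    if host_belongs_to(normalize_lookalikes(host), expected):
        return "lookalike domain"
    if edit_distance(host.lower(), expected.lower()) <= 2:
        return "near-match domain"
    return "unfamiliar domain"


def check_message(raw: bytes, expected_domain: str) -> List[str]:
    """Apply the article's identifiers to a raw message and return the findings (empty = none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[str] = []

    # 1. Sender domain must be the expected one (the 'From' field, not the display name).
    _, addr = parseaddr(str(msg["From"] or ""))
    sender_host = addr.rpartition("@")[2].lower()
    label = classify_host(sender_host, expected_domain)
    if label:
        findings.append(f"sender uses {label}: {sender_host}")

    text_part = msg.get_body(preferencelist=("plain",))
    html_part = msg.get_body(preferencelist=("html",))
    text = text_part.get_content() if text_part else ""
    html = html_part.get_content() if html_part else ""

    # 2. Every link must be https and point at the expected domain (hover-check, automated).
    urls = [u.rstrip(".,)") for u in HREF_RE.findall(html) + BARE_URL_RE.findall(text)]
    for url in dict.fromkeys(urls):  # de-duplicate, keep order
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"non-https link: {url}")
        label = classify_host(parsed.hostname or "", expected_domain)
        if label:
            findings.append(f"link to {label}: {parsed.hostname}")

    # 3. Unsolicited attachments.
    for part in msg.iter_attachments():
        findings.append(f"unsolicited attachment: {part.get_filename()}")

    # 4. Generic or missing greeting.
    opening = text.strip().lower()[:80]
    if not opening or opening.startswith(GENERIC_GREETINGS):
        findings.append("generic or missing greeting")

    # 5. Requests for sensitive information.
    if any(term in text.lower() for term in SENSITIVE_TERMS):
        findings.append("requests sensitive information")
    return findings


def build_legit_message() -> bytes:
    """Constructed sample: personalized, https link on the expected domain, no attachment."""
    msg = EmailMessage()
    msg["From"] = "FedEx Notifications <notifications@fedex.com>"
    msg["To"] = "alice@example.org"
    msg["Subject"] = "Your package is on its way"
    msg.set_content("Hi Alice,\nTrack your shipment at https://www.fedex.com/tracking\n")
    msg.add_alternative('<p>Hi Alice,</p><p><a href="https://www.fedex.com/tracking">Track</a></p>',
                        subtype="html")
    return msg.as_bytes()


def build_phishing_message() -> bytes:
    """Constructed sample showing every indicator from the article at once."""
    msg = EmailMessage()
    msg["From"] = "FedEx Support <support@fedex-secure.com>"
    msg["To"] = "alice@example.org"
    msg["Subject"] = "Account locked"
    msg.set_content("Dear Valued Member,\nYour account has been locked. Confirm your password "
                    "within 24 hours at http://fedex.com.account-verify.net/login\n")
    msg.add_alternative('<p>Dear Valued Member,</p><p><a href="http://fedex.com.account-verify.net/login">'
                        'Confirm now</a> or visit <a href="https://www.fedex.corn/help">help</a></p>',
                        subtype="html")
    msg.add_attachment(b"PK\x03\x04 constructed placeholder, not a real archive",
                       maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, builder in (("legit", build_legit_message), ("phishing", build_phishing_message)):
        print(name, check_message(builder(), "fedex.com"))
```

A clean result from this script is a triage signal, not a verdict: a compromised real mailbox on the expected domain passes the sender check, and https only encrypts the connection. Treat any finding as a reason to stop and verify through a known-good channel, exactly as the list above advises.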
Protecting Your Organization from Phishing Scams: Staying Informed and Vigilant
Phishing scams can cause real damage, and with more and more people working from home in these uncertain times, scammers are waiting to take advantage of increased network vulnerability. Use this guide as a first step to keep your team informed and vigilant. Create policies and procedures for data-sharing and email communications. Encourage your team members to speak up if they’re suspicious about a particular email, text message, or phone call. Stay up to date on new and emerging threats.
With your team working together, scammers will be easier to spot, making it easier to protect your data. When in doubt, don’t hesitate to reach out to a team of IT security specialists. IT professionals are working tirelessly to help keep individuals and businesses secure during this remote working transition. If you’re feeling in over your head, lean on professional consultation to help keep your business assets secure in any climate.