While some hackers use stealth methods like infecting your computer with malware to steal your most valuable info, others simply ask for it up front. This practice is called “phishing” and it’s one of the most effective methods for duping unsuspecting victims.
Phishing is a type of cybercrime that enables hackers to pose as authority figures, customer service representatives, or other trusted sources, in order to steal your most valuable personal information.
Phishing attacks usually occur over email, but can also take place via text message or even phone calls. So how can you know what’s really legit and what’s a scam?
Here’s our complete guide to recognizing phishing attacks, how to defend against them, and what to do if you’ve been targeted by a cyber criminal.
How Do Phishing Attacks Work?
The basic premise of phishing, while it can take many different forms, is that a criminal will try to trick you into willingly handing over personal information like credit card numbers, passwords, account numbers, and more.
It might look like this:
Imagine you get an urgent email from your credit card company. There seems to be a problem with your account, and it has been locked for security.
The email may prompt you to click through to a login page where you can confirm your identity and unlock your card or account.
You might complete this entire process without even realizing that the email and login page are fraudulent, and that you’ve been targeted by a phishing attack.
Some common examples of phishing emails include prompts to:
- Unlock your credit card or bank account
- Update your official contact information
- Restart your account or membership
- Confirm receipt of a package delivery
- Claim a refund or payment
- Send your or someone else’s W2
- Facilitate a wire transfer
These emails could look like they’re from anyone, from your Internet provider to the United States Government, and even your boss at work.
Often, the requests in these messages are urgent (your credit card account is locked) or highly enticing (claim your refund).
Phishing attacks are usually carried out in bulk using “phishing kits,” or clones of legitimate-looking emails or websites. For example, a criminal might clone a popular bank login page and modify the code to send him or her your credentials after you enter them.
In rarer cases, however, individuals might be targeted by custom-made phishing attacks. This is called “spear phishing,” and will usually consist of personalized emails that include information about you or people you know. For example, you might get an urgent email that looks to be from your boss, asking you to send over the W2s of everyone in your department.
“Whale phishing” is a particularly personal and sophisticated phishing attack aimed at a high-value target, like the CEO of a major company.
How To Spot And Prevent Phishing Attacks In 2019
Phishing attacks can be really scary, precisely because they can target anyone and they’re designed to perfectly mimic legitimate day-to-day transactions.
You don’t need to access shady websites or share files over torrent sites to get hit with a phishing attack. You could easily find a fraudulent email in your inbox tomorrow that looks like it’s from Amazon, Netflix, or your bank urging immediate action.
That said, phishing attacks aren’t that difficult to spot and prevent, if you know what to look for.
Here are a few tips to keep you safe when going through your email and other messages.
1. Be Wary Of ‘Too Good To Be True’ Offers
Develop a healthy skepticism of messages you receive in your inbox, especially if you don’t personally know the sender or aren’t expecting the message ahead of time.
Bank error in your favor? Huge refund waiting for you on Amazon? IRS wants to send you free money?
These are big-time red flags that you should examine more closely.
Beware, as well, of highly urgent messages that seem to require immediate action without much context.
2. Check URLs And Email Addresses Carefully
So, you got an email from Amazon asking you to claim your refund for a mistaken charge. It seems too good to be true, but what should you do about it?
Look carefully at the email address of the sender. Does it look right to you?
If someone claiming to be a representative from Amazon reaches out via email, their email address should look like “firstname.lastname@example.org,” or include a variation or subdomain (like support.amazon.com, for example).
If the email is from a domain with a subtle misspelling (like Amazonn.com) or has been forwarded through an unrecognizable or gibberish domain, that’s a good sign you’re dealing with a phishing email.
Make sure to hover your cursor over any links in the email before clicking, which should reveal the target URL of the link. These should be recognizable and applicable to the sender, as well.
Don’t visit websites with unrecognizable URLs and don’t respond to emails that have been forwarded through gibberish domains.
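The sender and link checks described in this tip can also be automated. The following is an added example, not part of the original article: it classifies the sender domain and every link target in a message as trusted, lookalike, or unknown. The trusted list, the 0.85 similarity threshold, the function names, and the sample message are all assumptions made for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"amazon.com"}  # assumption: domains the reader really does business with

class _Links(HTMLParser):
    """Collects the href of every <a> tag: the target a hover would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def registrable(host):
    # Simplification: last two labels. Real tooling should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"    # the domain itself or a true subdomain (support.amazon.com)
    base = registrable(host)
    if any(SequenceMatcher(None, base, t).ratio() >= 0.85 for t in trusted):
        return "lookalike"  # near-miss spelling such as amazonn.com
    return "unknown"        # includes a trusted name used only as a prefix label

def check_message(from_header, html_body, trusted=TRUSTED):
    """Return (kind, host, verdict) for the sender and each link that is not trusted."""
    parser = _Links()
    parser.feed(html_body)
    hosts = [("sender", parseaddr(from_header)[1].rpartition("@")[2].lower())]
    hosts += [("link", urlsplit(h).hostname) for h in parser.hrefs if urlsplit(h).hostname]
    return [(kind, host, classify(host, trusted))
            for kind, host in hosts if classify(host, trusted) != "trusted"]

# Constructed sample message (not real traffic)
SAMPLE_FROM = '"Amazon Refunds" <refunds@amazonn.com>'
SAMPLE_HTML = ('<a href="https://support.amazon.com/help">Help</a> '
               '<a href="http://amazon.com.account-verify.example/login">Claim refund</a>')

if __name__ == "__main__":
    for finding in check_message(SAMPLE_FROM, SAMPLE_HTML):
        print(finding)
```

Note that the second link is flagged even though it begins with "amazon.com": only the end of the hostname determines who controls it.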
3. Confirm Authenticity Before Giving Out Critical Information
It’s rare that a legitimate customer service provider will ask you for your full account number, full credit card number, or other complete pieces of personal information. Most often, they’ll use partial information (last 4 digits of account number or your street address) to verify your identity.
However, in some cases, you may truly need to give more information.
If the interaction seems suspicious in any way, try to confirm the authenticity of the request in any way possible.
One good strategy is to call the legitimate customer service phone number listed on a company’s website and speak with someone there, or find other official modes of contact that are completely separate from the email message in question.
4. Use A Reputable Email Provider
Most good email providers in 2019 will provide some level of protection against phishing attacks and other spam emails.
Outlook and Gmail, for example, have access to tons of data on reported scams and malicious messages. They’re often better able to filter out harmful emails before you even see them than some smaller providers.
Whoever you choose to run your email account, be sure to investigate their spam settings and, if necessary, ask customer support if they have recommendations to protect against phishing.
5. Be Leery Of Charity Efforts Surrounding Major World Events
When a natural disaster or terrorist attack strikes, scammers will often form fraudulent charities in hopes of capitalizing on the sympathy of do-gooders.
Always practice safe email behavior, but keep your guard especially high during periods of heavy fundraising activity and don’t give out your credit card number unless you’re 100% sure the cause is legitimate.
If you’d like to contribute to a political or humanitarian cause, seek out a trusted organization directly to make your donation.
6. Install An Antivirus With Phishing Protection
The best antivirus programs include extra features to help keep you safe from phishing scams.
They’ll be able to supplement the protection you get from your email provider and better filter out spam by accessing their large library of reported phishing cases and other attacks.
7. Report Potential Phishing Attacks
Be a good citizen and let your bank, Internet provider, or other company know if attackers are conducting attacks under their names.
They may be able to take security measures like sending out warnings or adjusting the design of their login pages to help keep more people safe.
Conclusion – To Stay Safe, Stay Skeptical
Phishing attacks are relatively easy to avoid if you’re educated about how they work.
Unlike computer worm attacks or brute force malware attacks, phishing relies on you letting your guard down and handing over your information.
The easiest way to stay safe is to never give sensitive or important information to anyone online unless you’re 100% positive they represent a trusted source.
It’s easier said than done, of course, with modern phishers perfectly replicating checkout pages, login pages, and other important web portals.
But if you take a keen eye toward inspecting email addresses and URLs before you engage, you’ll usually be able to spot an attack before it claims you as a victim.