Phishing Explained: what you need to know to protect your data
From small frauds to corporate data breaches, phishing is rising. Here's how you can protect yourself from scammers.
Phishing is a type of cybercrime in which a cybercriminal impersonates a person, company, or government agency to attract and deceive someone. The name comes from the English “fishing”: the purpose of phishing is to "fish" for the victim so that they hand over data and personal information. The vast majority of phishing scams occur via malicious emails; this is how criminals, also called phishers, attack most often. But they also use fake text messages, phone calls, social media, and websites.
Why is phishing so common?
Phishing is one of the main threats and one of the attacks most used by criminals these days. According to the FBI, phishing is the most committed cyber scam in the world, affecting thousands of people and businesses every day. There is a simple explanation: it's a lot easier to persuade someone with a fake email, for example, than to break into a computer. In recent years, we've witnessed a massive increase in the number of complaints involving phishing. The estimated value in terms of financial losses amounts to almost USD 58 million (Crazy, huh?!).
How the phishing attack works
Phishing attacks do not focus on vulnerabilities in machines, systems, or software. The focus of phishing scams is human vulnerability. This is what we call the human factor. In other words, the hacker launches the scam and expects the victim to take the bait.
In email phishing attacks, victims often receive a message with an urgent request, which may contain malicious links and attachments. Another characteristic of phishing scams is that these emails always appear to be sent by people or companies that are trustworthy, such as your bank manager, universities, or giant tech companies such as Apple, Microsoft, Netflix, and so on. Everyone has at least once in their life received a suspicious email that tried to persuade them to click a link, download a file, fill out a form, or provide their credit card information. That's what phishing scams are all about.
Phishing with malicious links
When a phishing email carries a malicious URL or link, the message will ask the person to click on the link and, for example, update their payment information. What the victim doesn't know is that the link will direct them to a fake page that looks a lot like the official website, except for small details that might go unnoticed when someone is worried about a certain payment or any other alarming update regarding their personal accounts. By entering the data, the victim ends up sending their information to the cybercriminal.
Phishing with malicious attachments
If a phishing email contains a malicious attachment, the main risk is clicking on the file and being infected with malware such as a trojan, virus, spyware, or ransomware. The big problem with malware is that it can jeopardise important information and even cause irreparable damage. In the case of ransomware, for example, data and systems are hijacked and blocked, which can paralyse the operation of an entire company. To release them, criminals demand payment of a ransom. As an example of how not only individuals but large enterprises as well are affected, ransomware hit Renner, Brazil’s largest clothing department store chain. A ransomware gang claimed the attack, carried out by gaining access via a major Brazilian IT and digital services provider.
What are the most common types of phishing attacks?
Vishing: scams that happen via phone or voice.
Smishing: attacks that occur via text messages or SMS.
Pharming: scams that occur when malicious code is installed to redirect you to fake websites.
What is the relationship between social engineering, spoofing and phishing?
As we are talking about persuasion and lying, one of the main techniques used in phishing scams is social engineering. Social engineering includes manipulation methods to gain access to confidential information that will later be used for fraudulent purposes. Basically, in information security, social engineering is the act of persuading and manipulating people after extensive research on them.
Spoofing is about creating spoofed email and website addresses. When spoofing, the phisher is trying to impersonate a legitimate address. Again, minor details, such as an extra letter, might go unnoticed, especially when logos and visual identities are easy to copy. Be attentive to the URLs and to anything that might look slightly different or suspicious.
Features of phishing scams
Over time, phishing scams have evolved considerably, making them more difficult to detect. However, the vast majority of phishing attacks share a few common characteristics that might help you to spot them:
1. Urgent matters that require a quick (virtual) response
Sense of urgency is one of the main characteristics of phishing. It also explains why even people who understand the risks might take the bait. Stay alert with subject lines offering fantastic deals or urgent security alerts. Recently, a very convincing PayPal scam suggested a lack of response would result in huge financial penalties.
2. Incredible products and promises
Product messages and miraculous promises are a huge part of this kind of scam. From fast weight loss to uncomplicated financial solutions that seem to be the solution to your problems, pay attention to anything that looks too good to be true - it usually is.
3. Suspicious senders and similar email addresses
Carefully checking the sender of your emails is a good way to spot a phishing attack. Phishers often use email addresses that look almost like the legitimate ones, differing only by an added or transposed letter.
4. Spelling and grammar errors
One of the main signs of phishing is grammar and spelling errors in the email. Remember that this would hardly happen if the email were actually coming from the person or company the phisher is attempting to sound like.
5. Suspicious links
Phishers use a lot of malicious links. Always carefully review links and, if you accidentally clicked on a link, review the website address as well. If you're still not sure: close the page and check the authenticity of this email.
6. Suspicious attachments
Attachments are very dangerous because they can carry malware and other threats such as ransomware, trojans and spyware. So don't interact with attachments you weren't expecting; they might cause serious and irreparable damage.
7. Request for Confidential Information
Regardless of the sender, be suspicious of any message requesting confidential information, such as credit card details or the contact list of company employees.
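The three indicators above that can be checked mechanically (a lookalike sender domain, a link whose visible text names one site while its href points to another, and urgency language) are easy to turn into a small mail-filter rule. The following is an added example written for this article, not code from the original post or from any product; the trusted-domain list, the urgency terms and the sample message are constructed for the demonstration, and the "registrable domain" logic is a deliberate simplification (last two labels, no public suffix list).

```python
import re
from urllib.parse import urlparse

# Constructed for this example: domains we expect legitimate mail from.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "netflix.com"}

# Constructed list of phrases that create a false sense of urgency.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "account suspended", "penalty")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


def levenshtein(a, b):
    """Edit distance: one added, removed or substituted letter counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the domain part of a From: header such as 'Name <user@host>'."""
    return from_header.rsplit("@", 1)[-1].strip("> ").lower()


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain this one imitates (close but not equal), else None."""
    if domain in trusted:
        return None
    for t in trusted:
        if levenshtein(domain, t) <= max_distance:
            return t
    return None


def registrable(host):
    """Simplified registrable domain: the last two labels (assumption, no suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def mismatched_links(html):
    """Links whose visible text shows one domain while the href leads to another."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        real = registrable(urlparse(href).hostname or "")
        m = HOST_IN_TEXT_RE.search(text)
        if m:
            shown = registrable(m.group(1))
            if shown != real:
                findings.append((shown, real))
    return findings


def scan_email(from_header, subject, body_html):
    """Return a list of human-readable phishing indicators found in the message."""
    indicators = []
    dom = sender_domain(from_header)
    target = lookalike_domain(dom)
    if target:
        indicators.append(f"sender domain {dom} resembles {target}")
    for shown, real in mismatched_links(body_html):
        indicators.append(f"link text shows {shown} but points to {real}")
    plain = (subject + " " + re.sub(r"<[^>]+>", " ", body_html)).lower()
    hits = [t for t in URGENCY_TERMS if t in plain]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))
    return indicators


# Constructed sample message (not a real email) exhibiting all three indicators.
SAMPLE_FROM = "PayPal Security <service@paypa1.com>"
SAMPLE_SUBJECT = "URGENT: account suspended - respond within 24 hours"
SAMPLE_BODY = (
    '<p>Please update your payment details at '
    '<a href="http://paypal.com.verify-login.example/update">https://www.paypal.com/update</a> '
    'to avoid a penalty.</p>'
)


def scan_sample():
    return scan_email(SAMPLE_FROM, SAMPLE_SUBJECT, SAMPLE_BODY)


if __name__ == "__main__":
    for indicator in scan_sample():
        print("-", indicator)
```

A rule like this is a triage aid, not a verdict: the edit-distance threshold will also match short legitimate domains that happen to be two letters apart, and the visible-text check only fires when the anchor text itself looks like an address, so a "click here" link pointing at an unrelated host still needs a human to hover over it.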
How to protect yourself from phishing
Prevention tips for users
As a regular user, you need to read messages and emails carefully and be suspicious of any unusual requests. Also, never click on links or open attachments without being sure of their source and authenticity. If you're not sure, try to contact the person or company by a different means, such as a phone call, the official app, or any other official channel.
Prevention tips for companies
For companies, building a successful cybersecurity strategy starts with addressing it properly, as part of the company culture. Invest in educating your team to recognise different types of threats, including phishing.
Moreover, relying on top-notch technology to keep your business (and your data) protected is an effective preventive measure.