It’s the 21st century’s most common way of scamming and defrauding people. Phishing poses a threat to your security, data and finances. The Xpress Money tech team tells you what it is, and what you can do to stay safe.
So what is phishing?
Phishing is a broad term. Basically, it refers to any form of fraud in which an attacker tries to learn your information – such as login details or account information – by posing as a reputable person or entity.
Phishing used to be restricted to email, but isn’t anymore. It can be used on any communication and social media channel.
The term was coined around 1996, and is a play on the word “fishing.” Just as anglers use baits to attract fish, phishers use emails to lure people into responding with their information.1
Why is phishing so powerful?
Phishing is a very effective technique because it relies on social engineering, and not brute force. It doesn’t attack technology, but instead gets people to respond. Users reply to messages that seem legitimate, and give away their details.
The other reason that makes phishing so dangerous is that it’s used in chains that build up to cause devastating accounts. For instance, phishing can be used to gain access to an email account in a government office. Hackers can then use that official account to send emails carrying malware to other government departments. This malware can be used to steal data or install ransomware, and cause widespread damage. Some of the recent data leaks from the US government came from attacks that gained access through phishing before installing malware.
How many types of phishing are there?
Phishing comes in many flavours. As users and IT security experts get wise to attacks, hackers adapt their methods to keep targeting users. The most common types of phishing are:
Deceptive phishing: The most commonly employed, deceptive phishing is when fraudsters pretend to be a legitimate company to steal people’s credentials and login details. They send out urgent emails, asking people to log into a fake page to pay outstanding bills, or secure their accounts, for instance.
Spear phishing: This is a more targeted and deadly type of deceptive phishing. Rather than sending out mass emails, spear phishers research their target and personalise their emails with the right designations and details to make the message appear more convincing.
Whaling2: CEOs are time-poor, but their email accounts are very valuable. The logic behind “whaling” attacks is to spear these big fish. Whaling works well because CEOs are often too busy to closely look at messages for signs of fraud, and often don’t participate in phishing awareness training with their employees.
Search Engine Phishing: A very dangerous form of phishing where hackers create legitimate-looking websites for goods and services, and get them listed on search engines such as Google. Users have no reason to suspect anything, and get lured into entering their details.3
How to avoid phishing
Remember that phishing is a social attack. Defeating phishing attempts requires educating users, and less on installing firewalls and technological safety mechanisms. The easiest ways to combat phishing are:
Regular training: Give all employees in your organisation regular training on the newest form of phishing techniques. Phishing is getting more and more sophisticated, and some of the fake emails and websites look very real.
Constant vigilance: Really, this is the only effective way to handle phishing. We must all stay vigilant all the time. If an unlikely email drops into your inbox, scrutinise it carefully for legitimacy. Look for the smallest signs that things aren’t what they seem. No matter how realistic fake webpages (such as login pages for banks, Dropbox or Facebook) look, their URLs will be different. Keep an eye out for these details.
Keep your technology up to date: Ensure you’re always running the latest versions of operating systems and browsers. While they won’t protect you against the most sophisticated phishing attacks (only vigilance will), browsers are becoming good at pointing out dangerous websites and links that appear fake.
So now that you know how scammers are after you, stay alert and keep your eyes open. Happy emailing!