Phishing is a social engineering attack aimed at tricking you into revealing your personal information or spreading malware onto your device. It is used to steal passwords, take over accounts, and enter systems without authorization. It can occur through any channel: via telephone, email, a web page, or even in person.
The word phishing refers to the term fishing, as in “fishing for passwords,” and is possibly a portmanteau of phone and fishing. It’s also likely related to an early hacking term, phreaking, as phishing was already a common social engineering tactic even before the rise of the internet.
12 ways to prevent phishing attacks
Are phishing scams avoidable? They certainly are if you know how to identify and prevent them. Here are 12 effective ways to prevent phishing attacks.
1. Know what a phishing scam looks like
Knowing what a phishing scam looks like can prevent you from falling for one. They often imitate trusted organizations or promise you something for nothing.
- Phishing emails: “Account verification required” or “Password reset request”
- Advertisements: “You’re the lucky winner!”
- Typo-squatting: googel.com instead of google.com
- Search engines: “You searched for your bank, here is your ‘bank’” (sends you to a scam site that the attacker has had indexed by the search engine)
2. Report phishing emails
Were you able to spot a phishing email that just sneaked into your inbox? Kudos to you! Don’t forget to report it to your email service provider. This helps your email service provider to identify similar messages as spam in the future and keep them away from you as well as other users. If the phishing email is posing as a business that exists in real life, let the business know as well.
3. Think before you click
Be cautious about any links provided in emails, text messages and social media posts coming your way unexpectedly. Do you recognize the sender’s email address or phone number? Modern email services often don’t show the sender’s full email address, so it’s important to look at that full email address before replying. Does the URL of the website look legitimate to you? Think twice before you click or tap on a link.
4. Install an anti-phishing toolbar
An anti-phishing toolbar is a browser extension that helps to detect phishing scams. It warns you about malicious emails, suspicious links, and fraudulent websites as you browse. Anti-phishing toolbars can be free or paid and cater for personal or enterprise use.
5. Verify the target site’s SSL credentials
SSL stands for “Secure Sockets Layer” (its modern successor is TLS). A website with an SSL certificate, usually recognizable by an address starting with “https,” encrypts your data in transit between your browser and the site’s server. Websites that do not have an SSL certificate can leave your personal data exposed to anyone on the network path.
Checking whether a website is SSL-certified is just one way to see if it’s safe. A certificate proves that the connection is encrypted, not that the site is honest, and phishing sites can obtain certificates too. There are other ways to find out if a site is safe to use.
6. Use a password manager
A password manager stores your logins safely. Because it fills credentials only on the domain they were saved for, it will not offer your bank password on a look-alike site, and some managers also warn you when you’re on an insecure login page. Both behaviors help prevent you from falling for a phishing scam.
7. Don’t ignore those updates
Attackers are constantly looking to exploit app or system vulnerabilities to do harm to your personal data or devices. Keeping your apps or devices updated will give you the latest security fixes and protect you from hacks or data breaches. Are manual updates too much of a hassle? See if you’re better off with auto updates.
8. Install firewalls
Granted, firewalls probably can’t do much in helping you detect phishing emails or text messages in the first place. But they can warn you about malicious sites and prevent you from interacting with them, in case you have landed on one.
9. Be wary of pop-ups
Common pop-ups asking for your permission to use cookies, save passwords, or send notifications are generally considered safe. However, watch out for pop-ups asking for your login credentials or credit card information. Any personal information you enter into a fake sign-in prompt goes to the attackers’ servers, and they will then use it to access your account and any others linked to it. A fake sign-in window drawn inside the web page to imitate a real browser pop-up is known as a browser-in-the-browser attack.
10. Don’t give out important information unless you must
This one seems to go without saying but we’ll touch on it anyway! If you want to sign up for an online service, you must provide some personal information like your name and email address, at the very least. Needless to say, you will also need to provide your home address if you’re doing online shopping.
Otherwise, feel free to leave out all the optional fields. The less personal information you put out there, the less the attackers can use against you. Better yet, instead of giving out real information, use a throwaway email address, a burner phone number, or a prepaid card.
11. Avoid using public networks
Public Wi-Fi networks are often open, unsecured networks. Not only can third parties see what you are doing online, but attackers can also create a fake Wi-Fi access point and harvest your login credentials once you are connected to it. If you must use a public network, take these precautions to stay secure.
12. Watch out for shortened links
Shortened links aren’t a new thing. They are often used in social media posts to leave more character space for the rest of the message. The problem is that they conceal the original link behind a short string of random characters. This makes it difficult to gauge where the link will actually take you. For all you know, it could lead to a fake website used to steal your login credentials or to harm your device.
How to detect phishing attacks
While there are different ways phishing attacks can occur, there are also warning signs you can watch out for, which we’ll go over below.
The message is sent from a public email domain
Legitimate companies or organizations have their own domain, for example, username@netflix.com. They never use public domains, like username@google.com or username@outlook.com, which generally belong to personal accounts. If an email poses as a large corporation but uses a public domain, it’s likely to be a phishing attack.
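As an added example (not code from the original article), the following Python check applies two of the signs described so far to an email From: header: a display name that claims a brand while the address uses a public webmail domain, and a sender domain that is a look-alike or near-miss of the brand’s real domain, such as the googel.com typo-squat from tip 1. The brand list and public-domain list are constructed assumptions for the demo.

```python
import re
from email.utils import parseaddr

# Constructed reference lists for this example (assumptions, not from the article).
PUBLIC_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
BRAND_DOMAINS = {
    "netflix": "netflix.com",
    "google": "google.com",
    "paypal": "paypal.com",
    "amazon": "amazon.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return warning strings for a From: header, or [] if nothing looks off."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    # Registrable part: the last two labels (sufficient for the .com names in this demo).
    registrable = ".".join(domain.split(".")[-2:])
    name_words = set(re.findall(r"[a-z]+", display_name.lower()))
    warnings = []
    for brand, real in BRAND_DOMAINS.items():
        if registrable == real:
            continue  # genuinely sent from the brand's own domain
        if brand in name_words and domain in PUBLIC_WEBMAIL:
            warnings.append(f"display name claims {brand} but sender uses public domain {domain}")
        if brand in domain:
            # e.g. paypal.com.account-verify.net: brand name inside a domain the brand does not own
            warnings.append(f"{brand} appears in {domain}, which is not {real}")
        elif edit_distance(registrable, real) <= 2:
            # e.g. googel.com: two edits away from google.com
            warnings.append(f"{domain} looks like a typo-squat of {real}")
    return warnings


if __name__ == "__main__":
    for header in ("Netflix Support <netflix.support@outlook.com>",
                   "Google <no-reply@googel.com>",
                   "Netflix <info@netflix.com>"):
        print(header, "->", check_sender(header) or "no warnings")
```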
Verifying a caller’s identity can be difficult, as numbers that show up on caller ID are easy to spoof. Banks, governments, or courts will hardly ever call you to request personal information. If they do, ask for the caller’s name, title, and department, then call back with a publicly listed number.
Obvious grammar and punctuation mistakes
Many phishing emails contain spelling and grammar mistakes in the body text, subject line, or the URLs provided within. This is uncommon in communications sent out by large, professional organizations, which uphold a high standard of content quality.
Asking for personal information
Unless you’re expecting to hear from a company or service (for example, after you request a password reset), they won’t reach out to you asking for your personal information like your passwords or credit card number. If you receive an unsolicited call requesting your personal info, ask for their name and contact number, then make an independent check with the organization in question. For unsolicited emails, it’s always safer to ignore them.
Threats and potential consequences
Phishing attackers can pose as the government, tax department, or your bank. They’ll start off by saying you have an overdue payment or haven’t done your tax return, and threaten you with legal action if you don’t transfer the money to them.
Including suspicious links or attachments
As a rule, most companies don’t send you unsolicited emails. So ask yourself, why should you have received this email? Your alarm bells should be ringing especially if the email contains links or attachments.
Urgent deadlines
Phishing scams commonly use a false sense of urgency to trick you into taking immediate action. For example, they may say that there has been unexpected activity on your account and ask you to follow some instructions or risk having your account shut down. Another common opening urges you to claim an offer or prize that’s only available for a limited time.
Tools to prevent phishing attacks
While staying alert is usually the best defense against phishing, we are only human. Even the most vigilant person cannot stay alert 24/7. That’s where automated tools come in. They provide passive, set-and-forget protection against phishing attacks.
- Avanan protects email and a range of cloud applications against phishing, malware, and viruses.
- Barracuda Sentinel prevents phishing attacks that bypass traditional email gateways.
- BrandShield monitors social media and detects phishing sites and pages.
- Cofense PDR detects phishes that have bypassed secure email gateways (SEGs) from all major vendors.
- RSA FraudAction keeps you safe from phishing and malware, rogue mobile apps, and fraudulent social media pages.
- IRONSCALES combines human and automated intelligence to fight back against business email compromise, fake login pages, and more.
- KnowBe4 is a platform for security awareness training and simulated phishing attacks.
Common types of phishing attacks
Spear phishing
Spear phishing is one of the most common phishing techniques. It typically takes the form of emails appearing to be coming from a legitimate business or organization. The goal is to get you to reveal your personal information like your passwords, credit card numbers, bank account information, or spread viruses onto your device.
The email includes your name and other information that looks legitimate. It makes you think it’s real and ultimately do as asked in the email, like opening an attachment or clicking the links inside the email.
Examples of spear phishing
A common spear phishing email pretends to come from a legitimate online store—telling you about a successful transaction, incomplete order, or shipping notice. In 2015, attackers pretended to be Amazon and sent out almost 100 million emails titled “Your Amazon.com order has dispatched,” making recipients install Locky ransomware.
Whaling
A whaling attack targets senior executives within an organization typically in emails by posing as a legitimate client, partner, or member of the organization. The goal is to get the victims to authorize high-value wire transfers, provide sensitive corporation information, or click on a link that delivers malware.
The term whaling stems from the size of the attack. Whaling emails are more sophisticated than typical phishing emails. Their content is highly personalized—containing the target’s name, job title, and other relevant information. Not only that, the emails are also crafted with fluent business terminology, industry knowledge, and personal references.
Examples of whaling
- A whaling attacker posed as the Snapchat CEO and emailed a senior employee of the company for payroll information.
- A fraudster pretended to be the new CEO of Mattel and emailed the company’s senior executive for a money transfer.
- Fraudsters posed as the CEO of Seagate and sent an email to the company’s HR department, which unknowingly handed them valuable staff information, including social security numbers, and salary information.
Smishing
A smishing attack takes the form of text messages and tricks victims into sharing their personal data. Smishing, vishing, and spear phishing essentially have the same goals, except they use different means of communication to target the victims. Smishing uses SMS messages and texts, vishing uses phone calls, and spear phishing uses emails.
Examples of smishing
Smishing attackers usually say one of the following things to make you give up your personal information:
- “A suspicious purchase has been made with your credit card”: Posing as your bank, the attacker will ask for your identifiable information, claiming to revert the purchase for you.
- “Congrats! You’ve won”: The message will say you’re the one lucky winner. Needless to say, you will have to verify your identity first.
- “Your package has been dispatched”: Want to check on the delivery progress? Tap the link provided.
Vishing
Vishing lures victims into providing their personal information over phone calls. As noted above, it has the same goals as smishing and spear phishing, which use different means of communication to target the victims (text messages and emails respectively).
Examples of vishing
A vishing attacker typically pretends to be calling from the government, tax department, police, or the victim’s bank. The impostor coerces the victims into providing the information being asked—by making them believe they are doing something in their best interests, like avoiding a criminal charge or having their bank accounts shut down. A similar trick is done through voicemails which tell the victims to call back immediately to avoid serious repercussions.
Search engine phishing
Search engine phishing is a newer technique. Attackers get a victim to access malicious websites that they have had indexed by legitimate search engines. The search engine results page shows the fake website matching the keywords entered by the victim. The trick exploits our reliance on search engine results, which we tend to treat as both convenient and trustworthy.
Examples of search engine phishing
A search engine phishing website can do one of these things:
- Highly discounted products or services: They want you to make the purchase with your credit card info they’ve been waiting for!
- Posing as a legitimate service: Fake Coinbase sign-in sites showed up for keywords like “Coinbase login.” This form of phishing usually involves banking or financial services.
- Fake job offers: They’ll ask you for your social security number. Don’t give it out!
Angler phishing
In angler phishing, an attacker poses as a customer support agent and answers a disgruntled customer who takes to social media to complain about a product or service. The impostor suggests an immediate fix—one that typically requires the customer to click on a link to troubleshoot their issue. Clicking that link, however, will install malware onto the target’s device or steal their login credentials.
Examples of angler phishing
A fake customer service rep will provide a link that they claim can help you regain access to your account. Not satisfied with a service? The impostor will say they want to “make things right,” prompting you to follow a link or send them a private message to provide additional details for compensation.
Pharming
A pharming attack redirects a victim to a fraudulent website even when they enter the correct website address into a browser. It starts by installing malicious code on a computer or server. The code changes where the address resolves in the background, for example by altering the local hosts file or the DNS server’s records, and redirects the victim to a fake website that resembles the legitimate one. The fake site then prompts the victim to log in with their real credentials.
Examples of pharming
Pharming often targets banks or financial institutions to intercept login credentials and banking information of customers. A pharming attack in 2007 targeted customers from over 50 financial entities including Barclays Bank, PayPal, and eBay, and infected over 1,000 devices per day.
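Added example (not code from the original article): one place local pharming code can hijack a correctly typed address is the system hosts file, which the resolver consults before DNS. The Python below parses hosts-file text and flags any entry that pins a watched financial domain to an address; the hosts content and the watch list are constructed for the example.

```python
import ipaddress

# Constructed hosts-file content for this example (not taken from a real machine).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# The two entries below are constructed examples of pharming-style tampering:
203.0.113.7 www.paypal.com paypal.com
203.0.113.7 online.barclays.co.uk
"""

# Constructed watch list: domains that should never be hard-wired in a hosts file.
WATCHED_DOMAINS = {"paypal.com", "ebay.com", "barclays.co.uk"}


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()
        try:
            ipaddress.ip_address(ip)  # skip malformed lines instead of crashing
        except ValueError:
            continue
        for host in hosts:
            yield ip, host.lower().rstrip(".")


def is_watched(host: str, watched=WATCHED_DOMAINS) -> bool:
    """True if host is a watched domain or any subdomain of one."""
    return any(host == w or host.endswith("." + w) for w in watched)


def find_pinned(text: str, watched=WATCHED_DOMAINS) -> list[tuple[str, str]]:
    """Return (hostname, ip) pairs where a watched domain is pinned in the hosts file.

    Any such entry silently overrides DNS for that name and deserves investigation.
    """
    return [(host, ip) for ip, host in parse_hosts(text) if is_watched(host, watched)]


if __name__ == "__main__":
    for host, ip in find_pinned(SAMPLE_HOSTS):
        print(f"WARNING: {host} is pinned to {ip} in the hosts file")
```

On a real machine the same function can be run over the contents of /etc/hosts or C:\Windows\System32\drivers\etc\hosts.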
FAQ: About phishing attack prevention
Who are the victims of phishing?
Anyone—including individuals as well as businesses—can be a victim of phishing. That said, higher-ranking employees are common phishing targets as they have access to sensitive and important information that attackers want. The less tech-savvy also succumb to phishing since they are less conscious of scam techniques.
How do you know if you are phished?
An email or text message asking for your personal information when you’re not expecting it is a giveaway you’re being phished. You can also be offered something that’s too good to be true, like free items or highly-discounted products. No matter the content, there’s usually a deadline to take the required action or serious consequences will follow.
What is the difference between spam and phishing?
Spam is unsolicited information about products and services sent to your email inbox. Phishing is a technique that aims at stealing user login credentials, sensitive information, or spreading malware. While spam is generally harmless, phishing has malicious intent.
Who created phishing?
The first time that “phishing” was used was when AOL users had their user passwords and credit card numbers stolen.
Comments
Very good examples. It is too easy to forget about the trivial phishing attack while concentrating on a more sophisticated attack. Be vigilant, and most of all, be lucky.
I was told I was hacked; my e-mail accounts were taken. I tried to be safe and had some bills go to my son’s PayPal. It got worse: he got charged 10 times, stating it was Samsung, when it should have only been 2 times, and my bank was charged 19 times 500.00. The bank is saying my son did this; there was no way he could have, he did not have my bank information. I was also supposed to have been in internet court with Samsung on a dispute; it said I had to pay 5000 plus 500.00, up to 5000.00. I still do not use Samsung; it keeps saying I was Bluetoothed to a Samsung TV. I never had a Samsung TV. There is a lot more. I don’t know who to contact or how to get help.