The term “phishing” (pronounced “fishing”) was coined around 1996, when hackers were stealing AOL passwords from unsuspecting users. It’s since developed into an increasingly sophisticated way to obtain personal information using deceptive tactics. You probably know not to click on links in sketchy emails—most of us know—yet people fall for phishing attacks all the time. If they didn’t work, they wouldn’t still be around.
Here’s what you need to know about the dangers of phishing and how not to end up on a cybercriminal’s hook.
What is phishing?
Phishing is a type of social engineering attack involving fraudulent communications that appear to be from a trusted source, used to steal your private data, such as your login credentials, credit card numbers, and even your identity. Phishing can also be used to install malware on your device.
Cybercriminals conduct phishing attacks by impersonating legitimate organizations with emails, text messages, and advertisements, among other means. A phishing message typically informs you of a time-sensitive problem with your account and includes a disguised link to a phishing website—a malicious site that spoofs, i.e. imitates, one you trust, like your financial institution’s login page—where, in order to resolve the non-existent problem, you’re asked to fill in your information, which is sent to the attacker. Other kinds of phishing attacks appear as solicitations for charities or too-good-to-be-true deals.
Phishing scams depend on your engagement. Clever attackers prey on your emotions, and conduct attacks particularly around stressful periods, such as during natural disasters, elections, holidays, and—most pertinently—pandemics. As worldwide stay-at-home orders went into effect last year, COVID-related phishing lures cropped up worldwide. Verizon’s 2020 Data Breach Investigations Report suggests phishing rose 25 percent from the previous year.
Attackers start by targeting a group of potential victims. They then go to great lengths to design their message, mimicking emails from the trusted organization, imitating phrasing, typefaces, logos, and signatures, and adding subdomains to their URLs to make them look like secure links. Attackers push you by creating a sense of urgency, fear, or curiosity, making you less diligent and more prone to error, and are constantly innovating their approach, adapting to new trends with new tactics.
Phishing scams work because they’re hard to recognize, and despite two decades of regular cautionary reminders and security awareness training, they still happen. The Anti-Phishing Working Group reports about 200,000 new phishing sites each month, impersonating more than 500 different brands and entities, and the FBI’s Internet Crime Complaint Center found that in 2019 alone, US phishing victims lost almost $58 million.
The dangers of phishing
Sometimes attackers go after individuals’ personal data. This can result in:
- Stolen funds or financial information, and/or fraudulent credit card charges.
- Stolen digital data, including files, documents, and media.
- Stolen identity, including social media posts or messages sent from your accounts, often as further phishing attempts.
Other times, attackers will attempt to gather employee login information or other details for larger, sophisticated attacks against groups or entire companies. These attacks are often attempts to bypass security perimeters and gain privileged access to corporate or governmental networks and secured data, and might result in:
- Large financial and corporate losses.
- Declining market share and consumer trust, and damage to company reputation.
- Disclosure of customers’ and workers’ personal information.
- Locked and inaccessible data.
Common clues that you’re getting phished
Phishing attacks are more likely to succeed when you act impulsively. Next time you see a questionable message in your inbox, stop clicking and look for common signs of phishing:
- Urgent call to action. Most legitimate correspondence doesn’t require you to act instantly. Be wary of emails and messages inviting you to click on a link or open an attachment. Don’t rush. Take the time you need to think or consult someone you trust.
- Suspicious links and attachments. If a message seems suspicious, the last thing you should do is click on a link or open an attachment. Instead, hover your mouse over the link without clicking to reveal the destination URL, which should match the link in the message. You can also preview web pages on mobile: On Android devices, long-press the link and tap Preview page; on iOS devices, simply long-press the link (to preview the URL instead, tap Hide Preview at the top of the pop-up window).
- Mismatched email domain. If a message claims to come from a legitimate organization, the sender’s email domain should be the organization’s official domain, not a Yahoo or Gmail domain or something similar. Also watch for subtle misspellings of the legitimate domain, such as micros0ft.com or rnicrosoft.com.
- First time or infrequent senders. An unknown sender may be a sign of phishing. Examine the message carefully if it comes from someone outside your organization or if your mail client flags the new sender.
- Poor spelling or grammar. Legitimate organizations have the time and resources to produce high-quality, professional content; attackers, whose success depends on how many phishing messages they send, do not. They often awkwardly translate their message from other languages. Read carefully for subtle mistakes. If a message contains errors, it could be a scam.
- Generic greetings. A legitimate organization you do business with should know your name, and would typically address their message specifically to you. A generic greeting, like “Dear sir or madam” or “Dear Customer,” is a red flag.
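The domain clues above (a sender or link domain that only resembles the official one, like micros0ft.com or rnicrosoft.com, and the earlier trick of burying a brand name in a subdomain) can be checked mechanically on the receiving side. This is an added example, not code from the original article; the brand allowlist and the homoglyph table are assumptions constructed for it.

```python
from urllib.parse import urlparse

# Constructed allowlist of brand -> official registrable domain (an assumption made
# for this example; a real deployment would load it from policy).
OFFICIAL_DOMAINS = {"microsoft": "microsoft.com", "paypal": "paypal.com"}

# Character sequences commonly swapped in to imitate a domain. The page's two
# examples, micros0ft.com and rnicrosoft.com, are covered by "0" and "rn".
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'login.micros0ft.com' -> 'micros0ft.com'.
    Assumes a one-label public suffix (.com, .net); production code should use
    the Public Suffix List so that e.g. 'bank.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def normalize(domain: str) -> str:
    """Undo common look-alike substitutions: 'rnicros0ft.com' -> 'microsoft.com'."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain

def classify_link(url: str, claimed_brand: str) -> str:
    """Compare a link's destination with the brand the message claims to be from.
    Returns 'ok' (official domain), 'lookalike' (official only after undoing
    homoglyphs), 'brand_in_subdomain' (brand name used as a subdomain of some
    other domain, the trick described above) or 'unrelated'. IDN/punycode
    homographs are out of scope here and need separate decoding."""
    official = OFFICIAL_DOMAINS[claimed_brand]
    if "://" not in url:  # tolerate a bare 'micros0ft.com/login' as seen in messages
        url = "https://" + url
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    if reg == official:
        return "ok"
    if normalize(reg) == official:
        return "lookalike"
    if claimed_brand in host:
        return "brand_in_subdomain"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample links from a message claiming to be from Microsoft.
    for link in ["https://www.microsoft.com/account",
                 "https://login.micros0ft.com/reset",
                 "https://microsoft.com.account-verify.example/login"]:
        print(link, "->", classify_link(link, "microsoft"))
```

Anything other than "ok" is a reason to stop and verify through the organization’s official site rather than the link.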
Types of phishing attacks
Phishing has evolved into a variety of specialized tactics. Attackers find new ways to exploit vulnerabilities as technologies change. But all of their methods involve deception and disguise. Here are a few techniques that fall under the phishing umbrella:
Email phishing is the standard and the most widely known form of attack. Using email spoofing—when an email is disguised to look like it comes from, say, a major bank, an online payments system, or a delivery company—an attacker tricks you into clicking on a link to a fake website, where you might unwittingly dispense your sensitive information.
Email phishing is a numbers game. It’s about casting a wide net. Phishing emails are mass-mailed, not targeted, and most don’t work. Unfortunately, some do. They might reach millions of people, and can yield significant sums for the attacker, even if only a slight percentage of recipients fall victim.
Malware—or malicious software—is an umbrella term for any kind of software that invades, damages, and/or disables computer systems, often by taking partial control of their operations. Malware phishing is pervasive, and uses the same techniques as email phishing.
In this case, clicking on a link or opening an attachment gives you malware. A common form of infection is ransomware, which locks you out of your device and damages, encrypts, or otherwise renders your sensitive data inaccessible, then demands a ransom and threatens to destroy your data unless you pay.
Spear phishing is targeted phishing. It uses relevant information to garner your confidence and trust, increasing the attacker’s chances of success.
An attacker starts by identifying their targets, gaining special knowledge about an organization, such as its power structure, sometimes by studying social media accounts. The information is then used to make the phishing message appear authentic. The attacker might mention specific names or projects, or might include content tailored to your known interests, making you more likely to bite.
The bigger the fish, the bigger the prize. Whaling is a form of spear phishing that targets specific individuals: CEOs, top executives, or other high-value targets given their access to sensitive company information and funds. Attackers spend considerable time profiling targets, gathering information, such as legal subpoenas, in order to deceive their victims. Whaling scams often target board members, who have a great deal of authority within a company, but often use less-secure personal email addresses for business-related correspondence.
The word smishing is a combination of “phishing” and “SMS,” the protocol used by most text messaging services. Smishing is phishing through text messaging. Using misleading texts, often disguised as account notices or prize notifications, attackers deceive you into clicking links. These can lead to malicious websites, which can attack your browser, potentially allowing an attacker to install malware on your device.
Smishing is on the rise. People are more likely to read and respond to text messages than email, and are less prudent about messages on mobile devices than computers. One common indicator of smishing is an unfamiliar area code or phone number.
Search engine phishing
Phishing bait can also appear in search engine results. Search engine phishing occurs when a link—either in organic search results or as an ad for a popular search term—appears to be from a trusted source, but in fact leads to a malicious site. You might find offers or messages enticing you to visit the site in the result’s description. Search engine phishing happens even if the search engine is legitimate. Generally speaking, search engine ads lead to more phishing results since they are so dynamic; phishing in organic results tends to be rarer.
Clone phishing is when an attacker creates a nearly identical replica of a legitimate message by swapping links, attachments, and other elements with malicious ones, tricking you into believing it’s safe. The message is usually sent from an address resembling that of the original sender, and often includes a justification for the repeated message, perhaps claiming it’s an “updated version.” In the same way, an attacker might clone a legitimate site using a spoofed domain.
Voice phishing, also known as vishing, is a phishing attack using phone communications. These calls often impersonate financial institutions or governmental agencies.
An attacker might pretend to be a company representative or support agent, asking you to call another number to dial in your account information or PIN for security purposes. These are sometimes robocalls, and sometimes spoof caller ID credentials to enhance trust. New employees, who lack training and know-how, and elderly people, who tend to trust phone communications and aren’t as active online, are especially vulnerable to voice phishing.
How to prevent phishing
- Stop and think. Consider the content and the reason for the message. If the sender is unknown, or if the sender is known but something seems off, double-check the origin of the message, or give the sender a call to verify. Email filtering systems can catch some phishing attempts, but not all.
- Don’t click. Never open links or attachments in suspicious emails. If you use a product or service from the purported sender, navigate to their official website in a web browser, and log in there. Otherwise, look up their official phone number and call them. If the suspicious message is legitimate, you’ll likely find the same information in your account.
- Check the links. To examine a link in a message, hover over it with your cursor. The destination URL should appear next to the link, and should match the organization’s official web address. Look out for abbreviations and strange characters. On a mobile device, tap and hold the link; a pop-up window with a preview should appear.
- Use a spam filter. Spam filters are based on user behavior, and can help you detect and ignore fraudulent messages in your email inbox. If your spam filter can be tuned or trained, set it to high.
- Use a browser filtering extension. Search engine phishing is real. Some browser extensions grade search results based on known characteristics, and can help you avoid malicious sites.
- Use a password manager. If you use the same password for all of your online accounts and a phishing attack succeeds in stealing your login credentials, you’re in trouble. Use a password manager to organize strong, unique passwords for all of your accounts. If an attacker steals one, they can only access one account, making it easier to mitigate the fallout.
- Use multifactor authentication (MFA). MFA can be an effective method for countering phishing attacks. It allows you to protect your account even if your password is exposed. MFA relies on (1) something you know, i.e. a username and password, and (2) something you have, i.e. a mobile device. With an MFA login, you enter a dynamically generated code sent to your device on top of your login credentials in order to gain access to your account—a worthwhile extra step.
- Educational campaigns. If you manage a company or an organization, educating your team can enforce secure practices and diminish the threat of phishing. If an attack makes it through your security, employees are your last line of defense. To start, if you found this article helpful, share it with others in your network.
Ready to protect yourself from online scammers and advertisers? Try Neeva, the world’s first 100% ad-free, private search engine that never shares or sells your data with anyone. And, we are committed to showing you the best results for every search. Sign up at neeva.com/signup.