Learn how to recognize phishing scams designed to steal your personal information and what steps you can take to protect yourself.
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
Types of Phishing Attacks
Deceptive Phishing (Mass Email)
In the most common phishing technique, the same email is sent to millions of users asking them to fill in personal details, which the phishers then use for their illegal activities. Most of these messages carry an urgent note pressing the user to enter credentials to update account information, change details, or verify the account. Sometimes the user is asked to fill out a form to access a new service through a link provided in the email.
Smishing (SMS Phishing)
Smishing is phishing conducted via Short Message Service (SMS), a telephone-based text messaging service. A smishing text, for example, attempts to entice a victim into revealing personal information via a link that leads to a phishing website.
Link Manipulation
Link manipulation is the technique in which the phisher sends a link whose visible text shows one address while the underlying target points to a malicious website. When the user clicks the deceptive link, it opens the phisher's site instead of the site named in the link. On a desktop client, hovering the mouse over the link reveals the actual destination before you click; this defeats the simplest cases, but it is not available on most mobile clients, and attackers also register look-alike domains (misspellings, the brand name as a subdomain of an unrelated domain, or internationalized domain names whose characters resemble Latin letters) so that even the real destination looks plausible at a glance.
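The check described above can be automated for an HTML message body: extract every anchor, and flag those whose visible text is a URL naming a different host than the real href, plus two cheap heuristics for look-alike destinations. The following is an added example written for this page, not code from the original article; the email body and all domains in it are constructed for illustration (the `example` and `example-bank.com` names are hypothetical), and the heuristics are deliberately simple.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample email body (hypothetical domains, not a real message).
# Anchor 1: visible text and real href disagree (classic link manipulation).
# Anchor 2: plain descriptive text pointing at the expected site (benign).
# Anchor 3: punycode (IDN) host that renders like a brand name.
# Anchor 4: href goes to a bare IP address instead of a hostname.
SAMPLE_HTML = """
<p>Your account will be suspended. Please verify at
<a href="http://secure-login.example-bank.com.attacker.example/verify">https://www.example-bank.com/login</a>
or visit <a href="https://www.example-bank.com/help">our help page</a>.</p>
<p>Payments: <a href="https://xn--pypal-4ve.com/">paypal.com</a></p>
<p>Download your statement: <a href="http://203.0.113.7/statement.exe">statement</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.anchors


def host_of(url):
    """Lowercase hostname of a URL; also accepts a bare 'host/path' string."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


# Visible anchor text that itself looks like a URL or bare domain.
_URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def check_link(href, text):
    """Return the reasons a link looks manipulated (empty list = nothing found)."""
    reasons = []
    target = host_of(href)
    if _URL_LIKE.match(text):
        shown = host_of(text)
        if shown and shown != target:
            reasons.append(f"visible host {shown!r} differs from actual host {target!r}")
    if any(label.startswith("xn--") for label in target.split(".")):
        reasons.append("punycode (IDN) label in host, possible homoglyph domain")
    if _IPV4.match(target):
        reasons.append("link target is a bare IP address")
    return reasons


def scan(html):
    """Return [(href, text, reasons)] for every suspicious anchor in the body."""
    findings = []
    for href, text in extract_anchors(html):
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in scan(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   ", r)
```

Running the block prints three suspicious anchors and stays silent on the benign "our help page" link. A text-only comparison like this catches the mismatch the hover check would reveal, but it cannot tell a genuine new domain from a malicious one; in a mail gateway it would feed a reputation or allow-list decision rather than block on its own.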
Spear Phishing
While traditional phishing uses a "spray and pray" approach, sending mass emails to as many people as possible, spear phishing is a much more targeted attack in which the attacker knows which specific individual or organization they are after. They research the target (role, colleagues, suppliers, recent activity) to make the message more personalized and increase the likelihood of the target falling into their trap.
Whaling
The term whaling describes phishing attacks (usually spear phishing) directed specifically at executive officers or other high-profile targets within a business, government, or other organization.
Malware-Based Phishing
Phishing scams involving malware require the malware to be run on the user's computer. It is usually delivered as an attachment to the phishing email, or through a link that downloads a file; the malware starts running once the attachment is opened or the downloaded file is executed, not merely when the message is read.
Vishing (Voice Phishing)
Voice phishing, or "vishing," is the criminal practice of using social engineering over the telephone system to obtain personal and financial information from the public for financial gain. It is typically used to steal credit card numbers, login passwords, or other information used in identity theft schemes.
Tips to Protect Yourself
- Never give out personal, financial, or other sensitive information to anyone who requests it. When you do submit sensitive information, make sure the connection is encrypted: the URL in the browser's address bar should begin with https:// rather than http://, and the browser should show a closed-padlock icon next to it. Clicking the padlock shows the site's certificate, which tells you the domain the certificate was issued for. Be aware that https and a padlock only mean the connection is encrypted; phishing sites routinely obtain valid certificates for their own look-alike domains, so always confirm that the domain shown is the one you intended to visit.
- Be suspicious of e-mail that requests sensitive information. Most organizations stopped making such requests via e-mail long ago, precisely because the tactic is used in phishing and spoofing schemes; an e-mail that asks for sensitive information is most likely a phishing attempt.
- Don't click on links embedded in an e-mail that appears to come from a bank, financial institution, or e-commerce vendor. If there is even a remote possibility that the e-mail is spoofed, don't click any link in it. Instead, open a new browser window and type the site's URL into the address bar yourself.
- Treat a site that accepts a wrong password as a warning sign. Some people deliberately enter an incorrect password first: a legitimate site will reject it, while a crude phishing page may accept anything. Do not rely on this test, however. Many phishing kits simply show an error for the first attempt, and proxy-style kits relay what you type to the real site in real time and display its genuine response, so a rejected password proves nothing. Repeated wrong passwords can also lock your real account.
- Don't fill in forms contained in e-mail that ask for sensitive information. Most responsible organizations don't use an e-mail form for this purpose, as e-mail is not a secure medium. Submit such information only on secure Web sites.
- Keep your browser and operating system up to date with the most current patches available. Some phishing attempts exploit browser vulnerabilities to fool users and install malicious code. Take particular note of this if you still use Microsoft Internet Explorer.
- Thoroughly check your credit card and bank account statements regularly and look for any unauthorized charges.
- Always use updated antivirus and firewall software to protect yourself from phishing attempts that try to surreptitiously install malicious software, such as key loggers, on your machine.
- When in doubt, check. If you doubt the authenticity of a message, check directly with the institution.
- If you think you are a victim of a phishing attack, notify the Federal Trade Commission (ftc.gov) and the Internet Crime Complaint Center (ic3.gov) and immediately notify your bank, credit card companies, and other stakeholders.