Phishing uses bait to hook an unsuspecting user into a scam. The bait is an email, text message or call that appears to come from someone you would normally trust, so that you follow its written or verbal instructions.
Although phishing emails are the most talked-about form, attackers have adopted other delivery methods, such as QR codes, to phish users. This article explains what a phishing scam is, how to identify one, and basic steps to help you avoid it.
What is a Phishing Scam?
Phishing is a tactic cybercriminals use, most often over email, to gain access to a user's personal and financial information, or to the user's device and the accounts connected to it.
Cybercriminals and scammers also use other forms of contact, such as text messages, phone calls and even fake QR codes, to carry out a phishing attack. Whatever the delivery method, the premise is the same: the attacker creates a sense of urgency, excitement or fear to convince the user to download a file, click a link, enter key information such as login or bank account details, wire money to the attacker, or grant privileged access to the user's device or accounts.
Targeted phishing scams
The methods used for phishing scams overlap, but each has its own technical name. Generalised phishing campaigns try to bait many users at once, often using email addresses or contact lists exposed in a data breach, while highly targeted attacks aim at specific individuals or organisations and have alarmingly high success rates.
With the amount of information people post on social media, attackers can build a customised campaign around the target's interests, friends and relatives, and employer, and use social engineering tactics to lure them in.
Spear phishing is a highly targeted attack against an individual or an organisation. The attackers use intel such as spoofed user names and company-related and personal details to make their emails, SMS messages or phone calls as believable as possible.
Spear phishing is an umbrella term that covers more sophisticated variants such as Business Email Compromise (BEC).
Business Email Compromise (BEC)
Microsoft Threat Intelligence detected and investigated 35 million BEC attempts between April 2022 and April 2023, with an average of 156,000 attempts daily.
BEC is an attack in which the email account of a person of authority in an organisation is compromised or spoofed. That address is then used to trick other employees into performing actions that benefit the scammer. In typical BEC scams, employees have received messages from their "CEO" asking them to urgently purchase gift cards or presents for clients.
Vishing
Short for voice phishing, vishing is an attack in which the scammer poses as an IT operator, customer support agent or other representative of a reputable firm and, under the pretext of helping the target, instructs them to log into an account, provide bank details or other sensitive information, or transfer funds to an account the scammer controls.
Vishing has become more sophisticated with the advent of voice cloning and deepfake technology. In 2020, a branch manager at a Japanese firm received a phone call from the director of the parent company asking for a transfer of nearly $35 million to fund an acquisition. The call was an elaborate scheme that used deepfake technology to clone the director's voice and make the request seem legitimate.
How to identify and safeguard against phishing scams
In this section, we’ll explore how you can protect yourself against targeted phishing scams.
Watch out for messages that require urgent action
Scammers use deceptive messages to pressure users into acting immediately, without thinking twice. For instance, an email may state that your account has been locked and that you must log in through a link they provide, or give them remote access to your device, to fix it.
Check the sender’s authenticity
When you receive a message asking you to take critical action, always look for anomalies such as spoofed email addresses and domain names. For instance, the sender's domain may differ from the genuine company's domain by a single swapped, added or missing character, or the display name may show one company while the actual address belongs to an unrelated domain.
In 2022, Microsoft was impersonated in 45% of brand phishing attempts globally, followed by DHL and Amazon.
To avoid falling for a BEC scam, if you receive an email from someone senior in your organisation demanding an immediate fund transfer or purchase, personally cross-check with your line manager through a channel other than the email itself, and follow company protocol before taking action.
Be cautious of links and attached files
Cybercriminals can link to a spoofed website that closely resembles a well-known one to trick you into entering login or bank account details, which the attackers then steal.
Alternatively, the link could redirect you to a malicious website that prompts a malware download onto your device.
Scammers can also attach a file, often a zipped or password-protected archive that slips past spam filters, which executes malware on your device when it is opened.
Don’t fall for enticing rewards
Scammers can spoof known companies to send enticing rewards, deals or discounts, compelling users to click links and enter personal details that the scammers then harvest.
Look for signs of suspicious websites
If a link from an email, message or QR code leads to a website that asks for sensitive information, look for signs of spoofing. Check the domain name for typos: scammers register domain names very similar to that of a trusted company to make users think the site is legitimate. The site may also display an urgent message demanding immediate action to manipulate users into divulging information or transferring money.
Scammers impersonate web pages to collect users' information, but they do not always spend time and effort building the page carefully. Obvious signs of a spoofed website are typos in the text, slightly-off branding, a poorly designed interface, or a mismatch between the link you were shown and the destination you land on.
To check the status of a website URL, visit the Google Transparency Report Safe Browsing page and enter the URL in the search bar. A clean result only means Google has not flagged the site yet; a freshly registered lookalike domain may not be listed.
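The checks described in the last few sections (sender authenticity, Reply-To and authentication results, link text versus real destination, risky attachments, urgency cues and lookalike domains) can be run mechanically over a raw message. The script below is an added example written for this edit; it is not code from the original article. The TRUSTED set, the homoglyph table, the urgency word list and both sample messages are constructed for illustration, and the lookalike logic is a heuristic (a difflib similarity threshold and a last-two-label domain split) rather than a public-suffix-aware implementation.

```python
import difflib
import email
import re
from email import policy
from urllib.parse import urlparse

TRUSTED = {"microsoft.com", "dhl.com", "amazon.com"}  # assumption: brands the recipient really deals with
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
URGENCY = re.compile(r"\b(immediately|urgent(?:ly)?|suspended|locked|verify now|within 24 hours)\b", re.I)
RISKY_EXT = (".zip", ".rar", ".7z", ".iso", ".exe", ".js", ".scr", ".htm", ".html")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # triage-grade, not a full HTML parser

def registered_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list available offline)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(host):
    """Trusted domain that `host` imitates, or None if it is genuinely trusted or unrelated."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in TRUSTED:
        return None
    label = norm = reg.split(".")[0]
    for fake, real in HOMOGLYPHS.items():  # rnicrosoft -> microsoft, arnaz0n -> amazon
        norm = norm.replace(fake, real)
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        typo = difflib.SequenceMatcher(None, label, brand).ratio() >= 0.85  # micosoft, microsofts
        if norm == brand or typo or brand in host:  # wrong TLD/homoglyph, near-miss spelling, brand in subdomain
            return trusted
    return None

def link_findings(html):
    """Flag anchors whose visible URL differs from the real href, and hrefs on lookalike hosts."""
    out = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        target = urlparse(href).hostname or ""
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and registered_domain(shown) != registered_domain(target):
            out.append(f"link text shows {shown} but points to {target}")
        brand = lookalike_of(target)
        if brand:
            out.append(f"link host {target} imitates {brand}")
    return out

def triage(raw):
    """Return the phishing indicators found in one raw RFC 5322 message (empty list if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    findings = []
    brand = lookalike_of(sender.domain)
    if brand:
        findings.append(f"sender domain {sender.domain} imitates {brand}")
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses[0].domain.lower() != sender.domain.lower():
        findings.append(f"Reply-To goes to {reply_to.addresses[0].domain}, not the sender's domain")
    for check in re.findall(r"\b(spf|dkim|dmarc)=fail\b", str(msg.get("Authentication-Results", "")), re.I):
        findings.append(f"{check.lower()} failed at the receiving mail server")
    text = str(msg["Subject"] or "")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append(f"risky attachment {name}")
        if part.get_content_type() == "text/html":
            html = part.get_content()
            findings.extend(link_findings(html))
            text += " " + re.sub(r"<[^>]+>", " ", html)
        elif part.get_content_type() == "text/plain":
            text += " " + part.get_content()
    cues = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if cues:
        findings.append("urgency cues: " + ", ".join(cues))
    return findings

# Constructed sample messages (not real mail) that exercise every check above.
PHISH = b"""\
From: "Microsoft Account Team" <security@rnicrosoft.com>
Reply-To: billing@outlook-support.cc
Subject: Action required: your account will be locked in 24 hours
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=rnicrosoft.com; dkim=none; dmarc=fail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Your account has been suspended. Sign in at
<a href="http://login-microsoft.verify-now.cc/">https://login.microsoft.com</a> immediately.</p>
--b1
Content-Type: application/zip; name="Invoice.zip"
Content-Disposition: attachment; filename="Invoice.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
LEGIT = b"""\
From: Microsoft <account-security-noreply@accountprotection.microsoft.com>
Subject: Your monthly account summary
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Review your activity any time at https://account.microsoft.com
"""
```

Calling triage(PHISH) returns eight findings, in order: the homoglyph sender domain, the mismatched Reply-To, the SPF and DMARC failures recorded by the receiving server, the link whose visible text names login.microsoft.com while its href points at a host that merely contains the brand name, the zipped attachment, and the urgency words. triage(LEGIT) returns an empty list because the sender's registered domain is on the trusted list and nothing else trips. The word lists and threshold are deliberately simple; in practice the value of a script like this is that it reads the headers and the real href, which is exactly what a hurried user does not do.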
Avoid clicking on pop-ups on websites
Known and unknown websites alike can display enticing pop-ups that lead to a malicious website or download malware disguised as a harmless document or app. Avoid clicking on pop-ups. If a pop-up promises gifts, rewards or discounts on behalf of a popular company, visit the company's website directly to check the offer rather than clicking the pop-up.
If a pop-up offers an app download, go to your app store and download it from there. The pop-up could also be scareware that tries to convince you your device is infected and can only be protected by downloading the advertised anti-virus software.
Despite the latest defence technology, cybercriminals keep finding ways around it. Phishing succeeds by exploiting human emotions and human error. Although scammers use many tactics and techniques, the quickest way to identify a phishing scam is to watch for scare tactics in emails, messages or phone calls that push you to act.