Have you heard the tale of the Nigerian prince who wanted to give away his money?
During the late 90s and early 2000s, emails supposedly from a Nigerian prince went out to random people as he looked for a lucky person to give his fortune to. The recipient would then be asked for bank account or credit card details, along with a series of advance “fees”, so that the prince would know where to send the money.
If you think this is too good to be true, you’re right. This was one of the most infamous email scams of its day. People who hear the story now can usually tell that it’s a scam, and we’ve wised up to the psychological tactics scammers use.
Scammers are also wising up to their targets. What makes things worse is that these scams are not only getting more sophisticated, they are also becoming more frequent: ZDNet reports that one in every 61 emails contains a malicious link.
Victims of phishing scams may eventually find themselves on the receiving end of a malware attack, identity theft, a data breach (and the consequences it entails), and possibly a stoppage of business operations.
Here, I write about what you can do to avoid getting hooked by phishing scams. I’ll teach you the different types of phishing scams, how to identify phishing attempts, and what tools you can use to add extra layers of protection.
The different types of phishing scams
In order to avoid phishing scams, you have to know what constitutes them.
Generally, a phishing scam uses social engineering and psychological pressure to get random targets to click on malicious links or hand over information (personal details, credit card or banking data, etc.). This is the most common and best-known form of phishing attack.
A more targeted form of phishing is called “spear phishing”. It goes after particular individuals in an organization, usually those with high-level access and authority. These attacks are harder to catch because the attackers research their target and tailor the lure before making any attempt.
An even more targeted variant of spear phishing is the “whaling” attack, which goes after the “biggest fish” in an organization, such as the CEO. Falling for a whaling scam often means substantial losses for the organization, since a CEO’s credentials and authority open a lot of doors for the scammers.
While most phishing attacks arrive by email, they can also be carried out through other channels, such as instant messaging, legitimate-looking websites that use SSL/TLS, and even phone calls (“vishing”). Each channel uses different techniques, which makes the attacks harder to identify.
The following are the most common methods used in any phishing scams:
- Account verification– This method uses a convincing message (either fabricated or cloned from a real one) from a site the target is registered with (such as Facebook or Gmail). The message says that the site has encountered a problem and that the target can fix it by simply clicking on a provided link.
- Business email compromise– This method targets high ranking officers of an organization to trick victims into initiating money transfers into unauthorized accounts.
- Clone or fraudulent sites– This method uses sites that look convincingly similar to popular sites (like Facebook, PayPal, etc) to trick users into providing their information.
- ICO scam– This is a variant of the fake-site scam. It uses fake ICO (Initial Coin Offering) sites to funnel investors’ funds into the fraudsters’ own accounts.
- Fake invoices– This method involves sending the target fake invoices that they will then innocently pay. Not even tech giants like Facebook and Google were able to prevent this type of scam — although they were able to recoup their payments.
- File sharing– This method aims to fool targets into clicking on a file-sharing link (such as one from Google Docs). The link, of course, is a malicious link.
- A friend in trouble– You’ve probably heard about this type of scam before as it’s been around even before the Internet was invented, although it has been “updated” for the modern times. This method involves hijacking a friend’s or relative’s email, messaging, or social media account. The fraudsters then use the account to ask for monetary aid from the account owner’s contacts.
- Government threats– Another oldie of a scam is the “you’re going to jail” scam. This method seeks to convince targets that the latter did something illegal (like downloading pirated movies or evading the IRS) and that they have to pay “the government” money through — you guessed it– a fake account.
- Nigerian scams– This is the tale of the Nigerian prince I mentioned earlier. These types of scams were called “Nigerian” scams because Nigerian fraudsters seemed to attempt them more often than those from other countries.
- Package delivery– This method is usually rampant during the holiday season. It involves sending a bogus email from a popular delivery service (like UPS or DHL) and requires the target to click on a link and provide login information in order to get their package.
- SEO poisoning– This method uses SEO (Search Engine Optimization) techniques to push a malicious page to the top of search results. Victims who click on the first “poisoned” result then unknowingly install the malicious software themselves.
- Sextortion– This method involves blackmailing targets with threats of exposing incriminating photos or information to the target’s family, friends, or the public. This method is used even if the fraudsters don’t actually know if the target has incriminating photos or information.
- Tech support scams– This method uses a fake email or website to trick targets into contacting the fraudsters for tech support. Once the victim does, the fraudsters will then say that they found several problems and that the victim needs to buy their software to fix the problems. Once the victim buys their software, the fraudsters will then be in possession of the victim’s credit card information.
Phishing scams can target anyone whether they’re normal everyday folk or CEOs of global corporations. It is always better to err on the side of caution when dealing with a potential phishing scam.
How to identify phishing attempts
Newer phishing methods keep popping up every year. It might be overwhelming to think that you have to watch out for all of them, including the ones not mentioned above. In one Intel Security quiz, 97% of participants could not identify every phishing email shown to them. If you want to be part of the 3% who scored perfectly, here’s what you need to know:
- When in doubt, get out– This is the most important rule. You can’t fall for a phishing scam if you never click the links, open the attachments, or reply to a suspicious-looking email or message.
- If it’s too good to be true, it probably is– If you’ve read the contents of a suspicious message, see if what it says is too hard to believe.
- Check the source– Inspect the sender’s actual address, not just the display name, for missing, added, or swapped letters, numbers, or symbols. You might find that the account verification email you just received actually came from “G0ogle-admin” and not “Google”. Also be wary of messages that offer no contact information other than the sender’s email address.
- A really urgent subject– Scammers will often use fear in the hopes of hooking a phish. Does that bank email say that you need to confirm your account information as soon as possible or your account will be terminated? Is the “IRS” or “FBI” telling you that you have to deposit money into a certain account or else you’ll be liable for tax fraud or some other crime? Never panic when faced with messages like these.
- Provides a link to a fake website– Legitimate messages, like those from Google or Facebook, sometimes contain links. Before clicking, hover over the link to see the full URL it really points to (on most mobile mail apps and browsers, a long press shows the same thing). The visible text of a link can say one thing while its target is something else entirely, so this is how you check whether the link really leads to the site it names.
- Bad spelling/grammar– Bad spelling or grammar is often a dead giveaway for phishing scams.
- Non-personalized– Does the message address you as “Dear Customer” or “Dear Account Holder” without mentioning your name or username? This may be another giveaway, since scammers often send thousands of phishing messages at a time and don’t address each recipient properly. The reverse does not hold: a spear-phishing email will address you by name, so a personalized greeting proves nothing.
- Fake certifications/licenses– Phishing sites usually contain symbols and logos to look more convincing. If you find that these symbols and logos are unclickable, it may be a sign of a phishing scam.
- Confirm the sender– Spear phishing and whaling attacks are harder to spot because they’re tailored to the target. They may appear to come from a higher-up or even a friend or family member. If you suspect an email, confirm with the supposed sender through a separate channel (a phone call, or a message to an address or number you already have), not by replying to the email itself.
- Don’t trust the padlock– The green padlock icon next to a fake website’s URL doesn’t mean that the site is what it purports to be. It only means that the connection to that site is encrypted and that the certificate matches the domain in the address bar, and anyone can obtain such a certificate for a domain they control. PhishLabs reports that 49% of phishing sites use SSL/TLS.
Here’s an example of a phishing email taken from Phishing.org.
Simply hovering over the links in an email like this reveals that it is a fake purporting to come from PayPal.
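To make the “check the source” and “hover over the link” rules concrete, here is an added example (written for this page; it is not code from Phishing.org or from the original article) that applies those checks programmatically to a constructed message modeled on the PayPal lure above, and to a constructed benign message for comparison. The brand table, the sample emails and every domain name in them are assumptions of the example, and the registrable-domain logic is deliberately naive.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative brand table (an assumption of this example; a real filter would use
# a maintained brand list and the Public Suffix List for registrable domains).
KNOWN_BRANDS = {"paypal": "paypal.com", "google": "google.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "terminated")
GENERIC_GREETINGS = ("dear customer", "dear account holder", "dear user")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # "paypa1" -> "paypal"

# Constructed sample of a fake "PayPal" notice like the one discussed above (not a real message).
PHISH_EMAIL = """\
From: "PayPal Service" <service@paypa1-secure.example>
Subject: Urgent: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>We noticed unusual activity. Please verify your account immediately:</p>
<p><a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a></p>
</body></html>
"""

# Constructed benign counterpart: real domain, link text matches its target, no pressure.
LEGIT_EMAIL = """\
From: "Google" <no-reply@accounts.google.com>
Subject: New sign-in to your Google Account
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Alice,</p>
<p>A new sign-in from a Linux device was detected. If this was you, nothing is needed.</p>
<p><a href="https://myaccount.google.com/notifications">https://myaccount.google.com/notifications</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what hovering over each link would reveal."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive registrable domain (last two labels); enough for this illustration."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(text):
    """Hostname of a URL, or of bare text that looks like one."""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()


def imitated_brand(host):
    """Name of the brand a host imitates, or None if it really is that brand's domain."""
    for brand, real_domain in KNOWN_BRANDS.items():
        if registrable(host) == real_domain:
            return None
        if brand in host.translate(HOMOGLYPHS):  # catches digit-for-letter swaps and brand-as-subdomain
            return brand
    return None


def triage(raw_message):
    """Return the phishing indicators found in one RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender: check the real address, not the display name.
    _name, addr = email.utils.parseaddr(msg["From"])
    brand = imitated_brand(addr.rpartition("@")[2])
    if brand:
        findings.append(f"sender {addr!r} imitates {brand} but is not {KNOWN_BRANDS[brand]}")

    # 2. Links: compare what the link says with where it really goes.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        target = host_of(href)
        if re.match(r"(https?://|www\.)", text) and host_of(text) != target:
            findings.append(f"link text {text!r} hides real target {target!r}")
        brand = imitated_brand(target)
        if brand:
            findings.append(f"link target {target!r} imitates {brand}")

    # 3. Tone: urgency and a generic greeting.
    lowered = (str(msg["Subject"]) + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        findings.append("urgent language: " + ", ".join(hits))
    if any(g in lowered for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of your name")
    return findings
```

Running `triage(PHISH_EMAIL)` reports the look-alike sender domain, the link whose visible text names paypal.com while its target is another domain, the urgency words and the generic greeting; `triage(LEGIT_EMAIL)` returns an empty list. None of these signals is proof on its own, and a carefully written spear-phishing email can avoid all of them, which is why the rules above are about reducing your odds, not eliminating the risk.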
Make sure to remember these rules to lessen your chances of getting hooked by phishermen.
Tools to avoid phishing scams
Cybersecurity relies on different layers of protection. You may want to get the following tools as additional layers of security against phishing attacks.
- Anti-virus with built-in firewall- Most anti-virus software comes with a built-in firewall and a web-protection module. The firewall controls which network connections are allowed; it is the web-protection component that blocks navigation to known phishing or malware sites. Here is a list of the top anti-virus software you can trust.
- Phishing toolbar- Most browsers have built-in anti-phishing protection (Google Safe Browsing in Chrome and Firefox, Microsoft Defender SmartScreen in Edge) that warns you before loading a known phishing URL, much like the web filter above. Make sure it is turned on.
- Password manager and 2FA – A password manager’s auto-fill only offers a saved password on the exact site it was saved for, so if you land on a look-alike site the manager will stay silent; treat that silence as a warning. Here’s a list of the best password managers available. Also turn on two-factor authentication (2FA), so that a scammer who gets hold of your username and password still can’t log in on their own. Be aware, though, that one-time codes from SMS or an authenticator app can be relayed by a phishing site in real time while they are still valid; hardware security keys using FIDO2/WebAuthn resist this because the key’s response is bound to the genuine site’s domain.
Beware and be safe from phishing scams
Phishing scams are getting more sophisticated and more frequent, and it’s up to you to defend yourself against them. You can buy the best anti-phishing tools, but the best defense will always be your own attentiveness.