Phishing 101 – What is Phishing & How You Can Avoid It

“Dear Valued Customer,

It came to our notice that there was an attempt to withdraw $1,000 from your account from another country. If you didn’t withdraw the amount, we believe it was attempted by an unknown third-party.

Please go to the following link to verify your account information to secure your account: URL.”

Does this statement ring any bells?

Well, we all have seen our fair share of fraudulent yet tempting emails asking us to share our personal information. It is often an email from a lawyer informing us of the death of a millionaire who has left us a fortune. And to claim that fortune, we have to meet some important requirements that include sharing sensitive details.

This is what experts call phishing. If you fall into the trap of one of these fraudulent emails or messages, it means that you’ve been phished, robbed, tricked, deceived, or whatever you want to call it.

Fraudulent emails are only one of the many shades of phishing. There are many nefarious ways in which a cybercriminal phishes potential targets. If you don’t want to fall victim to it, we recommend you learn what phishing is, its types, how you can spot it, and most importantly, how you can avoid it.

What is Phishing?

Definition

Phishing

/ˈfɪʃɪŋ/

noun: phishing

The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

Oxford Language Dictionary

Phishing is the most common yet effective digital weapon that cybercriminals have in their arsenal. Cybercriminals conduct phishing attacks, usually through emails, disguising themselves as a trusted source and tricking recipients into clicking a malicious link or downloading an attachment.

Every cyberattack has a purpose behind it, and so do phishing attacks. Cybercriminals use these attacks to obtain personal or business-critical information from the recipient.

If it is personal data, such as bank or credit card details, the hacker will use it for financial gains like stealing the victim’s personal funds. If it is corporate data, such as credentials to the business network, it can be used to sabotage the business or cause reputation or financial losses.

In its GDPR Benchmark Survey of 1,650 respondents, Deloitte found that 59% of people would be less likely to buy from a company that is involved in a data breach, while 25% reported less trust.

To give you a clear picture, here’s a breakdown of the type of data that hackers extract through phishing attacks:

  • Personal information: Name, email address, social security number.
  • Credit card information: CC number, PIN number, username, password.
  • Business information: Patents, sales forecasts, product insights.
  • Banking information: Online credentials, account number, PIN.
  • Medical information: Insurance claims.

Phishing isn’t a newly created cyber weapon. It’s been around since the mid-1990s, and with time, phishing attacks have become more advanced and efficient enough to target large networks or groups of people.

To put a number on it, approximately 88% of businesses globally experienced spear-phishing attacks (one of the types covered below) in 2019 alone.

Okay, let’s put statistics aside for a moment and look at the history of this pervasive threat that’s been a force to be reckoned with since the day it reared its head.

A Brief History of Phishing

The term phishing is a play on “fishing.” The attack is used to bait unsuspecting users just as a fisherman uses bait to catch fish. Now, you may wonder: why not just call it “fishing” then?

Well, in the early days of hacking, hackers would call themselves phreaks. At the time, phreaking was a technique that hackers would use to breach telecom systems. Now, do you see why it is called “phishing”?

So, where did phishing start? It all started with AOL, one of the largest internet service providers of the 1990s, with over a million subscribers.

Timeline

1990

Hackers started a warez community on AOL where they initially traded pirated tools. (Warez is shorthand for “software.”) Later, they started stealing AOL users’ usernames and passwords. Using an algorithm they created, they began generating credit card information from the stolen data.

The fake credit cards were then used to create AOL accounts to spam other AOL users.

1995

When AOL created countermeasures against the algorithm and the fake accounts, hackers turned to spoof emails. It was where phishing first started. Hackers disguised themselves as AOL employees and started sending fake emails to AOL users.

Since phishing was a new concept then and the emails looked exactly like AOL’s own, hackers found it relatively easy to bait unaware users into sharing their personal information.

2003

Cybercriminals turned their attention towards E-Gold, the first digital currency of the time. Using the same impersonation tactics, cyber scammers were successful in tricking E-Gold customers into sharing their credentials. As a result, users’ accounts were drained before they even knew it.

However, the scammers did not have much success in draining E-Gold from businesses, as the online payment system took immediate action to stop phishing.

In the same year, when phishing gained immense popularity in the hacker community, scammers started registering fake domains that resemble genuine entities, such as eBay and PayPal.

They used fake emails to trap unsuspecting eBay and PayPal users, and they convinced the users to share their personal information as well as credit card details.

2004

By practicing their newfound weapon on smaller targets and polishing their skills, cyber scammers turned to bigger and more rewarding targets like global banking websites.

2004-2005

It was not until 2004 and 2005 that the world started seeing the significant damages caused by phishing attacks. It was estimated that US users suffered a huge loss of approximately $929 million due to phishing attacks.

Regardless of the myriad of security measures and awareness messages, individuals and organizations alike are still falling victim to phishing to date. One likely reason is that phishing has become fairly sophisticated over the years, and scammers have devised various ways to target prey.

4 Most Common Types/Techniques of Phishing

There are a number of ways in which phishing attacks are conducted globally. We have created a detailed guide on phishing types, which you can read. Here, however, we will talk about the four techniques that cybercriminals favor most:

1. Spear Phishing

The ancient Chinese hailed the spear as the “King of all Weapons,” probably because of its efficiency, range, and the damage it can cause. Spear phishing is equally efficient and powerful.

Image Credit: Cofense

Spear phishing is one of the targeted forms of phishing. It is used to target specific individuals or entities. The hacker first identifies the target, learns as much about them as possible, and then tailors a spoof email with higher chances of delivering the desired result. Unsurprisingly, it does!

According to the SANS Institute director, 95% of successful attacks on organizations are the result of spear phishing.

2. Clone Phishing

Clone phishing may be more efficient than the clone troopers from the Star Wars film series. As the name suggests, hackers clone a genuine email from a trusted source. They reuse the content of the original email in the cloned, or spoofed, version, except that the links or attachments are replaced with malicious ones.

The malicious link either takes the victim to another spoofed website or simply installs malware on the user’s system for other nefarious purposes, such as enrolling the machine in a botnet.

3. Smishing

Smishing attacks are commonly referred to as text phishing. Here, the victim receives fake text messages from scammers who may impersonate a lottery host or a tax officer.

Image Credit: Digital Trends

The spoofed text message often contains links that direct users to malicious sites that install malware on users’ devices. The malware is used to steal users’ personal information like credit card details, location, pictures, etc.

4. Pharming

If clone phishing tricks users through fake cloned emails, pharming attacks are conducted by presenting users with a fake version of a legitimate website. Since the hacker hosts the website, they can easily steal whatever information the user enters on it.

Some pharming attacks even use genuine websites that have been hijacked by hackers to steal users’ data.

Other well-known types include vishing and social engineering.

Phishing Scams in Real Life

Let us look at some real-world phishing cases to better understand how you are exposed to this widespread cyber threat.

Coronavirus Phishing Scams

The pandemic, COVID-19, has taken hundreds of thousands of lives across the globe, forcing people to stay in their homes. Every person on the planet is suffering the consequences of this pandemic either financially, emotionally, or both.

In these times of need, when people have to stay stronger and be more compassionate to each other, some corrupt individuals have taken it upon themselves to turn this dreadful situation into an opportunity.

Scammers have taken different routes to trick fear-stricken people into phishing scams for fraud and other nefarious purposes. When COVID-19 first struck, scammers began sending fake text messages that appeared to come from the US Department of Health and Human Services.

Image Credit: BBC.com

The text contained registration links with a message claiming that registration was mandatory for Covid testing. In reality, the links led to malware that the scammers were using to collect the victims’ personal information.

To put things into perspective, over 18 million Covid-related phishing emails and websites were blocked, as reported by Google’s Threat Analysis Group.

Presidential Election Phishing Scams

Phishing scams have taken a front seat during the Presidential Elections. With voter registration moved online, scammers have been given ample opportunity to trick voters. On the other hand, registration by phone isn’t safe either. In fact, the US department discourages on-call voter registration.

Scammers send phishing emails and text messages to voters, claiming that their registration is incomplete and that they need to add personal information, including their social security number, to complete it.

Some emails link to spoofed websites where the voter is redirected to fill out fake forms with real personal information, which ultimately exposes them to fraud and other threats.

How to Spot Phishing Attacks

Phishing can be an effective tool for hacking. But if you are aware of a few fundamental telltale signs of phishing, you can spot it right away. Let’s take a look at some of the common identifiers of phishing:

1. Unsolicited Request

Phishing emails are sent to collect sensitive information like usernames, passwords, or social security numbers. Keep in mind that genuine companies never ask you to share these sensitive details over a call or via email. In fact, genuine emails rarely contain any attachments or ask you to download the attachment.

From the example image below, you can see that the unsolicited email has a very generic message and how bluntly they are asking you to download an attachment or update your credentials.

2. Generic Written Emails

One of the easiest ways to spot a phishing email is to check the email’s writing quality. Some phishing emails are littered with typographical and grammatical errors.

Businesses, big and small, would never send an email that is plagued with errors, as they have professional writers crafting their emails. A poorly written email hurts the brand image of the company.

That said, some believe that these emails are deliberately sent to filter out targets that are easy to prey on.

3. Incorrect Domain Name

Legit businesses have their branded domain names that they use for emails as well. For instance, an email from PureVPN looks like this: [email protected]

This is yet another clue that can help you identify an unsolicited or fake email address. Hackers would use incorrect or misspelled domain names that slightly resemble a genuine domain name to trick unsuspecting users, such as [email protected]

Since such misspelled domain names aren’t caught at first sight, they give hackers an opportunity to successfully impersonate an employee or representative of a legitimate company.

4. Non-branded Email Address

As mentioned above, if you were to receive an email from one of PureVPN’s representatives, the email address would look like this: [email protected]

Some spoofed emails, on the other hand, use generic email addresses to phish targets. They may use the name of a legit organization in the subject or as a sender name, but their email may come from a general email address, such as @gmail.com.

Image Credit: WeLiveSecurity

Legit companies don’t use generic email addresses. They only use their branded email addresses for all their marketing and non-marketing emails.

5. Urgent/Panic-Inducing Emails

The average email open rate is 17.8%, and the average click-through rate of the links provided in an email is 14%.

If a hacker sends a generic unsolicited email to a pool of 2,000 potential targets, around 350 recipients will open the email, and 49 people would click the link, provided that they are successfully tricked.

Image Credit: Mail Guard

Scammers are well-acquainted with these industry statistics, and since they are a greedy bunch, they want to hook as many victims as they possibly can. Therefore, they craft urgent or panic-inducing email messages to generate as many clicks as possible.

To avoid such phishing attacks, it is important that you take your time reading the email thoroughly and judge with a calm mind whether what is being asked of you in the email is reasonable or not.
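As an added illustration of clues 3, 4 and 5 above (this is not code from the article or from PureVPN), the following Python script applies those checks to a few constructed sample messages: it extracts the sender domain, compares it against an assumed list of brand domains using look-alike character folding plus an edit distance, flags a brand name paired with a free-mail sender, and searches the subject and body for pressure phrases. The brand domains, free-mail providers, phrase list and sample messages are all constructed assumptions for the demo; a real mail filter would use a public-suffix list and a far larger phrase set.

```python
"""Heuristic sender-address and urgency checks (added example, not PureVPN code)."""
from email.utils import parseaddr
import unicodedata

# Assumed brand domains the recipient legitimately deals with (constructed list).
BRAND_DOMAINS = ("paypal.com", "ebay.com", "purevpn.com")

# Assumed free-mail providers a legitimate company would not send from (constructed).
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Digits commonly swapped for look-alike letters in spoofed domains (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Pressure phrases typical of panic-inducing emails (constructed, deliberately short).
URGENCY = ("verify your account", "account will be suspended", "immediately",
           "within 24 hours", "urgent")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small distances between labels indicate a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Lower-case, fold full-width letters to ASCII and undo digit-for-letter swaps.

    Non-Latin look-alikes (e.g. Cyrillic 'a') survive NFKD; analyze() flags those
    separately because the domain is then no longer pure ASCII.
    """
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    return folded.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def registrable(domain: str) -> str:
    """Keep the last two labels, so 'login.paypal.com.evil.net' is judged by 'evil.net'.

    Naive on purpose: a production filter would consult the public-suffix list.
    """
    return ".".join(domain.split(".")[-2:])


def lookalike_brand(domain: str):
    """Return the brand domain this sender domain imitates, or None if it is the real thing or unrelated."""
    reg = registrable(domain.lower())
    if reg in BRAND_DOMAINS:
        return None
    label = normalize_domain(reg).split(".")[0]
    for brand in BRAND_DOMAINS:
        brand_label = brand.split(".")[0]
        if label == brand_label or brand_label in label or levenshtein(label, brand_label) <= 1:
            return brand
    return None


def analyze(from_header: str, subject: str, body: str) -> list:
    """Return a list of human-readable phishing indicators for one message."""
    display, address = parseaddr(from_header)
    findings = []
    if "@" not in address:
        return ["malformed or missing sender address"]
    domain = address.rsplit("@", 1)[1].lower()
    if not domain.isascii():
        findings.append(f"non-ASCII characters in sender domain {domain!r}")
    brand = lookalike_brand(domain)
    if brand:
        findings.append(f"sender domain {domain!r} looks like {brand!r} but is not it")
    if registrable(domain) in FREE_MAIL:
        haystack = (display + " " + subject).lower()
        for b in BRAND_DOMAINS:
            name = b.split(".")[0]
            if name in haystack:
                findings.append(f"free-mail sender {domain!r} with brand name {name!r} in display name or subject")
                break
    text = (subject + " " + body).lower()
    hits = [p for p in URGENCY if p in text]
    if hits:
        findings.append("urgency/pressure language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    # Constructed samples: a look-alike domain with urgency, a free-mail "eBay", and a clean message.
    samples = [
        ("PayPal Support <service@paypa1-secure.com>", "Urgent: verify your account",
         "Please go to the following link to verify your account information immediately."),
        ("eBay <ebay.billing@gmail.com>", "Your invoice", "Thanks for your purchase."),
        ("PureVPN <support@purevpn.com>", "Monthly newsletter", "Read our latest blog post."),
    ]
    for hdr, subj, body in samples:
        print(hdr, "->", analyze(hdr, subj, body) or ["no indicators"])
```

Run it as a script to see the three verdicts; the first message trips both the look-alike domain and the pressure-language check, the second trips only the free-mail check, and the genuine newsletter produces no findings. The edit-distance threshold of 1 and the "brand name inside the label" rule are tuning choices, not rules from the article.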

Take These Preventive Measures Against Phishing

Now that you know how to identify phishing emails, it is time to learn about the preventive measures you need to avoid falling victim to this heinous yet clever cyber attack.

1. Learn How to Spot Phishing

The spotting techniques we have mentioned above are clear enough to help you identify phishing scams from miles away. Try to learn more about how you can sniff out scam emails, messages, or phone calls. The more knowledge you amass for spotting phishing, the more easily you can avoid it.

2. Install a Good Antivirus Tool

Sometimes, scam emails are so convincing that you can’t help but fall into their traps. Oftentimes, it is the weakest moments that lead us to those traps. Regardless, a good antivirus tool can protect you from the consequences of those emails.

Since some phishing emails contain malicious links that download malware to your system, you can block that malware from getting into your hard drives with the help of antivirus software.

These tools are continuously updated with virus and malware signature data, which allows them to protect your system against modern malware attacks.

3. Install an Anti-Phishing Browser Add-on

An anti-phishing toolbar or browser extension can be an added weapon in fighting phishing scams. These toolbars are also regularly updated to keep users safe against malicious websites or ad networks that are part of large phishing operations.

4. Always Ditch Pop-ups

Pop-ups have always been a nuisance to our browsing experience. They hurt the eyes and distract our attention. Sometimes, hackers hijack even genuine websites and lace them with malicious pop-ups that target visitors.

These ad pop-ups can also take you to malicious websites or install malware on your system automatically. Use an ad or pop-up blocker to prevent your browser from opening these unsolicited websites.

5. Be Wary of Events That Attract Scams

Be wary of the world’s most popular events, as they too tend to attract cybercriminals, which ultimately leads to phishing and other cyber threats. Take, for instance, Presidential Elections, when cybercriminals become actively involved in phishing voters.

Practice safe browsing if you wish to prevent these scams from making you their prey. Do not open unsolicited emails. Don’t click links in emails. And don’t give out personal information like you are offering charity.

6. Use Two-Factor Authentication

Two-factor authentication is one of the most effective ways to fight off many cyber threats. Since 2-factor authentication requires a second verification step beyond the password, it becomes difficult for hackers or scammers to get past the login process even with stolen credentials.

Try to implement 2-factor authentication on every important account you have, such as bank accounts, email accounts, etc.

Never ever click any links that you see in any email. If you must, then double-check the tell-tale signs of phishing emails like incorrect email address, spoofed domain name, or email message.

If you are asked to access your bank account or any social media account to update your profile, just go to your account directly and do it there. In other words, don’t click on the link in the email. Open a new browser tab and type the URL of the banking website yourself. If the request is legitimate, you’ll see a notification on the website informing you of that fact.

What to Do If You’ve Been Phished

If you think you were too late to spot phishing or take any preventive measures against it and you have been phished, here are some immediate steps you need to take:

  • Go to IdentityTheft.gov and follow their instructions to protect yourself from the identity theft that often results from phishing.
  • If you clicked a malicious link and ended up downloading malware, immediately update your antivirus and run a full scan of your system. Also, update your operating system to patch any known vulnerabilities.
  • Change your accounts’ credentials, such as passwords, from a different device as soon as possible.
  • Back up your data, and restore your system from a previous clean backup.

To Summarize…

So, what is phishing? It is a type of scam where the scammer impersonates a legit person or entity to steal your sensitive data, which may result in identity theft, blackmailing, and fraud, to name a few.

How can you prevent it? You can do so by learning about different phishing types, how you can browse safely, and how you can spot them.

Phishing is a global threat that has caused billions of dollars of damage to date. What makes this attack so effective is that it is targeted at humans; technology may be able to stop it, but we’re vulnerable emotional beings. Therefore, be proactive and update your glossary so you can easily spot and avoid phishing scams.

Mohsin Qadir An information security analyst in the making, a father of an adorable kid and a technology writer (Contributor). He can be found lurking around top network security blogs, looking for scoops on information security and privacy trends.
