What are Phishing attacks and how to avoid them?
Phishing is a type of a cyberattack where a given individual or group uses disguised emails, direct messages, fake advertisements or even fake news to represent another individual, persona or trusted institution in order to obtain sensitive information such as personal data, passwords, credit card details or other private materials such as photos, videos or other type of imagery.
It is extremely important to be aware of the principles behind phishing, especially during our current day and age, where our online security and privacy are being endangered each and every time we go online.
Such attacks are nothing new, dating back to the dawn of the Internet in the 1990s, however, phishing cases and variants seem to be steadily increasing rather than slowing down. Because of this, it is important to learn to distinguish these attacks in order to protect your information security and data privacy.
How does phishing work?
As we already highlighted, phishing attacks involve an individual, website, ad or business representing the identity of a trusted person, company or organization.
The attacker(s) then begin some type of a virtual correspondance with their victim(s). This could be through multiple channels - email, direct phone messages and social media among other platforms.
Most messages would be something that is either financially or password-relevant. Some of the most common phishing correspondence topics include billing issues, password resets or claiming prize winnings.
Such fake messages usually have a very generic opening line, a lot of flashy imagery or text and are grammatically and lexically incoherent, sometimes even illegible. Sometimes the victim might even find their full name, or other information inside of the correspondence due to potential database or email leaks.
Mass vs targeted phishing attacks
It is important to mention that there are both mass and directed phishing attacks.
Mass phishing attacks for example can occur when an email list falls into the wrong hands. In this scenario, the targeted victims are all users, who operate under the leaked email addresses. The main goal of such attacks is to get as much information or funds extracted as possible and they can be more easily spotted.
Directed phishing attacks are aimed at particular individuals and they are substantially more researched and tailored in order to persuade the victim to share their personal information.
However, each of these 2 categories can be broken down into subsections, as there are plenty of phishing variants.
Phishing attacks types
There are multiple different types of mass and targeted phishing attacks. The following list represents some of the most widespread ones.
Email phishing - the most common
Email attacks are the most common type of phishing. As we briefly touched upon previously, it is a mass attack and it involves sending emails to random emails that have either been obtained through a database leak or sold online.
These attacks use a very urgent or interesting headline that would get the attention of the recipient, leading to them opening the email or message and clicking onto a link or providing their sensitive information.
Spear phishing - the most dangerous
Spear phishing on the other hand is one of the most dangerous types of attacks as it is a lot more focused. Usually such attacks are carried out on particular individuals or a number of people within the same company, hence where its name derives from.
For this type of phishing, the attacker(s) carefully conduct their research using information from the targeted individual or business’ social media profile(s), online activity and any personal information that they already provide.
It is very difficult to spot and can have severe consequences depending on the type of information that is desired to be obtained.
Usually, the correspondence channel that is used is one that is very commonly employed by the victim and the representative of the attack is someone who is impersonating a trusted individual or company.
Whaling - targeted at CEOs, CFOs and management
Whaling, on the other hand, is a type of a phishing cyberattack that specifically targets people in positions of power in a given company. This could be CEOs, CFOs, managers and any other position that has access to information regarding high-profile projects or finances.
These attacks, similar to spear phishing, are very carefully conducted and the attackers usually collect data about a given victim for quite some time in advance. They could even provide them with corporate data and reach out through trustworthy platforms in order to gain their trust.
Smishing - text messages
This type of phishing attack involves deceiving the victim(s) into paying money or clicking on suspicious links by using text messages.
Social media platforms and traditional SMS messages are the most common places for this type of attack to occur.
Once clicked, a given link can download a virus or other malicious software on the victim’s device and monitor their activity or extract personal data.
Vishing - voice calls
Vishing is a type of a phishing attack where the victim is targeted over a voice call by a fake individual or organization, in most cases - a bank or insurance company that the victim is a client of.
Victims are forced into revealing personal information, in most cases bank details and credit card information. This particular type of attack is similar to phone call scamming, which is also quite widespread.
Finally, we have angler phishing, which targets individuals on social media platforms. The attacker disguises as a customer service representative and aims to find a victim who is dissatisfied with a financial institution or paid service.
Using the victim’s dissatisfaction and frustration, the attacker lures them into revealing their account credentials and personal information.
How to avoid phishing attacks
There are a number of different factors that you can take into consideration, which can help you avoid becoming a victim of such phishing attacks.
If you are going to be opening a link from any email, always do so by opening a new tab and manually inputting the link. Never open a link through an email! Additionally, make sure to carefully check the sender’s email address - sometimes just a single letter might be extra or omitted. You should also consider using a more secure email client that will respect your privacy such as ProtonMail.
Check if the webpage you are currently on has an active SSL certificate by looking for the green padlock icon in the leftmost side of the URL field.
Use a password manager. Many password managers have built-in functionalities that help them detect malicious websites, helping you avoid any potential phishing spots.
Make use of two-factor authentication. For example, you can use Google Authenticator when possible in order to avoid potential privacy breaches. Don’t use SMS verification as you might fall victim to smishing or SIM-swap attacks.
Make sure you update your software and enable your device’s built-in protection software like Firewall for Windows.
Consider employing principles like technological minimalism to further protect your privacy.
Never, under any circumstances, provide your password or personal credentials to anyone over the phone or the Internet. If you are contacted by a representative of a trustworthy institution, reach out to them first and double check that everything is in order so that you can manually verify the request.
If you are using any online financial services, make sure to periodically review their activities and updates to stay up-to-date with any changes. Staying informed from the official source will allow you to immediately identify any phishing attack.
Finally, consider using a trusted and secure virtual private network (VPN) to further protect your privacy while surfing online. There are many other reasons as to why you should be using a VPN, but one of the most important ones is that having an active VPN connection will prevent your data from being collected by websites, your ISP and other third-parties.
If you want some more tips on having a safe online experience, you can check out our article on how to protect your privacy online.
What to do if you fall victim to a phishing attack?
If you believe that you have fallen victim to any type of phishing, immediately contact your financial institution or the individual that the attacker was representing.
Manually verify everything that you have received in terms of information in the suspicious email or call.
Report any suspicious emails or messages to the respective company that was being impersonated so that they can help reduce future phishing instances.