Phishing is the most common type of cybercrime with over 200,000 victims of this crime in 2020 in the US alone. Phishing attacks are a form of fraud which prey on people’s lack of education about the internet and caution when using services such as SMS and email. The goal of phishing attacks is to obtain the target’s sensitive personal information for malicious intent.

 

What does phishing mean?

 

The word phishing, analogous to fishing, was coined during the early stages of the internet to describe the cybercrime that has become so prevalent in our age. Similar to the sport of fishing, attackers try to “phish” for the target’s sensitive and personal information, using methods such as email or text messages to lure them into handing over their information.

 

How does phishing work?

 

In a phishing attack, the victim is contacted, typically through email or text message, in an attempt by the criminal to steal sensitive information. The perpetrator poses as a legitimate institution such as the victims bank in order to lure them into providing information such as banking and credit card details, or personally identifiable information and passwords.

The information obtained by the criminal is then used to access the users personal accounts with malicious intent, which can result in severe financial loss or identity theft for the victims unfortunate enough to be caught out by these attacks.

 

Types of phishing attacks

 

The most common type of phishing attack is email phishing. This is where the attacker sends an email posing as a trusted institution in order to trick the target into giving them sensitive information.

Another common type of phishing is SMS phishing, which is similar to email phishing however, the attacker would contact the target through text message instead. These messages, as well as email phishing messages, are often sent to many people in the hopes that a few of the targets fall for their scam.

A more specialised form of phishing is spear phishing. This is a phishing method that targets specific individuals or groups rather than sending mass emails or texts in hopes that they are able to obtain someone’s information. Spear phishing perpetrators typically know relevant information to the target such as their name, job, bank account or service provider so that they can tailor their message, whether through text, email or other platforms, in order to make their attempt more convincing so that the target will trust the link they provide. These attacks usually have higher success rates due to it being tailored to the target and more sophisticated.

Pop-up phishing is a more complex form of phishing in which a pop-up ad lures the target into installing malicious software on their computer. Scare tactics such as warnings that their computer has been compromised are typically used to encourage the target to comply and install their software. The attackers would then have access to the computer and can use methods such as tracking keystrokes to obtain sensitive information from the victim’s computer, especially as they are often unaware that their computer has been infected.

 

How can I detect phishing?

 

One of the easiest ways to detect a phishing attempt which is carried out through email is if the message is sent from a public email domain. The email domain name is the part which is displayed after the @ symbol in an email address. A public domain email address is one provided by email service providers such as gmail, outlook or yahoo mail. Anyone can create an email address with these providers and so more than likely if an email claiming to be from a legitimate institution is sent from a public email domain, it is a phishing attempt. Almost all organisations will have their own email domain such as @santander.com or @google.com, so emails from addresses with domains such as these are likely legitimate, rather than addresses ending in @gmail.com or @outlook.com, which are free public domains.

Another clue that indicates a phishing attack is if the domain name of the email address is misspelt. Domain names are freely available to purchase from domain name registrars, and so even though every domain name is unique, criminals can purchase domain names similar to that of legitimate institutions. Often they will send emails from domains the same as the institution, but with a slight misspell that can be hard to notice if the target does not double check that it is in fact a correct domain name for the institution. 

 

Tips to help prevent phishing attacks

 

The easiest way to prevent phishing attacks is to always verify the domain name of emails claiming to be from a trusted institution, and make sure there is no incorrect spelling.

Another very easy way to prevent phishing attacks is to not click on links sent through email or instant message. If you are able to go straight to the institution’s website through other means such as a search engine instead of clicking on the link within the message, then it is highly advisable that you do that to ensure you are giving information to a trusted party.

Also make sure to never give your information to an unsecured site. To check if the site is secured, make sure the url starts with “https” rather than “http” or there is a padlock icon next to the url. Even though the website may not be intended to phish your information, giving information to an unsecured site means that third parties may be able to access that information even though it was not intended for them to receive it.

Another very important tip to defend against phishing attacks is to use different passwords for each of your accounts and use 2 factor authentication where available. Using different passwords enables you to mitigate the damage in the event your information is obtained by a bad actor as they will only have access to that one account. With 2 factor authentication, even if you are successfully phished for your passwords, they still won’t be able to access your account without the second authentication method (usually a temporary code sent to your phone).

 

SIGN UP FREE

 

Share This