Phishing is when criminals use fake emails to lure you into clicking on links or attachments and handing over your personal or financial information, or installing malware on your device. It’s also one of the most common cybercrimes, with an estimated 3.4 billion spam emails sent daily. It’s easy to avoid a scam email, but only once you know what to look for. Below are a few tips on how you can protect yourself from phishing:
Types of phishing
Email phishing
When you think of phishing, the first thing that comes to mind is probably the phishing email, which is one of the most common forms of phishing. Phishing emails use tactics like legitimate-looking email addresses and hyperlinks to lure recipients into sharing their personal information. They may also impose a sense of urgency, even claiming your account has been hacked, to pressure you into following through.
Spear phishing
Where most email phishing attacks cast a wide net, spear phishing works by targeting a specific individual or organization. These attacks can be customized with personalized messages or important-sounding documents, which makes them appear more credible and unfortunately, more effective.
Smishing
With so much of our lives now managed on mobile devices, it's no surprise scammers have moved to this medium to target your sensitive information. Smishing is a phishing message received via text message. Just like an email phishing attempt, the scammers are after your sensitive information; they've simply changed channel, since we're often more likely to click on a text than an email. SMS click-through rates are between 8.9% and 14.5%, whereas emails have an average click-through rate of only 1.4%.
Vishing
Voice phishing, also known as vishing, is when you receive a call from attackers attempting to trick you into providing sensitive information over the phone. Like email phishing, these calls often involve a sense of urgency and pose as legitimate organizations; sometimes the caller will use social engineering to get you to download an app that carries malware.
Telephone-oriented attack delivery (TOAD)
In between smishing and vishing lies telephone-oriented attack delivery (TOAD). TOAD attacks typically combine smishing with vishing to trick you into disclosing your information. Often the initial message contains no link or attachment, only misleading information and a phone number; the attack chain is activated when you call that number. Alternatively, TOAD attacks can start with a call, and once trust is built, the attacker sends an email or text with a phony link. These attacks are on the rise: according to Proofpoint's 2024 State of the Phish report, an average of 10 million TOAD messages are sent every month.
Phishing ads
Google is the go-to for answers, but it's also a new go-to for scammers. Online criminals are targeting businesses and individuals through Google Ads, phishing for login credentials with fraudulent ads that impersonate other businesses. Sponsored ads on Google can be purchased by essentially anyone, so scammers can set up legitimate-appearing sites with fake login pages to steal your information. It can be easy to assume that any ad is legitimate, but you should always verify before clicking on the link. The best way to check is by clicking on the three dots next to the ad and confirming the advertiser. You can also verify the ad here. However, if you're looking for a specific website, like your online banking for example, it's generally best to type the web address directly into your browser instead of searching for it via Google.
Common phishing tactics
While the type of attack may vary, scammers use many of the same tactics across the board to create the perfect storm. Regardless of attack type, scammers will do their best to look legitimate. This can be through fake hyperlinks, fake email addresses, or simply by lying during a vishing call. Scammers will also prey on your sense of urgency and create a perception of need. By exploiting emotions like fear and anxiety, coupled with other tactics like impersonating trustworthy sources such as Microsoft or Google, they can trick you into acting before you even realize you've been duped.
Learn how to spot phishing attempts
Modern spam filters typically do a good job of filtering emails, and now spam calls too, but fraudsters are always trying to outsmart them. The signs can be subtle, but once you recognize a phishing attempt you can avoid falling for it. Here are some quick tips on how to spot a phishing email or ad:
- An offer that's too good to be true
- Language that's urgent, alarming, or threatening
- Poorly crafted writing with misspellings and bad grammar
- Greetings that are ambiguous or very generic
- Requests to send personal information
- Pressure to click on unfamiliar hyperlinks or attachments
- Strange or abrupt business requests
- A sender address that doesn't match the company the message claims to come from
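The checklist above can be turned into a simple automated screen. The following is an added example (not code from the original article): it parses one raw email and reports which of the indicators it trips, checking urgent language, a generic greeting, a Reply-To domain that differs from the sender's, and link text that names one site while the link actually points to another. The sample message, the indicator names and the keyword lists are all constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENT = ("urgent", "immediately", "suspended", "act now", "verify your account")
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def company(host):
    """Crude registrable part of a hostname (last two labels); enough for a demo."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def header_domain(msg, name):
    """Company part of the mailbox in a From/Reply-To header ('' if absent)."""
    return company(parseaddr(msg.get(name, ""))[1].rpartition("@")[2])

def phishing_indicators(raw_email):
    """Return the sorted indicator names that one raw RFC 5322 message triggers."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = set()
    if any(w in text for w in URGENT):
        hits.add("urgent_language")
    if re.search(r"dear (customer|user|valued|account holder)", text):
        hits.add("generic_greeting")
    reply_to = header_domain(msg, "Reply-To")
    if reply_to and reply_to != header_domain(msg, "From"):
        hits.add("reply_to_mismatch")  # replies go somewhere other than the sender's domain
    for href, anchor in LINK_RE.findall(body):
        shown = DOMAIN_RE.search(anchor.lower())  # anchor text that looks like a URL/domain
        if shown and company(shown.group(0)) != company(urlparse(href).hostname):
            hits.add("link_text_mismatch")  # link text names one site, href goes to another
    return sorted(hits)

# Constructed sample message (not a real phish), written to trip several indicators
SAMPLE = """From: "PayPal Support" <service@paypal-account-verify.com>
Reply-To: helpdesk@mail-relay.example
Subject: Urgent: your account has been suspended
Content-Type: text/html

<p>Dear Customer,</p><p>Verify your account immediately or it stays suspended.</p>
<p><a href="http://login.paypal-account-verify.com/verify">https://www.paypal.com/signin</a></p>
"""
```

Running `phishing_indicators(SAMPLE)` flags all four indicators; a routine notification whose links and headers all stay on the sender's own domain returns an empty list.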
What to do if you receive a phishing message
Don't worry, you've already done the hard part, which is recognizing that an email, text, or call is fake and part of a criminal's phishing expedition. If you get a phishing email or text at work, report it to your IT manager or security officer as quickly as possible. If you're at home and the message comes to your personal email or phone, don't click on any links (even the unsubscribe link) or reply, and delete the email altogether. You can take your protection a step further and block the sending address or number, and report it to the Federal Trade Commission (FTC). You can also report vishing calls here.
What to do if you accidentally click a phishing link
If you accidentally click a phishing link, you need to act quickly. Immediately disconnect your device from the internet. If you're connected via Wi-Fi, locate the Wi-Fi settings on your device and disconnect from the network. If you're connected using an ethernet cable, unplug it immediately. After disconnecting from the internet, back up your files to external storage, such as a USB thumb drive or an external hard drive (cloud storage is an option once you are back on a trusted connection).
After that, scan your device for malware. If you're not technologically savvy, it's best to leave this to a professional, since some malware disguises itself as a legitimate program. You'll also want to change your credentials so your personal or financial information can't be compromised. If you don't already, be sure to use different passwords across accounts, so it's more difficult for scammers to access your information. Lastly, freeze your credit with each of the three major credit bureaus (Experian, Equifax, and TransUnion) and set up a fraud alert; once you've placed a fraud alert with one bureau, it legally must notify the others.
You may also want to write down all the details of the attack as soon as possible, so you can report it to the FTC or law enforcement, especially if you've lost money or had your identity stolen. Unfortunately, once you've sent your information to an attacker, you'll likely receive even more phishing messages, so stay alert.
Key takeaways:
- Scammers are constantly coming up with new ways to try to trick you into revealing information.
- Always double-check the sender when receiving emails or texts, and review links before clicking.
Scams are becoming increasingly common as more of our lives move online. It's important to remain vigilant and continue to educate yourself, friends, and loved ones on new tactics as they arise.