
Phishing scams: How to spot and avoid them

    Phishing is one of the oldest cybercrime threats, having been around since the earliest days of the internet.

    Yet phishing is also one of the biggest cybersecurity threats facing any organization, and it is unique in that it targets people rather than software or hardware.

    This means that even if you have invested in the most expensive security infrastructure, your organization is still at risk if a single employee is compromised by a phishing scheme. This is one of the key reasons phishing is so dangerous.

    Unfortunately, the danger of phishing has increased in both quality and quantity in recent years. According to the Anti-Phishing Working Group (APWG)’s Phishing Activity Trends Report, phishing attacks reached 1,025,968 by March 2022, a 15% increase over Q4 2021. The sophistication and variety of techniques used in each attack have also increased.

    In this article, we will look at what phishing is, how to identify phishing attempts, and how organizations can protect their employees and customers from phishing attacks more effectively.

    By the end of this guide, you will have learned about:

    • What is a phishing scam?
    • Different types of phishing in 2022
    • How to recognize phishing attempts
    • How to protect your business from phishing 
    • How to report both successful and unsuccessful phishing attempts and mitigate the damage

    Let us begin this guide right away.

    What is a phishing scam?

    Phishing is a type of cybercrime in which the perpetrator contacts a target victim (or victims) while posing as a famous person or a legitimate institution to lure this victim into providing confidential, sensitive, and/or valuable information like Personally Identifiable Information (PII), banking details, credit card information, account credentials, and more.

    The name “phishing” is analogous to fishing, referring to how the cybercrime “fishes” for credentials, passwords, and other sensitive information from its victims. 

    The word “phishing” was first used around 1996 by hackers stealing then-popular AOL (America Online) accounts. Hackers in the late 1990s tended to replace “f” with “ph” (as in “phreaks”), hence the spelling “phishing.”

    Traditionally phishing was conducted over email, but today it can happen over many different channels: phone calls, text messages, social media comments and DMs, blog comments, and more.

    Why do cybercriminals conduct phishing?

    The short answer is to monetize stolen information.

    As with most other criminal activities (including cybercrimes), the majority of phishing attacks have financial motivations behind them.

    There are cases where the motivation is not financial, such as a personal vendetta or political reasons (e.g., smear campaigns), but they are relatively rare.

    So, how do cybercriminals make money from phishing? Understanding their monetization techniques can help you recognize phishing attempts. Here are a few examples:

    • Stealing your credit card details and using them to purchase goods online.
    • Extortion: after successfully extracting sensitive information, the criminals demand payment from the victim, threatening to release the information publicly otherwise.
    • Selling sensitive or personal information to other parties (e.g., your competitors or other hackers), a common practice on the dark web.
    • Using your information to launch another scam or cybercriminal activity, for example, contacting your friends from your account to scam them.

    The anatomy of a phishing attack

    Phishing is a form of social engineering, the umbrella term for a broad range of criminal activities carried out through human interaction.

    Phishing relies on psychological manipulation to trick its victims into divulging their sensitive information or making security mistakes.

    While cybercriminals use many different techniques and schemes, a phishing attack typically follows this pattern:

    1. The perpetrator researches the target victim and/or their environment to collect information such as potential security vulnerabilities and other weaknesses.
    2. The perpetrator initiates contact and attempts to gain the victim’s trust.
    3. The perpetrator either:
      1. Offers something valuable to trigger the victim’s sense of urgency, or
      2. Instills fear in the victim, typically with a fictitious threat (e.g., “your account will be deleted soon, and we need to verify your identity”).
    4. The victim is tricked into divulging their personal information or credentials.

    For example:

    1. The perpetrator chooses Gmail users as targets and researches the Gmail platform and its policies.
    2. The perpetrator sends Gmail users an email from an address resembling Google’s official one (for example, using a “Google.biz” domain name).
    3. The email alerts users to a policy violation requiring immediate action (e.g., a password change or security question change) and includes a link to a fake website nearly identical to Gmail’s login page.
    4. The victim enters their current credentials on the fake login page, and those credentials go straight to the attacker.

    This is just one example of so many different phishing techniques and schemes performed by cybercriminals on a daily basis. However, we can categorize phishing attacks into several major types, which we will discuss below.

    Different types of phishing attacks

    1. Email phishing

    The most basic type of phishing scheme. As the name suggests, it involves the perpetrator sending emails while impersonating a known brand or person.

    The email will contain either a link to a malicious website or an attachment containing malware that will infect the recipient’s device.

    How to identify:

    While cybercriminals are getting more sophisticated in launching email phishing, you can generally look for the following signs:

    • Check the domain name of the sender’s email address and make sure it’s legitimate.
    • If the email contains any contact information, cross-check this contact information with the one on the website of the company the email claims to be from.
    • Avoid clicking on shortened links. Shortening is a common technique used to get past Secure Email Gateways, since the gateway cannot see the real destination.
    • Don’t trust a logo just because it looks legitimate; view the email’s source code, as such images often carry malicious HTML attributes (for example, a link to a phishing page).
    • Be reasonably suspicious when an email has very little text and only an image in the body. The image may hide malicious code or links.

    2. Spear phishing

    Spear phishing typically also uses email as the primary communication medium, so it can be considered a variation of email phishing. 

    The main difference lies in spear phishing’s more targeted approach: it typically goes after a single victim (or a small group of victims).

    The perpetrator first conducts thorough research on the target, gathering information from sources such as social media and the company’s website. They then approach the victim with a personalized scheme that uses the collected details, such as the real names of the victim’s boss or HR manager and work telephone numbers, to gain the victim’s trust.

    Ultimately, because the accurate details make the victim believe the scammer’s claimed identity, they fall into the perpetrator’s trap.

    How to identify:

    Identifying a spear phishing attack can be more challenging because of the amount of research the perpetrator has done and the seemingly valid information they use. However, look for the following:

    • An email claiming to be from your boss or someone important in your company with password-protected files or documents requiring you to input your username and password. This is a common scheme to steal credentials.
    • In general, be aware of any requests that seem out of the ordinary, considering the alleged sender’s job function.
    • Another common scheme is to include links to documents stored on Google Drive, Dropbox, or other cloud-based storage services. These links often redirect you to a malicious website.

    3. Whaling

    Another variation of spear phishing, whaling (often called “CEO fraud”) involves the perpetrator using open source intelligence (OSINT) techniques to find the name of an organization’s CEO or another top-level executive and then impersonating that person with a fake email address.

    The perpetrator will then target the company’s employees, asking the recipient for their account credentials, banking information, or even asking the recipient for a money transfer.

    How to identify:

    • Double-check the sender’s email address and make sure it comes from the official company domain. A common trick is to claim the email is coming from the executive’s personal address (e.g., because they can’t access their work email at the moment).
    • Don’t hesitate to confirm with others in your company, or even to call the person the email claims to be from.
    • Be extra careful if the email claims to be from someone in your company who has never made any contact before.

    4. HTTPS phishing

    Many of us have been taught that HTTPS websites are encrypted and therefore safe for submitting personal information and credentials.

    Scammers exploit this belief by serving the fake website linked in the phishing email over HTTPS. The padlock only means the connection to the site is encrypted; it says nothing about who runs the site.

    How to identify:

    • Check whether the link text is being used to hide the real URL (hover over the link to see its actual destination).
    • Check that the link is not shortened and that every part of the URL is visible.
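Both checks above (link text hiding the real destination, and shortened links) can be applied to the HTML body of a message before a user ever sees it. The following Python script is an added example rather than code from the article: it walks every anchor in an HTML email, flags link text that looks like a URL but points at a different host, flags hrefs on well-known URL shorteners, and notes links served over plain HTTP. The SHORTENERS list and SAMPLE_HTML (with a fictional .test domain) are constructed for the demonstration.

```python
"""Audit the links in an HTML email body.

Added example, not code from the article. For every <a> tag it reports whether
the visible text is a URL whose host differs from the real href (hypertext
hiding the true destination), whether the href is on a URL shortener, and
whether it uses plain HTTP. SHORTENERS and SAMPLE_HTML are constructed for the
demonstration; the phishing domain is a fictional .test name.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A few well-known shorteners (constructed, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Visible text that "looks like a URL", e.g. https://accounts.google.com/security
URL_TEXT = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())   # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname; bare 'example.com/x' text is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def audit_links(html: str) -> list:
    """Return one finding dict per link with the list of issues detected."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        issues = []
        target = host_of(href)
        if URL_TEXT.match(text) and host_of(text) != target:
            issues.append("text-hides-real-url")   # shows one URL, goes to another
        if target in SHORTENERS:
            issues.append("shortened")             # destination cannot be inspected
        if urlparse(href).scheme.lower() == "http":
            issues.append("plain-http")            # unencrypted, no certificate at all
        findings.append({"href": href, "text": text, "issues": issues})
    return findings


# Constructed sample email body mixing one deceptive, one shortened,
# one plain-HTTP and one genuine link.
SAMPLE_HTML = """
<p>We detected a policy violation. Please visit
<a href="https://accounts-verify.example-phish.test/login">https://accounts.google.com/security</a>
within 24 hours.</p>
<p>Or use this <a href="https://bit.ly/example">short link</a>.</p>
<p>Questions? Visit <a href="http://support.example-phish.test">our help center</a>.</p>
<p>Genuine: <a href="https://accounts.google.com/security">https://accounts.google.com/security</a></p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        print(finding["issues"] or ["ok"], finding["href"])
```

A link with an empty issues list is not proven safe; the script only catches the three presentation tricks the text describes. It is most useful as one signal feeding a gateway rule or a user-facing warning banner.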

    5. Vishing

    Short for “Voice Phishing,” and as the name suggests, it is a phishing attempt that happens over a phone call. 

    Typically the perpetrator will call during a busy time, coinciding with a stressful season, period, or event, claiming to be from an established company and creating a heightened sense of urgency. 

    The idea is for the call to create a sense of panic, confusing the recipient into making security mistakes and divulging their sensitive information.

    How to identify: 

    • Be reasonably suspicious if the call requests unusual actions for the type of caller, especially when it requests sensitive or personal information.
    • Double-check the caller’s number if it comes from an unusual location or is blocked.
    • Use mobile applications that let you check the identity of incoming calls from unknown numbers. There are plenty of such apps for both iOS and Android devices.
    • It’s best to avoid picking up calls from unknown numbers during stressful times or situations.

    6. Smishing

    Short for “SMS phishing,” it is a phishing attempt made over text messages (SMS).

    Typically the perpetrator sends a text message claiming to be from an established organization or company, and the message includes a link that delivers malware and/or redirects you to a malicious website.

    Since many people tend to view text messages as more personal and “harmless,” smishing may catch its victims off guard.

    How to identify:

    • Before clicking on any link, go directly to the website of the company the text message claims to be from and check whether there is any notification related to the action the message requests.
    • Don’t hesitate to contact the number listed on the company’s legitimate website and confirm the legitimacy of the text message.
    • Review the sender’s area code and number and compare it to your contact list before clicking on any link or taking any of the suggested actions.

    7. Angler Phishing

    Angler phishing is a specific type of phishing targeting social media users, mainly involving the perpetrator using fake social media accounts impersonating known companies or individuals.

    Angler phishing leverages the fact that interactions between businesses and customers on social media are becoming more frequent and expected. The perpetrator engages with target victims via notifications and DMs to trick them into making security mistakes.

    How to identify: 

    • Double check the account for a blue tick (verified account).
    • Be wary of notifications that include links that may redirect you to malicious websites.
    • Avoid clicking on any link in a DM from someone who rarely shares links (or from an account that has never messaged you before), even if the link looks legitimate.
    • If a DM comes from someone you know who rarely messages you, double-check the account, since it may be spoofed or newly created.

    8. Pharming

    Pharming is a rather advanced form of phishing, with the name being a portmanteau of “phishing” and “farming.” 

    A common pharming technique involves the perpetrator hijacking DNS resolution so that users trying to reach a specific website are redirected to a fake one instead.

    A sophisticated pharming attempt can be very hard to detect. 

    How to identify:

    • Check the website’s URL and be suspicious if it uses HTTP instead of HTTPS.
    • Look for inconsistencies like typos, mismatched colors, inappropriate designs, thin content, etc., that may signify a fake website.

    How to protect your business from phishing

    Above, we’ve learned how to recognize the major types of phishing techniques and the basic steps to protect yourself from them.

    In this section, we discuss some important best practices to follow in order to protect yourself and your business from various phishing attacks:

    1. Educate your employees

    Since phishing is basically social engineering, the first line of defense you should have is to ensure your employees have the education and training necessary to recognize phishing attempts and protect their credentials/sensitive information.

    Make phishing awareness training a part of your employee onboarding program, and regularly refresh the training to include newer methodologies and trends.

    2. Require multi-factor authentication

    Requiring multi-factor authentication can mitigate the risk of successful phishing in situations when your employees are tricked into divulging their credentials. 

    With multi-factor authentication, you’ll require your employees to provide another piece of information besides their password before they can log in to your networks and applications. 

    The secondary (or more) piece of information can be: 

    • Something they are: a biometric such as face ID or a fingerprint
    • Something they know: another password, a PIN, the answer to a security question, etc.
    • Something they have: a device to pair, a keycard, a USB dongle, etc.

    3. Regular backup

    Successful phishing attacks may cause malware infection, including ransomware, which may cause you to lose access to certain files/apps and even complete system failure.

    To mitigate this risk, keep a backup of your data regularly.

    We recommend following the 3-2-1 backup principle: 3 copies of your data, on 2 different media, with 1 copy kept offsite.

    Stopping impersonation of your brand in phishing attacks

    Another concern related to phishing is when your domain or brand name is used by cybercriminals as a part of their phishing scheme. 

    Although it’s not technically your fault, victims of phishing attacks may blame the brand the scammer is impersonating, causing a negative impact on the brand’s reputation.

    While 100% prevention of cybercriminals from impersonating your brand can be very difficult if not impossible, there are steps your business can take to mitigate the risk:

    • Use SSL/TLS certificates (HTTPS) on your website. A scammer who wants to impersonate your site then also has to obtain a certificate for the fake one, which may discourage them.
    • Use email authentication protocols such as DKIM and DMARC so that receiving mail servers can verify the emails your business sends, and so that your own servers can verify the emails they receive. This stops outsiders from sending forged emails under your domain name and so helps prevent email phishing against your customers.
    • Register variations of your domain names (different TLDs, potential misspellings, etc.) to prevent these variations from being used in phishing attempts.
    • Use Red Points Domain Management to safeguard your business’s domain names in real time. Red Points automatically catches phishing attempts that use your domain name across many different platforms, without manual intervention, and can help you take down impersonating websites before they damage your reputation.
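To see what the DKIM/DMARC advice means in practice, the following Python script is an added example (not the article’s or Red Points’ code). DMARC is published as a TXT record at _dmarc.<yourdomain> and tells receiving servers what to do with mail that fails the SPF and DKIM checks for your domain. The script parses such a record and rates how much protection it actually gives: p=none only produces reports, quarantine/reject block spoofed mail, and pct below 100 or sp=none for subdomains leaves gaps that spoofed mail still slips through. The RECORDS are constructed strings for a fictional domain; fetching a live record would require a DNS library such as dnspython, which is assumed and not shown.

```python
"""Rate the protection a DMARC record gives against domain spoofing.

Added example, not code from the article. A DMARC record is the TXT record
published at _dmarc.<domain>; this parses its tag=value pairs and grades it.
The sample records below are constructed. Fetching a live record (e.g. with a
dnspython resolver) is assumed and not shown so the script runs offline.
"""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> tuple:
    """Return (level, findings); level is 'missing', 'monitor-only', 'partial' or 'enforcing'."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["no DMARC record: receivers have no policy for mail spoofing this domain"]

    findings = []
    policy = tags.get("p", "none").lower()        # p is mandatory; treat absence as none
    pct = int(tags.get("pct", "100"))             # share of failing mail the policy applies to
    sub_policy = tags.get("sp", policy).lower()   # subdomain policy defaults to p

    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains of this domain can still be spoofed")
    if not tags.get("rua"):
        findings.append("no rua= address: aggregate reports of spoofing attempts are never received")

    if policy == "none":
        level = "monitor-only"
    elif pct < 100 or sub_policy == "none":
        level = "partial"
    else:
        level = "enforcing"
    return level, findings


# Constructed sample records for a fictional domain.
RECORDS = {
    "strong":  "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com",
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "absent":  "",
}

if __name__ == "__main__":
    for name, record in RECORDS.items():
        level, findings = assess_dmarc(record)
        print(f"{name:8} -> {level}")
        for finding in findings:
            print("    ", finding)
```

A common rollout path is to start at p=none with a rua= address to learn which legitimate systems send as your domain, fix their SPF/DKIM alignment, then move to quarantine and finally reject; the “partial” verdict is meant to catch deployments that stalled halfway.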

    What’s next

    While there are many different types of phishing attacks performed by scammers and cybercriminals, all phishing attacks have the following common features:

    • Creating a sense of urgency: the perpetrator often urges you to act fast, either by scaring you with a fictitious urgent threat or by tempting you with a limited-time offer. Some phishing schemes will even tell you that you only have a few minutes to respond.
    • Too good to be true: phishing often involves attention-grabbing, attractive offers and claims, for example, claiming that you have won an iPhone and asking you to click on a link.
    • Unusual sender: pay extra attention to the website’s URL and the sender’s email address. If the email comes from someone you don’t recognize, or if you see anything out of the ordinary, avoid clicking on anything.
    • Suspicious links: don’t click on any link unless you are 100% sure of it. Hover over the link to check the actual URL and look carefully at whether it is legitimate.
    • Dangerous attachments: never open an attachment in an email you are not 100% sure of. The attachment may contain malware, ransomware, or other malicious code.

    While there is no single way to avoid phishing attacks, you can use a combination of the above tips to prevent them and mitigate the damage.

    It’s also crucial to remember that besides establishing a strong cybersecurity infrastructure and best practices, another crucial element of preventing phishing is education. When it comes to phishing and other social engineering schemes, your organization is only as secure as the least knowledgeable person in it.
