The first example of phishing was recorded in 1995 when hackers impersonated AOL staff and messaged users, asking them to share their passwords. Nearly 30 years later, this notorious type of cyber attack shows no sign of letting up.
It is estimated that around 3.4 billion spam emails are sent daily. Furthermore, according to a survey of 300 North American cybersecurity professionals, between the fourth quarter of 2022 and the end of 2023, there was a 1,265% increase in phishing emails sent. Not good.
Now that you’re suitably concerned let’s dig deeper into phishing — what it is, what it looks like, and how to protect yourself.
What is phishing?
Unless you have been managing to lead a life free of digital devices up until this point, there’s a high likelihood that you have been an attempted target of phishing at some point.
Phishing, based on the word ‘fishing’, is a type of cyber attack where a threat actor sends a message to the victim that acts as a lure for them to take some sort of action. This message can be sent across various mediums, from email to SMS, and the desired actions can include handing over passwords, bank details, social security numbers, and other sensitive details, as well as downloading malware to your device.
Very often, these scammers pretend to be a known organization. For example, a popular shopping website or bank. They’ll request you either click a link and be sent to a convincing copy of the site, where you’ll be asked to enter your personal information for them to swipe. This could lead to theft, identity fraud, and sensitive data being sold on the dark web. Other times, you’ll be asked to download an attachment, leading to your device getting infected.
Usually, the message will have an element of urgency, so the victim doesn’t stop to scrutinize the message or site too closely. For example, messages informing you your account has been hacked and you must log in through a specific link, or that you’ve won a special prize you must claim immediately or you’ll lose it.
The different forms of phishing
Phishing can take place through various mediums on different devices. The most common forms are the following:
Email phishing
Email phishing is the classic form of phishing. It can range from the notorious prince-style email scam — where someone claiming to be an important person who needs help, requests a large sum of money from the victim, with the promise that they will be paid back with a hefty profit — to hackers pretending to be retailers or official institutions. Sometimes they can be pretty general, while others are more targeted.
Social media phishing
Social media sites like Facebook, Twitter, LinkedIn, and Instagram have significantly expanded the reach and potential of phishing scams. It can take many forms and has the potential to be even more harmful because of how much more personal it can be. Oftentimes it can be easy to spot, with a bot sending a a generic private message with a URL that leads to a fake website requesting personal information or a malware download.
Other times, bad actors might create a whole fake profile with images stolen from another person’s profile and a whole host of fake friends. In this instance, the attacker may initiate contact with a victim and build a rapport with them before requesting financial help.
SMS phishing
SMS phishing, smishing, has been on the rise in recent years. It involves getting a message through traditional text messages or messaging apps such as WhatsApp or Telegram. Smishing can be harder to spot at first because of the truncated nature of SMS messages, while telltale signs like typos will immediately expose the illegitimacy of a phishing email. Smishing messages can be even more insidious when the sender’s name appears to be from a familiar source. It can be more difficult to distinguish as false than an email. Typical forms of smishing messages claim to be package delivery notifications, informing the victim they’ve won a gift card or prize, or even telling victims to be careful of scams while linking them to their scam site.
Spam vs targeted phishing attacks
Spam phishing attacks lack specificity, with the same generic email being sent to every target. It might not seem very sophisticated and easy to spot for someone who knows what to look for. However, the sheer volume of these messages sent out means that attackers get the occasional bite.
Targeted phishing, or spear phishing, can get a lot more specific. It occurs when attackers gain access to privileged knowledge about the target and use it to inform their message. They can then use this knowledge to manipulate the target into handing over even more sensitive information. Typically the target is a department or individual within an organization to steal data, money, or infiltrate their servers. The message could be a fake invoice from a contractor, a fake message from a company, or even pretending to be the CEO.
How to spot a phishing email
No matter how professional and legitimate a phishing email may at first appear, there will inevitably be oddities when you examine it closely. This could include:
- Bad grammar and spelling errors
- Unusual URLs, email address, or domain name
- Suspicious attachments
- Requests for credentials or payment information
An email from a business or retailer will never directly ask for sensitive data from you, so be on guard if you receive such an email.
What to do if you’ve been successfully targeted
If you were duped by a suspicious email and handed over your personal information or clicked a suspicious download, don’t panic. There are steps you can take to alleviate the situation quickly.
- Change all your passwords
- Enable 2FA or MFA on your accounts
- Check out your email spam filter settings
- Scan your device for viruses and malware
- Inform the relevant organizations, whether it be your bank or an online store.
- Monitor your account for suspicious activity
Afterwards, try to learn from your mistake and be aware of the signs to look out for in future emails.
The future of phishing
Phishing is a widespread issue, so everyone with an email, phone number, or digital device needs to be aware of the signs if they don’t want to become victims. Unfortunately, it may soon become even harder to spot phishing attempts. Experts have warned that cybercriminals have started using generative AI to create more convincing and sophisticated phishing messages. Deepfake technology is even making it possible to make voice phishing and video call phishing more convincing.
Arm yourself with the knowledge gleaned here and protect yourself by treating every suspicious email, message, or call with caution.
Cora is a digital copywriter for SSLs.com. Having eight years of experience in online content creation, she is a versatile writer with an interest in a wide variety of topics, ranging from technology to marketing.