What Is Phishing?
Phishing is fraudulent behavior that involves trying to get information from you, often posing as a company or product.
These scams typically involve links to fraudulent websites within emails or SMS messages. They will attempt to get users to enter personal information, like email addresses, login credentials, and other sensitive information. It’s an essential part of the scam that these links appear to be from legitimate sources.
Emails may also contain malware that, once opened, installs itself onto a browser or a hard drive without you knowing. This code hides out on your device, quietly collecting and sending usage data over time, and impacting your computer’s overall functionality.
Common Phishing Attacks
A phishing email is a fake email that appears to be from a legitimate source (such as a bank).
They’re often urgent or threatening in tone, and prompt you to download an attachment or click a link that leads to a fake website. These will usually install malware on your device or elicit sensitive personal information.
Similar to email phishing, SMS phishing (or “SMishing”) sends the target an SMS (text) message, often promoting a contest, offer, or sweepstakes. Clicking the included link in a SMS phishing scam results in the same dangers mentioned above.
Phishing by phone
With phone call phishing call scams, you’re contacted via phone by someone impersonating a bank manager, tech employee, or a representative from a trusted organization (a bank or law firm, e.g.). They will typically try tricking you into sharing confidential details over the phone such as PIN codes, bank account numbers, passwords, contact information, etc.
Phishing Techniques Used by Attackers, and What To Do
Attackers may use one of several techniques to gain the information they seek. Be on the lookout for the following:
- Spoofing of the sender’s address in an email (to look like a reputable source). Emails like these are increasingly well put together. There are a few tell-tale signs. Often, while the name will say the company (eg: HSBC), the actual email address when viewed will be a lookalike, or sometimes not even. Clicking to reveal the full email is a good way of determining this. Also, be on the lookout for grammatical errors, in the email copy, or just ask yourself if it contains the tropes listed above (aggressive in tone, asking for information, etc).
- Installing “Trojan Horse” malware through a malicious email attachment or advertisement. The best prevention for this is looking out for the signs listed above. But, if you’re worried you’ve already clicked something, run regular anti-virus checks, especially from companies that specialize in malware prevention. If your device is running much slower than usual, and connections to other devices (such as printers) misbehave, it could be a sign of malware.
- Attempting to gather company information over the phone by posing as a known IT representative or company vendor. This one is more tricky as people can be convincing, and nobody wants to think they’re being lied to. If in doubt, don’t be afraid to question them on who they are and why they need the information. Offering to ring them back on an official number (that you’ll find yourself from the real website) is a good strategy if you want to be absolutely sure.
- Embedding a link in an email that redirects you to an fraudulent website requesting sensitive information. In a similar way to the email address, looking at the URL of the website you land on is a good tell as to whether something is legitimate. Also look for secure sites with the green padlock in the address bar. Click this to find out the name of the company who applied for the SSL certificate.
- Protect your personal information
To prevent yourself from being a victim of a phishing scam, be extremely cautious with your personal information, including your passwords and usernames.
- When you enter your password/username and other credentials on a fraudulent site, that information gets transmitted to the scammer, who can keep it and use it later, sometime without you ever knowing.
- Some phishing scams divert you to a fake website that looks like your bank’s website or a similar trusted source. When in doubt, delete the email and visit your bank’s website directly, or contact their fraud department.
Phrases like “verify your account,” or “confirm your identity” are stalwarts of the scammer’s arsenal. It’s also important to note:
- Legitimate businesses will never ask for sensitive personal information or your login information via email.
- Beware of emails that promote urgency or penalties (such as account suspension, fines, legal action, etc.).
- If you suspect email phishing activity, contact the spoofed company directly; do NOT click links or respond to other contact information provided in the email.
- Always look out for emails that do not address you by name. Some phishing scams use your name in the email, whereas many are sent out as spam messages to thousands of users simultaneously.
Suspicious about an email? Do NOT click the link(s) inside. Instead, type the web address of the named institution into the browser in order to access the (real) website.
- Trust authenticated websites:
As we mentioned earlier, the SSL padlock is a great way to determine if the site is authentic.
- When you visit a website with a padlock, click on the padlock.
- You will be shown the name of the organization that applied for the “padlock” security icon. If this organization name does not match the name you know, it could be a phishing scam.
Like anything in life, prevention is better than a cure: it is always a good practice to look at all the websites and emails with a bit of suspicion to avoid being fooled by email phishing and other fraudulent activities.
What To Do If You’Ve Been Scammed
If you think you’ve been the victim of a phishing scam:
- Change your passwords. Your computer, financial institutions, and any other password-protected websites you visit should be updated.
- Run a full system scan for viruses on your computer.
- Contact your bank to report that you may have been the victim of fraud.
- File a complaint with the appropriate anti-fraud bureau:
USA: Federal Trade Commission (FTC)
Canada: Canadian Anti-Fraud Centre