Phishing scams are social engineering attacks that use email or websites to trick users into revealing personal information or installing malware on their devices. They are often dressed up as messages from a bank or other corporate communication and are crafted to convince the recipient that the message is legitimate.
The content of a phishing email is designed to provoke a quick response from the user. One common scam tries to convince you that you have won a lottery or a prize, and links to a website that mimics one you already know. That page then asks for your personal information, which you supply because you believe you have won money.
Types of phishing attacks
There are three types of phishing attacks that you need to be aware of:
Regular phishing: These attacks are not targeted. They are sent in bulk and try to manipulate whoever receives them into clicking a link and entering their credentials. No single person is the target.
Spear phishing: These are targeted attacks. The attackers have studied the organization or person they are trying to defraud and usually impersonate one or more parts of that organization. They may use social media to gather details about the organization and use them to craft an email that convinces the reader it came from their own business.
Whaling: This doesn’t refer to hunting for whales, but to phishing the upper management of an organization. Carried out in the same manner as a spear phishing attack, it targets the highest level of the organization and often includes messages that request transfers of large sums of money.
How to identify phishing attacks
According to Intel Security, 97% of people cannot identify a phishing attack. Here’s how you can avoid becoming a victim.
Don’t trust email communication: We have been trained to use email as our main mode of communication, and as long as it does not require you to divulge personal information, that is fine. Treat with care any email that asks you to click on a link or provide personal information. Even if you receive an email that appears to come from your own company asking you to make a fund transfer, confirm it verbally with the relevant person, using a phone number you already have rather than one given in the email, to make sure it is not a scam.
Don’t fall for emails that sound urgent: Many phishing emails try to scare you into believing you must respond or react immediately. Take the time to confirm that the email comes from a legitimate source before responding.
Confirm links before you click on them: When you receive an email that seems legitimate and contains a link, go to the actual website yourself and navigate to the relevant page instead. Hover over the link (or long-press it on a phone) to see the real destination; the visible text and the actual address can differ. At the very least, check that there isn’t a minor change in the domain—for example, BankofAmerica vs BankAmerica—that is meant to fool you.
Beware of online forms: Do not enter confidential information into a form or website you reached by following a link in an email. If you must submit such data, make sure the connection is secure (https), and remember that https only means the connection is encrypted; it does not prove the site is legitimate, since phishing sites routinely use valid certificates too. This is especially important when entering credit card information online.
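The link checks described above (display text that disagrees with the real destination, and look-alike domains such as BankAmerica vs BankofAmerica) can be automated. The following is an added example, not code from the original page: it parses the HTML body of an email, extracts every link, and flags the suspicious ones. The allowlist of known brand domains, the sample email, and the edit-distance threshold are assumptions chosen for illustration.

```python
"""Added example: flag suspicious links in an HTML email body.

Three checks, each an illustrative assumption rather than a standard:
  1. the visible link text looks like a URL whose host differs from the href host
  2. the href domain is within edit distance 2 of a known brand domain (typosquat)
  3. a brand name is embedded in an unrelated domain (bankofamerica.com.evil.net)
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: brand domains the recipient actually deals with.
KNOWN_DOMAINS = {"bankofamerica.com", "paypal.com"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host (sufficient for the .com examples used here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(text):
    """Hostname from an href, or from link text that is written like a URL."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host else None


def audit_links(html):
    """Return a list of (href, reason) for every link that fails a check."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        if not href_host:
            continue
        href_domain = registrable_domain(href_host)
        # Check 1: visible text claims one host, the link actually goes elsewhere.
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I):
            text_host = host_of(text)
            if text_host and registrable_domain(text_host) != href_domain:
                findings.append((href, f"text shows {text_host} but link goes to {href_host}"))
                continue
        if href_domain in KNOWN_DOMAINS:
            continue
        for known in KNOWN_DOMAINS:
            # Check 2: close to a known domain but not equal to it.
            if edit_distance(href_domain, known) <= 2:
                findings.append((href, f"{href_domain} looks like {known}"))
                break
            # Check 3: brand name buried in an unrelated domain.
            if known.split(".")[0] in href_host:
                findings.append((href, f"{href_host} embeds the name of {known}"))
                break
    return findings


# Constructed sample email body (not a real message).
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked. Act now.</p>
<a href="http://secure-update.example/login">www.bankofamerica.com</a>
<a href="https://bankamerica.com/verify">Verify now</a>
<a href="https://bankofamerica.com.example-login.net/">Account center</a>
<a href="https://www.bankofamerica.com/">Sign in</a>
"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the constructed sample, the first three links are flagged and only the genuine bankofamerica.com link passes. The allowlist approach is deliberate: rather than trying to enumerate bad domains, the script asks whether each link is close to, or pretends to be, a domain the recipient already trusts, which is exactly the comparison the "BankofAmerica vs BankAmerica" advice asks a human reader to make.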
One of the most important things to remember is to report a suspicious email to management or your security team immediately. Only 3% of targeted users report malicious emails to management, which is alarming when you consider that 95% of all attacks on enterprise networks are attributed to a successful phishing attack.