How to Prevent and Identify Phishing Scams
By: Erich Maas
Next up in our cybersecurity series for National Cyber Security Awareness Month, we are spreading awareness about phishing, a tactic used by criminals to obtain information from people on the internet.
What is Phishing?
Mr. Mackey is right—broadly speaking, phishing is a bad thing, and falling victim to a phishing attack can have devastating effects.
The Anti-Phishing Working Group—or APWG—defines phishing rather eloquently in their quarterly phishing activity trends reports: “Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials.”
Basically that means that criminals trick you into giving them your personal information by making you think they are helping you or that they are someone you trust. With the information they obtain, they could gain access to one or more of your online accounts, and depending on the information they get from you, they could use it to steal your identity.
If you read our article about ransomware, you’ll notice the methods of phishing attacks are very similar. Sometimes the terms “ransomware” and “phishing” are even used interchangeably. The fundamental difference between ransomware and phishing, however, is that ransomware most often targets people for money, where phishers go after data (which often leads them to money in the end).
Phishing can be done through email, over the phone, by text message, or through paper mail. We’re going to focus primarily on email in this article, but remember that many of the phishing tactics described can apply to any of the aforementioned media.
In the first quarter of 2016, there were 657,348 unique instances of phishing email campaigns reported to APWG. Granted, in the 2nd quarter, that number more than cut itself in half to 315,524, but the number of phishing websites was higher than ever before at 466,065. We think that more than warrants spreading awareness about phishing.
What Does a Phishing Attack Look Like?
These emails and websites often appear to be from trusted and respected sources like your bank, Ebay, PayPal, or social media platforms like Facebook and Twitter. It could even be someone pretending to be from the IRS or another government agency for example.
You may not know right away that you’re looking at a phishing email. Attackers often use what’s called “email spoofing” to mislead you about the true sender of the email. This means that you might get an email that appears to be from your spouse or a friend, but it’s actually from the attacker. And if you follow the hyperlink in the email, don’t be fooled if the website looks legitimate. Attackers copy legitimate websites to fool you, and they’ve been getting better and better at it.
Spelling Mistakes and Over-Dramatization
One of the first red flags might be spelling mistakes, typos, or a strange writing style. Especially if you know the supposed sender fairly well, you’ll probably recognize something off about the way they are writing. Before opening any email, it’s a good practice to check the subject line as well. Pay special attention to subjects like “ATTENTION!!!” or “Immediate Response Required” or “Account Locked!” These should usually be giant indicators that are actually saying, “Click here to be thoroughly scammed!”
Think about it. Reputable companies and organizations are almost never going to use all capitals and multiple exclamation points, and if you see emails requesting an immediate response, stop and think for a moment before opening it. Is this a sender who would ordinarily need a quick response? Is this a sender I even trust in the first place? When in doubt, just ignore it and delete the email. If it truly is important, they can always contact you again.
If there haven’t been many red flags so far, you’ve probably opened the email. In its contents, there is usually a short message saying that some matter of importance necessitates following a link. The message might even be as simple as, "Hey, I thought you'd find this interesting." I have seen that one quite a bit myself. It's always from an old friend I haven't spoken to in years, and I would never expect them to take the time to send me something they thought I'd find interesting. Especially through email.
If you do follow the link though, you might be taken to a site that asks you to input some of your personal information. They may request a password for one of your accounts. They may also request your name, credit card information, social security numbers, or all kinds of other information. Don't play along. Type nothing. Close the window and move on with your life.
Be advised that real, law-abiding companies and organizations will never ask you for this kind of information through email or really any other medium. The reason it’s called personal information in the first place is because it’s meant only for you. The only people that need the information already have it, and they won’t ask you to verify it, unless you’re the one contacting them.
Some phishing emails are more sophisticated than others and are actually very difficult to tell apart from a trustworthy message. Subtler subject lines, correct spelling and grammar, and even passable writing style that you think the sender might actually use. When it isn’t totally evident that you’ve opened a phishing email, but you’re still suspicious, there are a few things you can check to help determine whether the email is fraudulent or not.
The hyperlink it’s asking you to follow may say one thing, but it will lead you to another. To explain, look at this link right here. I can make the text say whatever I want, but it will still take you to the Wildcard home page. But there’s a trick to see through that. Hover your mouse over the link in the email. The true web address should appear either near your cursor or somewhere on the edge of your window (it varies depending on your browser). If the true address doesn’t match where it’s asking you to go, or if the address just looks fishy to you (pardon the pun), you know it’s probably a phishing email.
Do You Even Have an Account?
Another good way to know if you’re being phished is if you don’t even have an account with the sender. You might get an email from PayPal or First Example Bank or some other service asking you to verify your information. But maybe you don’t even have an account with PayPal or you don’t bank with First Example Bank. Even if you do have an account, the message might reference some “recent activity” that you know you didn’t have anything to do with. That’s a sure sign that the sender isn’t who they say they are.
What to do if You’ve Been Phished
It’s too late, you’ve already followed a link, or maybe you’ve entered your information. What should you do now to minimize the damage?
Run Antivirus and Anti-malware
The first thing you should do is run an antivirus and anti-malware scan on your device. When you followed the link in the email, malware may have been installed on your system without your knowledge. Certain kinds of malware search through your computer to find personal information and send it back to the attacker. These can be stalled if you disconnect from the internet, since the only way it can transmit the information is over your internet connection. It might be in your best interest to disconnect from the internet while you run the scans. If you discover that you’ve been infected, take steps to remove the malware, whether that means removing it yourself or seeing a professional.
If you’ve given them any login information yourself, like usernames, passwords, and security questions, then you should change your passwords and security questions immediately. It’s also no secret that a lot of people use the same passwords for a lot of their online accounts (you know who you are!). If that sounds like you, you should change the passwords and security questions on all your accounts that use the same information. Although, making all your passwords different before an attack is the best way to go.
There are password storing applications that can help you keep track of your passwords. KeePass is very popular and easy to use, and it's available for Windows, Mac, and Linux users. There are even apps like Mini KeePass for mobile devices. It can also generate strong passwords for you automatically, so you don't have to keep thinking of new ones.
Enable Two-Factor Authentication
Along those same lines, something you can do to help stay secure before and after succumbing to a phishing attack is to enable two-factor authentication on all of your accounts. This means that in order to log in to your account, you’ll need more than just your password. Usually it’s a unique pass code sent to your mobile phone that changes each time you log in. If someone with your password tries to log in to your account, they’ll also need the code from your phone before they can get in, which stops criminals short. Enabling two-factor authentication may seem like a pain at first, but it really just takes a few more seconds, and it could save you a lot of trouble if your account information is disclosed.
Talk to the Bank or the Credit Bureau
Okay, but what if you’ve given them more than just login credentials? This attack just got more complicated. If you’ve given them any banking information, you should go into your bank and notify them immediately. Make sure you are able to tell them what information was released to the criminal. They will be able to help you figure out what you need to do next.
If you released credit card information, you should cancel your credit card immediately, and if you released social security information, you should call one of the three credit bureaus right away and request a 90 day fraud alert. If you call just one of the credit bureaus, they will call and notify the other two for you. There is also an extended fraud alert available, which lasts for 7 years. Keep in mind that you can continue renewing the 90 day alert for as long as you think is necessary.
There are other resources available online to help you make decisions if your information is stolen in a phishing attack. Just do some searching around for additional advice.
The best advice we can give is to stay aware of the tactics phishers are using, and pay attention online. Remember, no reputable company or organization will ask you for your information through email. If you’re unsure, call the company or organization yourself and have them verify the request. If it looks fishy, it’s probably phishy.