
Phishing scams are a serious threat to online security, with over 40% of businesses falling victim to these types of attacks.
Phishing scams often rely on social engineering tactics to trick victims into divulging sensitive information, such as login credentials or financial data.
The most common phishing tactic is the "spoofed email" scam, where scammers send emails that appear to be from a legitimate source, but are actually fake.
Be cautious of emails that ask for sensitive information or prompt you to click on suspicious links.
Phishing scams can be incredibly convincing, with some scammers using fake websites that mirror the look and feel of real websites.
Expand your knowledge: Fake Microsoft Security Warning Email
Identifying Phishing Scams
Phishing scams can be sneaky, but there are ways to spot them. Be cautious of emails or messages that ask for personal or financial information.
Phishing emails often appear to be from a well-known source, such as an internet service provider or a bank. They might claim you need to update your account information or provide login credentials.
To avoid phishing scams, don't respond to emails or pop-up messages that ask for sensitive information. If you're unsure, go to the organization's website directly to verify the message.
Here are some tips to help you identify phishing scams:
- Never click on links or attachments in suspicious emails or messages.
- Go to the organization's website from your own saved favorite or via a web search.
- Call the organization using a phone number listed on the back of a membership card, printed on a bill or statement, or found on their official website.
- Report the message and delete it.
If you think you've responded to a phishing email, go to IdentityTheft.gov for guidance on what to do next. If you've clicked on a link or opened an attachment, update your computer's security software and run a scan to remove any problems.
Recommended read: You've Been Phished
Protecting Yourself
Never provide your personal information in response to an unsolicited request, whether it's over the phone or over the Internet. If you didn't initiate the communication, don't provide any information.
To verify the authenticity of a contact, contact the financial institution yourself using contact information from your monthly statements or a phone book. This way, you can be sure you're dealing with the real thing.
Never provide your password over the phone or in response to an unsolicited Internet request. Thieves can use this information to steal your savings.
Regularly review your account statements to ensure all charges are correct. If your account statement is late, call your financial institution to find out why.
If you think a scammer has your information, go to IdentityTheft.gov for specific steps to take.
Expand your knowledge: Apple Phone Scam
Reporting and Responding
If you got a phishing email or text message, report it. The information you give helps fight scammers.
You can report phishing to Microsoft 365 Outlook and Outlook.com by selecting the suspicious message and choosing Report > Report phishing from the ribbon. This removes the message from your Inbox and improves the filters to get fewer of these messages in the future.
Report suspicious messages in Microsoft Teams by hovering over the malicious message, selecting More options > More actions > Report this message, and then choosing Security risk - Spam, phishing, malicious content.
If you're on a suspicious website in Microsoft Edge, select the Settings and More (…) icon and then Help and feedback > Report unsafe site.
Signs of a scam include messages asking you to click on a link or open an attachment from a company or person you don't know.
If you see signs of a scam, report it and then delete it.
Discover more: Microsoft Security Phishing Email
To report a suspicious website, use the shortcut ALT+F to open the Settings and More menu.
If you think you've been successfully phished, write down as many details of the attack as you can recall, including any information you may have shared.
Change the passwords on all affected accounts, and create unique passwords for each account.
Confirm that you have multifactor authentication (also known as two-step verification) turned on for every account you can.
If this attack affects your work or school accounts, notify the IT support folks at your work or school of the possible attack.
You can contribute to monitoring and takedown of phishing scams by reporting phishing to volunteer and industry groups, such as cyscon or PhishTank, or to Google.
Expand your knowledge: How Phishing Attack Works
Types of Phishing Scams
Spear phishing is a targeted attack that uses personalized messaging to trick a specific individual or organization into believing they are legitimate.
It often targets executives or financial department employees with access to sensitive data. Accountancy and audit firms are particularly vulnerable due to the value of the information their employees have access to.
A study found that 43% of youth aged 18-25 years and 58% of older users clicked on simulated phishing links in daily emails over 21 days. Older women had the highest susceptibility, while susceptibility in young users declined during the study.
SMS phishing, or smishing, uses text messages to deliver a bait message, often asking victims to click a link, call a phone number, or contact an email address provided by the attacker. Many smartphones have fast internet connectivity, making smishing just as effective as email phishing.
Smishing messages may come from unusual phone numbers, and the limited display of URLs in mobile browsers can make it difficult to identify illegitimate links.
Related reading: Phishing Vishing Smishing
Spear
Spear phishing is a targeted attack that uses personalized messaging to trick a specific individual or organization into believing they are legitimate.
Spear phishing often targets executives or those in financial departments with access to sensitive financial data and services, making accountancy and audit firms particularly vulnerable due to the value of the information their employees have access to.
A fresh viewpoint: Spearphishing Email
The Russian government-run Threat Group-4127, also known as Fancy Bear, targeted Hillary Clinton's 2016 presidential campaign with spear phishing attacks on over 1,800 Google accounts.
A study found that 43% of youth aged 18-25 years and 58% of older users clicked on simulated phishing links in daily emails over 21 days, with older women having the highest susceptibility.
Voice Scams
Voice scams are a type of phishing attack that uses voice over IP (VoIP) technology to make automated phone calls to large numbers of people.
These calls often use text-to-speech synthesizers to claim fraudulent activity on the victim's account, and the caller may spoof the number to appear as if it's coming from a legitimate bank or institution.
The attackers will then prompt the victim to enter sensitive information or connect to a live person who uses social engineering tactics to obtain information.
Vishing takes advantage of the public's lower awareness and trust in voice telephony compared to email phishing, making it a particularly effective and insidious type of scam.
A different take: Voice Phishing
Sms
Sms phishing, also known as smishing, is a type of phishing attack that uses text messages to deliver a bait message.
The victim is usually asked to click a link, call a phone number, or contact an email address provided by the attacker.
They may then be asked to provide private information, such as login credentials for other websites.
Smishing can be just as effective as email phishing due to fast internet connectivity on many smartphones.
Smishing messages may come from unusual phone numbers, making them harder to identify as illegitimate.
Worth a look: Usps Smishing
Qr Code
QR codes are being exploited by scammers in a type of phishing called "quishing". This can happen when you scan a QR code with your phone or device, which redirects you to a fake website designed to steal personal information.
Scammers send QR codes via email, social media, or even place them over legitimate QR codes on posters and notices. You might trust QR codes more than URLs or email links, making you more likely to fall for the scam.
The risk of quishing is lower than other types of phishing scams, according to the UK's National Cyber Security Centre. However, it's still a significant concern as QR codes become more widely used for payments, event check-ins, and product information.
To avoid falling victim to quishing, exercise caution when scanning unfamiliar QR codes and ensure they're from trusted sources.
Phishing Techniques
Phishing attacks have become increasingly sophisticated, employing various techniques to trick victims into divulging sensitive information. One such technique is Man-in-the-Middle (MitM) phishing, which involves using intermediary tools to intercept communication between the user and a legitimate service.
Evilginx, a tool originally designed for penetration testing, has been repurposed by cybercriminals to bypass two-factor authentication (2FA) mechanisms. This allows attackers to grab login tokens and session cookies instantly, making it harder for security systems to detect. By doing so, attackers can break into accounts and use them just like the real user, for as long as the session stays active.
Phishers also use link manipulation to deceive users, creating fake links that appear to be from a legitimate organization. These links may use misspelled URLs or subdomains to trick victims, and some phishers may even bypass security measures that show the actual link destination.
MITM
MITM phishing attacks are a sophisticated type of phishing that bypasses two-factor authentication mechanisms during a user's active session on a web service.
These attacks employ intermediary tools that intercept communication between the user and the legitimate service, making it harder for security systems to detect.
Evilginx, an open-source tool originally created for penetration testing and ethical hacking, has been repurposed by cybercriminals for MitM attacks.
By grabbing login tokens and session cookies instantly, attackers can break into accounts and use them just like the real user, for as long as the session stays active.
Attackers often employ various methods, including phishing emails, social engineering tactics, or distributing malicious links via social media platforms.
The MitM tool intercepts the authentication process, effectively bypassing 2FA protections, allowing attackers to gain unauthorized access to user accounts.
Related reading: Social Security Scams by Email
Techniques
Phishing attacks often use technical approaches to deceive victims, such as creating fake links that appear to be from a legitimate organization.
Phishers may use misspelled URLs or subdomains to deceive the user, making it seem like the link will take them to a legitimate website.
To check the destination of a link, many email clients and web browsers will show the URL in the status bar when the mouse is hovering over it.
However, some phishers may be able to bypass this security measure.
Internationalized domain names (IDNs) can be exploited via IDN spoofing or homograph attacks, allowing attackers to create fake websites with visually identical addresses to legitimate ones.
These attacks have been used by phishers to disguise malicious URLs using open URL redirectors on trusted websites.
Fake news articles are also used to trick victims into clicking on malicious links, which often lead to fake websites that appear legitimate but are actually run by attackers.
Phishers may create a sense of urgency, like threatening to close or seize a victim's bank or insurance account, to trick users into performing actions such as clicking a link or opening an attachment.
Prevention and Education
Effective phishing education is an important part of any organization's anti-phishing strategy. It includes conceptual knowledge and feedback, which can help reduce susceptibility to phishing.
Simulated phishing campaigns are commonly used to assess the effectiveness of employee training. One study found that an organization received 858,200 emails during a 1-month testing period, with 16% being marketing and 2% identified as potential threats.
Legitimate emails from companies often contain personal information, but this alone doesn't guarantee a message is legitimate. For example, PayPal always addresses customers by their username, but some people don't pay attention to such details.
Educational games can effectively educate people against information disclosures and increase awareness of phishing risk. A study found that these games can mitigate risks in game environments.
The Anti-Phishing Working Group produces regular reports on trends in phishing attacks. These reports can help organizations stay informed and adapt their anti-phishing strategies accordingly.
Explore further: Anti-Phishing Working Group
Aftermath and Recovery
If you fall victim to a phishing scam, acting quickly is crucial to minimize the damage. Contact your financial institution immediately and alert them to the situation.
You'll want to report all suspicious contacts to the Federal Trade Commission, which can be done by calling 1-877-IDTHEFT. This will help them track the scam and prevent others from falling victim.
To prevent thieves from opening a new account in your name, consider placing a fraud alert on your credit file. You can contact one of the three major credit bureaus to discuss this option. Here's the contact information for each bureau's fraud division:
History and Trends
Phishing scams have a long history, dating back to the 2000s when phishing attacks became more organized and targeted.
In the early 2000s, phishing attacks started to affect major payment systems, with the first known direct attempt against E-gold occurring in June 2001. Phishing was soon recognized as a fully organized part of the black market, with specializations emerging on a global scale that provided phishing software for payment.
Between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling around US$929 million. The United Kingdom banking sector suffered from phishing attacks, with losses from web banking fraud almost doubling in 2005 compared to 2004.
Phishing attacks continued to rise in the 2010s, with the master keys for RSA SecurID security tokens being stolen through a phishing attack in 2011. Chinese phishing campaigns targeted high-ranking officials in the US and South Korean governments and military, as well as Chinese political activists.
Phishing attacks increased from 187,203 in 2010 to 445,004 in 2012, according to Ghosh. In 2013, Outbrain suffered a spear-phishing attack, and in November of that year, 110 million customer and credit card records were stolen from Target customers through a phished subcontractor account.
The 2020s saw a new wave of phishing attacks, including the July 15, 2020, Twitter breach, where a 17-year-old hacker and accomplices set up a fake website resembling Twitter's internal VPN provider. They used social engineering tactics to trick employees into submitting their credentials to the fake website.
Phishing as a service (PhaaS) platforms like Darcula have made it easier for attackers to fake trusted websites, allowing them to easily launch phishing attacks.
Check this out: Phishing Attack Website
Anti-Phishing Measures
Anti-phishing measures are a crucial step in protecting yourself from phishing scams.
Browsers like Google Chrome, Internet Explorer 7, Mozilla Firefox 2.0, Safari 3.2, and Opera contain anti-phishing measures to alert users to fraudulent websites.
Firefox 2 used Google anti-phishing software, while Opera 9.1 uses live blacklists from Phishtank, cyscon, and GeoTrust, as well as live whitelists from GeoTrust.
Some browsers send visited URLs to a central service to be checked, which has raised concerns about privacy.
To mitigate the problem of phishing sites impersonating a victim site by embedding its images, several site owners have altered the images to send a warning to visitors.
Anti-phishing websites like FraudWatch International and Millersmiles publish exact messages that have been recently circulating the internet, providing specific details about the particular messages.
Individuals can report phishing scams to authorities, which can be done through phone, website, or email.
Here are some examples of anti-phishing measures:
- Browsers alerting users to fraudulent websites
- Switching to a special DNS service that filters out known phishing domains
- Altering images to send a warning to visitors
- Using anti-phishing software
- Reporting phishing scams to authorities
Featured Images: pexels.com


