Phishing is a type of online scam that has been a constant, unfortunate accompaniment to the digital age. Research shows nearly one-third of all data breaches in 2019 involved phishing in one way or another. As online services such as banking become commonplace, phishing scams grow more sophisticated, attempting to catch out even the most computer-literate executives, investors, and employees. But by practicing continued wariness and engaging in top-up education, detecting and thwarting online banking scams and other types of phishing attacks becomes instinctive.
What is phishing?
In a covert quest for information, insidious scammers send emails, texts, or calls in which they pose as companies or familiar people. Phishing emails are intended to get the recipient to click on a link or disclose a password, Social Security number, or other useful personal detail. Once scammers receive this information, they can use it to steal the phishing victim’s money, or worse, their entire identity.
What tricks are commonly used in a phishing scam?
Some signs that a message is a phishing email are more obvious than others. The most obvious telltale signs are when an email:
- Has a link that, when hovered over, reveals a URL that does not relate to the scammer’s claims;
- Appears to come from a company with which the recipient has no account or connection;
- Asks the recipient for private information such as a bank account number or password;
- Has many grammatical errors, unprofessional formatting, or somehow just does not seem “right”?
But other signs of a phishing scam are less obvious. These include:
- A pixelated logo. Scammers sometimes grab a low-resolution logo and include it in their phishing email to make a message appear as if it comes from a reputable source.
- A fake website. A new phishing website launches every 20 seconds. Phishing websites usually use URLs that closely resemble those of real websites, for example Gmaiil.com or LunkedIn.com.
How can you protect yourself from becoming a phishing scam victim?
Hover over links — but whatever you do, don’t click! When hovered over, some links reveal a .cf domain name in your browser’s address bar. That is the country-code domain of the Central African Republic — a known source of well-designed online phishing scams.
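The three link checks described above (a hover target that does not match the visible text, a look-alike domain such as Gmaiil.com, and a high-risk top-level domain such as .cf) can be automated on the defender's side before a message reaches an inbox. The following is an added example written for this article, not code from the original page or from any product it mentions. It assumes a short list of expected brand domains and treats only .cf as high-risk, as the article does; both lists are placeholders that a real deployment would extend. The sample e-mail body is constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brands the organisation legitimately receives mail from.
KNOWN_BRANDS = ("gmail.com", "linkedin.com", "paypal.com")
# Assumption: top-level domains treated as high-risk (only .cf, as in the article).
RISKY_TLDS = {"cf"}
# Visible anchor text that itself looks like a URL or bare domain.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Return the hostname of a URL or bare domain, or None if it cannot be parsed."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    try:
        return urlparse(s).hostname
    except ValueError:
        return None


def registrable_domain(host):
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance; one or two edits from a known brand is a classic look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_email_html(html):
    """Run the three checks on every link and return one finding per link."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue
        target = registrable_domain(host)
        reasons = []
        # Check 1: the text shows one domain, the link goes somewhere else.
        if DOMAIN_LIKE.match(text):
            shown = host_of(text)
            if shown and registrable_domain(shown) != target:
                reasons.append(f"text shows {registrable_domain(shown)} but link goes to {target}")
        # Check 2: the target is a near-miss spelling of a known brand.
        for brand in KNOWN_BRANDS:
            d = levenshtein(target, brand)
            if 0 < d <= 2:
                reasons.append(f"{target} is a look-alike of {brand} (edit distance {d})")
        # Check 3: the target sits under a high-risk top-level domain.
        tld = target.rsplit(".", 1)[-1]
        if tld in RISKY_TLDS:
            reasons.append(f"top-level domain .{tld} is on the high-risk list")
        findings.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample message body with one link per check plus one clean link.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full. Sign in here: <a href="http://gmaiil.com/login">https://gmail.com/login</a></p>
<p>Please <a href="http://secure-update.cf/verify">Verify your account</a> within 24 hours.</p>
<p>Someone viewed your profile: <a href="https://www.linkedin.com/in/someone">View profile</a></p>
"""

if __name__ == "__main__":
    for f in analyze_email_html(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS" if f["suspicious"] else "ok       ", f["href"], f["reasons"])
```

The first link trips two checks at once, which is typical of real phishing mail: the visible text is the genuine address while the hover target is a one-letter misspelling of it. Feeding the visible text through the same parser as the href is what makes the mismatch check work without any hand-written rules.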
Two-factor authentication, or 2FA, is one of the best ways to protect your personal or financial information from phishing scams. When you log into your account, 2FA sends a second check to your mobile phone to verify your identity. You’ll be prompted either to click on a texted/emailed link or to type in a number generated by an authenticator app.
Be aware, however, that phishing scammers even try to use 2FA to extract information, using social engineering — exploiting human behaviors and psychology. These 2FA scams set up emotional triggers and other psychological tactics to try to get users to give up personal information.
In a social engineering attack via 2FA, a hacker may already know your username and password and you may be sent a message, such as: “Your user account has been accessed from a suspicious IP address. If the IP does not belong to you please reply with the verification code sent to your number.” Or, they may not know your username and password, so they guide you to a convincing fake website where you input your information, which is then stolen by the hacker, who was waiting to pounce.
Email is not the only avenue
Phishing is often associated with email, as that’s how 94% of malware is delivered. But in 2020, we must be vigilant about more than the inbox. Messaging, gaming, and social media apps, all on smartphones, are a hotbed of phishing activity. In fact, this is where 87% of mobile phishing happens. It is critical to use only authenticated accounts.
How will your employees react when targeted by a phishing scam?
It’s only a matter of time before an organization receives a phishing email. In its 2020 Phishing By Industry Benchmarking Report, leading cyber-awareness training company KnowBe4 states that nearly 38% of users who don’t undergo cyber awareness training fail phishing tests. Have your employees been trained in detecting and responding to the threat?
Phishing During COVID-19
The coronavirus outbreak has provided another chance for scammers to get their foot in the door. In one April week alone, Google reported that it blocked more than 240 million COVID-related email spam messages per day. In 2020, awareness of tactics remains the best form of protection. Training sessions are a wise investment. They involve mock scenarios and simulation hacks, and have become a common, effective way of helping users understand how social engineering and other tactics are used in phishing attacks.