What is Phishing?
‘Phishing’ generally or ‘Deceptive Phishing’ specifically is the attempt of a bad actor to gain access to your personal and sensitive data such as usernames, passwords, credit card numbers, PINs and sometimes personal details such as name, date of birth and address. This is done by posing as a trusted source, usually a company you have an account with or do business with.
A phishing scam can by done by phone, text message, social media and most commonly via email. Core to a phishing scam is the bad actor goes to the effort of making the communication appear as legitimate as possible. This includes utilising the logos, colours, fonts, style and structure of communication you have previously experienced from the business they are mimicking. Sometimes the domain email may be almost identical except for one letter being out of place or missing. For example, a phishing scam by email may come from @privcyrightfully (missing the ‘a’).
To the average person it looks like every other communication they’ve received from that particular business and they don’t look to identify any subtle differences or flags. Given our brain is designed to take short cuts – we don’t read every letter and every word in a familiar communication and miss these flags naturally. The content of a phishing scam is usually a request for one of two things from you:
Provide sensitive information: This is the most common and usually the communication claims your account has been suspended or breached and you need to ‘confirm’ your details to regain access to your account or to reset your password or PIN. You will be asked to click on a link which takes you to a malicious site which looks identical to the one it’s intending to replicate. Once you enter your usual username and password, they are sent back to the bad actor who can then access your account.
Download something: These scare you by claiming your device has a virus and to protect it you need to download a file which itself is malware that infects your computer and can be programmed to record your keystrokes which are sent back to the bad actor. Eventually this will lead to your various usernames and passwords as you log in to various accounts.
Pronounced the same as ‘fishing’ the terminology is an analogy for a bad actor fishing for you with a baited hook (the communication) and hoping you bite (the request within the communication). Phishing generally casts a wide net and is sent to entire breached databases with the expectation that of those thousands a number will fall victim. There are other types of phishing, the following two we’d also like to highlight get a bit specific regarding the targets:
Spear Phishing: Following the analogy above this is the bad actor targeting a specific fish rather than the typical casting of a wide net. It is particularly common in the workplace with a bad actor targeting an executive or finance department person. The communication is usually the sending of fraudulent invoices for immediate payment to suppliers, affiliates and even other executives in the same organisation. This can even trickle down to line employees and even come into your own LinkedIn inbox so be careful even if you don’t have any payment authority, it may not always be what they’re after.
Whaling: Continuing the analogy, a whaling attack targets the so-called ‘big fish’ from celebrities to artists to high profile CEOs. The idea is these people are extremely wealthy or have access to sensitive company information or fear reputational damage. Therefore, the scam usually poses as a serious affiliate or supplier complaint, subpoena, notice of legal proceeding etc.
The statistics
The good folks at PhishLabs have published their 2019 Phishing Trends & Intelligence Report which we encourage you all to read by pressing the link. Some key findings from the report are:
- Phishing grew 40.9% in 2018
- 83.9% of attacks came from these five industries: Financial, email, cloud, payment and SaaS services.
- Increases in phishing volume by country includes: USA +43%, Canada +170%, New Zealand +93%, Great Britain +9%, Australia +3%
How to recognise phishing
Sense of urgency: This is the biggest clue is the urgency of the request as companies being phished tend to find out within a few hours and alert their entire customer base to the scam. Phishing scams tend to only have a small window of opportunity, so they make serious claims that require your urgent action to resolve.
Threats: For similar reasons to the above any threat to close your account or the commencement of debt collection or legal proceedings should be treated with suspicion. Government agencies and most financial institutions rarely use email as their first means of communication for serious matters and would never send you a link for you to enter personal or financial details to.
Poor spelling, grammar and personalisation: Corporate emails to customer bases go through a few rounds of spelling & grammar checks. This is not just for professionalism but to ensure the message is clear and not worded in a way to be misunderstood – obvious spelling and grammar mistakes are very rare. Most companies also use your name so if the communication starts with “Dear Member” or “Dear Customer” that too is a flag.
Search online: Many scams are reused, search the name or wording within a suspicious email online and see if it has been flagged as a phishing scam previously.
Change of system performance: If you’ve downloaded a file and you suddenly have new icons on your screen or your computer is running slower, it may be malware and the source was a phishing scam.
No prior relationship: Not all phishing scams are negatively rooted, some claim you have won a prize or eligible for a government payment of sorts (especially at Christmas, following natural disasters, and of course pandemic type events such as COVID-19). If you haven’t entered a competition, applied for any financial measure, purchased from the company or used their services – be cautious.
How to prevent being a victim of phishing?
If you suspect you’ve received something that could be a phishing scam the best thing to do is not open any links in the email / SMS or provide any information if it’s over the phone. Instead, find the legitimate customer support phone number for the business in question and call them back directly to see if it is a genuine issue or phishing scam. Other preventative measures include:
- Check the email domain of the communication is letter by letter the same as the domain of a previous communication from the same company. Usually the initial welcome email is the best to compare against (being the oldest and most legitimate)
- Always hover over any link before clicking on it and ensure it leads to the website of the company in question (again check spelling letter-by-letter). This isn’t foolproof if the phisher has utilised link manipulation though
- Enable 2FA on as many accounts as possible to ensure even if you do give your username and password to a phishing scam the bad actors still won’t be able to access your account/s
- Visit the company website or social media accounts to see if they’ve made an announcement or post about being aware of a phishing scam
- Following from the point above, since you’re already on their website – log in from there rather than the link in the message to ensure you’re logging into the legitimate site. A good habit to get into bookmarking sites that require you to login when you set those accounts up. This will prevent you accidently landing on a phishing site in the future as you will login from your trusted bookmark list rather than relying on various links being genuine.
- Don’t pay any unusual or altered invoice without contacting the company and asking to speak to someone in accounts to confirm the new account details on the invoice are legitimate
- Ensure the spam filters of your email account are set to the highest antispam settings
- All mainstream browsers have a tool you can turn on to alert you if a webpage you land on is safe or malicious (browsers update these lists very regularly)
- Ensure you regularly scan your devices with a quality antivirus and antimalware provider
- Don’t post your birthday, address, phone number, or travel plans publicly on social media.
This obviously isn’t an exhaustive list but it’s the major things you can do easily and which have the biggest preventive impact. As discussed in Password Hygiene 101 – it’s important to not use the same password for all accounts as to minimise how many of your online accounts are exposed. Update your apps and software regularly as these updates are usually security improvements.
Conclusion
A common theme in the guidelines we’ve outlined today was to contact the company in question directly and ask about the communication they’ve apparently sent. There is nothing wrong or foolish with making this phone call to be safe and you can even tell them it looks suspicious as feedback – you may even be the first to bring to their attention that there is a phishing scam being distributed using their business name.
This is particularly important when it comes to invoices and cross checking the bank deposit details. Phishing unfortunately won’t go away any time soon and the bad actors are getting more and more sophisticated. Today’s article was about informing you what it is, how to identify it and how to take some precautions to ensure you’re not the low hanging fruit or an easy target. We will of course write a How-To Guide regarding what to do if you have been phished in the near future.
This article is written in line with our Terms & Conditions and Disclaimer. As such all content is of a general nature only and is not intended as legal, financial, social or professional advice of any sort. Actions, decisions, investments or changes to device settings or personal behaviour as a result of this content is at the users own risk. Privacy Rightfully makes no guarantees of the accuracy, results or outcomes of the content and does not represent the content to be a full and complete solution to any issue discussed. Privacy Rightfully will not be held liable for any actions taken by a user/s as a result of this content. Please consider your own circumstances, conduct further research, assess all risks and engage professional advice where possible.