If you’ve followed cyber security news, you’ve likely heard of the term phishing. But what is phishing, exactly? It’s a type of scheme to steal your private information, drain your bank account, hijack your identity or maybe even all three.
Phishing scams are bad news and the number of victims affected is staggering. One 2016 study found that 91 percent of all cyberattacks start with a phishing email. The best way to avoid becoming a phishing scam statistic is to understand how these scammers operate.
The earliest phishing schemes were fairly crude—even laughable in hindsight. We’ve all heard of those emails in which some imaginary Nigerian prince urgently needed to transfer millions of dollars—and all you needed to do to earn your 20 percent cut was provide your banking account details to facilitate the transfer of cash.
Unfortunately, those days of obvious cons are gone. Today, phishing scams can be incredibly sophisticated and hard to detect, making even the most cautious internet users vulnerable.
6 common phishing schemes to watch out for
Phishing attacks are constantly evolving and anyone could end up taking the bait. While we may not be able to know exactly what the future of phishing may bring, we can learn to switch on our phishing scam radars by understanding some of the common methods used in the past.
To help with that, we identified eight common phishing attack schemes to be aware of.
1. The malicious Microsoft Office file
How does it work? An unknown person or organization sends you a Microsoft Office Word or Excel file and tells you to look at it and update information. To do that, you are tricked into enabling editing or macros. But when you do, malware, ransomware or Trojan software infects your computer.
How can this be avoided? Do not enable editing or macros in documents from unknown senders. Additionally, update your Microsoft Office software and stop using older versions like Office 2003 and 2007.
2. The irate customer
How does it work? This is a scam targeting businesses. These businesses will receive a message from a supposedly very upset customer who attaches a fake invoice. Unsuspecting employees hoping to rectify the situation will often rush to open the invoice file, unleashing malware into the company system. Dave Bourgeois, CEO of My IT, says this scam can take on extra layer of believability.
“To make things worse, the scammer often sends follow-up emails demanding a response and is seemingly more upset that you have not responded yet,” Bourgeois says.
How can this be avoided? Before clicking the attachment, check customer records to determine if the sender is a customer. If suspicious, ask the sender to explain the problem without opening the invoice.
3. The fake job listing
How does it work? Fake job postings on online job boards seek out applicants and follow up with an email saying that you’ll need to complete an application that includes sensitive personal information like your home address, date of birth and social security number. Brandon Ackroyd, Founder of Tiger Mobiles, says falling for this common phishing scam is often a product of job-seeker desperation.
“This scam preys on individuals who are looking for work and might be struggling to find it, so an email like this seems like a godsend.”
Of course, there is no job at the end of this process—only the hassle of a stolen identity.
How can this be avoided? There are several ways to sniff this scam out. Start by asking yourself some questions: Where is the website for the job post listing? Does this seem like a legitimate business? Do they have an address listed for their office? Does the job sound a little too good to be true?
Even if they seem to pass this initial set of questions, let it be known that you’re concerned about the security of your personal information and ask to speak with a recruiter. If they object, move on. Even if they aren’t a scam, sloppy practices like this likely won’t bode well for how they handle the rest of their business.
4. Requests to update personal Information or resolve a discrepancy
How does it work? Let’s say you get an email from a bank, credit card company or other business asking you to update your account record or resolve a discrepancy. They conveniently provide a link for you to access the account. Sounds like a plausible thing, right? But watch out—scammers can set up very realistic-looking fake websites. When you enter your personal information, you are handing it over to thieves.
How can this be avoided? First, take a very close look at the URL. Scammers are getting tricky with very subtle changes. For instance, a scammer could try sending a link to www.wellfargo.com instead of to the legitimate banking site, www.wellsfargo.com, by simply dropping the “s” in the URL. If you get a suspicious email, don’t click the link. Instead, if you’re concerned, manually type in the company’s web address in a new browser window, or call the customer service line to inquire about your account.
5. Links from a friend’s social media account
How does it work? When a friend’s social media account is hacked, you could get a message that appears to come from that friend. But the truth is that scammers hijacked the account, sending out messages that ask unsuspecting followers to click dangerous links or log into well-designed fake websites.
How can this be avoided? Even messages appearing to come from people you know should be handled carefully, especially if they ask you to click links or login to a site. Before doing anything, contact that person outside of the social media platform to ask if the message is legitimate. Additionally, give yourself extra protection by using two-factor authentication on accounts whenever possible.
6. Spear phishing attacks
How does it work? This attack method is often targeted at organizations. Scammers collect public data about an individual known to people within the organization. This information is then used to create believable, fake accounts to carry out their scam.
As an example, scammers could gather public information about the CEO of a company to create a fake personal email account. From there, they could send what looks like a message from the CEO of a company to an employee, asking them to click a link to deal with an urgent matter. The message could include a signature with the CEO’s name, phone number, office location and other convincing data that could convince the less-cautious to click. Clicking the link unleashes an attack against the company’s computer system. In some cases, these messages are actually sent from the CEO’s true account after a security slip-up of their own.
How can this be avoided? For one, CEOs and other important members of an organization should not be exempt from security training. Their clout with employees makes them a valuable target for scammers as it is much easier for employees to fall victim to messages from compromised accounts. Employees should also treat any link in an email, particularly from an external source, with extreme caution.
What should you do when you suspect a phishing scam?
Phishing email scams can range from being a frustrating nuisance to a national security threat—and they aren’t going away any time soon. But that doesn’t mean you can’t help fight their spread. If you find a suspicious email, you can help by forwarding phishing emails to firstname.lastname@example.org or email@example.com.
Help stop digital scammers
Does reading about these scams make you want to fight back beyond reporting suspicious emails? If so, you might be interested in learning about the information security field. If you’d like to learn more about the career opportunities available to would-be cybercrime fighters, check out our article, “5 Fascinating Infosec Jobs That Help Combat Cybercrime.”