What is Phishing and How to Protect Yourself from It

With the rapid development of technology, the complexity of phishing attacks improves. The more technologically advanced people become, the more advanced the phishing attacks. Last but not least, now that everybody spends more time online, the number of phishing attacks also rises. Here is our short guide on simple things to remember in order to stay safe from phishing attacks, while browsing online.

What is Phishing?

Born circa 1995, just 4 years after the first site appeared, phishing refers to the practice of using deceptive emails and websites to illegally get personal and corporate information from users. That information – usernames, password, credit cards – is later used to steal either money or more information. 

The word “phishing” itself is a combination of “fishing” and “phreaks” which was what hackers used to call themselves. The practice of phishing is considered a form of social engineering, which is a term for manipulating people by falsely representing oneself in the context of web security. 

Types of phishing techniques

Spear phishing

What is spear phishing? Spear phishing targets a specific person or organization rather than random users. This scam usually intends to steal sensitive data or information from the specific victim, such as account passwords or financial information for malicious purposes. It requires specific knowledge about the victim such as some personal details. The cybercriminals use this information, usually in an email, to pretend they’re a trustworthy organization or person and acquire the data they need.

Spear phishing vs phishing

Both of them are online attacks that intend to steal sensitive information. However, phishing is the more general term for this type of attack, as this is basically any attempt to trick victims to share sensitive data. 

As per the spear phishing definition, it is personalized to the specific victim. It requires more thought, time and knowledge to achieve its goal. Since spear phishing’s messages are personalized, it’s more difficult to identify these types of attacks.

What helps protect from spear phishing is generally being careful with your online presence. Here are a few tips to follow in order to avoid spear phishing:

• Be careful what personal information you post on the internet
• Use smart and strong passwords
• Update your software regularly
• Watch out when opening emails and clicking on links

Microsoft 365 phishing

These types of attacks are phishing emails that target Microsoft 365 users. One of the most common things that attackers usually do is tricking victims into downloading a file by disguising its extension. Attackers use a special Unicode character, the right-to-left override. It allows them, for example, to disguise an “.exe” file as a “.txt” file. As a result, the victim downloads the “.exe” file which installs malicious software on their computer or laptop.

Whaling phishing

Whaling phishing is a highly targeted attack. This type of phishing attack targets particular individuals, such as senior executives, and disguises as a legitimate email. It attempts to encourage victims to do a particular action, usually related to transferring money or giving out specific information. Whaling phishing emails often target large financial institutions and are more complicated than general phishing emails because they target C-level executives.

These emails usually contain personalized information about the organization/C-level executive, create a sense of urgency, comply with the business tone, and they encourage you to do some of the following:

• Click on a link that eventually brings malware
• Transfer money to the attacker’s bank account
• Provide further information about the business or individual

Voice phishing

Voice phishing is an attack which tricks individuals to provide important financial or personal information over the phone to third parties. You can become a victim of a voice phishing attack over various channels and devices, such as voice email, smartphone, landline phone, voice over IP, etc.

The message of such an attack usually informs the victim of a suspicious activity, related to their bank account/credit or debit card, etc. Then the attacker encourages the victim to call a phone number and provide more personal information or verify their account/identity. 

To protect yourself from such an attack, the best approach is to call the given institution via a valid contact channel you have and make sure that your account has not been compromised.

Business email compromise (BEC)

Business email compromise is an email message that appears legitimate, requests a particular action, and targets a specific company. The request in the message is usually about transferring funds to the attacker’s bank account that:

• Pretends to be the “regular supplier” that has sent an invoice from an updated mailing address
• Pretends to be the CEO of the company
• Pretends to be an employee of the company and has hacked their email address
• Pretends to be the lawyer of the company

Social media phishing

Social media phishing is related to attacks via social media such as Facebook, Instagram, Twitter, LinkedIn, etc. It aims at stealing your personal information or taking over your social media account. Such an attack can also result in financial loss due to getting data for access to financial accounts. To protect yourself from a social media phishing attack, follow these simple rules:

• Don’t add/accept strangers as friends
• Don’t click on links to update your personal information
• Don’t use the same username and password for all your accounts
• Use the latest version of your operating system

How Can You Prevent Phishing?

Because phishing can truly cost you a lot – from stolen money to huge data breaches in your company – taking proper safety precautions is a must. We’ve put together a shortlist of the things you need to keep in mind in order to stay safe online.

1. Pay Attention To The Sender and The URL in Your Emails

One of the most common phishing scams is to spoof a big brand by sending an email with their name (and usually color palette), and say there is something wrong with your account and ask you to log in “to fix it”. Usually, the look of the email is very similar to the original brand, however, there is a sure way to distinguish whether you’re looking at the real deal. 

A good way to identify phishing emails is to check the email address: scammers cannot create email addresses with the actual domain name of the company, so instead of help@bigbrandname.com it will usually look like bigbrandname@somethingelse.com. Look carefully at the email address and not just the name appearing in your email client!

You should also check the URL before clicking. This can be done by hovering the mouse over the URL provided in the email, it will usually reveal the domain it’s pointing at, so you can see where this email actually wants to take you. If it’s not the official domain of the brand, don’t click on it.

2. Avoid Downloading Email Attachments You Don’t Expect

Sometimes the email looks like legitime business emails, and they don’t pretend to be a big company, but instead send over an attachment containing some sort of malware. The email is often structured as a business offer or аn email sent by the recipient’s own company/management containing files with sensitive information.

If you don’t know who the sender is, definitely don’t open any attachments. If you know the sender, but you don’t expect anything from them, or there is something fishy about it, it’s better to be cautious. Call the sender and ask them if they meant to send you anything, as sometimes scammers hack into people’s email boxes and use them for phishing attacks by spamming their contacts.

The most common format for the attachments is zip (.exe is usually not allowed), however, even Microsoft Office files can contain viruses, which can contain macros that need to be enabled. Overall, keep an eye for all kinds of attachments.

3. Always Check The Site You’ve Landed On

If you happen to click on a phishing link (usually via email or through instant messages), it will often take you to a website with a form of some sort. The purpose of these forms most often aim to gather your most sensitive information – usernames and passwords.

In order to be sure you’re at the correct site and before filling in any data, check the website address in the browser address bar.

Scammers can create a website closely resembling the design of the respective brand, but they can’t use their official domain or have the brand name in the domain (assuming the brand is trademark protected). So, often, these domains may resemble a brand’s name, but will never be the original one, and will have additional symbols, letters, or words. 

Usually, the scammy domains look completely nonsensical and sometimes the design and flow also feels odd, especially if it’s a known brand that you often see.

For example, when signing into Gmail, Google will never ask you to select your email provider or enter both your email and password on the same screen. So the flow you will often see on phishing sites is designed to resemble the original one, but it’s not. 

4. Ignore Money Requests

Another type of online scam that social engineers often use is misrepresenting themselves and asking for money under some form. An example of such phishing emails is a person in trouble, asking for financial help; you’re asked to send a small amount of money with the promise you’ll get way more in return. 

Sometimes these scams can take the form of extortion. A popular one was an email circulating in the past couple of years, stating that users have been recorded through their own webcams watching adult content and asking for money. Actually, this scam attack was so scary, it made the news as people were terrified – understandably so!  

Either way, if you are getting a money request under any form by strangers, it’s usually a scam; never give out money or financial information no matter how the situation is presented.

What should you do if you receive a phishing email?

Every time you receive an email, you need to be extra careful of the email address, the URL, their spelling, etc. After checking these and identifying that the email is actually a phishing email, you need to follow all of the steps below:

1. Don’t click on any links & don’t open any attachments & don’t reply;
2. Contact the alleged sender via official channel for communication;
3. Report the email to your company & email provider & government body & the organization that allegedly sent the email;
4. Mark the sender as junk or spam;
5. Delete the email & remove from recycle bin/deleted items folder.

How to report phishing emails?

As previously mentioned, you need to report the phishing email to several people/institutions. Here we’ll show you how to report the email both to the email provider and to the government body.

How to report phishing emails to your email provider 

Let’s take as an example, Gmail accounts. Next to the “Reply” option in Gmail, click the “More” option and select “Report phishing”.

If you are an Outlook user, you need to select the phishing email message from the message list and above the reading pane, select Junk > Phishing > Report.

Other email providers have similar easy to use options for reporting phishing emails.

How to report to a specific institution, based on the country you’re in

The Anti-Phishing Working Group (APWG) is an international coalition that attempts to eliminate cybercrime. If you receive a suspicious or malicious email, forward it to this organisation at reportphishing@apwg.org. Below you can see some other country-specific institutions that can help you too:

• For the USA, forward phishing emails to the National Cybersecurity Communications and Integration Center (NCCIC) at phishing-report@us-cert.gov.
• For the UK, report the phishing email to Action Fraud, the UK’s fraud and cyber crime reporting center.
• If you’re living in a European Union country, here you can find the reporting website, corresponding to your country, in case you are a victim of a cybercrime.

Final thoughts

Now that you know what is a phishing attack, you are much better prepared to protect yourself from it with our simple actionable advice. You can further explore our blog for similar topics and read how to protect your reputation by protecting your email.