You can’t avoid being targeted by scammers, but you can and should avoid getting caught on a phishing hook
Despite smart spam filters, scammers’ messages sometimes make it into your inbox. These messages lure users into clicking suspicious links, downloading malware or submitting their valuable data. With more people working from home and schemes that keep evolving, phishing attacks are a major threat to your cybersecurity.
According to the FBI, phishing was the most common type of cybercrime in 2020. Moreover, the number of reported phishing incidents nearly doubled, from 114,702 in 2019 to 241,324 in 2020.
About the concept
To begin with, let’s recall what a phishing scam is. You’ve surely encountered it a thousand times, but may not know what you’re dealing with.
Phishing attacks are carried out through spoofed emails, pop-up windows and messages that use social engineering techniques to make targeted individuals reveal their sensitive data. They work in a few common ways. Scammers may trick you into visiting a given link or opening an attached file; those may install viruses, spyware or ransomware on your device, which lets cybercriminals steal your passwords, credit card numbers, customer lists and other valuable information, usually without the average Internet user noticing. Finally, phishing emails may also prompt you to willingly enter your personal details in response to a lucrative offer.
The types of popular phishing schemes include:
- Fake shipping or delivery notifications
- Fake purchase confirmations and invoices
- Requests for personal information updates
- Promises of attractive rewards
- Charity or gift card promotions
- Claims about a problem with your account or payment information
- Suspicious activity or log-in attempts notifications
- Fake job offers
- Fake loan approval
- Free coupon offers/discount codes
In recent times, spear-phishing schemes (targeted attacks on the employees of particular organisations) have become more common. Losses from business email compromise have skyrocketed over the last year, reaching $1.8B. These schemes stand out through individually designed approaches and effectively personalised messages or fake websites. As a result, even top executives can find themselves opening emails they thought were safe.
Tips to avoid phishing
When you deal with phishing scams, the general rules of Internet safety apply. Beyond those, a few specific insights will help you keep your online communication safe.
- You should protect all your connected devices with trusted, constantly updated anti-virus software. These programs can block malware from being installed and can remove it if it gets onto your computer.
- Pay attention to email details. With unknown senders, be wary of consumer email domains like Gmail or Yahoo; most trusted businesses use corporate mail accounts. Check the “to” and “from” fields. If the person or business name is spelled incorrectly, or a bunch of random characters appears instead of a clear email address, don’t rush to open the message. As for recipients, be careful when supposedly individual offers are explicitly sent to multiple customers.
- When dealing with suspicious emails, become a language purist. Scammers often don’t bother with grammar and spelling, let alone correct punctuation. Many of them are also located abroad and are not native English speakers, so they may miss linguistic mistakes unintentionally. Remember that legitimate businesses and organisations are very attentive to their public communications and rarely send emails with mistakes or typos.
- Check the contact information and content. Any legitimate email from a company’s representative should have a signature line with the sender’s name, title and contact information. Scams often omit those details entirely, or give fake, inconsistent data. Pay attention to the overall tone of the email: if it taps into your emotions, creating pressure, excitement or anxiety, you may be dealing with social engineering. If you receive an email from a company you’re a customer of, generic greetings like “dear friend” are strange, especially if it goes on to describe problems with your specific account or payment.
- If the email includes any links, hover over those URLs and see whether they look legitimate. If you don’t recognise the link of a familiar business, don’t click it. Links with strange character strings are also ones to avoid. The actual domain portion of the URL is the part of the hostname immediately preceding the final .com, .net or .org, whatever else comes before it. Scammers may start their URL with a legitimate website name, since most users won’t check the full URL that shows the real destination. Shortened URLs are harder to deal with. However, link-expansion services such as CheckShortURL and browser plug-ins will show you a short link’s destination without visiting it.
- You can tell if an email attachment is safe by assessing the file extension. The safest ones are GIF, JPG or JPEG, TIF or TIFF, MPG or MPEG, MP3 and WAV. Other file extensions are more dangerous and more likely to carry malware. Be exceptionally wary of files with double extensions, such as image.gif.exe: they are almost always deceptive and malicious in intent, and the only extension that matters is the last one. As you may know, the EXE extension represents an executable file that will automatically run software upon download. It shouldn’t be opened unless you 100% trust the sender.
- Never share personal or financial information via links found in emails or instant messages. Legitimate offers require you to apply or make payments using official forms provided on the company website. Businesses may also use their proprietary apps to request additional details.
- Phishing emails and text messages may look like they’re from a company you know or trust (a bank, credit card company, social networking site, online payment website or app, or an online store). With the classiest fakes, most links go to the real site, except the ones that submit your username and password to the scammers. However, phishing pages often have discrepancies with the legitimate site: wrong colouring, a bad user interface, weird formatting, a plain http address instead of https, a different logo, absent contact details and more. Look for any suspicious details.
- Install anti-phishing software. Organisations should consider corporate solutions to keep their business data from being compromised. Anti-phishing software consists of programs that attempt to identify phishing content in websites, e-mail or other forms used to access data and block it, usually with a warning to the user (and often an option to view the content regardless). It is often integrated with email clients, or as a browser toolbar that displays the real domain name of the website being visited. Most popular Internet browsers can also be customised with anti-phishing toolbars, which run quick checks on the links you visit and compare them against lists of known phishing sites. The toolbar will warn you if you come across a malicious site.
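To make the link and attachment checks above concrete, here is an added Python example (not from the original article) that applies them: it extracts the part of a hostname that decides where a link really goes, flags URLs in which a trusted brand name appears but is not the real domain, notes plain-http links to known sites, and judges attachments by their last extension. The TRUSTED_DOMAINS set and the sample URLs are constructed for the demo.

```python
from urllib.parse import urlparse

# Constructed for this demo: the organisations this mailbox really deals with.
TRUSTED_DOMAINS = {"examplebank.com", "exampleshop.net"}
# Attachment extensions the article lists as the safest; everything else gets caution.
SAFE_EXTENSIONS = {"gif", "jpg", "jpeg", "tif", "tiff", "mpg", "mpeg", "mp3", "wav"}


def _parse(url: str):
    """urlparse only splits off the host when a scheme is present; assume http otherwise."""
    return urlparse(url if "://" in url else "http://" + url)


def registrable_domain(url: str) -> str:
    """The hostname labels just before the final .com/.net/.org: the part that decides
    where a link really goes. Simplified to two labels; .co.uk-style suffixes would
    need a public-suffix list."""
    host = (_parse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(url: str) -> str:
    """'trusted' (known domain over https), 'trusted-but-http' (known domain, no TLS),
    'lookalike' (a trusted brand name appears in the URL but is not the real domain)
    or 'unknown'."""
    parsed = _parse(url)
    if registrable_domain(url) in TRUSTED_DOMAINS:
        return "trusted" if parsed.scheme == "https" else "trusted-but-http"
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in url.lower():
            return "lookalike"
    return "unknown"


def check_attachment(filename: str) -> str:
    """Only the last extension counts; a safe-looking extension hidden in front of a
    risky one (image.gif.exe) is flagged as deceptive in its own right."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "no-extension"
    last = parts[-1]
    if len(parts) >= 3 and parts[-2] in SAFE_EXTENSIONS and last not in SAFE_EXTENSIONS:
        return "double-extension"
    if last == "exe":
        return "executable"
    return "safe" if last in SAFE_EXTENSIONS else "caution"
```

Run `check_link` on every URL you hover over in a suspicious message and `check_attachment` on each attachment name; anything other than "trusted" or "safe" deserves a second look before you click.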