According to the FBI’s 2019 Internet Crime Report, the FBI’s Internet Crime Complaint Center received over 467,000 complaints of internet-related scams in 2019. Altogether, these internet crimes cost victims over $3.5 billion, and phishing, a form of cyberattack using emails, text messages and websites, topped the report’s list as one of the most commonly reported crimes.
Through phishing, hackers attempt to collect a victim’s most valuable and confidential information. This may include bank account numbers, Social Security numbers, or credit card numbers — anything the hackers can use to commit identity or monetary theft. Often using insidious tactics such as urgent language and copied company logos, these criminals trick individuals and businesses through some of our most frequently used means of communication.
Because phishing is such a commonly occurring and costly crime, it’s important to learn about the many forms it can take. Below, we discuss some of the most common features of phishing emails, the main types of phishing campaigns and tips on how you can protect yourself or your business.
Common Features of Phishing Emails
Emails are one of hackers’ common phishing weapons, but there are several indicators within phishing emails that can often make them easy to spot. If you receive an email asking for payment or important personal information, scan the email and ask yourself these questions before taking any sort of action:
- Does the email ask you for money or personal information? Because obtaining an individual or business’ money or valuable confidential or personal information is often a phisher’s goal, no matter who the sender appears to be, you should always be wary of any email that asks for these things. While it’s especially likely to be a phishing email if it’s from a sender you don’t recognize, phishers sometimes hack email accounts so they can send emails that appear to be from a person or company you know.
- Does the email contain an urgent or threatening tone? Often, phishers attempt to prey on an email recipient’s emotions through urgent language, such as suggesting a payment is past due or an account is about to be closed. If you receive an email with this tone, take a few minutes to breathe and relax. Do not immediately click on a link, reply or act in any way. Because this is a common tactic hackers use, make sure you’re calm and level-headed before interacting with the email so that you can first determine whether or not the communication is legitimate.
- Does the email contain grammatical errors or misspellings? While not always the case, many phishing emails contain spelling, grammatical or even formatting errors that may indicate the sender is not who they claim to be. The email may read as if it’s not in the sender’s native language or may include unprofessional mistakes that a company would be unlikely to send. Additionally, the greeting may be out of context: too generic (“Hey you” or “Dear Customer,” for example), or too informal or too formal for your relationship with the sender.
- Does the email ask you to click on a link? If an email asks you to click on a link to make a payment or provide your personal information, this should be considered highly suspicious behavior. A bank or financial institution will never use email to request your bank account number or identifying information. If you do receive an email with a link, hover your cursor over the link before clicking on it. The link’s real website address should appear on your screen; the text of the link can say anything, so it is the address shown on hover that counts. If this website address does not exactly match the official address of the company the email is claiming to represent, do not click on it. Look closely at the domain itself: a single changed character, or the company’s name placed in front of a different domain, is still a mismatch.
Types of Phishing Campaigns
The criminal world of phishing, like any legitimate business or industry, is constantly evolving. Phishing criminals can be sophisticated and creative in capitalizing on advancements in the ways people use technology. Because of this, individuals and companies may be vulnerable to several types of phishing campaigns. The most common ones to recognize include spear, clone, whaling and pop-up phishing.
Spear phishing occurs when a hacker specifically targets a group of people with something in common. Often using “insider” information obtained by hacking an organization’s computer or pulled from social media or a website, spear phishers create a fake email that appears to be an official email from the organization or entity. These emails typically ask the targets, such as university students or a company’s clients or employees, to click on a link that will take them to a website to update personal information, enter a password or pay a bill.
As with spear phishing, clone phishing hackers prey on email recipients by taking advantage of their trust in other people or businesses. With clone phishing, hackers “clone” a real email someone already received and create a new one that looks like the original. They can also make it appear as if the sender of the original email sent it again. In these cloned emails, phishers add or replace a link or attachment with a harmful one.
Whaling is a form of phishing that targets specific victims, often the “whales” of a corporation or large entity such as a CEO, a board member or a wealthy individual. Whaling phishers typically use similar methods as those used in spear phishing.
Through pop-up phishing, hackers can also take advantage of people as they browse the internet. Hackers may infect certain websites and cause a pop-up to appear when a user visits the page. These pop-ups can be difficult to close, causing the victim to accidentally click on a link, and may direct a user to take some kind of action such as providing personal information, downloading something, or calling a certain phone number.
How to Prevent Phishing
Fortunately, along with having a general understanding of what phishing is and how it can appear, there are a few things you can do to help prevent phishing attempts:
Two-Factor Authentication
Two-factor authentication may make it difficult for a hacker to access your online account by requiring a scan of your fingerprint or an additional code sent to your mobile phone. Because hackers don’t have access to your phone, they should not be able to receive the code needed to log in to your account even if they already have your password, unless you’re already using a compromised site or device.
Strict Password Management and Policies
Whether you’re trying to protect yourself or your business from phishing attacks, it’s important to implement strong password management policies. For instance, using secure, reputable password management software can help protect you from logging in to a dangerous phishing website. If you use a password manager that securely stores your password and automatically fills it into authentic websites when you log in to an account, the same software will not automatically enter your password on a fake site that only looks like the original, because it matches on the site’s actual address rather than on its appearance. Additionally, changing your passwords regularly and using a different, strong password for each online account can prevent hackers from being able to access more than one account if they ever do manage to steal a password.
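Both the hover check on email links described under Common Features of Phishing Emails and the password manager autofill behavior described above come down to the same rule: compare the real hostname of the address, not the text that is displayed or how the page looks. The following is an added Python example, not code from the original article or from any particular password manager, that applies that rule. The domain example-bank.com, the email links and the vault entry are all constructed for the example, and the autofill model is a deliberate simplification of what real password managers do.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed example: "example-bank.com" stands in for a real bank's domain.
EXPECTED_DOMAIN = "example-bank.com"

# Constructed email links as (visible link text, real destination). Hovering over a
# link in a mail client reveals the second element; the first is what the email shows.
EMAIL_LINKS = [
    ("https://www.example-bank.com/login", "https://www.example-bank.com/login"),
    ("https://www.example-bank.com/login", "https://example-bank.com.account-verify.example/login"),
    ("Update your details", "https://secure-login.example/example-bank.com/login"),
    ("https://www.example-bank.com", "https://example-bank.com@secure-login.example/login"),
    ("https://www.example-bank.com", "http://examp1e-bank.com/login"),
]


def hostname_belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the URL's real hostname is expected_domain or a subdomain of it.

    Only the hostname is compared: anything before an '@', the port, the path and the
    query are ignored, because none of them decide which site the browser connects to.
    The comparison is exact, so a look-alike spelling such as examp1e-bank.com fails.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lowercased; userinfo and port already removed
    if not host:
        return False
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def classify_email_link(visible_text: str, real_target: str, expected_domain: str) -> str:
    """Reproduce the hover check: judge the real target, never the visible text."""
    if hostname_belongs_to(real_target, expected_domain):
        return "ok"
    if hostname_belongs_to(visible_text, expected_domain):
        return "suspicious: link text shows the real site but points elsewhere"
    return "suspicious: link points outside " + expected_domain


# Simplified model of a password-manager vault: each entry is bound to one domain.
VAULT = {"example-bank.com": {"username": "alice", "password": "correct horse battery staple"}}


def autofill_credentials(page_url: str, vault: dict = VAULT) -> Optional[dict]:
    """Assumed, simplified autofill rule: fill only on an https page whose hostname
    belongs to a stored entry's domain. A page that merely looks like the bank gets nothing."""
    if urlsplit(page_url).scheme != "https":
        return None
    for domain, creds in vault.items():
        if hostname_belongs_to(page_url, domain):
            return creds
    return None


if __name__ == "__main__":
    for text, target in EMAIL_LINKS:
        print(f"{target:58} -> {classify_email_link(text, target, EXPECTED_DOMAIN)}")
    for page in ("https://www.example-bank.com/account",
                 "https://example-bank.com.account-verify.example/login"):
        print(f"{page:58} -> {'filled' if autofill_credentials(page) else 'not filled'}")
```

Running the block shows why the hover check works: the second link displays the bank's own address but really leads to a different domain, the third and fourth bury the bank's name in the path or before an @ sign, and the fifth differs by one character. The vault lookup fails on the look-alike page for the same reason, which is what the article means when it says the manager will not fill a fake site that only looks like the original.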