Have you ever received an email warning you about an issue with your bank account? Such emails often present a dire situation where the bank is about to freeze your account unless you agree to verify your identity by providing personal information.
The email also carries a link to click on, and it leads to a page that looks exactly like your bank's website. The page usually asks for your personal information, bank account details, username and password; sometimes it also asks for your Social Security Number (SSN).
So, what is the problem with that? First, if you have ever received such an email, it is most likely not from the bank. It is a phishing attempt: cybercriminals using social engineering and off-the-shelf scamming tools to trick you into handing over your data.
Cyber security companies and professionals are continuously developing new protocols to protect users from phishing attempts. However, online fraudsters are also getting smarter and devising more sophisticated phishing emails that are hard to spot.
Whether you are a homemaker or work for an organization, it is important to understand phishing, how to recognize it, and how to protect yourself against phishing attacks. Remember, acting on a phishing email can endanger your personal identity, your financial details, and your company's security.
So, without further ado, let us dive right in to explore what phishing is, its types and what you must do to spot phishing attempts.
Phishing is a form of cyber-attack that uses social engineering techniques to steal your personal data, including logins, bank account and credit card numbers, and other financial details. Phishing attempts occur when an attacker masquerades as a trusted entity such as a business partner, a bank, or someone senior within your organization.
The purpose of phishing is to dupe you into acting on an instant message, email, or text message. The message carries a lure or a warning that tricks you into clicking a malicious URL. The link takes you to a webpage that instructs you to enter your login ID and password, personal details, and other sensitive information.
Sometimes the link instead starts a download that installs malware or a Trojan on your system. If that malware encrypts your files or locks the device and demands payment to restore access, the result is a ransomware attack; phishing is merely the delivery method.
Other malware quietly steals personal information from the computer while you watch helplessly, or the attacker demands a transfer of money before you can regain control of your device.
Phishing attempts can have devastating consequences. If you fall victim, the attackers can use the stolen financial information to drain your funds or go on an online shopping spree with your credit card details. To add insult to injury, the fraudsters may use your identity to carry out other frauds in your name.
Phishing is almost as old as the consumer Internet: cybercriminals executed the first recorded phishing attacks in the mid-1990s, using email on the America Online (AOL) platform to steal users' credit card and login information.
Although the basics of social engineering stay the same, fraudsters have developed more modern tactics to make their messages look legitimate. The 7 most common phishing threats are described below, and to protect yourself you should familiarize yourself with all of them.
Email phishing is the most common and well-known form. A malicious impersonator sends you an email pretending to be someone you trust: your employer, your bank, or a brand you shop with regularly.
The fraudster uses social engineering to create a heightened sense of urgency that leads you to click a link or download a file. The link takes you to a malicious webpage; the download may be a booby-trapped PDF or an executable that hands control of your computer to the attacker.
How to recognize email phishing?
Most internet users with a bit of technical knowledge already know some primary indicators of phishing. If you are new to the topic, here is how you can identify email phishing attempts.
Check the legitimacy of the sender's address, not just the display name. Look for misspellings in the sender's name and make sure the domain after the @ is the one the organization really uses. For example, phishing at PayPal attacks may come from addresses such as firstname.lastname@example.org or email@example.com; neither is a PayPal domain, so both are fake.
If the address looks fine, inspect the links and attachments themselves. Attackers disguise them, for instance with subtly misspelled domains or obfuscated links, to slip past filters such as Exchange Online Protection (EOP), so the link's real target matters more than the text you see.
Refrain from clicking shortened links. Hover your mouse pointer over any link to see its real target in the browser's status bar; a shortener still hides the final destination, so treat such links as opaque unless you expand them with a preview service first.
Check whether the brand logo or other images used in the email look wrong, low-resolution, or outdated.
If an email consists mostly of images with very little text, do not click on the images. An image-only email is a way to evade text-based filters, and the image is usually a link to a malicious page.
Spear phishing also uses email but takes a more targeted approach. The attackers begin with open-source intelligence (OSINT): they gather information about the victims from publicly available sources such as the company's website and social media accounts.
This means the attackers do their homework on who you are and what might entice you into their trap. The attacker typically targets specific individuals within an organization and uses real names, job titles, and working telephone numbers to make the phishing email look legitimate.
One of the most infamous data breaches happened when cybercriminals compromised the Democratic National Committee via spear phishing. The first of many attempts sent emails with malicious attachments to over 1,000 addresses. Its success led to a further campaign that tricked committee members into sharing their login IDs and passwords.
How to recognize spear phishing?
Follow these 3 steps to identify a spear-phishing email.
If an email looks like an abnormal request, it probably is. Be especially careful with requests that appear to come from within the company: a request for information that is out of the ordinary is a red flag.
Beware of clicking links to documents stored in shared drives such as Google Drive or Dropbox; a link that looks like a document share can redirect you to a fake or malicious website.
Any "document" that requires you to enter your username and password before you can view it is almost certainly an attempt to steal your credentials.
Whaling is corporate phishing aimed at, or impersonating, senior executives; the impersonation variant is also known as CEO fraud or business email compromise (BEC). An impersonator uses the corporate website and/or social media accounts to learn the name of your company's CEO or another senior employee, then poses as that person to contact the victim.
For example, suppose you work in the accounts department. The attacker may pretend to be your CEO and ask you to send financial details or transfer a certain amount of money to an account. If you are not vigilant, this can cause the company severe financial damage.
How to recognize whaling? There are 2 simple steps to spot a CEO fraud attempt.
Ask yourself whether senior leadership has ever contacted you, or someone in your position, with this kind of request. If not, the request is abnormal, and you should verify it through a separate channel, such as a phone call to a number you already know, before acting on it.
Many email applications let users combine all their mailboxes on a single platform. Make sure that any business request was actually sent to your work email address and not to your personal account, which the attacker may have found online.
Vishing refers to "voice phishing." In this type of attack the scammer uses phone calls to create a heightened sense of emergency. The aim is to deny you the time to think and to trick you into taking immediate action that appears to be in your own interest.
A common example is a call from someone claiming to be your computer or laptop vendor, informing you that there is a virus on your machine. The caller then asks for your email address and a payment so they can send you antivirus software to download immediately.
The damage does not stop there. If you fall for it, the email you receive will carry a malicious link or attachment that can install ransomware on your device.
How to recognize a Vishing attack?
The three main identifiers of a vishing attempt are:
Check the calling number and be wary of unknown numbers or calls from an unusual location. Bear in mind that caller ID can be spoofed, so a familiar-looking number is not proof of a genuine call; hang up and call back on a number you already have on record.
Be suspicious if the timing of the call coincides with an event or season that causes stress (tax deadlines, holiday shopping). Panic and time pressure are the two factors that push you to act in the scammer's favor.
Never give personal information in response to an unsolicited call. Your bank, or any other entity that holds your personal information, already has it on record, so there is no reason for it to ask you again.
Smishing applies the vishing playbook to text messages (SMS). Once again, the purpose is to create panic or a moment of urgency and trick you into completing a specific call to action.
The text will most likely include a link to install malware or ransomware on your device or redirect you to a malicious website.
How to recognize smishing?
If you receive a text asking you to take action to change a delivery status, and it contains a link, be careful before proceeding. Look up the courier's official website yourself, or use the tracking number you already have, to check the status of your delivery instead of following the link.
Phishing on social media is becoming common as cybercriminals explore different mediums to trap victims. Like smishing and vishing, angler phishing uses a platform's direct messaging and notification features to carry out phishing on social media.
The direct message or notification asks you to complete a certain call to action. This may lead to a complete takeover of your social media account or to your personal information being handed to the attackers. Criminals can alternatively use the data you post on social media to craft a more targeted attack.
One widely reported social media phishing campaign occurred in 2016, when thousands of Facebook users received a message claiming they had been mentioned in a post. This was a two-phase attack. In the first phase, the message delivered a Trojan to the user's computer together with a malicious Google Chrome browser extension.
The next time the victims logged into Facebook, the compromised browser sent their login details to the attackers, who were then able to change the users' passwords, steal data, change privacy settings, and send infected files to the victims' Facebook friends.
How to recognize an angler phishing/phishing on social media?
Always be wary of which messages and notifications you click on in your social media accounts. You can avoid an angler phishing attack by following these 3 steps.
Be cautious of notifications in your feed indicating that you have been added to a group or post automatically. Clicking on such links out of curiosity may lead you to a malicious website.
If you receive an unusual direct message from someone who rarely messages you, treat it with suspicion. It is likely either a fraudulent or spoofed notification, or a phishing chain sent from your friend's account because they themselves clicked a malicious link.
Never click a URL in a direct message, even when it looks completely legitimate, unless you are certain of its authenticity. If the message is from someone you know, call or text them to confirm that they actually sent the link.
You may be among the many who use pop-up blockers to keep annoying web pages and advertisements off your computer and mobile screen. Even so, you are still at risk of pop-up phishing attempts.
A cybercriminal can embed malicious content in the small notification boxes known as pop-ups that appear when you visit a website. Newer pop-up phishing attacks abuse the notification feature in your web browser instead.
For example, when you visit a website, the browser prompts you with "www.xyzwebsite.com" would like to show you notifications. If you click Allow, the site can push notifications to your desktop or phone whenever it likes, including fake virus alerts and fraudulent links dressed up as system messages, and those lead to the malware downloads and credential theft described above.
Identifying pop-up phishing is a 2-step process.
First, look for irregularities: review the notification for spelling errors, odd color schemes, or branding that does not match the site you are on.
Second, watch for the browser being forced into full-screen mode. A malicious pop-up can switch your browser to full screen to imitate a system alert and hide the address bar, so any change to your screen size that you did not make yourself is a sign of a phishing pop-up. Press Esc or F11 to leave full screen before you interact with anything.
PayPal is one of the world's largest and most popular online payment gateways. The service acts as an intermediary between online buyers and sellers and allows money transfers through its digital portal.
If you have never used PayPal, it is one of the most widely used services, with more than 403 million users worldwide. That success also puts a target on its back: hackers cannot resist phishing at PayPal, because where else would cybercriminals find the financial details of so many people in one place?
Like other digital financial service providers, the platform deploys a range of stringent security protocols and tools, including anti-fraud technology and data encryption, to protect its users' financial and personal data from malicious attempts.
While hacking into PayPal itself is no easy task, it is far easier for malicious actors to target the users. Scammers and impersonators have therefore developed cunning ways to get around the service's security by tricking the users instead.
There are various forms of phishing at PayPal attacks. Let us have a quick look at all of them.
Have you ever received an out-of-the-blue email from PayPal notifying you of a problem with your account? If so, you have most likely received a phishing email. Unless you yourself have just tried to log in or requested a password reset, PayPal has no reason to email you to recover your ID or confirm your identity.
Any other so-called "email from PayPal" saying "Your account is suspended," "suspicious activity detected on your PayPal account," or "verify your account" should be treated as fake: these messages carry malicious links designed to steal your information.
When you click the malicious URL in the email, it takes you to a website that looks identical to PayPal's official site. Cybercriminals go to extreme lengths to make this page look authentic, and it can be very hard to spot any difference between the original and this clone of the PayPal website.
The attackers also use the same logo, branding, color scheme, and text that you usually see on the official website, so that you do not question the credibility of the website or of the message that brought you there.
In the last few years there has been a spike in phishing at PayPal on social media. Such attempts often appear as shared or promoted social media posts.
The aim is for you, as a PayPal user, to click the link and land on a phishing website that asks you to enter your personal information. There have been various PayPal phishing attempts on platforms such as Facebook and Twitter.
If you ever receive an email from "PayPal" informing you that you have won a lucky draw and asking you to pay a small handling fee, it is a phishing attempt. Think logically: how could you win a lucky draw or competition that you never entered?
Secondly, if PayPal or any other service is about to hand you a prize of hundreds if not thousands of dollars, why would it need a small handling fee from you first? This type of message has "phishing at PayPal" written all over it.
How to recognize PayPal phishing attempts
Use the following 6-step process to identify a phishing attempt on your PayPal account.
Make sure that an email claiming to come from PayPal was sent from the official "PayPal.com" domain. Expand the sender details in your mail client to see the real address behind the display name; if the domain does not match the official PayPal domain, the message is fake. Bear in mind that a display name such as "PayPal" is free text that anyone can set, and that even the address can be forged unless your mail provider enforces SPF, DKIM and DMARC checks.
Like other scam emails, a fake PayPal email will use a generic, impersonal greeting such as "Dear User" or "Dear Customer." When PayPal sends you an official email, it addresses you by your first and last name or by your business's name.
Like other phishing scams, PayPal phishing tries to trigger a sense of urgency: take immediate action now or lose your account forever. The email often warns that your account has been used for some kind of criminal activity and that you must change its password to protect your money. PayPal advises that any urgent matter regarding your account will appear in the account itself when you log in through the official website; it does not email you about such matters.
No matter how official and legitimate the email looks, always be skeptical of clicking a link in it. Why would PayPal send you a link to download a file or software when all your dealings with it go through its official website?
Never provide personal or financial details in reply to an email, even if it has "PayPal" in the domain name. A simple rule of thumb: if an email or message asks you to provide sensitive information, treat it as phishing. PayPal will never email you asking for your full name, password, login ID, bank account number, or the answers to your security questions.
An official email from a service as large as PayPal will not contain grammatical errors or spelling mistakes. Such errors are common in phishing attempts, because attackers make mistakes or deliberately change a spelling by a single letter in the hope that you will not notice.
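The sender-address and link checks described for email phishing earlier in this post, and the six PayPal checks just listed, can be automated against a raw message. The following is an added example written for this page, not code from Guardio or PayPal. It assumes that the brand's only legitimate sender domain is paypal.com, that your receiving mail server stamps an Authentication-Results header with SPF/DKIM/DMARC verdicts, and that the shortener list and greeting/urgency phrases are a reasonable starting point to tune; both sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example (tune per brand): trusted domain, shorteners, greeting and urgency phrases.
TRUSTED_DOMAIN = "paypal.com"
BRAND_TOKEN = "paypal"
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
GENERIC_GREETINGS = ("dear user", "dear customer", "dear member", "dear client")
URGENCY_PHRASES = ("suspended", "limited", "within 24 hours", "verify your account", "immediately")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_trusted(host):
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def looks_like_brand(host):
    # Undo the digit-for-letter swaps attackers use (paypa1, payp4l) before comparing.
    return BRAND_TOKEN in host.translate(str.maketrans("10435", "loase"))

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a>: what hovering over the link would show."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze(raw_message):
    """Return human-readable findings for one raw e-mail; an empty list means nothing odd."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    # 1. Sender: the display name is free text, only the domain after '@' counts.
    from_host = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if not is_trusted(from_host):
        kind = "lookalike" if looks_like_brand(from_host) else "untrusted"
        findings.append(f"sender domain {from_host!r} is {kind}, not {TRUSTED_DOMAIN}")
    # 2. A Reply-To pointing elsewhere silently diverts your answer to the attacker.
    reply_host = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_host and reply_host != from_host:
        findings.append(f"replies go to {reply_host!r}, not the sender's domain")
    # 3. SPF/DKIM/DMARC verdicts stamped by the receiving mail server, if present.
    auth = str(msg.get("Authentication-Results", ""))
    failed = [f"{m}={r}" for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)
              if r.lower() != "pass"]
    if failed:
        findings.append("authentication not passed: " + ", ".join(failed))
    # 4. Body text: generic greeting and pressure language.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the account holder's name")
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    # 5. Links: the text you see versus where the href really goes.
    collector = AnchorCollector()
    collector.feed(html)
    for href, shown in collector.links:
        target = host_of(href)
        shown_host = host_of(shown) if shown.startswith(("http://", "https://")) else ""
        if target in SHORTENERS:
            findings.append(f"shortened link hides its destination: {href}")
        elif shown_host and shown_host != target:
            findings.append(f"link text shows {shown_host} but goes to {target}")
        elif not is_trusted(target) and looks_like_brand(target):
            findings.append(f"link goes to lookalike domain {target}")
    return findings

SUSPICIOUS = "\n".join([  # constructed sample message, not real mail
    'From: "PayPal Service" <service@paypa1.com>',
    "Reply-To: verify-now@mail-support.example",
    "Subject: Your account has been limited",
    "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=paypa1.com; dkim=none",
    'Content-Type: text/html; charset="utf-8"', "",
    "<html><body><p>Dear Customer,</p><p>We detected suspicious activity.",
    "Verify within 24 hours or your account will be suspended.</p>",
    '<p><a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/myaccount</a></p>',
    '<p><a href="https://bit.ly/constructed-example">Update your details</a></p></body></html>',
])
CLEAN = "\n".join([  # constructed sample of a message that raises no flags
    'From: "PayPal" <service@paypal.com>', "Subject: Your monthly statement is ready",
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com",
    'Content-Type: text/html; charset="utf-8"', "",
    '<html><body><p>Dear Jane Doe,</p><p><a href="https://www.paypal.com/">Log in</a> to view it.</p></body></html>',
])
```

Calling `analyze(SUSPICIOUS)` returns seven findings (lookalike sender domain, diverted Reply-To, failed SPF and missing DKIM, generic greeting, urgency wording, a link whose text shows www.paypal.com but goes elsewhere, and a shortened link), while `analyze(CLEAN)` returns an empty list. None of these checks is proof on its own; the value is that several of them firing together is exactly the pattern a human reviewer is taught to look for in the steps above.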
How to report a suspicious PayPal phishing email?
If you are suspicious of an email that claims to come from PayPal, the best course is to report it to PayPal. The platform can then investigate the email, take preventive measures, and warn other users. A little vigilance on your end can save others from a possible PayPal scam.
PayPal has designated a special address for reporting suspicious emails, i.e., firstname.lastname@example.org. Forward the email as-is, without altering the subject line and not as an attachment. Once you have forwarded the email to PayPal, go back to your inbox and delete it.
It is also a good idea to report such phishing attempts to your own email provider and to the provider the scammer used to send the phishing email.
For example, if the email came from a Yahoo account, report it to Yahoo by forwarding it to email@example.com. If it came from a Gmail account, use the "Report Spam" button or the "Report phishing" option in the message menu. If the domain is Hotmail, click the "Report Phishing" button.
It is then up to the provider to investigate and blacklist or close the fraudulent email account used for the attack.
If you are wondering how to protect yourself and your device from any phishing attempts, here are all the tips you need.
To protect yourself from phishing attempts of any kind, you need robust security controls that stop a wide range of attempts from getting through in the first place. For a home user, that means keeping your operating system and browser up to date and running antivirus software and a firewall.
If you are an enterprise, there are additional steps you can take to mitigate email phishing and spear phishing.
2FA is one of the most effective techniques against phishing. Two-factor authentication adds an extra verification step when you log into sensitive accounts: you must present 2 pieces of evidence to get in. First, you must enter the correct password.
In the next step, the system sends a verification code to your email address or smartphone (or you read one from an authenticator app), and you must enter this code to complete the login. Even if you fall for a phishing scam and hand your password to a cybercriminal, 2FA stops them from using the password on its own. One caveat: a code sent by SMS or email, or generated by an app, can itself be phished if the fake site asks for it and relays it to the real site within the same minute, so for your most valuable accounts prefer phishing-resistant factors such as FIDO2/WebAuthn security keys, which only work on the genuine site.
Complement 2FA with a sensible password policy: every account gets a unique, strong password, ideally from a password manager, and known-breached passwords are rejected. Forcing employees to change passwords on a schedule is no longer recommended (NIST SP 800-63B advises against routine expiry) because it pushes people toward predictable variations; a password that is known or suspected to be compromised, however, must be changed immediately and must not be reusable.
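To make the second step concrete, here is an added example (not Guardio's code) of how a server generates and verifies the time-based one-time codes (TOTP, RFC 6238) that authenticator apps produce, together with a small login routine showing a phished password being rejected without the code. The user record, salt and password are constructed; the TOTP secret is the RFC 4226/6238 reference key, so the codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at, step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift), comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * step, step, digits)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


# Constructed user record: a salted password hash plus an enrolled TOTP secret.
_SALT = b"constructed-salt"
USERS = {
    "jane": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",   # RFC reference secret, never use in production
    }
}


def login(user: str, password: str, code: str, at=None) -> str:
    """Return 'ok' or the reason the attempt was rejected."""
    record = USERS.get(user)
    at = time.time() if at is None else at
    if record is None:
        return "unknown user"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return "bad password"
    if not verify_totp(record["totp_secret"], code, at):
        return "bad or missing second factor"
    return "ok"


if __name__ == "__main__":
    secret = USERS["jane"]["totp_secret"]
    now = 59   # RFC 6238 reference instant: the 6-digit code is 287082
    print("phished password, no code  :", login("jane", "correct horse", "", now))
    print("phished password + guess   :", login("jane", "correct horse", "000000", now))
    print("real user with app code    :", login("jane", "correct horse", totp(secret, now), now))
```

The drift window of one step is why a code an attacker captured a few seconds ago still works if they relay it immediately, which is the caveat above: TOTP proves possession of the secret, not that you are on the genuine site. A FIDO2 key signs a challenge that includes the site's origin, so a code harvested on a lookalike domain is useless elsewhere.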
Phishing succeeds because cybercriminals have mastered the art of manipulation. Do not penalize employees for falling victim to phishing attempts; instead, encourage staff to report such incidents so that others can learn from them.
A culture of blame only discourages employees from reporting incidents, and that puts your organization's data and financial assets at risk.
Any employee, from an accountant to the CEO, can fall victim to a phishing attempt. Invest in training your employees about phishing threats and how to avoid succumbing to such attacks.
Run regular awareness training and drills to help your staff learn the signs of phishing, and test the effectiveness of the training with simulated phishing campaigns. This will help you gauge how well your staff can spot and report phishing attacks.
If you have been the victim of a phishing attack, alert the relevant authorities. For instance, in the United States you can report a phishing attack to the Federal Trade Commission by visiting its Complaint Assistance Page.
You can also report phishing attempts to the Anti-Phishing Working Group (APWG) by forwarding the phishing email to its reporting address, i.e., firstname.lastname@example.org. Forward phishing text messages to SPAM (7726).
It is clear that you cannot stop cybercriminals from trying to steal your data. However, you can educate yourself to identify the most common phishing attempts. This will not only help you protect your personal and financial information but also let you report attempts to the right authorities to warn others.
Use the information in this post as your guide for everything you need to know about the major types of phishing, and feel free to share this information with others in your circle.