Phishing (a play on the word fishing and pronounced the same) is a method used by cybercriminals to dupe you into disclosing personal information such as username/password, credit card, and banking information. The goal for the cybercriminal is to steal your identity and/or your money. The information gathered can be used to open fraudulent accounts in your name or make purchases using your financial information. Phishing attacks commonly use email, phone calls, or social media to trick you into giving out your personal information.
With phishing, the cybercriminal casts a wide net to see who will “bite.”
These campaigns are typically done through email by creating a message that appears to come from a person or organization with whom you are familiar, such as a bank, the IRS, or an online shopping site. These well-crafted messages are sent to thousands or millions of email addresses in an attempt to get some of the recipients to fall prey to the attack. The emails often contain links to a web site or a file attachment that appears, for all intents and purposes, to be legitimate. This is done in an effort to trick you into entering personal or financial information, or to infect your computer with malware that collects any personal information it finds. The cybercriminal collects this information for their own purposes or sells it to other identity thieves.
Simply applying common sense is the best defense to avoid falling victim to these types of schemes.
If the email or phone call does not seem “right,” then it is most likely a scam. A bank, online shopping site, or government agency will never send you an email, or call you, asking you to verify your personal information, financial information, or your password.
Clues that the message may be a phishing scam:
- The message or phone call tries to convey a sense of urgency to complete the action described in the message. (e.g. Your email account or bank account will be closed soon if you do not respond with the requested information.)
- The email contains an attachment along with some type of threat to get you to open the attachment. (e.g. IRS audit, salary information, layoffs, etc.)
- The email or phone call does not identify you by name but instead by a generic salutation (e.g. Dear Customer or Sir or Madam). Any company, financial institution, or government agency attempting to contact you already knows your name.
- Any email or phone call that requests any sensitive private information. No legitimate email or phone message would ask for your password, credit card, etc.
- The email contains very poor grammar or spelling mistakes even though it may appear to be coming from a legitimate organization or business.
- The email comes from someone you know but the wording or flow of the email does not “sound” like that person to you.
- The email contains a link that seems odd for the organization the email purports to represent. (e.g. The email is from your bank, but the URL of the link does not match your bank’s normal web site address.)
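The clues above can be turned into a simple defensive triage check that flags a message for closer inspection. The following Python is an added example, not code from the original article; the keyword patterns, the two-label domain comparison, and the two sample messages are constructed assumptions.

```python
import re

# Heuristics mirroring the clues listed above (constructed; not a production filter).
URGENCY = re.compile(r"\b(immediately|within 24 hours|will be (closed|suspended)|act now)\b", re.I)
GENERIC_SALUTATION = re.compile(r"\bdear (customer|user|account holder|sir or madam)\b", re.I)
SENSITIVE_REQUEST = re.compile(r"\b(verify|confirm|update) your (password|credit card|bank account|account details)\b", re.I)
THREAT_WORDS = re.compile(r"\b(irs audit|salary information|layoffs?)\b", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)  # <a href="URL">text</a>

def host_of(url):
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""

def registrable_domain(host):
    # Last two labels only; a real filter would consult the public-suffix list.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def phishing_clues(sender_domain, subject, body_html, attachments=()):
    """Return the names of the listed clues that a message triggers."""
    text = subject + "\n" + re.sub(r"<[^>]+>", " ", body_html)  # strip tags for word matching
    clues = []
    if URGENCY.search(text):
        clues.append("urgency")
    if GENERIC_SALUTATION.search(text):
        clues.append("generic salutation")
    if SENSITIVE_REQUEST.search(text):
        clues.append("requests sensitive information")
    if attachments and THREAT_WORDS.search(text):
        clues.append("attachment with threat")
    for href, _anchor in LINK.findall(body_html):
        # Clue: the link's domain does not match the organization the mail claims to be from.
        if registrable_domain(host_of(href)) != registrable_domain(sender_domain):
            clues.append("link domain differs from sender domain")
            break
    return clues

# Constructed sample messages: one suspicious, one routine.
PHISH = ("examplebank.com", "Action required: your account will be closed",
         '<p>Dear Customer,</p><p>Please verify your password within 24 hours. '
         '<a href="http://examplebank-secure.example.net/login">examplebank.com</a></p>')
LEGIT = ("examplebank.com", "Your January statement is ready",
         '<p>Hello Jane,</p><p><a href="https://www.examplebank.com/statements">View it online</a>.</p>')

if __name__ == "__main__":
    print("PHISH:", phishing_clues(*PHISH))  # four clues flagged
    print("LEGIT:", phishing_clues(*LEGIT))  # []
```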
If the IRS or government needs to contact you, they know how to reach you. If an issue with your bank or credit card does occur, your bank will reach out to you through official channels, not an email. If there is any doubt about whether an email or phone message may be a scam, do not act on or follow any instructions laid out in the email or phone call. Look up the phone number of the company or organization in the yellow pages and verify that the message is real.
It is human nature to trust, but in today’s world of cybercriminals it is always best to verify.
Other common terms associated with Phishing:
Spear Phishing: A phishing scam that is more targeted, using information about the victim (you) gleaned from other sources. An example could be an email addressing you by name that appears to come from your bank and asks for personal information. This term derives from using a spear to hook a particular fish instead of just casting a net.
Whaling: A phishing scam directed at upper-level officials in a company or organization in an attempt to elicit company or private information. These attacks are highly personalized and customized to fool the executives of a company. They are often targeted at C-level individuals within a company or organization (CEO, COO, CFO, etc.). This term derives from going after the “big fish.”
Vishing: (Voice Phishing) A phishing scam that is carried out over the phone or through voicemail. It is an attack using social engineering to fool the target into divulging personal or financial information over the phone.
Smishing: (SMS Phishing) A phishing scam that is carried out using SMS (text) messaging. The attacker will send out text messages that appear to be from a legitimate organization to get you to either call or go to a web site to verify some personal or financial information.