It doesn’t take much to get us to start ranting about the dangers of phishing, and it’s a topic that we won’t stop talking about for some time. Unfortunately, phishing comes in enough forms that it isn’t always so simple to spot. For this week’s tip, we just wanted to run through the different formats phishing can take, focusing on how to identify each type.
First, let’s briefly review what phishing is.
Phishing is a Form of Social Engineering, Plain and Simple
To sum up phishing, it’s effectively the attacker trying to hack the user, instead of the network. This approach just makes sense. Let’s say you were trying to illegitimately access a business’ network—does it sound more challenging to develop the technical skills and know-how to break past today’s cyberdefenses, or to fool someone into giving you the keys to the castle?
So, attackers come up with phishing schemes, either targeting people on a wide scale or crafting specific attacks with a certain target in mind, and share them through various means of communication. Let’s go over these methods, and the warning signs you need to look out for.
By sending an email that is purportedly from a trustworthy source or authority, phishers are able to extract sensitive information from their targets. As such, phishing emails currently feature a few hallmarks:
- Attachments—An unexpected attachment in an email can easily be used as a vehicle for malware and other attacks. These can be either individual documents, or in the form of a ZIP file.
- Spoofed Links and Senders—Many phishing emails will appear to come from certain senders or websites, trying to take advantage of the trust the public places in those senders or websites. Paying close attention to these links and senders will help you catch these efforts.
- Misspellings and Grammatical Errors—Most professional communications are (or should be) proofread fairly extensively before being sent. Therefore, an email that presents a lot of these issues is somewhat likely to be a phishing scam.
Smishing is a form of phishing that is sent via text message, and as such, offers its own warning signs. For instance:
- Messages from Odd Numbers—Messages that come from non-cell numbers can be a sign of a scammer using an email-to-text service.
- Unsolicited Messages—If a message purports to come from an organization and you didn’t prompt any communication with them, take it with a grain of salt and reach out to that organization through another means.
- Personal Details—If there are personal details shared in the message itself, it could very well be a phishing scam, as scammers will try to put pressure on their victims.
Vishing is a form of phishing where a scammer will call their intended victim directly, seeking to extract personal details from the call’s recipient. Watch out for these red flags:
- Too-Good Offers—Phishers will often place phone calls promising rewards or perks that are unrealistically appealing.
- Calls from Authorities—If you receive a call from some organization or higher authority, don’t be afraid to question its validity, particularly if they start pressuring you and/or trying to scare you.
- Excessive Personal Details—A lot of your information can be found online, if an attacker so wishes, so if a caller has more information than they should, that’s a red flag.
Social Media Phishing
Phishers will also use social media to their advantage, hijacking accounts and, again, stealing personal information. To avoid this, keep an eye out for:
- Duplicated Accounts—Some phishers will find someone, make a copy of their profile, and start sending that person’s contacts invitations to connect. This is another time you should separately confirm that someone is who they claim to be.
- Bogus Links—Social media platforms offer phishers a very convenient means of sharing links to fraudulent websites, where personal details can be harvested from unwitting visitors.
- Integrated Phishing—Sometimes, phishers will use the messaging functions of these social media platforms to pose as authorities and extract key account information, like access credentials.
Hopefully, this will help you better spot phishing attacks in the future. For more assistance with your business’ IT and cybersecurity, give us a call at (505) 242-5683.