As scammers continue to get smarter and more sophisticated with their tactics, individuals and businesses alike need to be more aware than ever of how to recognise and prevent threats to their online security. Phishing is one of the most widely used (and unfortunately, most successful) methods of fraud. It works by tricking the victim into giving up personal information such as their username and password to their email, bank details or social media account, and usually takes the form of a fake email or website where the victim unsuspectingly submits their details. With that information, cybercriminals can illegally steal money or data – and in most cases, insurance companies are unlikely to cover these losses when it can be traced to a mistake you made yourself. No one is completely impervious to the phishing epidemic, and some of the world’s biggest players from the FBI and Department of Homeland Security to Snapchat and WhatsApp have even recently fallen victim to such a scam. In fact, phishing attacks have grown exponentially in both frequency and sophistication in recent years, costing Australian businesses more than $900,000 annually. As a type of scam that depends on natural human weakness just as much as technical ability, phishing attacks are only going to get more aggressive and advanced in order to outsmart evolving anti-phishing and URL protection technology. This is why it’s so important to not only be aware of such scams, but to also know how to actively defend against them.
Common Types of Phishing AttacksPhishing is an umbrella term for widespread but untargeted attacks, where a scam email will go out to a wide group of people but without targeting anyone in particular. Think of it like a fisherman casting a wide net, trying to catch whatever they can. In a similar way, the attacker knows that they won’t catch everyone, but they will catch some – and that’s usually enough. There’s also a range of other, more targeted types of phishing scams floating around that it pays to be aware of.
Spear phishingThese scams are highly personalised and directly targeted, making them more difficult to identify as fake. Attackers will customise their scam emails with personal information about you such as your name, company, position and phone number (often collected from social media), making the email appear more authentic and tricking the victim into believing the sender is legitimate. The goal is the same: to trick the victim into clicking on a malicious URL or email attachment so that the attacker can steal your banking details or personal data. These types of phishing scams are especially common on social media sites like LinkedIn, where attackers can pull numerous pieces of information about you to create a customised email.
Whale phishingThese types of attacks are aimed specifically at wealthy or high-profile business executives and the like – the big fish (or whales). Like with spear phishing scams, emails are highly customised and use information that is specific to the business to make it look like it was sent from a trustworthy source, such as an employer or another employee of the organisation. The email will usually be about a ‘critical’ business matter like a legal subpoena or a customer complaint, which is designed to convince you that the email requires urgent action – usually by clicking a link or downloading an attachment.
PharmingPhishing doesn’t just start and stop with scam emails – it also extends to scam websites, where it’s known as pharming. In these scenarios, attackers will hijack a website’s domain name to redirect visitors to a fraudulent or malicious website where you’ll be asked to enter personal information. Many of these imposter websites will be made to look just like the website you think you’re visiting, which means that many victims won’t realise the website has been intercepted – especially because they also entered in the correct web address.
VishingThis form of phishing uses phone or VoIP systems. Victims will usually receive an email, voicemail or text message asking them to call a certain phone number to resolve some sort of problem or discrepancy with one of their accounts. If you call the number, an automated recording will ask you to provide personal information in order to verify your account such as your credit card details, account number and date of birth – which can then be used to hijack your account.
How to Protect YourselfLuckily, because phishing relies largely on human error to succeed, simply being vigilant and careful will play a central part in your defence. The best ways to protect yourself from phishing threats include:
- Learn how to identify scam emails. Generic greetings, poor spelling and grammar, links within the email text and threats of your account being closed or suspended if you do not respond are all signs of a phishing email. The sender’s email address and included links may also resemble authentic addresses but with a slight alteration, and the email may look like it’s from a legitimate organisation and can even go so far as to replicate the logo and graphics – but genuine companies will never ask for personal information via email or ask you to follow a link to their log-in page. If you’re ever unsure, call them and ask.
- Be wary of unsolicited phone calls. Never provide personal information over the phone, and especially not to an automated voice recording.
- Use different passwords for all your accounts and change them frequently. If you’re the kind of person who uses the same password or variations of the same password across all your accounts, you’re making it very easy for scammers to get access to your personal and financial information.
- Check the security certificate of any website asking you for personal data. You should only ever enter log-in details on HTTPS-protected sites, which you can confirm by checking the URL of the website – it should begin with https:// rather than http://.
- Keep your security software up-to-date. Using best of breed anti-spam, anti-phishing and URL protection software is essential if you want to keep your personal information secure. This will not only provide round-the-clock protection against attacks, but if you do happen to click on a link or download a malicious file, the software will often catch it.