Phishing attacks have dramatically increased in number in recent years. But what is phishing? How do these scammers obtain user information? Moreover, most crucially, what are the best practices for avoiding a phishing attack?
Phishing: an overview
Phishing involves hackers attempting to obtain sensitive information such as passwords or credit card details from unsuspecting individuals by pretending to be a legitimate organisation via electronic communication channels. The “phishers” may use email, text, or even phone calls to trick the victim into inadvertently giving them information which the scammer can then use for nefarious purposes.
Although phishing attacks can take many forms, the aim is always to defraud from the victim while making them think that they are in contact with somebody they already trust.
Due to extensive media coverage, the general public has become aware of typical phishing schemes. As a result, scammers have had to become more creative in the manner in which they attempt to trick their victims. They have ramped up their eﬀorts in designing convincing emails. It is becoming increasingly diﬃcult to identify a fraudulent email or website. However, despite the increased challenge, there are some simple precautions you can take to ensure that you do not fall victim to one of these scams.
Spotting phishing emails
First and foremost, users should always be suspicious of emails asking you for login information. Legitimate and reputable banks or organisations never email you for passwords or any other sensitive information. If you get an email asking you to sign in to your account because of an unspecified “issue”, always open another tab and search for the website and log in from there. Do not attempt to access your account by following the link in the email. If there is an issue with your account, there would be a notification when you log in. If in doubt, call the organisation and ask the representative about any problems with your account. They can confirm whether the email is legitimate or fake.
If you get a call from an individual who claims to be from your bank or another organisation which holds some personal information belonging to you, always check the number from which they are calling and see if it matches the number listed on the company’s website. If it doesn’t, hang up and call the number on the website. They can tell you if a genuine employee or a phisher had contacted you.
In addition to user awareness, technical solutions can be implemented to reduce the risk of falling victim to a phishing scheme. Email inboxes usually have inbuilt spam filters which filter out large amounts of suspicious emails. If a suspicious email makes it through, mark it as spam and delete it to prevent yourself from receiving similar emails in the future.
Sometimes emails make it through spam filters and the user cannot immediately identify whether or not they are legitimate communications. These emails are often crafted to be as convincing as possible, including the brand logo and even personal information about the victim that the scammer has obtained from social media, they may contain telling clues which give them away as frauds. In such cases, users should be aware of spelling errors, incorrect use of grammar, poor quality images or graphic design, as these are all signs that the email is not from a legitimate company.
The email address itself may look fake; for example, legitimate emails from PayPal are sent from a @paypal.com email address, whereas fake emails may be from a web-based email address (such as Google or Yahoo) while pretending to be from PayPal. Companies often address their emails to the customer directly, and not in a generic fashion such as “To our valued customer”.
Users should always check the URL of websites to which they are directed in an email, as these may be the only give-away that the whole thing is a scam. URLs from fake websites may use odd spellings, such as “0” for “O” so that upon first glance they appear legitimate. When in doubt, always find the website through an independent search through a browser instead of following a link embedded in an email.