
What is phishing?

“Your password has expired. Click here to change it now.” Let’s be honest — most people would click on the link without a second thought. We receive emails like these all the time, so we follow them almost automatically. That’s why phishing attacks are so effective and dangerous.

Anna Rasmussen


Feb 11, 2020 · 6 min read

What is phishing?

Phishing is a scam technique that uses fake messages, websites, and social engineering to lure information or money out of people and businesses. It mostly relies on people’s habits and emotions clouding their judgment. Phishing has been around since the early days of the internet, but it’s still one of the most widespread forms of cyberattack: 32% of all data breaches last year involved phishing.

Attackers usually use phishing tactics to get money. It can be as simple as tricking a person into making a bank transfer. But some cybercriminals will use malware to get more information about a person or a company that could be sold online. Emails are the most popular form of phishing. Some are so thoroughly researched and well-done that it can be hard to spot a fake.


How to spot a phishing attack

  • It’s urging you to do something. Most phishing attacks rely on people’s fear of missing out to drive them towards questionable decisions. A sweet deal that’s available for a very short time might lead a hardcore fan of a brand to click on the link in their email or SMS without stopping to see whether it's legit.
  • It’s trying to scare you. Scam messages that prey on fear usually go something like this: someone tried to log into your account, your password was changed, or your account will soon be deleted because of suspicious activity. Since you need to react ASAP, the link to the service is helpfully provided to you. These events are quite common, so many people will not think twice before clicking on the link to secure their account.
  • There are attachments. Businesses are unlikely to send out newsletters, alert emails, or other messages with attachments — they have no reason to do so. Never download and open them or you risk catching malware.
  • It doesn’t look like it came from that sender. If that particular service never contacted you before with alerts on changed passwords or sent you special offers that seem too good to be true, it’s highly likely that it’s not them contacting you now.
  • It just looks bad. Are there grammar mistakes, strange and different fonts throughout the text, a blurry logo or no logo at all, or all caps in random places? Does the overall tone of the message seem off? These things point to a potential phishing scam.
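As an added example (not NordVPN’s code), a small Python checker that looks for the five signs above in a message: urgency and fear phrases, risky attachments, a display name that does not match the sending domain, and link text that points somewhere other than where it claims. The brand list, domains and the sample message are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Brands we expect mail from, with the domain they really send from (constructed
# placeholders; a real filter would use the organisation's own list).
KNOWN_SENDERS = {"acme bank": "acmebank.example"}
# Phrases matching the "urging" and "scaring" signs described above.
URGENCY = ("act now", "within 24 hours", "immediately", "expires today", "limited time")
FEAR = ("password was changed", "suspicious activity", "will be deleted",
        "someone tried to log in", "unusual sign-in")
# Attachment types a newsletter or account alert has no business carrying.
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".zip", ".iso", ".docm", ".html")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url: str) -> str:
    m = re.match(r"[a-z][a-z0-9+.-]*://([a-z0-9.-]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def indicators(mail: dict) -> list[str]:
    """Return the warning signs found in a message given as a dict with the
    keys from, subject, html and attachments (a simplified stand-in for MIME)."""
    hits = []
    display, addr = parseaddr(mail["from"])
    domain = addr.rpartition("@")[2].lower()
    for brand, real in KNOWN_SENDERS.items():
        # Display name claims a known brand but the address is another domain.
        if brand in display.lower() and domain != real:
            hits.append(f"sender claims {brand!r} but mails from {domain!r}")
    text = (mail["subject"] + " " + re.sub(r"<[^>]+>", " ", mail["html"])).lower()
    hits += [f"urgency: {p!r}" for p in URGENCY if p in text]
    hits += [f"fear: {p!r}" for p in FEAR if p in text]
    hits += [f"risky attachment: {a}" for a in mail["attachments"]
             if a.lower().endswith(RISKY_EXT)]
    for href, label in LINK_RE.findall(mail["html"]):
        shown = host_of(label) or host_of("https://" + label.strip())
        # Link text shows one host while the href goes elsewhere, or is plain http.
        if "." in shown and shown != host_of(href):
            hits.append(f"link text {label.strip()!r} really goes to {host_of(href)!r}")
        if href.lower().startswith("http://"):
            hits.append(f"unencrypted link: {href}")
    return hits

# Constructed sample modelled on the expired-password lure quoted in the article.
SAMPLE = {
    "from": "Acme Bank Security <alerts@acme-bank-login.example>",
    "subject": "Your password was changed - act now",
    "html": "<p>Someone tried to log in to your account. Reset it within 24 hours:</p>"
            '<a href="http://acme-bank-login.example/reset">acmebank.example/reset</a>',
    "attachments": ["statement.zip"],
}
```

Running `indicators(SAMPLE)` reports eight separate signs for the sample; a genuine statement notification from the real domain with an https link and no attachment reports none.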

Different types of phishing

Spear phishing

Phishing attacks that are tailored and targeted at a specific individual are called spear phishing. Before sending out the phishing email, the attacker researches their target. This includes information from their public accounts, data breaches they might’ve been a part of, and anything the hacker can find about them or the company they work for. With all this information, the cybercriminal can pretend to be someone trustworthy — like a co-worker, an old friend, or a representative of a popular service the victim often uses.

Whaling

Whaling is another form of spear phishing where the attacker pretends to be a high-ranking member of a company: chief officer, board member, major shareholder, etc. They are trickier to impersonate, so the cybercriminal must put a lot more work into making it believable. However, as senior members have more influence in the company, the gains are also usually much greater. Their employees transfer funds or confidential information without asking too many questions.

Clone phishing

The attacker needs a way to closely monitor their victim’s inbox for this type of phishing to work. They take a recently received email (preferably with a link or an attachment) and make a clone. Most of it is left the same, but the attachment contains malware or the link redirects to a fake website.

The new email will claim to contain updated information. For example, if there was an invoice in the original, the attacker might change the details so that the money transfer is sent to them instead. They will then spoof the sender’s email address or create a new address that is very similar to the original. A person who receives tons of similar emails every day will most likely not think twice about downloading the attachment and making the payment.

Smishing and vishing

A lot of phishing attacks are carried out over the phone as well: smishing is SMS-based phishing and vishing (voice phishing) involves phone calls.

Smishing relies on victims clicking links that lead to fake websites. In a recent FedEx/Amazon phishing scam, hackers used victims’ real first names and informed them that they needed to set delivery preferences for their FedEx packages. People receive similar texts very often, especially around Christmas time, so it may not strike you as odd at first glance. If you followed the link, you were eventually redirected to a fake Amazon website and asked to enter your credit card details to claim a free reward. Users who did so were billed $98.95 every month.

Vishing works a bit differently. It relies heavily on social engineering, creating stressful situations that push people to act without thinking. Attackers often try to scare their victims by claiming that someone tried to use their credit card, that they forgot to pay a fine, etc. Unfortunately, they often succeed. When people let emotion cloud their judgment, they give away online banking details and other personal information without thinking it through.

How you can protect yourself from phishing

  • Use spam filters. The best way to avoid phishing emails is to prevent them from landing in your inbox. This will protect you from accidentally opening an email with malicious links and attachments.
  • Get a browser filter. Spam filters don’t always work, and phishing attempts are getting more sophisticated by the day. Even experienced internet users can get tricked into clicking on a malicious link. In this case, something like NordVPN’s CyberSec feature is designed specifically for that. When you try to access a website, CyberSec looks for it in a list of known malicious sites. If it’s there, it will display a warning and not connect you to it.
  • Learn to recognize it. With a little bit of practice, you can learn to spot phishing emails easily. Even the little things matter – if your manager always signs their emails with “Thanks!” but wrote “Best regards” out of nowhere, it’s best to double-check with them. When it comes to company secrets and large sums of money, you can never be too careful.
  • Manually enter web addresses. Many people have received an email saying, “Someone tried to log into your account.” While it’s entirely possible that something of the sort happened, it’s also a popular scare tactic. When you’re not sure whether the email can be trusted, don’t click on anything in it. Instead, open a new window and go to the website in question to see if something really happened.
  • Always check the website. In the case of smishing, when a shortened URL is displayed, it’s hard to tell if it’s genuine or not. If you must follow the link, do not click on any links, download any files, or enter personal information before carefully inspecting the website it leads you to. Does it have a valid TLS certificate? No major website should operate successfully without it, so always look for “https” at the beginning of a URL and a small padlock icon next to it. Keep in mind that the padlock only shows the connection is encrypted, not that the site is genuine: a missing one is a red flag, but its presence alone proves nothing, so check the domain name itself as well. Are there any misspelled words? Are the tone of voice, colors, and imagery on the website on par with what you have come to expect from the brand? If you have the slightest doubt, leave the site and contact the service that sent you the message in the first place.
  • Stay cool — no matter what. What if a concerned bank employee calls you late at night, telling you that strange activity was spotted on your account? Tell them to block everything and visit the bank in person as soon as possible. Never give your usernames and passwords to anyone over the phone or online under any circumstances. You got a message that you won a huge prize? Great — but stop to think whether you entered any contests or lotteries recently. A clear head and some common sense are your best friends in any stressful situation.
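An added example, not from the original article, of the kind of link inspection the “Manually enter web addresses” and “Always check the website” points describe: it flags plain-http links, link shorteners that hide the destination, and hosts that read like a known brand but are registered elsewhere (the brand name buried in a subdomain, look-alike characters, or a one-letter typo). The brand list and sample links are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholder brands; a real deployment would load the company's own list.
BRANDS = {"acmebank": "acmebank.example", "shipfast": "shipfast.example"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}  # common public shorteners
# Characters attackers swap in so a fake host still reads like the real brand.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "ı": "i", "ο": "o", "а": "a", "е": "e"})

def registered_domain(host: str) -> str:
    """Last two labels of the host; enough for the single-suffix domains used here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_url(url: str) -> list[str]:
    """Return the warning signs for a link; an empty list means nothing stood out."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    flags = []
    if parts.scheme != "https":
        flags.append("no https")
    if host in SHORTENERS:
        flags.append("shortened link hides the real destination")
    reg = registered_domain(host)
    if reg in BRANDS.values():
        return flags  # genuinely the brand's own domain
    squashed = host.replace("-", "").replace(".", "").translate(HOMOGLYPHS)
    first_label = reg.split(".")[0].translate(HOMOGLYPHS)
    for brand, real in BRANDS.items():
        # Brand name buried in a subdomain or spelled with look-alike characters,
        # or a typo one edit away from the real name.
        if brand in squashed or edit_distance(first_label, brand) <= 1:
            flags.append(f"reads like {real} but is registered as {reg}")
    return flags

if __name__ == "__main__":
    for link in ("https://acmebank.example/login", "http://acme-bank-login.example/reset",
                 "https://acmeb4nk.example/", "https://bit.ly/3xyz"):
        print(link, "->", inspect_url(link) or ["ok"])
```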