Summary: What is Phishing?

Phishing is a form of online crime that involves deceiving victims into handing over their personal details. The phisher will then use this information to achieve monetary gain at your expense.

Phishers might convince you to click on a dangerous link or open a malicious attachment to install spyware on your device and obtain your data this way. These are some tips on how to avoid phishing:

  • Use two-factor authentication on all your accounts.
  • Set up your spam filter properly.
  • Avoid sharing your contact information online and on social media.
  • Never click on suspicious links or attachments in emails or messages.
  • Use a solid antivirus to protect yourself from phishing malware.

We recommend using a solid antivirus with excellent real-time threat detection, like Norton, to protect yourself from the data-stealing malware that many phishers use.


Do you want to learn more about phishing, including over 10 different types of this scam? Read the complete article below!

Phishing is a cybercrime that affects the greatest number of people in the US. In 2022 alone, 300,000 people reported being victims of phishing to the Internet Crime Complaint Center.

Despite phishing being so common, many people ask themselves: what is phishing exactly? This article will explain what phishing is, how to recognize and prevent this crime, and what types of phishing you should look out for.

Remember, tons of phishers use dangerous malware, such as keyloggers and ransomware, to attack their targets. That’s why we always recommend using a top-class antivirus solution, such as Norton, to protect yourself.

What is Phishing?

Phishing is a social engineering attack in which cybercriminals manipulate you into giving them important personal details. These can include sensitive data like your PIN code, login credentials to your banking portal, SSN, etc.

Often, a phishing attack starts with a malicious email, message, or phone call to gain the trust of the victim. This communication will appear official, but it will actually come from a criminal. For example, cybercriminals use logos of official websites and companies.

Phishers can obtain your data or otherwise cause damage in several ways, usually by:

  • Winning your trust and asking you for your data. For instance, a scammer might claim to call you on behalf of your bank and list some personal information, such as your name and date of birth, to make you believe they are who they say they are.
  • Including a link to a phishing website in their message or email. These fake websites often look like real companies’ websites, urging you to fill out your details.
  • Including malicious links or attachments in their messages, which can infect your system with keyloggers and other malware to steal your data.

Below, you’ll find an example of phishing.

Screenshot of McAfee phishing scam

The final goal of a phisher is to either “fish” for data that they can use to steal from you directly or to sell your data on the dark web.

Different Types of Phishing Attacks

An infographic showing 11 different types of phishing attacks

Now that we’ve defined phishing, let’s look at different types of phishing. There are tons of different phishing scams out there. Malicious actors use anything from WhatsApp to hacked emails to steal their victims’ data.

Email phishing

This scam usually involves a cybercriminal impersonating a big company or organization, such as a bank or another financial institution.

The scammer will ask you for important information, such as your PIN code or login details, under the pretense of a security risk or another urgency. They’ll make you feel upset and worried that not giving them the information they request will cause you to lose money or incur other damages.

HTTPS phishing

HTTPS phishing often starts out as a variation of email phishing. A criminal sends you a convincing email, stating that you need to fill out some information to protect your account, avoid a security risk, or win a prize.

You are then guided to a page that resembles the website of the official organization the scammers claim to represent. If you fill out your data on this page, you’ll allow the scammers to steal it.

This type of phishing often works in conjunction with other phishing types, such as fake job phishing or fake prize scams. We’ll discuss both of these scams further down below.

CEO fraud

CEO fraud is a very dangerous type of phishing since it targets companies with lots of resources to steal. The criminal will imitate the CEO of a company or another important executive. They will often hack into the professional’s email to accomplish this. Alternatively, they might create an email address very similar to the CEO’s.

The scammers will rely on the authority of the person they’re imitating to pressure employees into handing over company data or transferring money to them. They’ll often insist something needs to happen fast and they’re unavailable for a confirmation call, like in the example below.

Fake email showing example of CEO fraud

Whaling

Whaling is one of the most dangerous phishing types for businesses as it targets senior-level executives, often CEOs. Since CEOs generally have huge decision-making power, deceiving them successfully can have devastating consequences.

Unlike CEO fraud, whalers view CEOs as their end targets rather than a means to manipulate another employee. Once the scammer deceives a manager or senior executive, they can get them to pay huge fake invoices or easily infiltrate the rest of the company network, for instance.

WhatsApp fraud

WhatsApp fraud is a phishing scam that involves criminals pretending to be someone you know. They’ll come up with a fake emergency and ask you for money or a loan. WhatsApp fraud is an increasingly common phishing attempt.

After hacking another WhatsApp account, the scammer will contact the initial victim’s contacts and ask them for money. They’ll usually mention hospital bills, personal emergencies, or other fake stories.

Hacking the initial target’s WhatsApp account can happen in different ways. It could happen by sending them a WhatsApp security code and requesting that they share this code, or by hacking into the target’s voicemail, for instance. For more information, check out our article on WhatsApp fraud.

Note:

This type of fraud doesn’t only take place on WhatsApp. It’s called WhatsApp fraud because that platform is a popular channel for these scammers, but the same scam also happens on Facebook and many other social media platforms.

Fake job phishing

This scam relies on offering the victim a job as an excuse to ask them for sensitive data or guide them to a dangerous page. This scam is getting more and more common. Some of our team members regularly receive these types of phishing messages.

A screenshot of a fake job phishing scam

If you engage with these messages, the phisher might send you a link or attachment that could contain data-stealing malware, for instance. Alternatively, they might ask you for your financial information, claiming they need it to pay you for your work.

Free prize scams

Another common phishing scam is the so-called “free prize scam.” A scammer will send you a message or email claiming you’ve won a free prize. They’ll tell you all you need to do is click on a link and fill out some information to collect your prize.

A screenshot of a fake prize phishing scam

Generally, the form you need to fill out is aimed at stealing your financial data or other sensitive information. Alternatively, the scammer might install malware on your device if you click on the link.

Pro Tip:

If you didn’t join a contest, then you probably didn’t win it. Unsolicited prizes are more often than not scams in disguise, so be careful which “prizes” you claim online.

Evil twin phishing

Evil twin phishing is all about imitating a public Wi-Fi network, hence the name. The idea is to convince Wi-Fi users in public spaces, like airports, train stations, or shopping malls, that the scammer’s network is the official free Wi-Fi network of a big company, like Starbucks or McDonald’s.

Once they’ve tricked you into connecting to their sham network, they can easily intercept all your unencrypted data. In general, public Wi-Fi networks always carry this risk. This is exactly why we recommend using a good VPN when you’re on a public network. A trusted VPN like NordVPN will encrypt your data and make it illegible to hackers and evil twin phishers.

NordVPN is our VPN of choice for avoiding phishing because it has foolproof encryption and Threat Protection, a built-in feature that blocks malicious websites, website trackers, and ads. It even checks downloads for viruses or suspicious behavior. You can get NordVPN for 72% off when you use our exclusive link below:

Fake invoice phishing

One of the more common phishing scams involves cybercriminals sending over fake invoices. Scammers send over a fake but very real-looking invoice, telling you to pay up quickly or suffer the consequences.

You’re often told to send the money to a specific bank account. Sometimes they’ll even claim you’re in debt and that they’ll send a debt collector if you don’t transfer the money fast.

Alternatively, scammers might use a fake invoice to scare you into contacting them, so they can try to manipulate you into handing over your personal data.

A fake invoice for an Espresso machine

Pro Tip:

If you want to check whether an invoice or payment reminder is legitimate, call the company that sent it. Don’t use the contact information listed on the invoice, though. Always go to the official website of the company and get their contact details from there. Ask for confirmation of the invoice, the amount of money mentioned, and the account it should be transferred to before paying anything.

Angler phishing

Angler phishing, named after the scary-looking predatory anglerfish, is a phishing scam that takes place on social media, like Facebook.

Criminals will find potential victims who are complaining about an issue they’re experiencing with a company or organization, such as a bank. After finding their next victim, the scammer will create a fake social media account that claims to represent the company the victim is complaining about and contact the victim.

Often, customers are eager to see their issues resolved. Unfortunately, this means plenty of people fall for these scams. When they answer the scammer’s message, the latter will often send them a link to a malicious page.

Once the victim opens the link, they’ll be prompted to fill out their personal and sensitive data, such as their banking details. The scammers will claim this will help resolve the issue, but it will only serve to give the scammers a foothold in their personal and financial accounts.

Vishing (Voice-based phishing)

These days, phishing is getting more and more messaging- and social media-based. Even so, vishing, or voice phishing, still happens regularly.

In a vishing scam, a scammer might pretend to represent your bank or another important organization. A particularly common variation of phone phishing is help desk fraud.

This scam involves a criminal pretending to act on behalf of a big software company, like Microsoft. The scammer will convince the victim that there’s an issue with their device or the software on it. Then, they convince the target to share their screen with the cybercriminal, allowing the latter to extract valuable data from the device or infect it with malware.

What is Spear Phishing?

Spear phishing attacks distinguish themselves from many other phishing attacks because they target victims individually. Hackers pretend to know you, and the messages may appear to come from someone you know. In this sense, spear phishing is more of an umbrella term, as it includes various types of direct phishing attacks, such as CEO fraud, whaling, and WhatsApp fraud.

Spear phishing often begins with hacking a social media or email account, as is the case with CEO and WhatsApp fraud. Since spear phishing relies on a highly targeted attack, access to the accounts of the people the scammers are imitating is often vital.

Spear phishers often do extensive research on both the person they’re imitating and their targets to further sell the scam. Many spear phishing scams trick users by pretending to be a friend or family member of the victim and being stuck in a difficult situation to provoke the victim’s empathy. Subsequently, the scammer will ask for money to “help them out,” like in the example below:

Facebook Phishing message

Pro Tip:

Have you received a message from a friend via email, Facebook, or another social media platform asking for money? Get in touch with the person you think you’re talking to by calling them. This way, you can check whether they’re actually in trouble. If not, their account has been hacked.

How to Protect Yourself Against Phishing

An infographic showing five signs to recognize phishing attacks

We’ve seen that there are tons of different phishing scams out there. Fortunately, there are also some ways to prevent phishing attacks. The most important one, by far, is using your common sense and refraining from giving out personal data to people who have no business asking for it.

Remember that phishing always requires two parties to take action. The scammer initiates, and the victim hands over their data or clicks on a dangerous link or attachment.

Apart from keeping your data to yourself, these are the best ways to protect yourself against phishing:

  • Use two-factor authentication, especially on important accounts like online banking portals. Adding an extra login step will make it much harder for phishers to access your accounts.
  • Configure your spam filter. Email providers have spam settings you can use to keep malicious emails out of your inbox. For instance, Gmail lets you specify what kind of emails and which email addresses you don’t trust, under Settings > Filters and blocked addresses.
  • Avoid sharing your contact details online and on social media to make it harder for phishers to obtain your contact information.
  • Never click on suspicious links or attachments in emails and messages.
  • Use a reliable VPN, like NordVPN, to encrypt your data to stay safe on public Wi-Fi and mitigate damage from Evil Twin phishing.
  • Use a good antivirus with real-time threat detection, like Norton 360, to detect the dangerous malware that phishers like to use.

Phishers often rely on dangerous links and attachments to infect your device with data-stealing malware. As such, it’s vital to have a good antivirus with excellent real-time threat detection running at all times.

Look no further than Norton. This great antivirus has achieved nothing but a perfect AV-Test protection score for the last 10 years straight! Moreover, Norton will provide you with an additional spam filter, on top of your email provider’s filter to get rid of tons of potential phishing emails.

How to Recognize and Prevent Phishing Attacks

Have you received an email, text, or other message from an official institution or a friend asking for money? Think twice before you do anything! You might just be dealing with a phisher!

Below, we’ll quickly go over some major signs that could very well point to a phishing scam.

Sign 1: Greeting, language, spelling, and grammar mistakes

Often, phishing emails are sent out to lots of people at once in large-scale phishing campaigns. This means they aren’t always personalized. Instead, you could get an email with a standard “Dear Mr./Mrs.” or something similar. Official organizations like banks address their customers properly, so non-personalized communication could be a sign of a scam.

Another phishing sign is an email or a message with lots of spelling or grammar mistakes. Many cybercriminals might be from non-English-speaking countries or simply not have great writing skills and make obvious errors.

A screenshot of a parcel phishing scam that includes a suspicious link

As you can see in the screenshot of a link-based phishing scam above, the recipient isn’t properly addressed. In fact, they aren’t addressed at all. Moreover, the entire first paragraph is phrased very awkwardly and unprofessionally, adding to the suspicion.

Another technique often used in phishing messages is creating a sense of urgency. Language such as “URGENT,” “IMPORTANT” or “FINAL NOTICE” could indicate you’re dealing with a phishing email.

Sign 2: Incorrect company email addresses

Phishing emails are often sent by fraudulent email addresses. Always look at the email address of the sender and check whether it’s legitimate.

For example, if you’re a customer of Bank of America, you might get official emails from addresses ending in @bankofamerica.com. Because cybercriminals don’t own this domain, they can’t use these email addresses.

Because of the above, cybercriminals will often contact you from a very similar domain or use a general email provider. They could, for example, use [email protected] or something ending in @americanbank.com.

An example of a Bank of America phishing scam from an incorrect but similar email address

As you can see in the phishing example above, scammers use an email address that might lead many customers to believe they’re actually dealing with a Bank of America security representative.

You may also find intentional spelling errors in email addresses; by adding a letter or two to the original domain, criminals try to trick you into thinking the message is from a legitimate sender. Sometimes, phishing email addresses consist of random numbers and letters. These are easy to spot and should never be trusted.

In some cases, a phishing message appears to have a trustworthy sender. Sometimes it even seems to be sent from your own email address. This is called ‘email spoofing’ and often occurs in phishing and business email compromise (BEC) scams.

Pro Tip:

If you’re in doubt, always contact the sender by looking up the right contact information on their official website. If it’s an email from your own address, simply ignore it.

Sign 3: Requests to share personal information

If you receive an email, text, or other message asking for personal data, such as your login information, this could be a bad sign. Never share your personal or account information via email or text if you’re not sure it’s safe.

Big organizations, like banks, have secure processes that don’t require them to know your sensitive information, so they won’t ask for it. For instance, if you’ve lost your account information, they’ll often send a letter to your home address with instructions on how to log in and create a new password.

An example of a Bank of America phishing scam from an incorrect but similar email address

The phishing message above is a fine example of a totally unwarranted request for very sensitive information. Your bank should already have your personal information on file, and they’ll never ask you for your login credentials to your online banking portal.

Warning:

Banks don’t ask for your data on the phone or by email! Financial institutions never ask for your login credentials or information like PIN codes or TAN codes on the phone or by email/message. If this happens to you, it’s a phishing attempt, and you should call your bank immediately!

Sign 4: Suspicious attachments

A simple click on an attachment in a phishing message could already install malware, such as keyloggers and Trojans, on your device. Only open files that you completely trust and expect to be sent. Be on the lookout for any file names and file types that seem to be out of the ordinary.

Files ending in .zip or .exe should not be trusted at face value. Even PDF files aren’t always safe. You’ll find an overview of file extensions that could be used in phishing emails below.

  • .bat (Batch)
  • .com (command file)
  • .cpl (Control Panel)
  • .docm (Microsoft Word with macros)
  • .exe (Windows Executable file)
  • .jar (Java)
  • .js (JavaScript)
  • .pif (Program Information File)
  • .pptm (Microsoft PowerPoint with macros)
  • .ps1 (Windows PowerShell)
  • .scr (Screensaver file)
  • .vbs (Visual Basic Script)
  • .wsf (Windows Script File)
  • .xlsm (Microsoft Excel with macros)
  • .zip (Compressed)

If you want to know what type of file a certain attachment is, check the letters after the last full stop in the file name; that final extension is what determines how your computer opens the file.

Cybercriminals might try to fool you by working a fake, document-sounding extension into the file name. For example, they might try to make you believe you’re dealing with a PDF file by calling it ‘InvoicePDF.exe’. Instead, it’s a .exe file used to install malicious software.
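The checks above, as a small script added here (the article itself contains no code): it applies the extension list, catches the ‘InvoicePDF.exe’ trick and looks inside a .zip attachment. The decoy word list and the sample archive are constructed assumptions; note that Windows hides known extensions by default, so the name shown in a file browser can differ from the real one.

```python
"""Flag risky email attachment names, applying the checklist above.

Added example, not code from the original article. It checks three things:
whether the final extension is on the article's list, whether a document-
sounding name hides a risky extension ("InvoicePDF.exe", "report.pdf.exe"),
and, for .zip attachments, whether the archive contains such files.
Caveat (assumption): Windows Explorer hides known extensions by default, so
the name a user sees can differ from the real file name this code inspects.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions from the article's list, lowercase.
RISKY_EXTENSIONS = {
    ".bat", ".com", ".cpl", ".docm", ".exe", ".jar", ".js", ".pif",
    ".pptm", ".ps1", ".scr", ".vbs", ".wsf", ".xlsm", ".zip",
}

# Words scammers glue onto a file name to make it look like a document (assumed list).
DECOY_HINTS = ("pdf", "invoice", "receipt", "scan", "document")


def classify_attachment(name: str) -> list[str]:
    """Return the reasons a file name looks risky; an empty list means none found."""
    path = PurePosixPath(name.strip())
    suffixes = [s.lower() for s in path.suffixes]
    stem = path.stem.lower()
    reasons: list[str] = []
    if not suffixes or suffixes[-1] not in RISKY_EXTENSIONS:
        return reasons                      # only the last extension counts
    reasons.append(f"risky extension {suffixes[-1]}")
    if len(suffixes) >= 2:                  # "report.pdf.exe"
        reasons.append("double extension hides the real file type")
    if any(hint in stem for hint in DECOY_HINTS):   # "InvoicePDF.exe"
        reasons.append("document-like name with a risky extension")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Run classify_attachment over every file inside a zip given as bytes."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.namelist():
            if member.endswith("/"):
                continue                    # directory entry, nothing to open
            reasons = classify_attachment(PurePosixPath(member).name)
            if reasons:
                findings[member] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a decoy 'PDF' that is really an .exe, plus a text file."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("Invoice_2024/InvoicePDF.exe", b"constructed placeholder bytes")
        archive.writestr("Invoice_2024/readme.txt", b"harmless text")
    return buffer.getvalue()


if __name__ == "__main__":
    for sample in ("photo.jpg", "InvoicePDF.exe", "report.pdf.exe", "Archive.ZIP"):
        print(sample, "->", classify_attachment(sample) or ["looks ordinary"])
    print("zip findings:", scan_zip(build_sample_zip()))
```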

Apart from paying close attention to file extensions, we also recommend using our top antivirus software, Norton 360, to automatically scan any email attachments you receive. This way, you’ll be protected against email malware used by phishers.

Norton has achieved a perfect AV-Test security score for 10 years straight. This means it’s highly unlikely any phisher will get a malicious attachment past its defenses! Moreover, thanks to Norton’s spam filter, you’ll get fewer dangerous emails and attachments in the first place!

Sign 5: Suspicious links

Have you spotted a link in an email that you don’t trust? Don’t click on it. Not every link leads to where it says it’ll lead you.

Luckily, you can easily check this on your PC by hovering your cursor over the link (without clicking it!) and checking the bottom left corner of your browser. A small white bar will appear with the exact webpage the link leads to. Is this a website you don’t recognize or trust? Then this is likely one of many link-based phishing attempts.

The address might even look like a trustworthy website. Always check whether everything’s spelled the right way and the domain is correct (for example, bankofamerica.com/info instead of bankofamerica.officialwebsite.com/info).

A screenshot of a parcel phishing scam that includes a suspicious link
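Sign 2 and the link check above both come down to comparing the domain a message really uses with the one it claims to use. Here is an added example (not the article’s own code) that classifies both a sender address and a link target against an expected domain; the free-mail list, the two-label domain rule and the sample addresses are assumptions.

```python
"""Compare where a sender address or link really points against the expected domain.

Added example, not code from the original article. It covers the cases the
article describes: the genuine domain, a free webmail sender, a near-miss
domain such as americanbank.com or a one-letter tweak, and a link whose host
merely starts with the brand (bankofamerica.officialwebsite.com). The two-label
rule in registrable_domain is a simplifying assumption; production tools use
the Public Suffix List so that hosts like example.co.uk are handled correctly.
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Free providers a real bank would never send from (assumption: short list).
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def registrable_domain(host: str) -> str:
    """'secure.bankofamerica.com' -> 'bankofamerica.com' (last two labels only)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one- or two-letter tweaks like 'bankofamerlca'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shares_chunk(a: str, b: str, n: int = 5) -> bool:
    """True if a run of n characters of a occurs in b ('ameri' in 'americanbank')."""
    return any(a[i:i + n] in b for i in range(len(a) - n + 1))


def classify_host(host: str, expected: str) -> str:
    """Return 'legitimate', 'webmail', 'lookalike' or 'unrelated' for a host name."""
    host = host.lower()
    expected = expected.lower()
    actual = registrable_domain(host)
    if actual == expected:
        return "legitimate"                # the real domain, any subdomain
    if actual in FREE_MAIL:
        return "webmail"                   # e.g. a "bank" writing from Gmail
    brand = expected.split(".")[0]
    candidate = actual.split(".")[0]
    if brand in host:                      # brand used as a subdomain of another domain
        return "lookalike"
    if edit_distance(brand, candidate) <= 2 or shares_chunk(brand, candidate):
        return "lookalike"                 # misspelling or rearranged brand words
    return "unrelated"


def check_sender(from_header: str, expected: str) -> str:
    """Classify the domain in a From: header such as 'Bank of America <x@y.com>'."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return "unrelated"
    return classify_host(address.rsplit("@", 1)[1], expected)


def check_link(url: str, expected: str) -> str:
    """Classify the host a link actually leads to (what the hover-over shows)."""
    return classify_host(urlsplit(url).hostname or "", expected)


if __name__ == "__main__":
    # Constructed samples modelled on the article's examples.
    print(check_sender("Bank of America <alerts@bankofamerica.com>", "bankofamerica.com"))
    print(check_sender("Bank of America <support@americanbank.com>", "bankofamerica.com"))
    print(check_link("https://bankofamerica.officialwebsite.com/info", "bankofamerica.com"))
```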

What to Do When You’re a Victim of Phishing

An infographic showing five things you should do when you're a victim of phishing

Have you become a victim of phishing? The security measures you should take depend on the kind of scam. Here’s what you can do if you’ve fallen prey to a phishing scam:

  • Block your card and call your bank immediately if you ever give someone your bank information by accident.
  • Change your password if you suspect someone has gained access to it.
  • Use a trusted antivirus program to scan your computer if you’ve accidentally clicked on a suspicious link or downloaded a suspicious file.
  • Report phishing attempts to the appropriate authorities in your region.
  • Inform your family and friends if you’ve fallen victim to a scam because, chances are, the scammers might contact them too.

Final Thoughts: What is Phishing?

Phishing scams affect more people than any other cybercrime, by a considerable margin. Whether we’re talking about old-school email phishing or more modern phishing scams like WhatsApp fraud, CEO fraud, or angler phishing, the consequences are often devastating.

The objective of phishing is to extract valuable information from the target. This can be done by convincing the victim to share this information or by installing dangerous malware on their devices through malicious attachments or links.

Some important ways to protect yourself from phishing and the damage it can create include using two-factor authentication, not sharing your contact information online, and using a strong antivirus, like Norton, to protect yourself from the data-stealing malware many phishers use.

Of course, despite phishing’s prominence and devastation, it’s far from the only type of cybercrime you should look out for. There are plenty of other threats out there, such as identity theft, brute force attacks, and sextortion, just to name a few. Be sure to check out these articles to learn about other online scams and risks:

Phishing: Frequently Asked Questions

Do you have a specific question about phishing? Our frequently asked questions below might help you find the answer.

What is phishing?

Phishing is a form of online crime in which criminals try to steal personal information or money through various tricks and channels. Victims are often approached via e-mail or text message. The criminal pretends to be someone else. This could be an official organization, but also a close friend.

What are the different forms of phishing?

There are different forms of phishing:

  • Scams via WhatsApp or text message
  • Fake invoices
  • E-mails or social media messages from acquaintances
  • Phishing over phone

How can I recognize phishing?

The tips below will help you recognize phishing:

  1. Pay attention to salutation, use of language and spelling mistakes.
  2. Check the sender.
  3. Look out for suspicious attachments.
  4. Do not just click on a link.
  5. Stay informed about the latest developments in the field of phishing.
  6. Follow your instincts.

What can I do if I have become a victim of phishing?

If you have become a victim of phishing, please take the following steps:

  1. Contact your bank immediately to have your account blocked.
  2. Change your password if it’s an account for an online service.
  3. Use antivirus software to scan your computer.
  4. Report the phishing to appropriate authorities, such as the police.
  5. Inform your (online) friends about the fraud.