If you’re wondering why phishing is still a thing, it’s because you and your friends keep falling for it. So stop it. Stop it now.
Email is the largest platform for executing phishing scams, and criminals are getting better at using it effectively. Step 1 for not falling for the next phishing email you receive is understanding what phishing is, how it works and how to recognize it when you see it.
First things first, here’s why you need to know how to spot phishing emails:
What do phishing attacks actually take?
Phishing attacks can lead to a world of problems for you, including identity theft, data theft, fraudulent web usage, and downloading malware to your device. One wrong decision can turn your day into a long visit to your IT technician or even the authorities to clear your identity after it’s stolen.
Phishing attacks have been around for decades. They’re not going anywhere, and will likely continue to plague the internet due to the weakest link: you. Phishing emails flood our inboxes in a variety of flavors: from special offers to messages from your “bank”. Most of these are filtered by our email spam folders, but not all of them.
By design, phishing emails are well-hidden attempts at gaining your credit card and financial information. Phishing tactics are constantly becoming more sophisticated and creative at getting us to give away our information. It’s also much easier than traditional hacking because you only have to fool a person, instead of a machine.
How to go phishing
Make a convincing copy of the last email you received from your bank, change the text to a message about a problem with your account, and add hyperlinks to the “bank website”. Instead of leading to the real bank website, however, those links lead to your own site, which looks exactly like the bank’s. The users who fall for the scam will literally be giving their login credentials to you when they try to log in. Sending this to thousands of people will net you several accounts – depending on how convincing you are at spoofing a bank.
Here’s an example of a URL preview. All you need to do is hover your cursor over the hyperlink.
Unlike hackers who attempt to break into your system, phishing attacks attempt to trick you into voluntarily giving up your information. According to the Wombat 2016 State of the Phish report, phishing attacks jumped 13 percentage points from 2014, with a reported 85% of internet attacks being phishing attacks. Over two thirds of organizations surveyed reported highly targeted and personalized spear phishing attacks, up 22% from 2015.
Who are the targets?
There’s no shortage of targets for phishing attacks, particularly retailers, healthcare organizations, governments, military, financial institutions, and company executives. In 2014, phishing attacks affected 76 million households and 7 million small businesses through an attack on JPMorgan Chase & Co. In recent years, the Department of Defense and Department of Homeland Security have experienced several spear phishing attempts. The phishing attempts on military and government organizations are often attempts to steal personnel information and national defense information. Phishing attacks on healthcare organizations are generally driven by money, as healthcare is a multi-trillion dollar industry. Phishing attackers see the healthcare industry as a large target where nearly any successful attempt could reap large rewards.
How effective are phishing attacks?
While most phishing attempts are filtered to junk and spam folders, some are still effective at getting by these filters and in front of your eyes. Last year, Google reported one effective site had a 45% success rate of people turning over their information while the least successful site had a 3% information turnover rate. Information collected from phishing attempts can cause grave harm to an individual or organization. The Google report also stated within one hour of being phished, 20% of information collected can compromise accounts and websites. Takeaway: if you get phished, act quickly to stop the damage! Change your password, report the sender, and then report the site.
Why do phishing attacks still work?
Phishing attacks still work for a variety of reasons, and this leaves consumers and businesses vulnerable to phishing attacks.
- Phishing techniques are becoming more sophisticated, while we are staying at the same intelligence level.
- It’s a numbers game. If you send a fake email to ten people, chances are very few will fall for it. But send it to ten thousand people, and a certain percentage of them will fall for it. Even a small success rate of just 1% of ten thousand people is still a hundred people you managed to fool.
- We let our guard down. Email filters do a decent job of catching most phishing attempts but many still slip by. People get distracted and leave themselves vulnerable to emails appearing to be legitimate.
- Sophisticated spoofing techniques are getting even better. A phishing email can appear to come from a legitimate source by mirroring official bank or financial institution logos and appearing to come from legitimate company email accounts. Additionally, they add a sense of urgency to the message to make you take action, NOW! This is very effective as social engineering and psychology tactics are widely used to pressure people into taking action before they put too much thought into it.
How can you recognize phishing emails?
As previously mentioned, phishing attacks have become more sophisticated and can be difficult to spot if you aren’t vigilant. A phishing email will often urge you to take immediate action. For example, you may receive an email from PayPal or your bank stating your account has been compromised and you must log in to take immediate action. The email will continue with a message that not taking action will result in the closure of your accounts. In a panic, you click on the link in the email and enter your login information. At that point, you have given your login credentials to someone else, and you are now a victim of a phishing attack.
You can also identify a phishing email because it came from a sender you do not recognize. If you do not recognize who is sending the email, don’t open it; delete it immediately. Another indicator of a phishing attempt is that the URL behind a hyperlink in the email may not match the link text that is displayed. You can hover your mouse over a hyperlink without clicking on it to see a small pop-up with the URL address you will be taken to if you click on it. If the displayed link and the actual URL do not match, do not click on it. If you click anyway, check the URL in your browser. Does it match your bank’s? If not, it’s a phishing site, which you should rate and report immediately.
How can you avoid becoming the next victim of a phishing email?
You can protect yourself from phishing attacks by tightening down your spam filters and being more cautious. “The Devil’s in the details”, so pay closer attention to the details in the email. Hover your mouse over any URL the email is urging you to click on. When in doubt, go to the website (PayPal, your bank) directly to log in and review your account – don’t click on the links in the email. You can also send a spam report to many institutions warning them of the phishing attempt. This can raise awareness and help keep you and others from becoming victims. You should also change the password on your email accounts frequently as a good security practice, because once a phishing attempt successfully makes it to your inbox, the attackers may continue to send future attempts and may try to crack your password, knowing they are sending emails to a legitimate address.
Real-world consequences of phishing
On March 15, 2017, the US charged Russian FSB officers and conspirators for hacking into Yahoo and gaining access to millions of email accounts. At least one of the four men charged with hacking Yahoo used the information they gained to send phishing attempts to steal private information from people, using emails sent from hacked accounts that appeared legitimate. The defendants in the case gained unauthorized access to Yahoo’s webmail accounts to steal information from over 500 million Yahoo, Google, and various other webmail accounts.
One of the defendants used the information for financial gain because he was able to find credit card and gift card account numbers through Yahoo user communications. One of the men charged in the case ran a hacking website with email hacking services that charged $60 to hack an email. The four men in the case face charges of conspiring to commit computer fraud and abuse with a maximum penalty of 10 years, conspiring to engage in economic espionage with a maximum penalty of 15 years, conspiring to engage in theft of trade secrets with a maximum penalty of 10 years, economic espionage with a maximum penalty of 15 years, conspiring to commit wire fraud with a maximum penalty of 20 years, and several other charges. The maximum penalty the men face if convicted is over 150 years on all counts.
Bear in mind that most of the time, it’s nearly impossible to catch the perpetrators of phishing attacks, so you are your own last line of defense. Take this seriously, educate yourself and your friends so you can protect your information.