Phishing is defined as a cybercrime designed to target victims via email, telephone, or text message, according to Phishing.org, a resource for IT professionals and their users. Attackers pose as a legitimate institution to make individuals provide their card details, passwords, and other sensitive data. The information from the targets can be used to access their accounts, resulting in identity theft and financial loss.
Other phishing scams involve downloading and installing malware or inadvertently installing ransomware in order for the attacker to gain profit, stated Danny Palmer of ZDNet, a technology news and analysis website.
Complex phishing scams can involve hackers using fake social media accounts, emails, and more to build trust with the victim in a span of months or years in cases where specific people are phished for specific data. In these schemes, victims are more likely to give sensitive information because they trust the sender. Anyone can be a target of phishing— from commercial businesses and the Democratic National Committee to critical infrastructure and individuals.
Respondents’ Awareness and Knowledge of Phishing
Security.Org, a website dedicated to simplifying home security and personal safety, surveyed more than 900 people about their knowledge of phishing and analyzed data from the FBI Internet Crime Report to assess how cybercrimes have changed over time. Security.org found that the number of cybercrime victims of phishing/vishing/smishing/pharming showed a 59% increase in 2015, followed by confidence fraud/romance (48%), gambling (38%), lottery/sweepstakes (34%), harassment/threats of violence (24%), charity (20%), IPR/copyright and counterfeit (16%), misrepresentation (9%), and crimes against children (3%).
Meanwhile, the highest percentages in the number of cybercrime victims were extortion (187%), BEC/EAC (160%), personal data breach (158%), investment (104%), and denial of service/TDos (76%). With regard to phishing awareness, 96% said they know what phishing is while 88% could accurately define phishing. When asked about the respondents’ awareness of where phishing occurs, 47% do not believe that phishing occurs through fraudulent software, along with web advertisements (43%), social media (30%), phone calls (26%), text messages (22%), and email (2%).
By generation, 59% of Baby Boomers did not believe that phishing could occur through fraudulent software (versus 47% of Generation X and Millennials) and 54% did not also believe that it could occur in web advertisements (versus 42% and 41%). Compared to Gen X (31%) and Millennials (25%), 41% of Baby Boomers did not believe that phishing could occur in social media.
Baby Boomers were also known for not believing that it could occur in phone calls (27% versus 25% and 26%), text messages (26% versus 22% and 19%), and emails (1% of Boomers and Gen X versus 3% of millennials). Security.org also asked the respondents to spot a phishing scam, with only 5% of them answering all questions correctly. 12% got all the questions wrong while participants got 60% of the questions wrong overall.
Among those who answered all questions correctly, 86% stated that abstaining from clicking, downloading, opening anything from an anonymous sender was key to avoiding phishing scams. This was followed by ignoring any emails whose sender is unfamiliar to you (80%), using an email spam filter (74%), ignoring text-based communications that ask you to click on links to share personal data (74%), and using anti-virus software (69%).
Other ways to avoid phishing scams were only opening attachments in text-based communications if you are expecting them and know what they contain (69%), ignoring generic communications that include little to no information about you (69%), and ignoring pop-up windows (60%).
How Do Phishing Schemes Work?
Many people don’t have the time to scrutinize every message or text they receive in their inbox, and this is what phishers want to exploit to gain information from you. Scams vary depending on the targets, but some schemes are aimed towards unwary consumers. For example, scammers will change the email subject line to catch the target’s attention, which is a common technique that includes prizes won in fake lotteries or contests. For you to “win” the prize, you are asked to enter your name, birthday, address, and bank details to claim it. You will not receive a prize once you enter your credentials.
Another technique used by scammers is to write up a false claim that appears to be from banks looking to verify your details or from online shops verifying non-existent purchases. Attackers can even pose as tech security firms, saying that they need access to your information to keep you safe. If you are a business owner, attackers might pose as someone from within your organization or one of your suppliers. Scammers will instruct you to download an attachment, claiming that it has information about a contract or deal.
What Are the Telltale Signs of Phishing?
Does the message contain spelling and grammatical errors? Chances are, it is a phishing email. Official messages from any organization are well-written and are unlikely to contain errors. Another sign of phishing is when you see shortened or strange URLs in messages. It is common for phishing messages to lure the victim into clicking a malicious link to a fake website designed to steal your data.
If you want to check if the link is legitimate, hover your cursor and see if the web address is the same as the link. Don’t click on it if you think it looks fake. Attackers may even make subtle changes to a web address and hope that you won’t notice anything. For example, after game developer Blizzard was hacked, attackers spammed messages claiming that players' World of Warcraft accounts were compromised. The attackers asked players to click on a link and enter their credentials to secure their accounts. What made the link different from World of Warcraft’s official link was that the “L” in “World” was changed to a “1.”
If a message warns you that suspicious activity has been detected and asks you to click on a clink to verify your log in details, it’s also a clear sign of phishing. What if it was written with perfect grammar and spelling? What if it contained the official logo of the company? Check the sender address to see if it contains a string of characters and the email was not sent from an official source.
Anyone can be a victim of phishing, including businesses. Some messages are too good to be true while others look like those sent from legitimate organizations. Users should exercise vigilance when checking messages and emails or answering phone calls.