Where do I forward phishing emails?

What is phishing?

Phishing is a type of online scam that targets users by email, text message, or phone calls. The goal is to steal sensitive information like login credentials or financial information by masquerading as a trustworthy entity. Phishers attempt to lure users to enter information on fake websites that look identical to legitimate ones.

Common phishing techniques include sending fake login pages pretending to be from a real company, fake notifications of security breaches requiring password resets, urgent messages warning of account suspensions, attachments with malware, and links to sites that download malware. Phishers craft messages to pressure users to act hastily without closer inspection.

The word “phishing” likely originated as a variant of “fishing,” referring to baiting users with fraudulent messages. Attackers cast a wide net hoping to hook targets and “reel in” sensitive information. The overall goal is to steal login credentials, financial account details, social security numbers, or to install malware like keyloggers to collect further data. With this stolen data, phishers may commit identity theft or fraud.

According to Wikipedia, “Phishing is a form of social engineering and scam where attackers deceive people into revealing sensitive information or installing malware such as keyloggers.” [1]

How to recognize phishing emails

Phishing emails often contain some telltale signs that can help you identify them as fraudulent. Here are some common indicators to watch out for:

Spelling/grammar errors – Phishing emails may contain typos, awkward phrasing, or other grammatical mistakes. Legitimate companies put effort into proofreading official communications.

Suspicious sender address – The “From” address may look odd or unofficial, like an address from a public email provider instead of an actual company domain. Pay attention if the sender email does not match the company or person it claims to be from.

Generic greetings – Getting an email addressed “Dear user” or “Hello” instead of your name can signal a phishing attempt, as legitimate senders typically personalize messages.

Urgency and threats – Phishing emails often try to instill fear or panic by claiming your account will be shut down or demanding immediate action. Be wary of alarming threats meant to trick you into clicking.

Requests for sensitive information – Real companies don’t ask for sensitive data like passwords or Social Security numbers over email. If an email asks you to verify or update this type of information, it’s likely a scam.

Spoofed sender/domain – It’s easy for scammers to spoof the From address to make it look like an email is coming from a trusted source. But if the domain name looks slightly different, it may be fraudulent.

Links to sketchy sites – Hover over any links to preview the URLs. If they lead to odd or unfamiliar sites instead of official company domains, they could be malicious.

Risks of phishing

Phishing emails pose significant risks to individuals and organizations. Some of the main risks include:

Identity theft

One of the most common goals of phishing attacks is to steal personal information for identity theft. Phishers may ask for sensitive information like Social Security numbers, bank account details, or login credentials. With enough personal information, criminals can open fraudulent accounts or make purchases in the victim’s name.

Financial loss

Phishing scams often directly target the finances of individuals and businesses. Fake invoices, requests to “update” account information, or pleas for help from compromised email accounts can trick victims into wiring money or sharing financial data. Businesses can lose direct funds as well as suffer lost productivity and recovery costs after a phishing incident.

Malware/ransomware installation

Phishing emails may contain malicious links or attachments that install malware like viruses, spyware or ransomware when opened. This gives criminals access to sensitive files and allows them to lock systems until a ransom is paid.

Hacking of accounts

Phishers frequently aim to steal login credentials for email, bank accounts, online services, and work networks. Access to these accounts allows criminals to monitor private communications, steal funds, harvest additional information, and cause further damage.

What to do if you receive a phishing email

If you receive an email that you suspect to be a phishing attempt, it is important not to interact with it. Here are the steps you should take:

Do not click any links or attachments in the email. Phishing emails often contain malicious links or attachments that can infect your device or trick you into entering sensitive information on a fake website. Even clicking “unsubscribe” or other links can verify your email address to scammers. [1]

Do not reply to the email or contact the sender. Replying will let the scammers know your email address is active. [2]

Forward the suspicious email to your organization’s IT security team or the appropriate email provider’s phishing reporting address. For example, you can forward phishing emails to [email protected] if your organization uses Barracuda email security. Gmail users can forward to [email protected]. [3] This will help get the email reported so protections can be put in place.

Deleting the email is also recommended so you do not accidentally open it again later. [2]

[1] https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/phishing

[2] https://www.eiresystems.com/what-to-do-if-you-get-a-phishing-email/

[3] https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44

How to forward phishing emails

If you receive an email that you suspect is a phishing attempt, you should forward it to the Federal Trade Commission (FTC) for investigation. The FTC provides a direct email address for reporting phishing scams: [email protected].

When forwarding suspicious emails to the FTC:

  • Forward the original, unopened email message as an attachment.
  • Include a message explaining that you believe the attached email is a phishing attempt.
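The two steps above, carried out in code as an added example that is not part of the original page: the suspect message is wrapped unmodified as a message/rfc822 attachment so its transport headers survive, with a covering note in the body. The reporting address, the sample suspect message and its headers are constructed placeholders; substitute the address your provider or the FTC publishes.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Placeholder reporting address; substitute the address your provider or the FTC publishes.
REPORT_TO = "phishing-report@example.org"

def build_report(raw_suspect, reporter, report_to=REPORT_TO):
    """Attach the untouched suspect message (message/rfc822) plus a short note.

    Forwarding inline rewrites the headers; attaching keeps Received, Return-Path,
    Authentication-Results and the real From intact for whoever investigates."""
    original = message_from_bytes(raw_suspect, policy=policy.default)
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = report_to
    report["Subject"] = "Suspected phishing: " + (original["Subject"] or "(no subject)")
    report.set_content("I believe the attached email is a phishing attempt. "
                       "The original is attached unmodified, headers included.")
    report.add_attachment(original, filename="suspect.eml")  # becomes a message/rfc822 part
    return report

def attached_original(report_bytes):
    """What the receiving side does: pull the embedded original back out of the report."""
    report = message_from_bytes(report_bytes, policy=policy.default)
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None

# Constructed sample suspect message carrying the transport headers analysts need.
SUSPECT = b"""Received: from mail.examplebank.net by mx.example.org with ESMTP id abc123
Authentication-Results: mx.example.org; spf=fail
From: ExampleBank Support <security@examplebank.net>
To: someone@example.org
Subject: Account suspended
Content-Type: text/plain

Dear user, verify your password at https://login.examplebank.net/verify
"""

if __name__ == "__main__":
    print(build_report(SUSPECT, "someone@example.org").as_string())
```

Most mail clients offer the same thing as "Forward as attachment"; the point is that the Received and Authentication-Results lines reach the analysts, which an inline forward discards.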

The FTC relies on reports from individuals to identify and stop phishing campaigns. By forwarding scam emails promptly, you can help protect yourself and others from falling victim to cyber fraud.

How organizations combat phishing

Organizations use a multi-layered approach to combat phishing attacks and protect their systems and data:

Employee education and training is crucial. Organizations implement mandatory cybersecurity awareness training to teach employees how to identify and report phishing emails. Training is often continuous and includes simulated phishing tests to reinforce learning. According to experts at KnowBe4, Inc., regular training can reduce susceptibility to phishing by up to 72% [1].

Email filtering and analysis looks for indicators of phishing in incoming messages. Solutions like IRONSCALES use AI to scan for malicious links, attachments, and impersonation attempts [2]. Suspicious emails can be quarantined or flagged for review by security teams.

Anti-phishing software provides another layer of automated protection. It works by checking URLs against databases of known phishing sites and uses heuristics to determine legitimacy. Leading solutions like Mimecast also offer impersonation protection and reporting tools [3].

Regular simulated phishing campaigns test defenses and preparedness. Phishing emails are sent internally to employees, who are then educated based on their response. This frequent testing reinforces training and identifies areas for improvement.

Best practices to avoid phishing

There are several best practices you can follow to avoid falling victim to phishing scams:

Carefully inspect the sender’s address in any email, even if the display name looks legitimate. Phishing emails often spoof the display name to look real but have a slightly different sender address. For example, the address may have an extra letter or end in .net instead of .com. If an email looks suspicious, don’t click on any links.

Avoid clicking on links in emails altogether. Instead, manually navigate to the website through your browser if you want to access it. This avoids accidentally clicking on a phishing link.

Enable two-factor authentication on important accounts whenever possible. This provides an extra layer of security beyond just a password.

Install anti-phishing browser extensions like Netcraft or Web of Trust. These can identify known phishing sites and warn you before visiting them.

Other tips include being wary of any urgent requests for personal information over email, hovering over links to see the true destination, and watching for poor spelling or grammar which is common in phishing emails.
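The indicators listed under “How to recognize phishing emails”, the filtering step described under “How organizations combat phishing”, and the sender-address check above, turned into one added example (not code from the page or from any product it names). It runs the checks over a single raw message: lookalike sender domain, display name claiming a brand the address does not belong to, generic greeting, urgency wording, requests for sensitive data, and link text that shows one domain while the href goes to another. The allowlist, keyword lists and the sample message are constructed values.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr
# Assumed allowlist of the brand's genuine domains (constructed value, not from the page).
TRUSTED = {"examplebank.com"}
URGENCY = ("immediately", "suspended", "within 24 hours", "final notice")
SENSITIVE = ("password", "social security", "account number")
GENERIC = ("dear user", "dear customer", "hello,")
LINK_RE = re.compile(r'<a\s+href="https?://([^/"]+)[^"]*"[^>]*>(.*?)</a>', re.I | re.S)

def is_lookalike(domain):
    """Same name under another TLD, or roughly one letter off a trusted name (ratio > 0.9)."""
    name = domain.split(".")[0]
    return any(domain != t and SequenceMatcher(None, name, t.split(".")[0]).ratio() > 0.9
               for t in TRUSTED)

def phishing_indicators(raw):
    """Return which of the article's indicators fire on one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = re.sub(r"<[^>]+>", " ", body).lower()  # crude tag strip for the keyword checks
    found = []
    if is_lookalike(domain):
        found.append("lookalike sender domain: " + domain)
    brand_in_name = any(t.split(".")[0] in display.lower().replace(" ", "") for t in TRUSTED)
    if brand_in_name and domain not in TRUSTED:
        found.append("display name claims a trusted brand but address is " + addr)
    if text.lstrip().startswith(GENERIC):
        found.append("generic greeting")
    if any(w in text for w in URGENCY):
        found.append("urgent or threatening language")
    if any(w in text for w in SENSITIVE):
        found.append("asks for sensitive information")
    for host, label in LINK_RE.findall(body):  # what the link shows vs. where it really goes
        h = host.lower()
        if h not in TRUSTED and not h.endswith(tuple("." + t for t in TRUSTED)) and any(t in label.lower() for t in TRUSTED):
            found.append("link text shows %s but points to %s" % (label, host))
    return found

# Constructed sample message that trips several indicators at once.
SAMPLE = """From: ExampleBank Support <security@examplebank.net>
Subject: Action required: account suspended
Content-Type: text/html

<p>Dear user, your account will be suspended within 24 hours unless you
confirm your password at <a href="https://login.examplebank.net/verify">https://examplebank.com/login</a>.</p>
"""
```

Keyword lists like these produce false positives on their own; in a mail gateway they are one signal scored alongside SPF/DKIM results and URL reputation, not a verdict.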

Phishing statistics

Phishing attacks continue to pose a major threat. According to a 2017 Pew Research study, 49% of U.S. adults have been targeted with a phishing scam. The study found that 11% of people who reported receiving a phishing message fell for the scam and clicked on the malicious link or attachment.

These schemes come at a major cost. The FBI’s 2020 Internet Crime Report shows that phishing resulted in over $54 million in losses. Verizon’s 2020 Data Breach Investigations Report found that 22% of breaches involved phishing.

With phishing emails becoming increasingly sophisticated and personalized, it’s crucial that individuals remain vigilant. These statistics highlight the need for ongoing education and phishing prevention best practices.

Recent examples of mass phishing attacks

Phishing attacks have become increasingly common in recent years, often targeting a wide range of individuals and organizations. Here are two high-profile examples from the past couple of years:

[Example 1] – In October 2022, a phishing campaign targeted users of the cryptocurrency exchange Binance. The emails appeared to come from Binance customer support and requested users to download a fake security update. However, the update was malware aimed at stealing account credentials and cryptocurrency funds. Over $500,000 in assets were reportedly stolen (https://it.ucsf.edu/new-phishing-threats).

[Example 2] – In June 2021, a phishing scam targeted over 150,000 employees of MediaTek, a Taiwanese semiconductor company. The attackers posed as recruiters and sent phishing emails with malicious attachments that installed Cobalt Strike malware. The malware was used to steal data and product information. MediaTek was forced to shut down operations in some factories to contain the breach (https://www.bleepingcomputer.com/tag/phishing/).

Resources for More Information

There are several organizations that provide helpful information and resources for learning more about phishing, protecting yourself and reporting phishing attacks:

The Federal Trade Commission (FTC) has an entire section of their website dedicated to phishing and identity theft. Their anti-phishing page provides advice on how to identify and avoid phishing scams. You can also file a complaint with the FTC if you encounter a phishing email campaign.

The Anti-Phishing Working Group (APWG) is an international coalition aimed at combating cybercrime and phishing attacks. They provide a variety of resources including best practices guides, research reports, and a place to report phishing URLs.

OWASP, the Open Web Application Security Project, offers technical resources for developers and security professionals to build anti-phishing defenses into their applications and systems. Their phishing Cheat Sheet summarizes common phishing techniques and recommended countermeasures.

Checking these organizations’ websites can help you stay on top of the latest phishing threats and protection strategies. Their in-depth guides and reporting tools make them invaluable resources in the fight against phishing.