Imagine you're looking for a job. You see a listing online and email them asking for information. They request you give your credit card number to pay for an "employee startup kit" for $1.99, and for "security purposes" they also request your Social Security number. This is a phishing scam.
Phishing attacks are an extremely common tactic cybercriminals use to steal personal information. They're also firmly on the rise: According to email security company Vade, in the first half of 2022 alone, there were 315,846,480 phishing emails. At this rate, malware and phishing attacks will greatly outpace 2021's numbers.
With a phishing attack, a cybercriminal attempts to gather sensitive information such as names, telephone numbers, passwords, Social Security numbers and other types of data by posing as a legitimate source asking for this data.
What is a phishing attack?
There are wide varieties of phishing attacks, but they all share similarities. A common example is an email that appears to be from a well-known company such as Microsoft stating that your account needs to be verified or it will be deleted. Believing the email to be legitimate, you click the included link, which leads to a page that also looks genuine.
The page contains boxes in which you can provide information. You type in the information requested and send it. What you don't know is that while all of this looks normal, it is a fake page that is only pretending to be genuine. Once you type in the information they ask for and send it, the cybercriminal now has access to everything that was sent.
Not all phishing attacks ask you to click on a link or reply to them. Some may include attachments that the sender wants you to download or they may provide a phone number for you to call. In either scenario, they're trying to lure you into providing personal information.
The consequences of this can be severe. Accounts can be taken over, passwords can be exposed and reused against your other accounts, and the data can be sold to those who stand to gain from having access to your personal information. It's not uncommon for victims to suffer massive financial loss due to identity theft, among other grave ramifications.
How do you spot a phishing attack?
Phishing attacks often look like the real thing, but according to Crowdstrike, there are ways you can spot a fake, including being wary of unsolicited emails asking for information, checking the domain name at the end of the sender's email address, and staying away from unexpected attachments.
First, make sure the email is coming from who it says it is. Look at the actual address, not just the display name. If it says it's from Facebook, the part after the "@" should end with "facebook.com". The last two parts of the domain are what identify the owner, so "@facebook.com" and "@accounts.facebook.com" both belong to Facebook, but "@accounts.facebook.net" or "@facebook.com.example-mail.net" do not, even though the real name appears in them. Many cybercriminals use similar-looking addresses so you don't immediately spot the difference: "@faceb00k.com" with zeros in place of the letter O, or any other misspelling, is not legitimate. Bear in mind that a matching address is a necessary check rather than proof, since the sender address itself can be forged unless your mail provider verifies it.
Before you click a link, hover over it (or long-press it on a phone) to see where it really goes, and after you click, check the address bar. The owner of a page is identified by the domain name between "https://" and the next "/", so if Apple wants you to type in information, make sure that part is genuinely apple.com and not something like apple.com.verify-account.net, where apple.com is only a decoy at the front. Just as with email addresses, be wary of subtle changes that are hard to notice at first: a lowercase "l" can look identical to an uppercase "I", and a zero can pass for the letter O. A padlock icon or "https://" only means the connection is encrypted, not that the site is genuine; phishing sites use encryption too.
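One way to turn the two address checks above (sender domain and link domain) into code, as an added example that is not part of the original article or of any company it mentions: the functions below pull the domain out of a sender address or a link, reduce it to the part that identifies the owner, and flag addresses that only resemble the expected domain. The lookalike table, the "last two labels identify the owner" rule, the treatment of punycode names as suspicious, and the sample addresses are all constructed assumptions for illustration.

```python
from urllib.parse import urlsplit

# Substitutions attackers use for letters they resemble. This is a small
# illustrative table (an assumption for this example), not a complete
# confusables list. Multi-character entries come first so they are
# collapsed before single characters are replaced.
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"),
              ("3", "e"), ("5", "s")]


def normalize(name):
    """Map lookalike characters to the letters they imitate so that
    'faceb00k' and 'facebook' compare equal."""
    s = name.lower()
    for fake, real in LOOKALIKES:
        s = s.replace(fake, real)
    return s


def registrable_domain(host):
    """Return the part of a hostname that identifies its owner, e.g.
    'accounts.facebook.com' -> 'facebook.com'. Assumption: the owner is
    the last two labels; production code should use the Public Suffix
    List so that names like 'example.co.uk' are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_host(host, expected):
    """Classify a hostname against the expected registrable domain.
    Returns 'ok', 'suspicious' (looks related but is not the real
    domain) or 'mismatch' (unrelated domain)."""
    host = host.lower()
    actual = registrable_domain(host)
    if actual == expected:
        return "ok"                       # facebook.com, accounts.facebook.com
    if normalize(actual) == normalize(expected):
        return "suspicious"               # faceb00k.com, paypaI.com
    if actual.split(".")[0] == expected.split(".")[0]:
        return "suspicious"               # facebook.net instead of facebook.com
    if expected in host:
        return "suspicious"               # apple.com.verify-login.net
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious"               # punycode: may hide non-Latin lookalikes
    return "mismatch"


def check_sender(address, expected):
    """Check an email sender such as 'Facebook <security@faceb00k.com>'.
    Only the text after the last '@' matters; the display name is ignored."""
    if "@" not in address:
        return "mismatch"
    host = address.rsplit("@", 1)[1].strip("<> ")
    return check_host(host, expected)


def check_link(url, expected):
    """Check the hostname of a link the way you would read the address bar."""
    if "://" not in url:
        url = "http://" + url             # urlsplit needs a scheme to find the host
    host = urlsplit(url).hostname
    return "mismatch" if host is None else check_host(host, expected)


if __name__ == "__main__":
    # Constructed samples for the checks described in the article.
    samples = [
        ("sender", "security@facebook.com", "facebook.com"),
        ("sender", "Facebook <security@faceb00k.com>", "facebook.com"),
        ("sender", "help@accounts.facebook.net", "facebook.com"),
        ("link", "https://appleid.apple.com/account", "apple.com"),
        ("link", "https://apple.com.verify-login.net/signin", "apple.com"),
        ("link", "http://paypaI.com/login", "paypal.com"),
    ]
    for kind, value, expected in samples:
        check = check_sender if kind == "sender" else check_link
        print(f"{check(value, expected):10} {value}")
```

A "suspicious" result means the address borrows the real company's name without being its domain; a "mismatch" means it is simply some other domain. Neither should be trusted, and as the article notes, an "ok" result is still only a necessary condition because the sender line itself can be forged.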
Grammar and spelling mistakes are a common sign of a phishing scam. Legitimate companies usually send automated, proofread messages, so errors anywhere in the email, whether in the subject line or the body, are a red flag. The reverse is not a guarantee, though: many phishing emails are now well written, so a polished message still needs the other checks.
No company will ever ask you for your password via email under any circumstances. All emails asking you to provide your password are illegitimate. If the email asks you to correct information that requires a login, go directly to the website and ignore the link in the email. If Google says your information is incorrect on your Gmail account, type mail.google.com directly into the address bar so you know it's the real thing.
Likewise, no financial institution will ever ask for your bank account information via email. Requesting especially sensitive information such as Social Security numbers in an email is also not something legitimate sources do.
If you're not sure whether an email asking for information is legitimate, contact the alleged sender without replying to the email and without using any phone number or link the email provides. If it looks like it's from Google, contact their support line using details from Google's own website. If it appears to be from a friend or colleague, ask them directly if it's genuine.
Phishing attacks can be extremely dangerous and consequential, but there are ways to spot them and verify the legitimacy of the communication. They also come in many variations, so keep a sharp eye out for anything suspicious or anything you didn't expect to receive. Prudence is the best weapon against phishing attacks.