Social engineering is a mainstay of online crime, a tried-and-true way to get valuable information in an instant. You’ve probably read the statistics, so you realize this cyber risk isn’t going away, but the threat is more severe than you might imagine.
In fact, 81% of organizations surveyed have reported an increase in phishing attacks over the course of the COVID-19 pandemic.
From brand new risks and vulnerabilities to creative hacking campaigns, the cyber landscape is constantly changing in all sorts of ways that can be difficult to predict. Here are some consistent phishing elements and patterns to look out for, and if you do fall into the scammer’s trap, how to emerge safely and recover.
Phishing, smishing, pharming — what’s the difference?
Simply put, phishing is a social engineering scam that tries to trick you into sharing credentials or sensitive information that a criminal can use to gain access to networks, accounts, or other assets. Email, text message, and voice message are common phishing vectors.
Some phishing avenues have become so popular they have earned their own names, which is why you may be hearing terms like “smishing” (phishing by text message), “vishing” (by voice call), and “whaling” (targeting executives or other high-value individuals). In the end, these are all forms of phishing.
Anatomy of a phishing attack
Phishing attacks can take different forms, but they follow a conventional pattern.
First comes the message, the bait: the element that compels you to act. Once the bad actor has your attention comes the hook: the action the message wants from you, such as clicking a link, opening an attachment, or replying with information, which is what ultimately completes the attack.
After the link has been clicked or the response has been sent, the criminal can begin to reel in their bounty — whether that’s your user credentials, sensitive company information, or financial details — and you may not realize you’ve been caught up in their net until much later.
Smishing vs. phishing
While phishing scams often use email as the attack vector, scams delivered through text message (SMS) are known as smishing, and they have become one of the most common forms of fraud. These messages arrive on your mobile device or in messaging apps and try to trick you into installing malware or following a link to a malicious website. They are often harder to vet than email: a phone screen shows little of the URL, and a text message carries no sender address to inspect.
Pharming vs. phishing
Instead of using email or text message to elicit a response from you, pharming bypasses the human element: it tampers with name resolution (a poisoned DNS resolver, a changed DNS setting, or a modified hosts file on your device) so that typing the correct address still takes you to the attacker's site. Checking the URL does not help here, because the URL is right; a browser certificate warning or an unexpected login page is the clue.
Spoofing vs. phishing
Spoofing is forging an identifier so that a message appears to come from a trusted person or authority: a display name or sender address, a caller ID, a website, or a look-alike domain. Spoofing is the broader category: most phishing relies on some form of spoofing, but forged sender addresses and caller IDs are also used in fraud that has nothing to do with stealing credentials, and a phish sent from a genuinely compromised account involves no spoofing at all.
Spear phishing vs. phishing
Spear phishing is a targeted phishing attack: the message is personalized, using material like your name, your role, and the names of real colleagues or vendors to deceive you into sharing confidential information. Spear phishing accounts for 65% of all phishing scams, making it the most common type of phishing attack.
Phishing prevention: what to look for, what to do
There are thousands of distinct phishing scams out there, and though it’s impossible to know what will hit your inbox or phone screen next, watch for these common messaging elements that should set alarm bells ringing.
Did you get a message requesting that you do something right now? Urgency is an effective tool, because it taps directly into strong emotions like fear and anxiety, as well as your instinctual response to reach goals quickly.
Sometimes a sense of urgency is used to get you to buy something, but in phishing scams it’s designed to get you to act before fully considering the consequences of your action. Be suspicious when a message uses time-related words like:
Also beware of threats to delete information, launch legal action, or other frightening warnings. If you receive an alarming message, take a pause to investigate: an instant reply is rarely, if ever, required to avoid real fallout.
Phishing scams will often impersonate a recognizable company, counting on brand recognition and your implicit trust to get you to act.
Emails, forms, and landing pages can be carefully designed to mimic real domains, which is known as domain spoofing. But there can be some telltale signs that something’s not right, so before clicking or entering any info, look for anomalies in the:
- URL (Are there any extra characters here or a different domain suffix than you see on the official website?)
- Font (brands insist on consistent design, so look closely to confirm the font is exactly as it is on all other branded pieces)
- Tone (narrative voice, punctuation practices, and other language details should match up with other branded copy)
Sometimes the errors are obvious, like misspellings or poorly constructed sentences, while the more sophisticated phishing attempts pay close attention to all those details. To be safe, if an email or text message requests personal or financial information, don’t reply — instead, contact the company directly to confirm the message was indeed legitimate.
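The URL checks in the list above can be made mechanical. The following is an added example, not code from the original article or from Elpha Secure: a small Python function that takes a link from a message and the domain the brand actually uses, and reports the anomalies a reader should look for, namely a different suffix, extra or missing characters, the real domain buried as a subdomain of another one, a look-alike built from confusable characters, a username before "@" that hides the real host, punycode or non-ASCII characters in the host, and plain HTTP. The brand domain `example-bank.com` and all sample links are constructed placeholders, and `registrable_domain` is a simplification that assumes a two-label suffix such as `.com`.

```python
from urllib.parse import urlsplit

# The domain the message claims to come from. Placeholder brand, not a real bank.
EXPECTED_DOMAIN = "example-bank.com"

# Common substitutions used to build look-alike names (constructed, not exhaustive).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def registrable_domain(host: str) -> str:
    """Last two labels of a host ("a.b.example.com" -> "example.com").
    Good enough for .com/.net/.org; a production check needs the Public
    Suffix List to handle suffixes such as co.uk."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squats such as a dropped hyphen."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_findings(url: str, expected: str = EXPECTED_DOMAIN) -> list[str]:
    """Return reasons to distrust `url`. An empty list means the host is the
    expected domain (or a subdomain of it) over HTTPS."""
    findings = []
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in URL"]
    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        # "https://example-bank.com@evil.net/" shows the brand before the real host
        findings.append("text before '@' is a username, not the host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (xn--) label in host")
        try:
            host = host.encode("ascii").decode("idna")  # reveal the Unicode form
        except UnicodeError:
            pass
    if any(ord(c) > 127 for c in host):
        findings.append("non-ASCII characters in host (possible homograph)")
        return findings

    reg = registrable_domain(host)
    if reg == expected:
        return findings  # genuine domain or a subdomain of it
    if "." not in reg:
        return findings + [f"unrelated host {reg}"]

    exp_name, exp_tld = expected.rsplit(".", 1)
    reg_name, reg_tld = reg.rsplit(".", 1)
    if reg_name == exp_name:
        findings.append(f"different domain suffix: .{reg_tld} instead of .{exp_tld}")
    elif expected in host:
        findings.append(f"'{expected}' is only a subdomain of {reg}")
    else:
        normalized = reg_name
        for fake, real in CONFUSABLES.items():
            normalized = normalized.replace(fake, real)
        if normalized == exp_name:
            findings.append(f"look-alike domain {reg} (character substitution)")
        elif edit_distance(reg_name, exp_name) <= 2:
            findings.append(f"look-alike domain {reg} (extra or missing characters)")
        else:
            findings.append(f"unrelated domain {reg}")
    return findings


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a message.
    for link in [
        "https://example-bank.com/login",
        "https://secure.example-bank.com/login",
        "http://example-bank.com/login",
        "https://example-bank.co/login",
        "https://example-bank.com.account-verify.net/login",
        "https://exarnple-bank.com/login",
        "https://examplebank.com/login",
        "https://example-bank.com@evil.net/login",
        "https://ex\u0430mple-bank.com/login",  # Cyrillic 'а' in place of Latin 'a'
    ]:
        print(f"{link:55} {url_findings(link) or ['looks genuine']}")
```

The check is deliberately one-sided: an empty result only means nothing obvious is wrong with the hostname, not that the link is safe, since a genuine domain can still be reached through an open redirect or a compromised page. Anything it does report is reason enough to type the brand's address yourself instead of clicking.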
There’s often a hook in the message, something to really make you want to learn more. This could be a dollar value (like a text message confirming a transaction) or perhaps a person appealing for help or a response (maybe a cryptic note about a relative).
You don’t know who sent this or who might be involved, but your mind may fill in the blanks. Resist the urge to reply asking for more information: a reply only confirms that your number or address is live. If the message is genuine, the sender will have another way to reach you, and you can verify it through a channel you already trust.
As the saying goes, if it seems too good to be true, it probably is. Be sure to approach “great deals” with great caution; do some digging before you offer up any personal information in your excitement.
One way to vet a deal or a brand is to look for real customer reviews. You can navigate to their website by searching on Google or typing in the URL (not clicking on the link they provide) and look for reviews. But since those testimonials can be biased, you’ll also want to check a third-party review site like Yelp or Google My Business.
What to do if you clicked on a phishing link
So, you slipped up and clicked on a bad link. Rest assured, all’s not lost: if you act quickly and cover these specific steps, you stand a good chance of limiting damage or avoiding it altogether.
1. Don’t enter data
Many phishing links lead to a page designed to harvest your personal information. If you enter nothing, the page captures nothing. Do not assume the click itself went unnoticed, though: simply loading the page can confirm to the sender that your address is live, so expect follow-up messages.
2. Disconnect from the internet
If your device was indeed infected with malware when you clicked the link, it could spread to other devices on your network, fast. Unplugging the network cable or turning off Wi-Fi cuts off that path of infection and also stops the malware from reporting back to its operator.
3. Back up your files
Hopefully you’ve been backing up your data automatically offsite. If not, copy the files on your device to an external hard drive (or USB thumb drive) now, since you don’t want to reconnect to the internet just yet. Copy documents and photos rather than programs, do not overwrite an existing good backup, and treat that drive as possibly contaminated until the device has been scanned: if the device was infected, the malware may have reached those files too.
4. Check for malware
Scan your system for viruses and malware. You might have a virus-scanning program already installed, or you may need to download another (in that case, be sure it’s reputable and not more malware in disguise).
If you’re using Elpha Secure cybersecurity software, you’ll get an immediate alert whenever a threat or infection is detected, so there’s no need to use another scanning tool.
5. Change usernames and passwords
If you typed a password into the phishing page, treat it as stolen. Change it first, from a device you trust rather than the one that may be infected, and then change it anywhere else you reused it, since criminals routinely try stolen credentials against other services. Turn on multi-factor authentication wherever it is offered, and sign out of other sessions if the service supports it. If you are unsure what you entered, change all credentials for the sites you access.
6. Contact a credit bureau
If a hacker did make off with your personal information and tries to use it, you’ll want to know as soon as possible. This is a worst-case scenario, but if you’re concerned, you can set up a fraud alert with the main credit bureaus so that new credit applications in your name are checked with you first.
What if I clicked a phishing link on my phone?
Phishing links tailored to smartphones may try to get you to install an app from outside the official store, add a configuration profile, or grant broad permissions to a malicious app. Symptoms include apps that malfunction, apps you don’t remember installing, or unusual data consumption.
If you’ve clicked a link on your phone, the first thing to do is enter nothing on the page it opened and close it. Next, review the device for apps you did not install (and, on iOS, configuration profiles you did not add) and remove them.
Android phones can be more exposed to damaging phishing payloads than iPhones because Android allows apps to be installed from outside the store, so if you use an Android device, also scan it for malware and change any passwords saved on it.
You’re stronger together
A successful phishing attack can have rippling consequences for an organization and its employees, and all it takes is one misstep from one individual. When everyone acknowledges the risk, understands how to spot a phishing attempt, and knows how to handle it, your business will be much safer.
If you haven’t already, consider implementing a cyber awareness training program, and be sure to periodically refresh your team on the clear and present dangers that lurk on the other side of their screens. After all, if there’s one thing you can count on, it’s that cybersecurity threats will continue to surface and evolve in alarming new ways.
Is your cybersecurity strategy ready for a refresh? A good place to start is with cyber risk management basics for your business.