What is Phishing?
The term “Phishing” – not to be confused with “fishing” – is a type of online scam. It’s designed to obtain sensitive and personal information through the disguise of a trustworthy entity such as a person, email or website.
A common example is an email appearing to be from your bank asking you to log in, when in actual fact, it is just an email designed to look as though it’s from your bank sent by John McScammer who is after your login details and hard earned dollars.
Phishing originated around 1996 in the early days of the internet and was mostly utilised for basic financial and personal information theft. The evolution of the internet and ever-increasing reliance on its use for business saw larger, more organised phishing attacks emerge. In 2017, one of the world’s largest phishing attacks occurred named NotPetya which shut down hundreds of global businesses including Maersk and Cadbury.
There are three main types of phishing activities:
- Spear Phishing: A phishing attack directly targeted at businesses or individuals.
- Clone Phishing: A type of phishing attack where a previously sent email is cloned and re-purposed with malicious links.
- Whaling: Similar to spear phishing but specifically targeted at high level executives and high-profile targets.
How does an online phishing attack work?
In almost all forms of phishing attacks the goal of the scammer is to acquire your personal information. This might range from just your name and contact details all the way up to your financial details and even identity documentation.
You will be contacted by the scammer via email, social media, SMS or a phone call and asked to confirm or provide some personal information. The form of contact used is always designed to appear as a legitimate message. It is the intent of the scam to make you believe that what you are seeing or hearing is genuine. Unfortunately, it is far from that.
How to protect yourself from different types of online phishing attacks
1. Email impersonation
Email impersonation is considered the most common form of phishing. This is where a fake email is sent claiming to be from a legitimate source.
Things to watch out for:
- Emails with a subject such as “Renewal due”, “your account has been suspended”, “money transfer”, “you have a virus” or anything that appears to be suspicious.
- Email formatting/branding that is not consistent with similar emails from the same legitimate origin. A good impersonated email will be almost impossible to tell from the real thing but you can easily spot the bad ones.
- A different email address, specifically slight changes or variations of the email domain name.
- Spelling errors, broken English and poor grammar.
2. Link manipulation
Misspelled URLs and subdomains are a common practise for phishing scammers. They’re used to mislead their targets who might give the URL a cursory glance and not realise it is completely different link to a different website.
Example:
- Real: https://www.embarkagency.com.au
- Scam: https://csqd.con.au
But wait, they can get even trickier still! Internationalised domain names can also be subject to link manipulation with a phishing attack. This is because domain names can be registered in multiple country identifiers, but each domain is technically a completely different URL.
Example:
- Real: https://www.embarkagency.com.au
- Scam: https://csqd.com
Scammers can also make a link on a website or in an email appear to be the correct URL, whereas the link is actually coded to take the user to a completely different.
Example:
3. Fake websites
Difficult to spot but not impossible, fake websites are often used to entice a phishing target to enter in their personal details such as login account information. A fake website will look identical to its real counterpart.
Things to watch out for:
- Website links that do not exactly match the legitimate website URL.
- Large amounts of text or big portions of a website that have been converted into single images instead of live text.
- Websites that do not use HTTPS or have a business verified SSL Certificate.
Tips on protecting yourself from phishing attacks:
- Never open suspicious looking emails and do not click on any links or open any attachments in an email that you doubt the legitimacy of.
- Always inspect or preview any links before clicking on them to verify that the link is legitimate. If in doubt, just use Google to navigate to the page/website that the link is linking to.
- Never log in to a website that contains highly sensitive personal information such as online banking and government portals from a link in an email, SMS or on a 3rd party website. Always navigate directly to the login page through your URL bar or through Google.
- Look for the secure SSL symbol when on a website as many fake websites are not encrypted with an SSL certificate. You can read more about SSL certificates here.
- Never provide your credit card, online account details or personal information if you receive a call from a person claiming to be from an organisation you are familiar with. Call that organisation back using their public phone number and verify the legitimacy of the call. Only provide information to people who you have directly contacted and you have verified as legitimate.
- Enabled better spam filtering in your emails to help eliminate fake emails.
- Use only the most up-to-date version of all major web browsers, or change to a newer browser that has stronger security measures built in such as Brave.
- Always use three-factor authentication such as your mobile number or Google’s Authenticator when possible — especially with online banking.
- Don’t trust any Nigerian princes.
It can be hard to spot a phishing attack in the wild as they are inherently designed to be difficult to detect by humans. However, being educated on the potential risks and scams that are out there help to reduce your overall risk of being the victim of a phishing attack. Take time, take care and trust your instincts when online.