What is phishing?

Phishing is an illegal attempt to acquire sensitive data via deceptive e-mails and/or websites by tricking consumers into providing personal or account information. Phishing examples may include an unsolicited email from a well-known organization or a fake website that looks like an official one. The email or website will typically contain a “phishing link” that will redirect consumers to a fraudulent web page. Following are the three most common questions people have about phishing scams:

• What is a phishing attack?
• What is a phishing email?
• What is spear phishing?

“Phishing” is a homophone derived from the word “fishing.” Where fishing is an attempt to use a lure to catch an unsuspecting fish, phishing is an attempt to lure an unsuspecting consumer into revealing sensitive data the scammer can use for their own personal gain.

What is a Phishing Attack?

A phishing attack is an attempt by cyber criminals to masquerade as some sort of official entity that the consumer will trust. The attack typically comes from what seems to be a reputable company like a well-known bank, online shopping service or an official government agency, such as the department of motor vehicles or even the Federal Bureau of Investigation. Regardless of the person or entity the attacker is posing as, the goal is always to get the consumer to provide some type of personal information. There are two types of phishing attack: an email that provides the target with a link to a website, and a fraudulent website that bypasses the email step.

What is a Phishing Email?

With a phishing email, the criminal somehow gets hold of a consumer’s email address and sends out an official-looking email designed to trick the recipient into supplying personal information. Cyber criminals will go to extraordinary lengths in designing phishing messages that look like an actual email from a legitimate organization, and will use the same logos, typefaces, wording and signatures the actual entity would use in an effort to trick the consumer into believing the message is legitimate. The email message will include a phishing link that will take the victim to the scammer’s fraudulent web page, which looks like the entity’s official site. Scammers will typically try to pressure consumers into action by threatening account expiration or legal action. Here are some of the most common phishing examples:

• A user is sent a fraudulent email message informing them their account may have been compromised and providing a link where they can “reset” their password. This is strictly an attempt to steal the user’s actual valid login information.

• A target is sent an email with a “special offer” for merchandise or a service with a link to an official-looking, but fraudulent, website. This is done in an attempt to steal the consumer’s bank card data.

• Phishing attempts are also used to gain entrance into corporate or governmental networks by getting employees to give up passwords or other security data so the scammer can gain access to the secured network. Organizations succumbing to this type of attack typically sustain severe financial losses, damaged reputations and loss of consumer trust.

What is Spear Phishing?

Spear phishing is designed to target a specific person or entity instead of the shotgun approach with random individual emails. Spear phishing requires the cyber criminal to have specific information on an individual or organization. Here are two common examples:

• The scammer researches an organization and gains access to one employee’s data. The attacker emails the individual posing as an executive of the company requesting certain information with a link that redirects the employee to a password-protected internal document that is in fact a spoofed version of a stolen document.

• A hacker broke into a bank’s database and stole the names and email addresses of their account holders. The attacker emails the account holder to inform them their account may have been compromised with a link to a fraudulent site to “verify” their information.

As phishing techniques become increasingly sophisticated, consumers must remain vigilant to keep from becoming a victim. A sure sign of a scam is a misspelled word or extra numbers inside a URL link that is close to the legitimate domain name. If anything looks suspicious, the best course of action is to look up the organization and call them directly to confirm the legitimacy of the message before responding online.
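The URL warning sign described above (a misspelling or extra numbers in a domain that is close to the legitimate one) can be checked automatically before a link is followed. The following Python is an added example, not part of the original article; the trusted domains and sample URLs are constructed placeholders, and taking the last two host labels as the domain is a simplifying assumption that ignores suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Assumption: domains the organization really uses (constructed placeholders).
TRUSTED = {"examplebank.com", "example-shop.com"}

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def registered_domain(url):
    """Last two labels of the host part; requires a full URL with a scheme.

    urlsplit().hostname ignores anything before an '@', so a trusted name
    placed in the userinfo part of the URL does not count as the host.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def classify(url, trusted=TRUSTED):
    """Return (verdict, trusted_domain_it_resembles_or_None)."""
    domain = registered_domain(url)
    if not domain:
        return ("invalid", None)
    if domain in trusted:
        return ("trusted", domain)
    no_digits = "".join(c for c in domain if not c.isdigit())
    for good in sorted(trusted):
        if no_digits == good:                 # extra numbers in the name
            return ("lookalike-extra-digits", good)
        if edit_distance(domain, good) <= 2:  # misspelled by one or two chars
            return ("lookalike-misspelling", good)
    return ("unknown", None)

if __name__ == "__main__":
    for sample in ("https://www.examplebank.com/login",    # constructed samples
                   "https://examp1ebank.com/reset",
                   "https://examplebank24.com/verify",
                   "https://examplebank.com@login.example.net/"):
        print(sample, "->", classify(sample))
```

A verdict of "unknown" only means the domain is not a near-match of a trusted one; it is not a statement that the link is safe.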

GeoEdge is the trusted cyber security and ad quality partner for publishers and platforms in the digital advertising industry. With more than a decade of experience, we’ve built solutions to prevent tomorrow’s threats, today.