If you’ve heard the term “phishing scam” before but haven’t quite understood what it means, this article explains what it is, how it works and, most importantly, how to avoid such scams.
In its simplest sense, phishing refers to any type of online communication, for example an email or instant message, that attempts to steal sensitive information from a person by pretending to represent a trusted entity, such as a social network, bank or reputable business.
The Internet provides a variety of different ways for crooks to disguise themselves as a trustworthy entity. For example, a crook could create an email account that appears to belong to a particular bank, and can alter the account details so that an email appears to have come from a legitimate address associated with that bank when it didn’t. They can also word the email in such a way as to trick the recipient into believing it did originate from that bank.
If a crook does this in order to trick a recipient into handing over their online banking details, this would be a typical example of an online phishing scam.
Another example could be if a crook compromises a Facebook account and changes the account name to some derivative of “Facebook Security”. The crook then sends chat messages to the friends of that account pretending to be from Facebook in order to trick them into compromising their Facebook login details.
Click this link and enter your details…
Primitive phishing scams could simply ask a person to reply, whether by email or chat message, with their sensitive information, such as bank details or login information. But such scams, in today’s climate, are likely to have a low success rate.
It is more likely that a phishing scam will include a link to a spoof website, to make the scam appear more convincing, along with some type of social engineering trick to fool the victim into clicking it. The spoof website will also be set up to look like the trusted entity that the crook is pretending to represent, and it is the spoof website that asks for – and subsequently steals – any information that is entered into it.
So, for example, an email may claim to be from PayPal, asking a user to confirm their login and banking details for security purposes (that’s the social engineering trick!). The email will contain a link that leads to a spoof PayPal website, which asks for the username, password and banking information. When it is entered, it gets sent to the phishing scammer.
An example of a phishing scam pretending to be from Apple’s iCloud team that was sent by email is below.
As you can see, the email contains a link for the recipient to enter their details, which will lead to a spoof website.
Phishing scams, especially those sent by email, are typically sent to thousands of potential victims. This is where the name phishing comes from: the original email or chat message is the bait, which the crook casts into cyberspace to see who bites.
However, phishing scams can also be targeted, though such scams are comparatively rare. Targeted phishing scams are known as spear-phishing scams, and they mean a crook has learnt more details about their potential victim, such as their name, date of birth and where they bank. They will use these details in their scam to make it more convincing.
Avoiding phishing scams
Phishing scams can always be avoided, provided the target knows what to look out for. The following tips can help you spot a phishing scam before it’s too late.
– Be sceptical of unexpected emails or chat messages – or any other type of online communication – that ask you to click a link.
– Be especially careful if that email or chat message doesn’t contain your name, and instead refers to you as a generic word such as “customer”.
– Be especially sceptical if the email or chat message contains a link that leads to a webpage that asks for sensitive information, such as a password or your banking details.
– If you are asked for such information, check the web address of the page you are on to see whether it is the legitimate website belonging to the business or brand that contacted you. That will usually be www.mybrand.com – scammers may try to trick you by creating subdomains on scam websites, for example www.mybrand.scamwebsite.com, which actually belongs to scamwebsite.com.
– Look out for poor spelling or grammar, since many of these crooks come from non-English-speaking countries.
– If you doubt that a particular communication has come from its alleged source, contact that source directly by calling the support number or emailing the address on their website.
– And remember, if you’re in doubt, always ask someone else for their opinion.
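As an added example (not code from the article), here is a small Python check for the web-address tip above: it reduces a link to the domain its owner actually registered and compares that with the brand’s own domain, so the subdomain trick www.mybrand.scamwebsite.com is caught. It generalises the tip slightly to domains under multi-label suffixes such as co.uk; the suffix list in the code is a constructed stand-in, not the real Public Suffix List, and mybrand.com / scamwebsite.com are the article’s placeholder names.

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed, deliberately incomplete sample of multi-label public suffixes.
# A production checker should load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the owner-controlled part of a URL's host (e.g. 'mybrand.com').

    Every label to the left of that part is a subdomain the site's owner can
    invent at will, which is why www.mybrand.scamwebsite.com is not mybrand.
    """
    if "://" not in url:             # urlparse treats a bare host as a path
        url = "http://" + url
    host = urlparse(url).hostname    # strips scheme, port, path and query
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:              # 'localhost' or a single label: no domain
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])  # e.g. mybrand.co.uk
    return ".".join(labels[-2:])


def link_matches_brand(url: str, brand_domain: str) -> bool:
    """True only if the link sits on the brand's own domain (or a subdomain of it)."""
    owner = registrable_domain(url)
    return owner is not None and owner == registrable_domain(brand_domain)


if __name__ == "__main__":
    brand = "mybrand.com"           # the article's placeholder brand
    for link in (
        "https://www.mybrand.com/login",               # genuine
        "https://login.mybrand.com/account",           # genuine subdomain
        "https://www.mybrand.scamwebsite.com/login",   # the article's example
        "https://mybrand.com.scamwebsite.com/login",   # brand name as a subdomain
        "http://www.mybrand.co.uk/login",              # a different registrable domain
    ):
        print(f"{'OK ' if link_matches_brand(link, brand) else 'BAD'}  {link}")
```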