We define phishing as a scam that occurs when a fraudster sends a seemingly trustworthy – but actually malicious – email (or SMS, social media post, or IM) in an attempt to steal your personal information or financial details.
These emails can look pretty authentic, and you might be fooled into thinking they've actually been sent by your bank, a social media site, or even your work colleagues.
Why is it called Phishing?
Well, a fisherman baits their hook if they want to make a catch, right? So does the fraudster. If the malicious link is the hook, the email is the bait – and the scammer is just waiting for you to bite.
The word "Phishing" was influenced by "Phreaking", an activity carried out by folks interested in manipulating the public telephone network – originally to make free long-distance calls.
Phishing tactics you should be aware of
Phishing attempts usually follow the same handful of strategies, replicated by fraudsters worldwide. To avoid phishing scams, you need to know how they are carried out. The most common tactics are listed below.
The fraudster's ultimate goal is for you to click the link in the message, which will often claim that you've won a prize, or that you need to log in to your account immediately to solve some made-up issue.
If you click the link, one of two things usually happens: it takes you to a page that downloads malware onto your device, or it takes you to a convincing login screen that prompts for your username and password. Entering them hands the credentials straight to the fraudster, who can now sign in to your account.
It used to be said that you could tell a legitimate site by the padlock in the address bar or by an HTTPS address. Neither is a reliable signal any more: the padlock only means the connection is encrypted with a valid TLS certificate, which any site owner, a phisher included, can obtain for free, and phishing pages are routinely served over HTTPS too.
Phishing scams often use cloned websites: pages that look eerily like their legitimate counterparts (think webmail or bank login pages) but belong to the scammer. If you enter your details into a clone, you may be shown a "login error" even though you typed your username and password correctly. What has actually happened is that the clone captured your details and then redirected you to the real site, so that you sign in again successfully and never notice anything was wrong.
The fraudster may also send an email with an odd attachment, perhaps something that looks like a PDF or Word document. Opening it is a bad idea: you could unknowingly install ransomware or enrol your device in a botnet.
Once they have your credentials or personal details, the fraudster might spend your money or sell your account details on to others. Phishing has also been used for blackmail and manipulation; even the chair of Hillary Clinton's 2016 presidential campaign fell victim to this ubiquitous crime.
How to avoid phishing scams?
Fortunately, it only takes a bit of caution and a few preventative steps to thwart phishing scams.
Be wary of links
Common sense is the best defense against a potentially malicious link. Always double-check any URL you've been sent. The part that matters is the registered domain immediately before the first slash, not whatever familiar name appears at the start: extra sub-domains in front of a brand name (a site at paypal.com.something-else.net is not PayPal) and misspelled or altered company names are a dead giveaway. Hover over a link to see where it really points, and consider searching for the site or typing its address yourself instead.
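The checks described above can be written down. The following is an added example for this article, not code from the original page: it pulls the links out of a constructed sample email (what hovering would reveal), compares each link's visible text with its real destination, isolates the registrable domain, and flags brand names used as sub-domains, misspellings of a trusted domain, decoy text before an "@", bare IP addresses and punycode hostnames. TRUSTED_DOMAINS, the sample email and the tiny suffix list are assumptions made for the example; a real tool would use the Public Suffix List.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: registrable domains of services the recipient actually uses.
TRUSTED_DOMAINS = {"paypal.com", "example-bank.com"}
# Constructed, deliberately tiny stand-in for the real Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}
# Does the visible link text itself look like a URL or hostname?
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


def registrable_domain(host):
    """Return the part of a hostname its owner had to register: 'evil.net' for
    'paypal.com.evil.net'. Everything to the left is a subdomain anyone can invent."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href, link_text=""):
    """Return a list of warnings for one link; an empty list means nothing stood out.
    An https:// scheme is deliberately not counted as evidence of legitimacy."""
    warnings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["link has no hostname"]
    if "@" in parsed.netloc:
        warnings.append(f"text before '@' is a decoy; the browser connects to {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode hostname: may use look-alike Unicode characters")
    shown = link_text.strip()
    if shown and URL_LIKE.fullmatch(shown):
        shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != registrable_domain(host):
            warnings.append(f"link text shows {shown_host} but the link goes to {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append("link points at a bare IP address rather than a company domain")
        return warnings
    except ValueError:
        pass
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return warnings  # the genuine domain; any subdomain of it is fine
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in host:
            warnings.append(f"'{brand}' is in the hostname but the registered domain is {reg}, not {trusted}")
        elif edit_distance(reg, trusted) <= 2:
            warnings.append(f"{reg} looks like a misspelling of {trusted}")
    return warnings


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: what hovering over each link would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def inspect_email_html(html):
    """Map every link in an email body to its list of warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: assess_link(href, text) for href, text in parser.links}


# Constructed sample email; 198.51.100.7 is from a documentation-only address range.
SAMPLE_EMAIL = """<p>Dear customer, we detected unusual activity on your account.</p>
<a href="https://paypal.com.account-verify.net/login">Log in to PayPal</a>
<a href="https://www.paypal.com/help">https://www.paypal.com/help</a>
<a href="http://198.51.100.7/secure">https://www.paypal.com/signin</a>"""

if __name__ == "__main__":
    for href, found in inspect_email_html(SAMPLE_EMAIL).items():
        print(href, "->", found or ["no warnings"])
```

Run as a script, it prints each link in the sample email with its warnings: the first is flagged because "paypal" is only a sub-domain of account-verify.net, the second is clean because paypal.com really is the registered domain, and the third is flagged twice, once for the text pointing somewhere other than the real destination and once for being a bare IP address. The "https" in the decoy text earns it nothing.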
Think twice before logging in
So, you've received an email from "PayPal" claiming that there's been suspicious activity on your account and that you need to log in to confirm your identity. You click the link, you're taken to a webpage, and it's asking you to sign in. This is phishing 101, and you should never fill out these login forms. Instead, visit the site by typing its address directly into your address bar, check out user reviews of the service, and use two-factor authentication so that a stolen password alone is not enough to get into your account.
Proofread emails or messages
Unleash your inner editor! It's rare for huge organizations like banks, PayPal, and social media companies to send poorly written emails. If the message you've received is riddled with errors and spelling mistakes, or if a website has a distinctly low-quality design, it may not be legitimate. The reverse does not hold, though: a polished message is not proof that it is genuine.
Trust your gut
A phishing email might claim that you've won a prize but only have a limited time to claim it, or resort to more underhanded tactics, using fear and citing an issue with a bank account or payment method. These sorts of messages can be upsetting, but the urgency itself is a tell: you're unlikely to receive such an agitated email from a legitimate source, and you'll normally be notified well in advance if there is an actual issue with your account.
Another simple and effective way to verify a site or company linked in a suspicious email is to search for it yourself. Check out what other users have to say. If the site is a front for a phishing scam, there'll almost certainly be writing on the wall (or, uh, in the reviews).
Phishing began in the 1990s and still happens today because it's simple and effective, and there's no single way to combat it. In fact, phishing has evolved and taken new forms over the decades, catfishing included!
But it's not all doom and gloom, and there are plenty of ways you can look out for yourself. Be wary of the details you share online, vet potentially malicious links, and be cautious when opening unexpected mail. And, if you find yourself logging in to a website after being prompted to do so, take a moment to ask yourself if anything feels off.
There's plenty more to learn about phishing, and if you're interested, be sure to check out our guide on how to prevent identity theft!