M4S 076: How Does Phishing Work? How to Identify a Scam

Podcast: Play in new window | Download

Have you ever gotten an email, and you weren’t sure whether it was real or a scam? Maybe you’ve heard about the scams to get people’s passwords and wondered, “How does phishing work?” Do you know how to identify phishing emails?

I have, and as a matter of fact, I received one today. I wanted to talk with you about it and discuss how to avoid becoming the next good person conned through the Internet.

What is a Phishing Email? 

The first questions we need to answer when talking about phishing (spelled with a ph) scams are

• What exactly is a phishing email?
• How does phishing work?

Phishing.org defines phishing as:

“Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.”

In other words, phishing is an attempt by bad guys to con you into thinking their email or website is legitimate. Then, when you answer the email or, by following the bad guy’s direction, take action on the site, they use the information you provide to steal from you or cause you other harm.

None of that is good!

How Does Phishing Work? Five Examples

There are all sorts of internet scams, and phishing is just one of them.

When it comes to phishing emails, the bad guys use a variety of strategies in an attempt to part you from your personal information, money, and anything else they find valuable.

Before I get into specific types of phishing attacks, though, let’s go over some of the more typical aspects of phishing emails that help explain how phishing works.

1. Seems Phishy – As with anything, this is where your situational awareness and instincts kick in. You can tell your instincts are firing when your subconscious tells you that there’s something weird about an email, instant message, or website. Look for emails and messages that are not like your usual emails. In other words, keep a suspicious eye out for emails and messages that are NOT normal.
2. Who Sent This – When you look at an email and aren’t sure about who sent it, odds are you don’t need to open it. Not only do you not need to open it, but if you do, you don’t need to do what they tell you to do. Like, click on a strange link. Think of it this way; you don’t open your door to every stranger and do what they say without question. Then why do so many of us do just that with an email?
3. Too Good To Be True – When it comes to email scams, the old saying “If it sounds too good to be true, it probably is” definitely applies. In other words, think twice before believing that you’ve won the lottery, a new car, or something else that seems so fantastic that you’re in shock and can’t believe your crazy luck. After all, you never win anything. Yeah, you never win anything. That is EXACTLY the point.
4. A Sense of Urgency – Scam artists often use the tactic of creating a sense of urgency in the victim or buyer. They instill this sense of urgency in people by presenting them with an incredible opportunity. However, they also let you know that their incredible opportunity has a quickly approaching expiration. They hope you don’t think it through and instead act fast for fear of missing out. So, when you read an email telling you to act now, do the OPPOSITE. Please slow down and consider why they are trying to get you to take quick action.
5. Hyperlinks & Attachments – An email link or attachment may not be all that they appear to be. When you receive a link or attachment in an email that doesn’t make sense or “Seems Phishy,” think twice about clicking on it. Rather than clicking on the link or attachment, take a better look at it. Hover over the link by placing your mouse over it, but NOT clicking on it. When you hover over a link, you should see the actual web address that you will be sent to if you click on it. In the case of a scammers link, the address will often not be spelled correctly or might be completely different than what you expect it to be. The scammers want you to click on their link or attachment because that’s how they infect you with viruses and turn you into a victim.

Five Types of Phishing Emails

The types of phishing attacks are continually evolving. However, many fall within one of these five types of phishing attacks.

Spear Phishing

How does phishing work when it’s “spear phishing?” Spear phishing is a tactic that uses personalized emails or messages to convince you to click on a malicious link or email attachment. When you do, you may be giving the bad guys personal information that they can cause to harm you. When using spear-phishing attacks, con artists customize their emails with your name, phone number, or other bits of information in an attempt to make you believe the email or message is from a legitimate source. Remember, when you consider replying to an email, double-check to make sure it is legitimate.

Email Spoofing (Name Impersonation)

Email spoofing uses the name of a person or organization that you are familiar with. By using a familiar name, the attackers hope to get you to click on their link. Once you click on it, the bad guys then use various techniques to get you to hand over personal information. The best way to avoid email spoofing attacks is to read the sender’s email address carefully. If anything doesn’t appear to be normal, consider not clicking on the link.

Website Spoofing

Website spoofing is similar to email spoofing but is more complicated on the part of the attackers. When website spoofing, attackers copy a legitimate website and use it on their con artist fake web address. These websites are often nearly indistinguishable from legitimate sites.

If you are concerned that a website referenced in an email or message may not be authentic, don’t click on any links. Instead, open a new browser window and manually search for the site on your own. Once you’re sure that you’re on a legitimate site, contact the person or organization through the legitimate site or phone number.

Clone Phishing

Clone phishing happens when bad guys attack a person’s email account by using a previously sent email that contains a link or attachment to make you think the cloned email is legitimate. Criminals replace the link or attachment from the legitimate email with a malicious link or attachment in their fake email. The phony email is then forwarded to the contact list from the victim’s inbox. The criminals hope that the recipients of the cloned email will believe it to be legitimate and click on the link or attachment.

Image Phishing

Do you receive emails that contain images? If so, then you need to use caution because it could be a phishing attack. Scammers use pictures and other types of media to infect your systems. There are a couple of ways for bad guys to embed a phishing image in an email.

• The first is by linking an image in the email or message to a malicious web address.
• The second is to send an attachment, such as a photo or other type of media file, with a virus embedded in the file that infects your computer when you open the attachment.

The best way to avoid image phishing attacks is to not open or click on links from unknown sources. Don’t forget; you don’t have to click on everything people send you. Far from it, instead, be wary about emails from sources that are unknown or seem out of the norm.

How Does Phishing Work? Avoid Phishing Attacks

Use Caution When Opening Attachments or Clicking on Links

Remember, your family’s and friends’ online accounts can be hacked and used by criminals.

Do Your Own Search

If you receive an email from a person or organization that you know, which contains a link or phone number, don’t click on it. Instead, open a reliable search engine and look up the website or phone number on your own. It’s good to remember that even though a link or phone number looks legitimate, it may not be.

Pick Up the Phone

When you receive an email that requests personal or financial information, DO NOT RESPOND to it. Phishing attacks try to instill fear and prey on your willingness to be helpful. If you think an email or message requesting your sensitive information is suspicious, pick up the phone and call using the number in your address book or on their website after doing your own research into it. DON’T call the number contained in the email!

Backup Your Data

Backing up your data regularly makes the potential loss of data to ransomware or other viruses less impactful. So, be smart and prepare in advance.

The Bottom Line 

Today’s quote is by Victoria Ivey, who said,

“Every time you indulge into any sort of online activity, your data can be easily monitored and checked. .” ~Victoria Ivey

That’s pretty self-explanatory.

The internet is great. You can go anywhere and learn anything. Just watch out while checking your emails in the Wild West that you don’t fall victim to a scam.

Stay safe,