Phishing scams: everything you need to know

The first phishing attack was reported in 1996 when criminals contacted AOL customers via email asking them to confirm their passwords. From that moment, phishing scams have improved in sophistication and are one of the most commonly used social engineering scams to date because sadly, they work.

What is a phishing scam?

Phishing is a type of social engineering used to obtain sensitive data such as login credentials and payment details. Usually, criminals impersonate trusted parties to deceive victims into disclosing personal and financial information, or into installing malware on their system that then steals sensitive data. Phishing scams typically come in two forms - an email or a text message.

The cause

Data protection failures are a global problem: over 25 million records are obtained by cyber criminals every day. Information about you can be obtained when a company fails to protect the database containing your information, or when a hacker breaks into a company's system and takes a copy of its customer records. Once criminals have a list of email addresses or phone numbers, it is very easy to send emails or SMS messages posing as a legitimate company to trick unsuspecting victims into parting with sensitive data. This can then be used for more complex crimes, such as identity theft and fraud.

Common types of phishing scams

Deceptive phishing:

The most common type of scam is deceptive phishing. In this ploy, criminals typically use malicious links together with logos and signatures that mimic the spoofed organisation in an attempt to steal login credentials and personal data.

Spear phishing:

Spear phishing is a customised version of email phishing that targets specific individuals or companies instead of random users. The message contains personal information about the victim, such as name, position, company and email address, which makes the sender look authentic. A study states that 30% of phishing messages get opened by targeted users.

Whaling phishing:

These attacks occur when a criminal spends a great deal of time gathering information and profiling high-value individuals such as CEOs, in order to target them with the aim of gaining access to their company's credentials. Whaling techniques usually involve tax forms, as they can provide a significant amount of valuable information, especially financial data.

Smishing and Vishing:

With people using their smartphones as a primary means of communication, cyber criminals target victims with phone calls and text messages. A popular vishing technique involves criminals posing as fraud investigators who warn individuals that their account is under threat and encourage them to reveal valuable financial and confidential data. With voice imitation AI programs constantly improving, vishing scams are expected to grow in the future.

You should not provide personal information over the phone at any time unless you are sure of the legitimacy of the caller. Some key points to remember are:

  • If you receive an unsolicited call asking for your personal information, check the company's telephone number on their official website. No company will ask you for answers to secret questions or passwords, so be vigilant.
  • A bank will NEVER ask you for your PIN, full card details or password information.
  • A bank will NEVER ask you to move your money into a safe account to protect you against fraud - this is a widely used tactic to trick victims into transferring their money into a criminal’s bank account.
  • If a phone call seems suspicious, hang up - you can call the company back to confirm that it was legitimate.

Example: A text message scam trying to sell concert tickets

The consequences of a phishing scam

A phishing attack can have serious consequences for victims, including a loss of funds or identity theft. Businesses are often targeted too, with criminals going after employees in a bid to bypass security controls and obtain the company's credentials. This can cost the targeted organisation a lot of time, money and reputation, and it can also affect end users if their personal information is compromised.

How to detect a phishing scam

There was a time when phishing scams were very obvious; it wasn’t uncommon to see messages like ‘click here to gain a tremendous amount of money’. Nowadays, it can be challenging to detect scams as criminals have enhanced their phishing techniques. However, some subtle hints can reveal the scam.

The sense of urgency

Some scammers design messages that appear to come from legitimate banking institutions, asking customers to click a link to update or verify their details - often, the link is malicious. Pay close attention to these messages, as they usually contain spoofed logos and email addresses that look very similar to the real company's. Attackers often use this 'urgency strategy' to put pressure on individuals and catch them off guard.

Example: A new scam impersonating HSBC bank including a malicious URL

Example: A smishing scam pretending to be Revolut, the UK financial technology company, is mass-distributed containing a malicious link.

Suspicious links

A website's URL is a key factor in identifying a phishing attempt, as it usually does not correspond with the context of the communication. Do not click any links or download any attachments until you are sure the communication is legitimate. Instead, open your web browser and go to the website in question by typing its address into the URL bar yourself. Unfortunately, some email scams hide URLs behind buttons - to check the address, right-click the button and select 'copy link address'. Paste the text into a notepad on your PC or device and you will be able to see where it links to.

Example: A scam message pretending to be the UK Government encouraging the individual to click on the malicious link. The official URL would normally start with ‘www.gov.uk/’

Example: A scam message pretending to be PayPal pressures the victim to click the link, which can be easily identified as illegitimate. 

Example: A phishing email impersonating the UK Government, hiding the destination address behind a button.

Suspicious email addresses

You should always check the name and the email address of the sender; in many cases it is a key indicator. Legitimate companies send email from their own domain - HMRC's emails always end in @hmrc.gov.uk, for example, unlike the example below.

Example: Scam attempt coming from a suspicious domain name. 

Grammatical and spelling errors

If the message includes grammatical errors and unusual phrases, it is very likely to be a scam. Pay close attention to small details such as typos, including missing or extra spaces between words and sentences.

Example: The word ‘conditions’ is misspelled. 

Prevention is key

Unfortunately, it is almost impossible to avoid phishing scams entirely - according to Valimail, 3.4bn fake emails are sent out worldwide each day. However, here are some fundamental steps anybody can take to protect themselves:

Education - learning how to distinguish malicious messages and URLs can significantly decrease the risk of phishing threats.

Privacy - be careful not to share private information on your social media accounts; usually, this is the primary source of information for criminals when they start profiling victims. You should enable maximum security settings to prevent anyone outside of your network from viewing information about you.

Dynarisk's Cyber Security Score - by getting your Cyber Security Score you'll know how at risk you are of a cyber attack. Alongside the score you'll also get a tailored action plan to help reduce your risks, and we will also inform you if we discover your information has been leaked or breached online.