A Guide to Phishing Scams

Cybercrime, such as identity theft and using stolen data for fraud, is increasingly common. Organizations impacted by fraudulent schemes must spend tens to hundreds of thousands of dollars to clean up the mess from cyberattacks and protect themselves and their customers. Individuals whose information is stolen in this manner may also lose significant funds and can experience reputation damage and embarrassment. While many different scams exist, with new ones emerging daily, phishing scams have been around for a long time. They remain one of the main ways for cybercriminals to collect unauthorized information. Symantec estimated that in 2020, one out of every 4200 emails was a phishing email. The 2019 Verizon Data Breach Investigations Report found that almost one-third of all cybersecurity breaches involve some phishing tactic.


What is a Phishing Scam?

Phishing scams are defined as fraudulent communications that attempt to obtain sensitive data through email, web, or phone solicitations. The perpetrator poses as a legitimate business or individual contact of the recipient. A couple of examples:

  • You receive an email from your bank. There is a logo and a call to action, such as confirming your Social Security number and date of birth via a link. Upon closer examination, you see that the email came from a suspect email address, such as “Customerservice@bankofamerica.biz,” and you call your bank to validate the email. Your bank tells you that it would never ask you to confirm personal information by clicking a link, so you disregard the email and delete it after reporting it to your bank. Had you clicked the link and entered your information, the perpetrator would have had access to everything you provided. In some scams, just clicking the link might install malware, but phishing scams usually focus on obtaining the information itself.
  • You receive a work email from a high-ranking executive at your organization. They ask you to provide bank account information for a business account your organization is using, citing urgency due to travel or a high-profile meeting. Because this is an unexpected request, you check with the executive’s assistant to verify that it is legitimate; the assistant confirms that the email did not originate in their department. You report this phishing attempt to your IT department.

Within the world of phishing scams, there are four main types of phishing attacks:

  • Spear Phishing: This phishing scam type targets a specific group or class of individuals, such as a company’s IT systems owner, and the request in the email relates directly to their role. It attempts to exploit the proprietary knowledge and access of the targeted professional position.
  • Whaling: This phishing scam type is similar to Spear Phishing, but it targets C-suite executives specifically. Those emails may include the threat of massive legal action and requests for sensitive company information such as tax IDs, bank account information, and similar data.
  • Smishing: This type of scam is a variation of phishing that targets people through text or SMS. The recipient is likely to receive a text on a mobile device that contains a clickable link or a phone number they are urged to call to provide information.
  • Vishing: This phishing scam type is the same as a regular phishing attack, but it is executed via a voice call.

How to Avoid Falling Victim to a Phishing Scam

The most effective strategy to avoid phishing scams is to be educated and aware. Spotting phishing scams and taking verification steps before responding to suspect requests for information is your best bet to avoid becoming a victim. Here are a few signs that the email, text, or call you receive should be further checked out:

  • Suspicious Return Address – At first glance, the sender might look legitimate, but you need to hover your cursor over the sender’s name to see their entire email address. The full address may include a strange extension (such as the example cited above, where the address had a .biz extension), a spelling mistake, or another inconsistency. This is a major red flag that could mean the email is a phishing attempt.
  • An Urgent Call to Action – Phishing scammers love to scare people into providing sensitive information. They often devise a reason for the urgency, such as the risk that your business license will be suspended if the information is not provided. Scammers hope that the recipient’s fear takes them into a quick response mode without checking with anyone else.
  • Abnormal Requests – If you receive a call, text, or email that asks for something that you usually do not have to provide to your bank, your employer, or a regulatory agency, at least not via this method, it is a good idea to research the request further.
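The three warning signs above can be turned into a simple triage check a help desk could run over a reported message. The following Python script is an added example written for this article, not code from the article's author: the trusted domains, the urgency and sensitive-data phrases, and the sample messages are all constructed assumptions. It parses the real address out of the From: header (the equivalent of hovering over the sender's name), compares the domain against the ones you actually do business with (catching a swapped extension such as .biz or a one-letter misspelling), and scans the subject and body for pressure language and requests for personal data.

```python
import re
from email.utils import parseaddr

# Assumptions for this example (not from the article): the domains you really
# do business with, and phrases that typically signal pressure or a data grab.
TRUSTED_DOMAINS = {"bankofamerica.com", "example-corp.com"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "act now", "urgent")
SENSITIVE_PHRASES = ("social security", "date of birth", "password", "bank account", "tax id")

# Constructed sample messages, modelled on the scenarios described in the article.
SAMPLE_MESSAGES = [
    ("Bank of America Customer Service <Customerservice@bankofamerica.biz>",
     "Action required: confirm your account within 24 hours",
     "Click the link to confirm your Social Security number and date of birth."),
    ("Alerts <alerts@bankofamerlca.com>", "Statement", "Your statement is ready."),
    ("IT Helpdesk <helpdesk@example-corp.com>", "Monthly newsletter", "Here is the roundup."),
]


def levenshtein(a, b):
    """Edit distance between two strings; used to catch one-letter domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Return the real domain from a From: header, ignoring the display name."""
    _, address = parseaddr(from_header)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_flags(from_header, subject, body):
    """Return the red flags from the article that apply to this message (empty if none)."""
    flags = []
    domain = sender_domain(from_header)
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            # Same first label, different extension: bankofamerica.biz vs bankofamerica.com
            if domain.split(".")[0] == trusted.split(".")[0]:
                flags.append(f"suspicious return address: {domain} uses a different extension than {trusted}")
            # A domain within two edits of a trusted one: bankofamerlca.com
            elif levenshtein(domain, trusted) <= 2:
                flags.append(f"suspicious return address: {domain} is a misspelling of {trusted}")
    text = f"{subject}\n{body}".lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        flags.append("urgent call to action")
    if any(phrase in text for phrase in SENSITIVE_PHRASES):
        flags.append("abnormal request: asks for sensitive personal or financial data")
    return flags


if __name__ == "__main__":
    for from_header, subject, body in SAMPLE_MESSAGES:
        print(from_header)
        for flag in phishing_flags(from_header, subject, body) or ["no red flags found"]:
            print("  -", flag)
```

A message with no flags is not proven safe; the script only automates the first look, and an unexpected request should still be verified with the sender through a channel you already trust, as the article advises.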

In addition to staying abreast of phishing scam trends, you can also use your email service’s filtering tools to help weed out phishing emails. Most email services already have this built in, but some messages may still find a way to sneak past the filter settings. Always report all suspicious emails to the administrator of the email service, so they can continue to improve the built-in security settings. You can also use an SPF checker to validate the legitimacy of a sending email domain.
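To show what an SPF checker actually does, here is an added Python example (not from the article or any real checker): a small, offline evaluator of the SPF record a domain publishes in DNS. The DNS TXT records, domains and IP addresses below are constructed from reserved documentation ranges; a real checker would fetch the record with a live DNS lookup, and this one also skips the a, mx, exists and ptr mechanisms that require further lookups. The result tells you whether the server that sent the mail was authorized by the domain in the envelope sender. The caveat a practitioner should keep in mind is that a lookalike domain such as the .biz one in the example above can publish a perfectly valid SPF record for the scammer's own server, so SPF "pass" means only that the message came from where that domain says it should, not that the domain itself is legitimate.

```python
import ipaddress

# Constructed DNS TXT records for this example; the domains and addresses are
# reserved documentation values, not real mail infrastructure.
DNS_TXT = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "bank.example.biz": None,  # lookalike domain that publishes no SPF record at all
}

# Qualifier prefixes defined by RFC 7208; a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate domain's SPF record against sender_ip.

    Returns one of pass, fail, softfail, neutral, none (no record) or permerror.
    """
    if depth > 10:  # RFC 7208 limits the number of DNS-lookup terms to 10
        return "permerror"
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network and vice versa.
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # The included domain's record must itself yield "pass" to match.
            if check_spf(argument, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mechanism in ("a", "mx", "exists", "ptr"):
            continue  # would need live DNS; skipped in this offline example
        else:
            return "permerror"  # unknown mechanism is a permanent error per RFC 7208
    return "neutral"  # record ended without an "all" term


if __name__ == "__main__":
    for domain, sender in [("bank.example", "192.0.2.77"), ("bank.example", "198.51.100.10"),
                           ("bank.example", "203.0.113.5"), ("bank.example.biz", "192.0.2.77")]:
        print(f"{domain:20} from {sender:15} -> {check_spf(domain, sender)}")
```

In practice, mail servers combine SPF with DKIM and DMARC, and a DMARC policy of reject is what actually stops a forged message that uses your real domain from reaching inboxes.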

Phishing scams are not going anywhere anytime soon. On the contrary, they keep getting more sophisticated at tricking their targets. Cybersecurity efforts must continuously evolve to mitigate the risk as completely as possible and protect you and your organization. Ensure that training is provided to everyone who may receive an email, text, or call at your organization. Phishing scams often target vulnerable groups, like the elderly, so look in on people in your life and advise them of scam trends you are aware of. Most importantly, if in doubt, always check with another reliable contact at the organization reaching out. You can save yourself and your organization time and money and stay safe from phishing scams by remaining vigilant.