As online security has improved and modern devices incorporate greater protection against cybercrime, criminals are becoming more cunning.
One of the leading methods of online fraud now involves persuading people to voluntarily surrender their personal details.
While that might sound bizarre, phishing attacks have claimed many victims over the years.
We’ve previously reported on a £37 million copycat website scam, selling vastly overpriced Government documents to unwitting consumers.
Victims were targeted by email, because few people would have ended up on these fraudulent websites without encouragement.
To avoid contributing to next year’s fraud statistics, it’s crucial to understand what phishing attacks are – and how to stay away from them.
A quick definition
Phishing attacks are a form of cybercrime, where criminals feign legitimacy in an attempt to acquire sensitive personal data.
This could include your login credentials, bank account data, passport number or anything else with the potential to be used fraudulently.
Although phishing can involve text messages (known as smishing), we’re focusing on internet activities in this article.
These are the most common phishing methods to be aware of:
In an attempt to convey legitimacy, scam emails often feature copied-and-pasted contact details, company logos or the names of senior employees.
However, poor language skills and inappropriate email addresses usually indicate phishing emails weren’t sent from the brands or institutions they claim to represent.
These are some of the tell-tale signs identifying phishing attacks:
- Phishing attacks are often perpetrated by people whose grasp of English isn’t very good, using phrases like “Greetings of the day” or “to resolve that issues”
- Messages are more likely to include non-specific greetings. “Dear valued customer” immediately highlights the sender has no idea who you are
- Another common mistake is using your surname as a greeting, without the appropriate prefix. Nobody would knowingly start an email to John Smith with “Dear Smith”
- The display name rarely matches the actual email address – such as a purported HMRC notification sent using an email address ending with Nigeria’s .ng country code suffix
- The email address itself is often a dead giveaway. An email from a BroadbandDeals team member will come from firstname.lastname@example.org, not from email@example.com
- Occasionally, scammers manage to make an email look like you sent it yourself, but don’t be fooled
- Finally, approach any emails asking you to reset your password or supply data with extreme caution. If in doubt, don’t reply to the email – phone the company instead.
If you think a phishing email has slipped through your email provider’s spam net, you can Google the subject line along with the word “spam”, to see if other people have reported it.
Never open unsolicited attachments, whether they’re PDFs, JPGs or anything else.
While email remains the dominant platform for phishing, Facebook scams are on the rise.
The social media giant has endured some fairly dreadful PR lately, and anyone who’s fallen victim to Facebook phishing won’t be in a hurry to forgive its trespasses.
Whereas email attacks usually play on existing security fears, Facebook phishing tends to be more materialistic.
Unsolicited messages might promise anything from bitcoin to free gifts or forthcoming electrical goods.
Password theft is often attempted by claiming your password is attached (in a compromised file), or by including a link to an external website.
Another common method of audience manipulation is to threaten suspension or closure of the Facebook account unless “immediate action” is taken.
For a generation hooked on detailing the minutiae of their lives on social media, the threat of expulsion can be enough to lower people’s defences.
Of course, Facebook will rarely get in touch with individual account holders, and it’d never ask for confidential information.
Equally, a friend request from someone you already know or an invitation to download new Facebook features should be treated with great caution.
You can check suspicious messages by forwarding them to firstname.lastname@example.org.
The third main type of phishing to watch out for involves a process known as spearing.
This is much more personalised than the techniques above, usually involving a concerted attack on a single person.
It relies on the previous acquisition of sensitive content, such as who you bank with or where you work, in an attempt to feign familiarity.
This information could be captured from social media accounts, including phone numbers and names of your loved ones.
Because the scammer seems to know so much about you, it’s tempting to drop your guard and confirm more sensitive data.
The best defences include not publishing too much data online, and using common sense to determine whether someone could legitimately need the information they’re asking for.
Finally, there’s an offshoot of spear phishing known as whale phishing, which specifically targets high-level company employees in an attempt to acquire valuable information.