
Phishing

Phishing is a social engineering technique that attackers use to gather your information by posing as a legitimate institution or a friend. Phishing scams aim to trick individuals into clicking a link, opening an attachment, or disclosing sensitive information such as personally identifiable information, banking and credit details, or passwords. Attackers will use email, instant messaging, social media, and even phone calls to target individuals. Phishing can happen at work and in your personal life.

Recent industry reports show that up to 94% of organizations have been targeted by phishing attacks [1] and that 22% to 36% of all data breaches involve phishing [2]. The FBI's 2021 Internet Crime Report counted 323,972 victims of phishing attacks in 2021 [3].

Identifying and Protecting from Phishing Attacks

How can you be aware of and protect yourself from phishing attacks? There are five common indicators of a phishing attack:

  1. It’s too good to be true.
    • Just like a car salesman trying to sell you a lemon, if an offer seems too good to be true, it usually is.
  2. There is a strong sense of urgency.
    • If a message pushes you to act immediately, chances are it's a phishing scam. Attackers create a sense of urgency so that you react to the message rather than thinking it through. Credible organizations give their customers reasonable time to take care of their accounts and will never ask you to divulge personal information over email. When in doubt, go to the organization's website or app directly (type the address yourself or use a saved bookmark) rather than clicking the link in the message.
  3. Forged hyperlinks.
    • Attackers use forged hyperlinks, where the address shown in the link text differs from the address the link actually opens, to lure you onto dangerous sites. They also register lookalike domains that differ from the real one by a letter or two (for example: zionzbank.com rather than zionsbanks.com). On a computer, hover over the link to reveal the real destination before clicking; on a phone, press and hold the link to preview it. If the destination is not the domain you expect, or you are unsure, don't click it.
  4. Random or unexpected attachments.
    • If you see an attachment that you weren't expecting or that doesn't make sense, don't open it! Attackers often deliver ransomware or other malware in attachments, and it runs as soon as the file is opened.
  5. Unusual sender.
    • If anything seems out of the ordinary, whether the message appears to come from someone you know or not, don't open it. Attackers often create email accounts in the name of someone you know so that a familiar name shows up in the 'From' line; the display name can be set to anything, so check the actual email address behind it. Keep in mind that a matching address is not proof either, since a real account can be compromised, so an unusual request from a known contact is still worth verifying through another channel.
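The forged-hyperlink and unusual-sender indicators above can be checked mechanically. The following script is an added example, not code from the original article: it parses a constructed sample email, compares the visible text of every link with where the link actually points, flags hostnames that are near-misses of a trusted domain, and flags a display name that claims a trusted brand while the address belongs to another domain. The trusted-domain list, the similarity threshold and the sample message are assumptions made for the demonstration.

```python
import difflib
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of domains the reader trusts (constructed for this example).
KNOWN_DOMAINS = {"zionsbank.com", "example-bank.com", "paypal.com"}


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL or bare domain written in link text."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def lookalike_of(host, known=KNOWN_DOMAINS, threshold=0.85):
    """Return the trusted domain that `host` resembles without being it (or a
    subdomain of it), else None. The threshold is an arbitrary demo value."""
    if host in known:
        return None
    for k in known:
        if host.endswith("." + k):
            return None
        if difflib.SequenceMatcher(None, host, k).ratio() >= threshold:
            return k
    return None


def check_links(html):
    """Indicator 3: link text that advertises one address but opens another,
    or a destination that is a lookalike of a trusted domain."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        # Only compare when the visible text itself looks like a URL or domain.
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
            shown = host_of(text)
            if shown != target:
                findings.append(f"link text shows {shown} but points to {target}")
        near = lookalike_of(target)
        if near:
            findings.append(f"{target} looks like {near} but is not it")
    return findings


def check_sender(msg):
    """Indicator 5: display name suggests a trusted brand, address does not."""
    hdr = msg["From"]
    if hdr is None or not hdr.addresses:
        return ["message has no parsable From address"]
    name, addr = hdr.addresses[0].display_name, hdr.addresses[0].addr_spec
    domain = addr.rsplit("@", 1)[-1].lower()
    compact = re.sub(r"\W", "", name.lower())  # "Zions Bank" -> "zionsbank"
    for k in KNOWN_DOMAINS:
        brand = k.split(".")[0]
        if brand in compact and domain != k and not domain.endswith("." + k):
            return [f"display name '{name}' suggests {k} but address is {addr}"]
    return []


def analyse(raw_bytes):
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    body = msg.get_body(preferencelist=("html",))
    return check_sender(msg) + check_links(body.get_content() if body else "")


# Constructed sample message; the domains are invented for the demonstration.
SAMPLE = b"""From: "Zions Bank Security" <alerts@zionz-bank-verify.com>
To: customer@example.org
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Unusual activity was detected. Confirm now:
<a href="http://zionzbank.com/login">https://zionsbank.com/login</a></p>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("FLAG:", finding)
```

Run against the sample, the script reports three findings: the sender's display name claims the bank while the address is elsewhere, the link text shows zionsbank.com but opens zionzbank.com, and zionzbank.com is a near-miss of the trusted domain. A real mail filter would also resolve redirectors and check the final landing page, which this offline example does not do.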

Other Forms of Phishing

Though it most commonly arrives as an email, phishing can happen in many ways. Below are scenarios showing a variety of phishing attacks. While fictitious, these stories illustrate real strategies and techniques used by attackers.

  • John didn’t recognize the phone number, but he answered the call anyway. The caller claimed to be a representative from his bank. The caller sounded professional and urgently needed to verify suspicious activity on John’s account. John quickly provided his information and was told the issue was taken care of. He went about his day, but later realized he had been the victim of a vishing attack.

    • Vishing: A form of phishing, vishing (voice-phishing) uses phone calls to trick you into disclosing personal information.
  • Stephanie heard her phone ding and saw a text message that appeared to be from her mobile phone provider. The message warned of an overdue bill and threatened to cancel her service if she didn’t make an immediate payment. The message provided a link that took her to a payment page. She entered her card details, relieved to have resolved the problem. Later, she realized her card had been used fraudulently. She had been a victim of a smishing attack.

    • Smishing: Smishing (SMS-phishing) involves SMS or text messages that lure you into revealing sensitive information.
  • Jonathan was browsing a website and saw an ad offering a free product. All he had to do was pay for shipping and handling. Eager to take advantage of this limited-time offer, he followed the link to a website where he entered his information. The item didn’t arrive in the expected timeframe and when Jonathan tried to follow up, he couldn’t find any information on the company or the item he had purchased. He was a victim of baiting.

    • Baiting: Baiting is a specific form of social engineering where the attacker promises something in return for a small payment. This is usually too good to be true and is intended to gain your financial and personal information.
  • Julie saw a poster as she walked down the street. It advertised discounted tickets to an upcoming local concert that she’d been wanting to attend. She quickly scanned the QR code on the poster which directed her to a site to purchase the tickets. Since they were almost sold out, Julie purchased a ticket. When she couldn’t access the ticket later that day, she realized that she had been a victim of a quishing attack.

    • Quishing: This form of phishing (QR-phishing) uses QR codes to deceive people into providing sensitive information, downloading harmful software onto their devices, or handing over financial details. A fraudulent QR code, whether printed on a poster or embedded in an email, directs the person who scans it to a malicious website designed to steal credentials or compromise accounts and devices. Because the destination is hidden inside the code, preview the URL your phone shows before opening it.

Additional Tips to Protect Against Phishing

Two-step verification

To reduce the damage from phishing and other forms of credential theft, make sure multi-factor authentication (such as two-step verification) is enabled on your accounts. Be aware that a one-time code you type into a phishing page can be relayed by the attacker to the real site, so where a service offers a phishing-resistant method such as a hardware security key or a passkey, prefer it over codes sent by SMS or email. Additionally, turn on security alerts that notify you when your account is used from a computer or device you have never signed in from.

Be aware of social media

Phishing attacks are most common in emails, but they can occur on any account that has a messaging feature, including social media. No matter where you are logged in, be on the lookout for the common signs of phishing attacks!

What to do if you’ve fallen victim

If you suspect that you've fallen victim to a phishing attack, act quickly to limit the consequences. First, change any passwords that may have been compromised, starting with the account the message targeted and any other account that shared the same password, and make each new password strong and unique. If you have not already done so, enable multi-factor or two-factor authentication (MFA/2FA) on the affected accounts, and sign out any sessions or devices you do not recognize. If you opened an attachment or installed anything, run an anti-malware scan on the device. If you provided financial information, contact your bank or card issuer and alert them to the potential for fraud. If the message arrived at work, report it to your IT or security team so they can look for other recipients. Lastly, monitor your accounts for any unauthorized or suspicious activity.

You are the shield

The most important defense against phishing attacks is education and vigilance. Learning to recognize the common tactics used by attackers and staying alert will help you avoid falling for these scams. Remember: always verify requests for personal information through a channel you trust, be wary of unusual requests or offers that are too good to be true, and don't give in to a manufactured sense of urgency. You are the best shield for keeping your information secure.

Real World Phishing Examples

Phishing: https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-phishing/the-top-5-phishing-scams-of-all-times/

Vishing: https://www.terranovasecurity.com/blog/examples-vishing

Smishing: https://caniphish.com/what-is-smishing#Examples

Baiting: https://www.palisade.email/resources-post/understanding-what-a-baiting-attack-is-examples-and-protection

Quishing: https://www.hbs.net/blog/quishing/